| draft-ietf-grow-route-leak-detection-mitigation-01.txt | draft-ietf-grow-route-leak-detection-mitigation-02.txt | |||
|---|---|---|---|---|
| IDR and SIDR K. Sriram, Ed. | IDR and SIDR K. Sriram, Ed. | |||
| Internet-Draft USA NIST | Internet-Draft USA NIST | |||
| Intended status: Standards Track A. Azimov, Ed. | Intended status: Standards Track A. Azimov, Ed. | |||
| Expires: January 26, 2020 Yandex | Expires: July 28, 2020 Yandex | |||
| July 25, 2019 | January 25, 2020 | |||
| Methods for Detection and Mitigation of BGP Route Leaks | Methods for Detection and Mitigation of BGP Route Leaks | |||
| draft-ietf-grow-route-leak-detection-mitigation-01 | draft-ietf-grow-route-leak-detection-mitigation-02 | |||
| Abstract | Abstract | |||
| Problem definition for route leaks and enumeration of types of route | Problem definition for route leaks and enumeration of types of route | |||
| leaks are provided in [RFC7908]. This document describes a new well- | leaks are provided in [RFC7908]. This document describes a new well- | |||
| known Large Community that provides a way for route leak prevention, | known Large Community that provides a way for route leak prevention, | |||
| detection, and mitigation. The configuration process for this | detection, and mitigation. The configuration process for this | |||
| Community can be automated with the methodology for setting BGP roles | Community can be automated with the methodology for setting BGP roles | |||
| that is described in ietf-idr-bgp-open-policy draft. | that is described in ietf-idr-bgp-open-policy draft. | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 26, 2020. | This Internet-Draft will expire on July 28, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 16 ¶ | skipping to change at page 2, line 16 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Peering Relationships . . . . . . . . . . . . . . . . . . . . 2 | 2. Peering Relationships . . . . . . . . . . . . . . . . . . . . 2 | |||
| 3. Community vs Attribute . . . . . . . . . . . . . . . . . . . 3 | 3. Community vs Attribute . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. Down Only Community . . . . . . . . . . . . . . . . . . . . . 4 | 4. Down Only Community . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4.1. Route Leak Mitigation . . . . . . . . . . . . . . . . . . 5 | 4.1. Route Leak Mitigation . . . . . . . . . . . . . . . . . . 5 | |||
| 4.2. Only Marking . . . . . . . . . . . . . . . . . . . . . . 6 | 4.2. Only Marking . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5. Implementation Considerations . . . . . . . . . . . . . . . . 6 | 5. Implementation Considerations . . . . . . . . . . . . . . . . 6 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 8. Informative References . . . . . . . . . . . . . . . . . . . 7 | 8. Informative References . . . . . . . . . . . . . . . . . . . 7 | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 8 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 1. Introduction | 1. Introduction | |||
| [RFC7908] provides a definition of the route leak problem and | [RFC7908] provides a definition of the route leak problem and | |||
| enumerates several types of route leaks. For this document, the | enumerates several types of route leaks. For this document, the | |||
| definition that is applied is that a route leak occurs when a route | definition that is applied is that a route leak occurs when a route | |||
| skipping to change at page 3, line 41 ¶ | skipping to change at page 3, line 41 ¶ | |||
| 3. Community vs Attribute | 3. Community vs Attribute | |||
| This section presents a brief discussion of the advantages and | This section presents a brief discussion of the advantages and | |||
| disadvantages of communities and BGP path attributes for the purpose | disadvantages of communities and BGP path attributes for the purpose | |||
| of route leak detection. | of route leak detection. | |||
| A transitive path attribute is a native way to implement the route- | A transitive path attribute is a native way to implement the route- | |||
| leak detection signal. Based on the way BGP protocol works, the use | leak detection signal. Based on the way BGP protocol works, the use | |||
| of a transitive attribute makes it more certain that the route-leak | of a transitive attribute makes it more certain that the route-leak | |||
| detection signal would pass unaltered through non-participating | detection signal would pass unaltered through non-participating | |||
| (i.e., not updated) BGP routers. The main disadvantage of this | (i.e., not upgraded) BGP routers. The main disadvantage of this | |||
| approach is that the deployment of a new BGP attribute requires a | approach is that the deployment of a new BGP attribute requires a | |||
| software update in router OS which may delay wide adoption for years. | software upgrade in router OS which may delay wide adoption for | |||
| years. | ||||
| On the other hand, BGP communities do not require a router OS update. | On the other hand, BGP communities do not require a router OS update. | |||
| The potential disadvantage of using a Community for the route-leak | The potential disadvantage of using a Community for the route-leak | |||
| detection signal is that it is more likely to be dropped somewhere | detection signal is that it is more likely to be dropped somewhere | |||
| along the way in the AS path. Currently, the use of BGP Communities | along the way in the AS path. Currently, the use of BGP Communities | |||
| is somewhat overloaded. BGP Communities are already used for | is somewhat overloaded. BGP Communities are already used for | |||
| numerous applications: different types of route marking, route policy | numerous applications: different types of route marking, route policy | |||
| control, black-holing, etc. It is observed that some ASes seem to | control, black-holing, etc. It is observed that some ASes seem to | |||
| purposefully or accidentally remove transitive communities on | purposefully or accidentally remove transitive communities on | |||
| receipt, sometimes well-known ones. Perhaps this issue may be | receipt, sometimes well-known ones. Perhaps this issue may be | |||
| skipping to change at page 4, line 17 ¶ | skipping to change at page 4, line 18 ¶ | |||
| Due to frequently occurring regional and global disruptions in | Due to frequently occurring regional and global disruptions in | |||
| Internet connectivity, it is critical to move forward with a solution | Internet connectivity, it is critical to move forward with a solution | |||
| that is viable in the near term. That solution would be route leak | that is viable in the near term. That solution would be route leak | |||
| detection using BGP Community. | detection using BGP Community. | |||
| Large Communities have much higher capacity, and therefore they are | Large Communities have much higher capacity, and therefore they are | |||
| likely to be less overloaded. Hence, Large Community is proposed to | likely to be less overloaded. Hence, Large Community is proposed to | |||
| be used for route-leak detection. This document suggests reserving | be used for route-leak detection. This document suggests reserving | |||
| <TBD1> class for the purpose of transitive well-known Large | <TBD1> class for the purpose of transitive well-known Large | |||
| Communities that MUST not be stripped on ingress or egress. | Communities that MUST NOT be stripped on ingress or egress. | |||
| While it is not part of this document, the route-leak detection | While it is not part of this document, the route-leak detection | |||
| signal described here can also be carried in a BGP path attribute, | signal described here can also be carried in a BGP path attribute, | |||
| and the same prevention and mitigation techniques as described here | and the same prevention and mitigation techniques as described here | |||
| would apply. The authors are pursuing a separate internet draft in | would apply. The authors are pursuing a separate internet draft in | |||
| the IDR WG on that approach. | the IDR WG on that approach. | |||
| 4. Down Only Community | 4. Down Only Community | |||
| This section specifies the semantics of route-leak-detection | This section specifies the semantics of route-leak-detection | |||
| Community and its usage. This Community is given the specific name | Community and its usage. This Community is given the specific name | |||
| Down Only (DO) Community. The DO Community is carried in a BGP Large | Down Only (DO) Community. The DO Community is carried in a BGP Large | |||
| Community with a format as shown in Figure 1. | Community with a format as shown in Figure 1. | |||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | TBD1 (class for well-known transit communities) | | | TBD1 (class for transitive well-known Large Communities) | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | TBD2 (subclass for DO) | | | TBD2 (subclass for DO) | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | ASN | | | ASN | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 1: Format of the DO Community using a Large Community | Figure 1: Format of the DO Community using a Large Community | |||
| [RFC8092]. | [RFC8092]. | |||
| The authors studied different options for route leak mitigation. The | The authors studied different options for route leak mitigation. The | |||
| skipping to change at page 5, line 46 ¶ | skipping to change at page 5, line 47 ¶ | |||
| transit) and DO value is not equal to the sending neighbor's ASN, | transit) and DO value is not equal to the sending neighbor's ASN, | |||
| then it is a route leak and MUST be rejected. The procedure | then it is a route leak and MUST be rejected. The procedure | |||
| halts. | halts. | |||
| 3. If a route is received from a Provider, Peer or RS, then the DO | 3. If a route is received from a Provider, Peer or RS, then the DO | |||
| Community MUST be added with a value equal to the sending | Community MUST be added with a value equal to the sending | |||
| neighbor's ASN. | neighbor's ASN. | |||
| The egress policy MUST use the following procedure: | The egress policy MUST use the following procedure: | |||
| 1. A route with DO Community set MUST not be sent to Providers, | 1. A route with DO Community set MUST NOT be sent to Providers, | |||
| Peers, and RS. | Peers, and RS. | |||
| 2. If a route is sent to a Customer or Peer, then the DO Community | 2. If a route is sent to a Customer or Peer, then the DO Community | |||
| MUST be added with a value equal to the ASN of the sender. | MUST be added with a value equal to the ASN of the sender. | |||
| The above procedures comprehensively provide route-leak prevention, | The above procedures comprehensively provide route-leak prevention, | |||
| detection and mitigation. Policy consisting of these procedures | detection and mitigation. Policy consisting of these procedures | |||
| SHOULD be used as a default behavior. | SHOULD be used as a default behavior. | |||
| 4.2. Only Marking | 4.2. Only Marking | |||
| skipping to change at page 7, line 15 ¶ | skipping to change at page 7, line 15 ¶ | |||
| If a route with DO Community set is received from a Peer and DO value | If a route with DO Community set is received from a Peer and DO value | |||
| is equal to the sending neighbor's ASN, then it is a valid route, | is equal to the sending neighbor's ASN, then it is a valid route, | |||
| otherwise it is a route leak. The procedure halts. | otherwise it is a route leak. The procedure halts. | |||
| This rule is based on a weaker assumption that a peer that is doing | This rule is based on a weaker assumption that a peer that is doing | |||
| marking is also doing filtering (dropping detected leaks). That is | marking is also doing filtering (dropping detected leaks). That is | |||
| why networks that do not follow the route leak mitigation policy in | why networks that do not follow the route leak mitigation policy in | |||
| Section 4.1 MUST carefully follow marking rules described in | Section 4.1 MUST carefully follow marking rules described in | |||
| Section 4.2. | Section 4.2. | |||
| 6. Security Considerations | 6. IANA Considerations | |||
| The draft suggests to reserve a Global Administrator ID <TBD1> for | ||||
| transitive well-known Large Community registry. IANA is requested to | ||||
| register a subclass <TBD2> for DO Community in this registry. | ||||
| 7. Security Considerations | ||||
| In specific circumstances in a state of partial adoption, route leak | In specific circumstances in a state of partial adoption, route leak | |||
| mitigation mechanism can result in Denial of Service (DoS) for the | mitigation mechanism can result in Denial of Service (DoS) for the | |||
| victim prefix. Such a scenario may happen only for a prefix that has | victim prefix. Such a scenario may happen only for a prefix that has | |||
| a single path from the originator to a Tier-1 ISP and only when the | a single path from the originator to a Tier-1 ISP and only when the | |||
| prefix is not covered with a less specific prefix with multiple paths | prefix is not covered with a less specific prefix with multiple paths | |||
| to the Tier-1 ISP. If, in such unreliable topology, route leak is | to the Tier-1 ISP. If, in such unreliable topology, route leak is | |||
| injected somewhere inside this single path, then it may be rejected | injected somewhere inside this single path, then it may be rejected | |||
| by upper layer providers in the path, thus limiting prefix | by upper layer providers in the path, thus limiting prefix | |||
| visibility. While such anomaly is unlikely to happen, such an issue | visibility. While such anomaly is unlikely to happen, such an issue | |||
| should be easy to debug, since it directly affects the sequence of | should be easy to debug, since it directly affects the sequence of | |||
| originator's providers. | originator's providers. | |||
| With the use of BGP Community, there is often a concern that the | With the use of BGP Community, there is often a concern that the | |||
| Community propagates beyond its intended perimeter and causes harm | Community propagates beyond its intended perimeter and causes harm | |||
| [streibelt]. However, that concern does not apply to the DO | [streibelt]. However, that concern does not apply to the DO | |||
| Community because it is a transitive Community that must propagate as | Community because it is a transitive Community that must propagate as | |||
| far as the update goes. | far as the update goes. | |||
| 7. IANA Considerations | ||||
| The draft suggests to reserve a Global Administrator ID <TBD1> for | ||||
| transitive well-known Large Community registry. IANA is requested to | ||||
| register a subclass <TBD2> for DO Community in this registry. | ||||
| 8. Informative References | 8. Informative References | |||
| [I-D.ietf-idr-bgp-open-policy] | [I-D.ietf-idr-bgp-open-policy] | |||
| Azimov, A., Bogomazov, E., Bush, R., Patel, K., and K. | Azimov, A., Bogomazov, E., Bush, R., Patel, K., and K. | |||
| Sriram, "Route Leak Prevention using Roles in Update and | Sriram, "Route Leak Prevention using Roles in Update and | |||
| Open messages", draft-ietf-idr-bgp-open-policy-06 (work in | Open messages", draft-ietf-idr-bgp-open-policy-07 (work in | |||
| progress), July 2019. | progress), January 2020. | |||
| [RFC4264] Griffin, T. and G. Huston, "BGP Wedgies", RFC 4264, | [RFC4264] Griffin, T. and G. Huston, "BGP Wedgies", RFC 4264, | |||
| DOI 10.17487/RFC4264, November 2005, | DOI 10.17487/RFC4264, November 2005, | |||
| <https://www.rfc-editor.org/info/rfc4264>. | <https://www.rfc-editor.org/info/rfc4264>. | |||
| [RFC7908] Sriram, K., Montgomery, D., McPherson, D., Osterweil, E., | [RFC7908] Sriram, K., Montgomery, D., McPherson, D., Osterweil, E., | |||
| and B. Dickson, "Problem Definition and Classification of | and B. Dickson, "Problem Definition and Classification of | |||
| BGP Route Leaks", RFC 7908, DOI 10.17487/RFC7908, June | BGP Route Leaks", RFC 7908, DOI 10.17487/RFC7908, June | |||
| 2016, <https://www.rfc-editor.org/info/rfc7908>. | 2016, <https://www.rfc-editor.org/info/rfc7908>. | |||
| skipping to change at page 8, line 23 ¶ | skipping to change at page 8, line 23 ¶ | |||
| <https://www.rfc-editor.org/info/rfc8092>. | <https://www.rfc-editor.org/info/rfc8092>. | |||
| [streibelt] | [streibelt] | |||
| Streibelt et al., F., "BGP Communities: Even more Worms in | Streibelt et al., F., "BGP Communities: Even more Worms in | |||
| the Routing Can", ACM IMC, October 2018, | the Routing Can", ACM IMC, October 2018, | |||
| <https://archive.psg.com//181101.imc-communities.pdf>. | <https://archive.psg.com//181101.imc-communities.pdf>. | |||
| Acknowledgements | Acknowledgements | |||
| The authors wish to thank John Scudder, Susan Hares, Ruediger Volk, | The authors wish to thank John Scudder, Susan Hares, Ruediger Volk, | |||
| Mat Ford, Greg Skinner for their review and comments. | Jeffrey Haas, Mat Ford, Greg Skinner for their review and comments. | |||
| Contributors | Contributors | |||
| The following people made significant contributions to this document | The following people made significant contributions to this document | |||
| and should be considered co-authors: | and should be considered co-authors: | |||
| Brian Dickson | Brian Dickson | |||
| Independent | Independent | |||
| Email: brian.peter.dickson@gmail.com | Email: brian.peter.dickson@gmail.com | |||
| End of changes. 14 change blocks. | ||||
| 22 lines changed or deleted | 23 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||