--- 1/draft-ietf-idr-bgp-open-policy-20.txt 2022-01-22 12:13:10.314393520 -0800 +++ 2/draft-ietf-idr-bgp-open-policy-21.txt 2022-01-22 12:13:10.350394421 -0800 @@ -1,45 +1,45 @@ Network Working Group A. Azimov Internet-Draft Qrator Labs & Yandex Intended status: Standards Track E. Bogomazov -Expires: July 22, 2022 Qrator Labs +Expires: July 26, 2022 Qrator Labs R. Bush Internet Initiative Japan & Arrcus, Inc. K. Patel Arrcus K. Sriram USA NIST - January 18, 2022 + January 22, 2022 Route Leak Prevention and Detection using Roles in UPDATE and OPEN Messages - draft-ietf-idr-bgp-open-policy-20 + draft-ietf-idr-bgp-open-policy-21 Abstract Route leaks are the propagation of BGP prefixes that violate assumptions of BGP topology relationships, e.g., announcing a route learned from one transit provider to another transit provider or a lateral (i.e., non-transit) peer or announcing a route learned from one lateral peer to another lateral peer or a transit provider. These are usually the result of misconfigured or absent BGP route filtering or lack of coordination between autonomous systems (ASes). Existing approaches to leak prevention rely on marking routes by operator configuration, with no check that the configuration corresponds to that of the eBGP neighbor, or enforcement that the two - eBGP speakers agree on the relationship. This document enhances the - BGP OPEN message to establish an agreement of the relationship on - each eBGP session between autonomous systems in order to enforce - appropriate configuration on both sides. Propagated routes are then - marked according to the agreed relationship, allowing both prevention - and detection of route leaks. + eBGP speakers agree on the peering relationship. This document + enhances the BGP OPEN message to establish an agreement of the + peering relationship on each eBGP session between autonomous systems + in order to enforce appropriate configuration on both sides. + Propagated routes are then marked according to the agreed + relationship, allowing both prevention and detection of route leaks. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Status of This Memo @@ -50,21 +50,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on July 22, 2022. + This Internet-Draft will expire on July 26, 2022. Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -76,28 +76,28 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Peering Relationships . . . . . . . . . . . . . . . . . . 4 3. BGP Role . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1. BGP Role Capability . . . . . . . . . . . . . . . . . . . 5 3.2. Role Correctness . . . . . . . . . . . . . . . . . . . . 6 4. BGP Only to Customer (OTC) Attribute . . . . . . . . . . . . 7 - 5. Additional Considerations . . . . . . . . . . . . . . . . . . 8 + 5. Additional Considerations . . . . . . . . . . . . . . . . . . 9 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 8.1. Normative References . . . . . . . . . . . . . . . . . . 11 8.2. Informative References . . . . . . . . . . . . . . . . . 12 - Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 12 - Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 12 + Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 13 + Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction Route leaks are the propagation of BGP prefixes that violate assumptions of BGP topology relationships, e.g., announcing a route learned from one transit provider to another transit provider or a lateral (i.e., non-transit) peer or announcing a route learned from one lateral peer to another lateral peer or a transit provider [RFC7908]. These are usually the result of misconfigured or absent @@ -107,23 +107,23 @@ Existing approaches to leak prevention rely on marking routes by operator configuration, with no check that the configuration corresponds to that of the eBGP neighbor, or enforcement that the two eBGP speakers agree on the relationship. This document enhances the BGP OPEN message to establish an agreement of the relationship on each eBGP session between autonomous systems in order to enforce appropriate configuration on both sides. Propagated routes are then marked according to the agreed relationship, allowing both prevention and detection of route leaks. - This document specifies a means of replacing the operator driven + This document specifies a means of replacing the operator-driven configuration-based method of route leak prevention, described above, - with a built-in method for route leak prevention and detection. + with an in-band method for route leak prevention and detection. This method uses a new configuration parameter, BGP Role, which is negotiated using a BGP Role Capability in the OPEN message [RFC5492]. An eBGP speaker may require the use of this capability and confirmation of BGP Role with a neighbor for the BGP OPEN to succeed. An optional, transitive BGP Path Attribute, called Only to Customer (OTC), is specified in Section 4. It prevents ASes from creating leaks and detects leaks created by the ASes in the middle of an AS path. The main focus/applicability is the Internet (IPv4 and IPv6 @@ -140,20 +140,24 @@ same meaning as in [RFC4271], i.e., "route is ineligible to be installed in Loc-RIB and will be excluded from the next phase of route selection." 2.1. Peering Relationships The terms defined and used in this document (see below) do not necessarily represent business relationships based on payment agreements. These terms are used to represent restrictions on BGP route propagation, sometimes known as the Gao-Rexford model [Gao]. + The terms Provider, Customer, and Peer used here are synonymous to + the terms "transit provider", "customer", and "lateral (i.e., non- + transit) peer", respectively, used in [RFC7908]. + The following is a list of BGP Roles for eBGP peering and the corresponding rules for route propagation: Provider: MAY propagate any available route to a Customer. Customer: MAY propagate any route learned from a Customer, or locally originated, to a Provider. All other routes MUST NOT be propagated. Route Server (RS): MAY propagate any available route to a Route @@ -172,23 +176,25 @@ Client-to-RS, or Peer-to-Peer (i.e., lateral peers), respectively. These are called normal peering relationships. If the local AS has more than one peering role with the remote AS such peering relation is called Complex. An example is when the peering relationship is Provider-to-Customer for some prefixes while it is Peer-to-Peer for other prefixes [Gao]. A BGP speaker may apply policy to reduce what is announced, and a recipient may apply policy to reduce the set of routes they accept. - Violation of the above rules may result in route leaks. Automatic - enforcement of these rules should significantly reduce route leaks - that may otherwise occur due to manual configuration mistakes. + + Violation of the route propagation rules listed above may result in + route leaks [RFC7908]. Automatic enforcement of these rules should + significantly reduce route leaks that may otherwise occur due to + manual configuration mistakes. As specified in Section 4, the Only to Customer (OTC) Attribute is used to identify all the routes in the AS that have been received from a Peer, Provider, or RS. 3. BGP Role The BGP Role characterizes the relationship between the eBGP speakers forming a session. One of the Roles described below SHOULD be configured at the local AS for each eBGP session (see definitions in @@ -230,21 +236,23 @@ | 2 | RS-Client | | 3 | Customer | | 4 | Peer (Lateral Peer) | | 5-255 | Unassigned | +-------+------------------------------+ Table 1: Predefined BGP Role Values If BGP Role is locally configured, the eBGP speaker MUST advertise BGP Role Capability in the BGP OPEN message. An eBGP speaker MUST - NOT advertise multiple versions of the BGP Role Capability. + NOT advertise multiple versions of the BGP Role Capability. The + error handling when multiple BGP Role Capabilities are received is + described in Section 3.2. 3.2. Role Correctness Section 3.1 described how BGP Role encodes the relationship on each eBGP session between autonomous systems (ASes). The mere receipt of BGP Role Capability does not automatically guarantee the Role agreement between two eBGP neighbors. If the BGP Role Capability is advertised, and one is also received from the peer, the Roles MUST correspond to the relationships in Table 2. If @@ -285,22 +293,22 @@ using the Role Mismatch Notification (code 2, subcode TBD). The BGP Role value for the local AS (in conjunction with the OTC Attribute in the received UPDATE message) is used in the route leak prevention and detection procedures described in Section 4. 4. BGP Only to Customer (OTC) Attribute The Only to Customer (OTC) Attribute is an optional transitive path attribute of the UPDATE message with Attribute Type Code 35 and a - length of 4 octets. The purpose of this attribute is to guarantee - that once a route is sent to a Customer, Peer, or RS-Client, it will + length of 4 octets. The purpose of this attribute is to enforce that + once a route is sent to a Customer, Peer, or RS-Client, it will subsequently go only to Customers. The attribute value is an AS number (ASN) determined by the procedures described below. The following ingress procedure applies to the processing of the OTC Attribute on route receipt: 1. If a route with the OTC Attribute is received from a Customer or RS-Client, then it is a route leak and MUST be considered ineligible (see Section 2). @@ -331,28 +339,28 @@ from a Peer, Provider, or RS, and it can be advertised only to the customers. The same OTC Attribute which is set locally also provides a way to detect route leaks by an AS multiple hops away if a route is received from a Customer, Peer, or RS-Client. For example, if an AS sets the OTC Attribute on a route sent to a Peer and the route is subsequently received by a compliant AS from a Customer, then the receiving AS detects (based on the presence of the OTC Attribute) that the route is a leak. The OTC Attribute might be set at the egress of the remote AS or at - the ingress of the local AS, i.e., if the remote AS is noncompliant + the ingress of the local AS, i.e., if the remote AS is non-compliant with this specification, then the local AS will have to set the OTC Attribute if it is absent. In both scenarios, the OTC value will be the same. This makes the scheme more robust and benefits early adopters. - If an eBGP speaker receives an UPDATE with an OTC Attribute with a - length different from 4 octets, then the UPDATE SHALL be considered + If an UPDATE is received with an OTC Attribute with a length + different from 4 octets, then the UPDATE SHALL be considered malformed. If malformed, the UPDATE message SHALL be handled using the approach of "treat-as-withdraw" [RFC7606]. The procedures specified in this document are NOT RECOMMENDED to be used between autonomous systems in an AS Confederation [RFC5065]. If an OTC Attribute is added on egress from the AS Confederation, its value MUST equal the AS Confederation Identifier. Also, on egress from the AS Confederation, an UPDATE MUST NOT contain an OTC Attribute with a value corresponding to any Member-AS Number other than the AS Confederation Identifier. @@ -376,21 +384,21 @@ Roles MUST NOT be configured on an eBGP session with a Complex peering relationship. If multiple eBGP sessions can segregate the Complex peering relationship into eBGP sessions with normal peering relationships, BGP Roles SHOULD be used on each of the resulting eBGP sessions. An operator may want to achieve an equivalent outcome by configuring policies on a per-prefix basis to follow the definitions of peering relations as described in Section 2.1. However, in this case, there - are no built-in measures to check the correctness of the per-prefix + are no in-band measures to check the correctness of the per-prefix peering configuration. The incorrect setting of BGP Roles and/or OTC Attributes may affect prefix propagation. Further, this document does not specify any special handling of incorrect AS numbers in the OTC Attribute. In AS migration scenarios [RFC7705], a given router may represent itself as any one of several different ASes. This should not be a problem since the egress procedures in Section 4 specify that the OTC Attribute is to be attached as part of route transmission. @@ -457,21 +466,21 @@ in propagating routes that are received from other Providers or Peers. But the BGP Role negotiation and the resulting confirmation of Roles make such misconfigurations unlikely. Setting the strict mode of operation for BGP Role negotiation as the default may result in a situation where the eBGP session will not come up after a software update. Implementations with such default behavior are strongly discouraged. Removing the OTC Attribute or changing its value can limit the - opportunity of route leak detection. Such activity can be done on + opportunity for route leak detection. Such activity can be done on purpose as part of an on-path attack. For example, an AS can remove the OTC Attribute on a received route and then leak the route to its transit provider. This kind of threat is not new in BGP and it may affect any Attribute (Note: BGPsec [RFC8205] offers protection only for the AS_PATH Attribute). Adding an OTC Attribute when the route is advertised from Customer to Provider will limit the propagation of the route. Such a route may be considered as ineligible by the immediate Provider or its Peers or upper layer Providers. This kind of OTC Attribute addition is