rfcdiff: draft-mcbride-grow-as-path-prepend-00.txt (-00) vs draft-mcbride-grow-as-path-prepend-01.txt (-01)

Network Working Group                                        M. McBride
Internet-Draft                                                 Futurewei
Intended status: Best Current Practice                        D. Madory
Expires: {-00: January 14, 2021 | -01: January 27, 2021}          Oracle
                                                             J. Tantsura
                                                                  Apstra
                               {-00: July 13, 2020 | -01: July 26, 2020}

                            AS-Path Prepend
                  draft-mcbride-grow-as-path-prepend-00 / -01
Abstract

   AS_Path prepending provides a tool to manipulate the BGP AS_Path
   attribute through prepending multiple entries of an AS. AS_Path
   prepend is used to deprioritize a route or alternate path. By
   prepending the local ASN multiple times, ASes can make advertised AS
   paths appear artificially longer. Excessive AS_Path prepending has
   caused routing issues in the internet. This document provides
   guidance, to the internet community, with how best to utilize AS_Path

   (skipping to change at page 1, line 40)
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on {-00: January 14, 2021 | -01:
   January 27, 2021}.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents

   (skipping to change at page 2, line 24)
   1.1. Requirements Language . . . . . . . . . . . . . . . . . .   3
   2. Problems . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.1. Excessive Prepending . . . . . . . . . . . . . . . . . . .   3
   2.2. Prepending during a routing leak . . . . . . . . . . . . .   3
   2.3. Route Competition . . . . . . . . . . . . . . . . . . . . .   4
   2.4. Prepending to All . . . . . . . . . . . . . . . . . . . . .   5
   2.5. Memory . . . . . . . . . . . . . . . . . . . . . . . . . .   6
   2.6. Errant announcement . . . . . . . . . . . . . . . . . . . .   6
   3. Best Practices . . . . . . . . . . . . . . . . . . . . . . .   6
   4. IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   5. Security Considerations . . . . . . . . . . . {-00: 7 | -01: 6}
   6. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . .   7
   7. Normative References . . . . . . . . . . . . . . . . . . . .   7
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .   7
1. Introduction

   The Border Gateway Protocol (BGP) [RFC4271] specifies the AS_Path
   attribute which enumerates the ASs that must be traversed to reach
   the networks listed in the BGP UPDATE message. If the UPDATE message
   is propagated over an external link, then the local AS number is

   (skipping to change at page 3, line 30)
   which is normally announced with an inordinate amount of prepending.
   A recent analysis revealed that 95.47.142.0/23 is announced to the
   world along the following AS path:

      3255 197158 197158 197158 197158 197158 197158 197158 197158
      197158 197158 197158 197158 197158 197158 197158 197158 197158
      197158 197158 197158 197158 197158 197158
   In this example, the origin AS197158 appears 23 consecutive times
   before being passed on to a single upstream (AS3255), which passes it
   on to the global internet, prepended-to-all. {-00: An attacker
   wanting to intercept or manipulate traffic to this prefix might
   enlist a datacenter of questionable morals who would allow
   announcements of the same prefix with a fabricated AS path such as
   999999 3255 197158. | -01: An attacker, wanting to intercept or
   manipulate traffic to this prefix, could enlist a datacenter to allow
   announcements of the same prefix with a fabricated AS path such as
   999999 3255 197158.} Here the fictional AS999999 represents the shady
   datacenter. This malicious route would be pretty popular due to the
   shortened AS path length and might go unnoticed by the true origin,
   even if route-monitoring had been implemented. Standard BGP route
   monitoring checks a route's origin and upstream and both would be
   intact in this scenario. The length of the prepending gives the
   attacker room to craft an AS path that would appear plausible to the
   casual observer, comply with origin validation mechanisms, and not be
   detected by off-the-shelf route monitoring.
2.2. Prepending during a routing leak

   In April 2010, China Telecom experienced a routing leak. While
   analyzing the leak something peculiar was noticed. When we ranked
   the approximately 50,000 prefixes involved in the leak based on how
   many ASes accepted the leaked routes, most of the impact was
   constrained to {-00: Chinese | -01: China} routes. However, two of
   the top five most-propagated leaked routes (listed in the table
   below) were US routes. {-00 only: Was there some grand conspiracy to
   intercept traffic destined for these routes? Actually, it was due to
   something much more troubling: gratuitous AS path prepending.}
   During the routing leak, nearly all of the ASes of the internet
   preferred the {-00: Chinese | -01: China} leaked routes for
   12.5.48.0/21 and 12.4.196.0/22 because, at the time, these two US
   prefixes were being announced to the entire internet along the
   following excessively prepended AS path: 3257 7795 12163 12163 12163
   12163 12163 12163. {-00: With this odd configuration, virtually any
   illegitimate route, whether a deliberate hijack or an inadvertent
   leak, would be preferred over the legitimate route. | -01: Virtually
   any illegitimate route would be preferred over the legitimate
   route.} In this case, the victim is all but ensuring their
   victimhood.
   There was only a single upstream seen in the prepending example from
   above, so the prepending was achieving nothing {-00: while incurring
   risk of hijacked traffic during a routing leak or hijack. You'd
   think | -01: except incurring risk. You would think} such mistakes
   would be relatively rare, especially now, 10 years later. As it
   turns out, there is quite a lot of prepending-to-all going on right
   now and during leaks, it doesn't go well for those who make this
   mistake. While one can debate the merits of prepending to a subset
   of multiple transit providers, it is difficult to see the utility in
   prepending to every provider. In this configuration, the prepending
   is no longer shaping route propagation. It is simply incentivizing
   ASes to choose another origin if one were to suddenly appear whether
   by mistake or otherwise.
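   The two cases above (the 23-times prepended 95.47.142.0/23 path in
   2.1 and the prepend-to-all path behind AS7795 in 2.2) can be checked
   mechanically from route-collector data. The Python below is an added
   example, not code from the draft or its authors: it audits a prefix's
   observed AS paths for origin prepend depth and prepend-to-all, and
   shows that the draft's fabricated 999999 3255 197158 path beats the
   legitimate one on AS_PATH length alone. The sample paths are
   constructed from the draft's figures; the subset case and its
   documentation ASNs 64496-64500 (RFC 5398) are an assumption used to
   show the contrast the draft draws between prepending to some
   providers and prepending to all of them.

```python
from typing import Dict, List, Optional

def origin_prepends(as_path: List[int]) -> int:
    """Consecutive copies of the origin AS at the tail of AS_PATH (1 means no prepending)."""
    origin, count = as_path[-1], 0
    for asn in reversed(as_path):
        if asn != origin:
            break
        count += 1
    return count

def upstream_of(as_path: List[int]) -> Optional[int]:
    """The AS that took the route directly from the origin (None if the path is the origin alone)."""
    n = origin_prepends(as_path)
    return as_path[-n - 1] if len(as_path) > n else None

def wins_on_length(candidate: List[int], incumbent: List[int]) -> bool:
    """RFC 4271 best-path selection prefers the shorter AS_PATH; every prepended entry counts."""
    return len(candidate) < len(incumbent)

def audit_prefix(paths: List[List[int]]) -> Dict[str, object]:
    """Summarise prepending risk for one prefix from the AS paths seen at route collectors.
    'prepend_to_all' is True when every upstream carries a prepended announcement: the
    prepending then steers nothing and only lengthens the path a competing origin must beat."""
    by_upstream: Dict[Optional[int], int] = {}
    for path in paths:
        up = upstream_of(path)
        by_upstream[up] = max(by_upstream.get(up, 0), origin_prepends(path))
    return {
        "origin": paths[0][-1],
        "prepends_by_upstream": by_upstream,
        "prepend_to_all": all(n > 1 for n in by_upstream.values()),
        "longest_seen": max(len(p) for p in paths),
    }

# Constructed sample input, built from the AS paths quoted in the draft.
PREFIX_95 = [[3255] + [197158] * 23]          # 95.47.142.0/23: 23x behind its only upstream
PREFIX_12 = [[3257, 7795] + [12163] * 6]      # 12.5.48.0/21 in the 2010 leak: 6x behind AS7795
FABRICATED = [999999, 3255, 197158]           # the draft's fictional competing announcement
# Constructed contrast case (assumption, not from the draft): 3x to three providers, no
# prepend to a fourth. Documentation ASNs 64496-64500 (RFC 5398) stand in; origin is 64500.
SUBSET = [[u, 64500, 64500, 64500] for u in (64496, 64497, 64498)] + [[64499, 64500]]

if __name__ == "__main__":
    for name, paths in (("95.47.142.0/23", PREFIX_95), ("12.5.48.0/21", PREFIX_12),
                        ("constructed subset case", SUBSET)):
        print(name, audit_prefix(paths))
    print("fabricated route beats 95.47.142.0/23 on length:",
          wins_on_length(FABRICATED, PREFIX_95[0]))
```

   Run against a prefix's own paths as exported from a route collector,
   a "prepend_to_all" result with a single upstream is exactly the
   configuration the draft warns about.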
2.3. Route Competition

   So what happens when a non-prepended route competes against an
   excessively prepended route? Let's consider a real-world example.
   The Polish route 91.149.240.0/22 is normally announced with the
   origin prepended three times (41952 41952 41952) to three providers
   and prepended twice to a fourth. Beginning at 15:28:14 UTC on June
   6, a new origin that was not prepended appeared in the routing table
   for this route. As is illustrated in the graphic below, AS60781
   End of changes. 10 change blocks. 41 lines changed or deleted, 36
   lines changed or added.

   This html diff was produced by rfcdiff 1.48. The latest version is
   available from http://tools.ietf.org/tools/rfcdiff/