idnits 2.17.1 draft-ietf-sidr-pfx-validate-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (June 2012) is 4332 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'I-D.ietf-idr-as0' is defined on line 385, but no explicit reference was found in the text == Unused Reference: 'I-D.ietf-sidr-rpki-rtr' is defined on line 394, but no explicit reference was found in the text ** Obsolete normative reference: RFC 4893 (Obsoleted by RFC 6793) == Outdated reference: A later version (-06) exists of draft-ietf-idr-as0-05 == Outdated reference: A later version (-23) exists of draft-ietf-sidr-origin-ops-16 Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Mohapatra 3 Internet-Draft Cisco Systems 4 Intended status: Standards Track J. Scudder 5 Expires: December 01, 2012 Juniper Networks 6 D. Ward 7 Cisco Systems 8 R. Bush 9 Internet Initiative Japan 10 R. Austein 11 Dragon Research Labs 12 June 2012 14 BGP Prefix Origin Validation 15 draft-ietf-sidr-pfx-validate-07 17 Abstract 19 To help reduce well-known threats against BGP including prefix mis- 20 announcing and monkey-in-the-middle attacks, one of the security 21 requirements is the ability to validate the origination AS of BGP 22 routes. More specifically, one needs to validate that the AS number 23 claiming to originate an address prefix (as derived from the AS_PATH 24 attribute of the BGP route) is in fact authorized by the prefix 25 holder to do so. This document describes a simple validation 26 mechanism to partially satisfy this requirement. 28 Status of This Memo 30 This Internet-Draft is submitted in full conformance with the 31 provisions of BCP 78 and BCP 79. 33 Internet-Drafts are working documents of the Internet Engineering 34 Task Force (IETF). Note that other groups may also distribute 35 working documents as Internet-Drafts. The list of current Internet- 36 Drafts is at http://datatracker.ietf.org/drafts/current/. 38 Internet-Drafts are draft documents valid for a maximum of six months 39 and may be updated, replaced, or obsoleted by other documents at any 40 time. It is inappropriate to use Internet-Drafts as reference 41 material or to cite them other than as "work in progress." 43 This Internet-Draft will expire on December 01, 2012. 45 Copyright Notice 47 Copyright (c) 2012 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents (http://trustee.ietf.org/ 52 license-info) in effect on the date of publication of this document. 53 Please review these documents carefully, as they describe your rights 54 and restrictions with respect to this document. Code Components 55 extracted from this document must include Simplified BSD License text 56 as described in Section 4.e of the Trust Legal Provisions and are 57 provided without warranty as described in the Simplified BSD License. 59 This document may contain material from IETF Documents or IETF 60 Contributions published or made publicly available before November 61 10, 2008. The person(s) controlling the copyright in some of this 62 material may not have granted the IETF Trust the right to allow 63 modifications of such material outside the IETF Standards Process. 64 Without obtaining an adequate license from the person(s) controlling 65 the copyright in such materials, this document may not be modified 66 outside the IETF Standards Process, and derivative works of it may 67 not be created outside the IETF Standards Process, except to format 68 it for publication as an RFC or to translate it into languages other 69 than English. 71 Table of Contents 73 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 74 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 75 2. Prefix-to-AS Mapping Database . . . . . . . . . . . . . . . . 4 76 2.1. Pseudo-Code . . . . . . . . . . . . . . . . . . . . . . . 5 77 3. Policy Control . . . . . . . . . . . . . . . . . . . . . . . . 6 78 4. Interaction with Local Cache . . . . . . . . . . . . . . . . . 6 79 5. Deployment Considerations . . . . . . . . . . . . . . . . . . 7 80 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 81 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 82 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 83 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 84 9.1. Normative References . . . . . . . . . . . . . . . . . . . 8 85 9.2. Informational References . . . . . . . . . . . . . . . . . 8 86 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 88 1. Introduction 90 A BGP route associates an address prefix with a set of autonomous 91 systems (AS) that identify the interdomain path the prefix has 92 traversed in the form of BGP announcements. This set is represented 93 as the AS_PATH attribute in BGP [RFC4271] and starts with the AS that 94 originated the prefix. To help reduce well-known threats against BGP 95 including prefix mis-announcing and monkey-in-the-middle attacks, one 96 of the security requirements is the ability to validate the 97 origination AS of BGP routes. More specifically, one needs to 98 validate that the AS number claiming to originate an address prefix 99 (as derived from the AS_PATH attribute of the BGP route) is in fact 100 authorized by the prefix holder to do so. This document describes a 101 simple validation mechanism to partially satisfy this requirement. 103 The Resource Public Key Infrastructure (RPKI) describes an approach 104 to build a formally verifiable database of IP addresses and AS 105 numbers as resources. The overall architecture of RPKI as defined in 106 [RFC6480] consists of three main components: 108 o A public key infrastructure (PKI) with the necessary certificate 109 objects, 111 o Digitally signed routing objects, 113 o A distributed repository system to hold the objects that would 114 also support periodic retrieval. 116 The RPKI system is based on resource certificates that define 117 extensions to X.509 to represent IP addresses and AS identifiers 118 [RFC3779], thus the name RPKI. Route Origin Authorizations (ROA) 119 [RFC6482] are separate digitally signed objects that define 120 associations between ASes and IP address blocks. Finally the 121 repository system is operated in a distributed fashion through the 122 IANA, RIR hierarchy, and ISPs. 124 In order to benefit from the RPKI system, it is envisioned that 125 relying parties either at AS or organization level obtain a local 126 copy of the signed object collection, verify the signatures, and 127 process them. The cache must also be refreshed periodically. The 128 exact access mechanism used to retrieve the local cache is beyond the 129 scope of this document. 131 Individual BGP speakers can utilize the processed data contained in 132 the local cache to validate BGP announcements. The protocol details 133 to retrieve the processed data from the local cache to the BGP 134 speakers is beyond the scope of this document (refer to [I-D.ietf- 135 sidr-rpki-rtr] for such a mechanism). This document proposes a means 136 by which a BGP speaker can make use of the processed data in order to 137 assign a "validation state" to each prefix in a received BGP UPDATE 138 message. 140 Note that the complete path attestation against the AS_PATH attribute 141 of a route is outside the scope of this document. 143 Although RPKI provides the context for this draft, it is equally 144 possible to use any other database which is able to map prefixes to 145 their authorized origin ASes. Each distinct database will have its 146 own particular operational and security characteristics; such 147 characteristics are beyond the scope of this document. 149 1.1. Requirements Language 151 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 152 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 153 document are to be interpreted as described in RFC 2119 [RFC2119]. 155 2. Prefix-to-AS Mapping Database 157 The BGP speaker loads validated objects from the cache into local 158 storage. The objects loaded have the content (IP address, prefix 159 length, maximum length, origin AS number). We refer to such a locally 160 stored object as a "Validated ROA Payload" or "VRP". 162 We define several terms in addition to "VRP". Where these terms are 163 used, they are capitalized: 165 o Prefix: (IP address, prefix length), interpreted as is customary 166 (see [RFC4632]). 168 o Route: Data derived from a received BGP UPDATE, as defined in 169 [RFC4271], Section 1.1. The Route includes one Prefix and an 170 AS_PATH; it may include other attributes to characterize the 171 prefix. 173 o VRP Prefix: The Prefix from a VRP. 175 o VRP ASN: The origin AS number from a VRP. 177 o Route Prefix: The Prefix derived from a route. 179 o Route Origin ASN: The origin AS number derived from a Route as 180 follows: 182 * the rightmost AS in the final segment of the AS_PATH attribute 183 in the Route if that segment is of type AS_SEQUENCE, or 185 * the BGP speaker's own AS number if that segment is of type 186 AS_CONFED_SEQUENCE or AS_CONFED_SET or if the AS_PATH is empty, 187 or 189 * the distinguished value "NONE" if the final segment of the 190 AS_PATH attribute is of any other type. 192 o Covered: A Route Prefix is said to be Covered by a VRP when the 193 VRP prefix length is less than or equal to the Route prefix 194 length, and the VRP prefix address and the Route prefix address 195 are identical for all bits specified by the VRP prefix 196 length.(I.e. the Route prefix is either identical to the VRP 197 prefix or a more specific of the VRP prefix.) 199 o Matched: A Route Prefix is said to be Matched by a VRP when the 200 Route Prefix is Covered by that VRP and in addition, the Route 201 prefix length is less than or equal to the VRP maximum length and 202 the Route Origin ASN is equal to the VRP ASN. 204 Given these definitions, any given BGP Route will be found to have 205 one of the following "validation states": 207 o NotFound: No VRP Covers the Route Prefix. 209 o Valid: At least one VRP Matches the Route Prefix. 211 o Invalid: At least one VRP Covers the Route Prefix, but no VRP 212 Matches it. 214 We observe that no VRP can have the value "NONE" as its VRP ASN. Thus 215 a Route whose Origin ASN is "NONE" cannot be Matched by any VRP. 216 Similarly, no valid Route can have an Origin ASN of zero [I-D.ietf- 217 idr-as0]. Thus no Route can be Matched by a VRP whose ASN is zero. 219 When a BGP speaker receives an UPDATE from a neighbor, it SHOULD 220 perform a lookup as described above for each of the Routes in the 221 UPDATE message. The lookup SHOULD also be applied to routes which 222 are redistributed into BGP from another source, such as another 223 protocol or a locally defined static route. An implementation MAY 224 provide configuration options to control which routes the lookup is 225 applied to. The "validation state" of the Route MUST be set to 226 reflect the result of the lookup. The implementation should consider 227 the "validation state" as described in the document as a local 228 property or attribute of the Route. If validation is not performed 229 on a Route, the implementation SHOULD initialize the "validation 230 state" of such a route to "NotFound". 232 Use of the validation state is discussed in Section 3 and Section 5. 233 An implementation MUST NOT exclude a route from the Adj-RIB-In or 234 from consideration in the decision process as a side-effect of its 235 validation state, unless explicitly configured to do so. 237 We observe that a Route can be Matched or Covered by more than one 238 VRP. This procedure does not mandate an order in which VRPs must be 239 visited; however, the "validation state" output is fully determined. 241 2.1. Pseudo-Code 243 The following pseudo-code illustrates the procedure above. In case 244 of ambiguity, the procedure above, rather than the pseudo-code, 245 should be taken as authoritative. 247 result = BGP_PFXV_STATE_NOT_FOUND; 249 //Iterate through all the Covering entries in the local VRP 250 //database, pfx_validate_table. 251 entry = next_lookup_result(pfx_validate_table, route_prefix); 253 while (entry != NULL) { 254 prefix_exists = TRUE; 256 if (route_prefix_length <= entry->max_length) { 257 if (route_origin_as != NONE 258 && entry->origin_as != 0 259 && route_origin_as == entry->origin_as) { 260 result = BGP_PFXV_STATE_VALID; 261 return (result); 262 } 263 } 264 entry = next_lookup_result(pfx_validate_table, input.prefix); 265 } 267 //If one or more VRP entries Covered the route prefix, but 268 //no one Matched, return "Invalid" validation state. 269 if (prefix_exists == TRUE) { 270 result = BGP_PFXV_STATE_INVALID; 271 } 273 return (result); 275 3. Policy Control 277 An implementation MUST provide the ability to match and set the 278 validation state of routes as part of its route policy filtering 279 function. Use of validation state in route policy is elaborated in 280 Section 5. For more details on operational policy considerations, see 281 [I-D.ietf-sidr-origin-ops]. 283 An implementation MUST also support Four-Octet AS Numbers, [RFC4893]. 285 4. Interaction with Local Cache 287 Each BGP speaker supporting prefix validation as described in this 288 document is expected to communicate with one or more RPKI caches, 289 each of which stores a local copy of the global RPKI database. The 290 protocol mechanisms used to gather and validate these data and 291 present them to BGP speakers are described in [I-D.ietf-sidr-rpki- 292 rtr]. 294 The prefix-to-AS mappings used by the BGP speaker are expected to be 295 updated over time. When a mapping is added or deleted, the 296 implementation MUST re-validate any affected prefixes and run the BGP 297 decision process if needed. An "affected prefix" is any prefix that 298 was matched by a deleted or updated mapping, or could be matched by 299 an added mapping. 301 5. Deployment Considerations 303 Once a Route is selected for validation, it is categorized according 304 the procedure given in Section 2. Subsequently, routing policy as 305 discussed in Section 3 can be used to take action based on the 306 validation state. 308 Policies which could be implemented include filtering routes based on 309 validation state (for example, rejecting all "invalid" routes) or 310 adjusting a route's degree of preference in the selection algorithm 311 based on its validation state. The latter could be accomplished by 312 adjusting the value of such attributes as LOCAL_PREF. Considering 313 invalid routes for BGP decision process is a pure local policy matter 314 and should be done with utmost care. 316 In some cases (particularly when the selection algorithm is 317 influenced by the adjustment of a route property that is not 318 propagated into IBGP) it could be necessary for routing correctness 319 to propagate the validation state to the IBGP peer. This can be 320 accomplished on the sending side by setting a community or extended 321 community based on the validation state, and on the receiving side by 322 matching the (extended) community and setting the validation state. 324 6. Acknowledgments 326 The authors wish to thank Rex Fernando, Hannes Gredler, Mouhcine 327 Guennoun, Russ Housley, Junaid Israr, Miya Kohno, Shin Miyakawa, Taka 328 Mizuguchi, Hussein Mouftah, Keyur Patel, Tomoya Yoshida, Kannan 329 Varadhan, Wes George, Jay Borkenhagen, and Sandra Murphy. The 330 authors are grateful for the feedback from the members of the SIDR 331 working group. 333 Junaid Israr's contribution to this specification was part of his PhD 334 research work and thesis at University of Ottawa. 336 7. IANA Considerations 338 8. Security Considerations 339 Although this specification discusses one portion of a system to 340 validate BGP routes, it should be noted that it relies on a database 341 (RPKI or other) to provide validation information. As such, the 342 security properties of that database must be considered in order to 343 determine the security provided by the overall solution. If 344 "invalid" routes are blocked as this specification suggests, the 345 overall system provides a possible denial-of-service vector, for 346 example if an attacker is able to inject or remove one or more 347 records in the validation database, it could lead an otherwise valid 348 route to be marked as invalid. 350 In addition, this system is only able to provide limited protection 351 against a determined attacker -- the attacker need only prepend the 352 "valid" source AS to a forged BGP route announcement in order to 353 defeat the protection provided by this system. 355 This mechanism does not protect against "AS in the middle attacks" or 356 provide any path validation. It only attempts to verify the origin. 357 In general, this system should be thought of more as a protection 358 against misconfiguration than as true "security" in the strong sense. 360 9. References 362 9.1. Normative References 364 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 365 Requirement Levels", BCP 14, RFC 2119, March 1997. 367 [RFC3779] Lynn, C., Kent, S. and K. Seo, "X.509 Extensions for IP 368 Addresses and AS Identifiers", RFC 3779, June 2004. 370 [RFC4271] Rekhter, Y., Li, T. and S. Hares, "A Border Gateway 371 Protocol 4 (BGP-4)", RFC 4271, January 2006. 373 [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing 374 (CIDR): The Internet Address Assignment and Aggregation 375 Plan", BCP 122, RFC 4632, August 2006. 377 [RFC4893] Vohra, Q. and E. Chen, "BGP Support for Four-octet AS 378 Number Space", RFC 4893, May 2007. 380 [RFC6482] Lepinski, M., Kent, S. and D. Kong, "A Profile for Route 381 Origin Authorizations (ROAs)", RFC 6482, February 2012. 383 9.2. Informational References 385 [I-D.ietf-idr-as0] 386 Kumari, W., Bush, R., Schiller, H. and K. Patel, 387 "Codification of AS 0 processing.", Internet-Draft draft- 388 ietf-idr-as0-05, May 2012. 390 [I-D.ietf-sidr-origin-ops] 391 Bush, R., "RPKI-Based Origin Validation Operation", 392 Internet-Draft draft-ietf-sidr-origin-ops-16, May 2012. 394 [I-D.ietf-sidr-rpki-rtr] 395 Bush, R. and R. Austein, "The RPKI/Router Protocol", 396 Internet-Draft draft-ietf-sidr-rpki-rtr-26, February 2012. 398 [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support 399 Secure Internet Routing", RFC 6480, February 2012. 401 Authors' Addresses 403 Pradosh Mohapatra 404 Cisco Systems 405 170 W. Tasman Drive 406 San Jose, CA 95134 407 USA 409 Email: pmohapat@cisco.com 411 John Scudder 412 Juniper Networks 413 1194 N. Mathilda Ave 414 Sunnyvale, CA 94089 415 USA 417 Email: jgs@juniper.net 419 David Ward 420 Cisco Systems 421 170 W. Tasman Drive 422 San Jose, CA 95134 423 USA 425 Email: dward@cisco.com 427 Randy Bush 428 Internet Initiative Japan 429 5147 Crystal Springs 430 Bainbridge Island, Washington 98110 431 USA 433 Email: randy@psg.com 435 Rob Austein 436 Dragon Research Labs 438 Email: sra@hactrn.net