idnits 2.17.1 draft-ietf-sidr-pfx-validate-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 2012) is 4303 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'I-D.ietf-idr-as0' is defined on line 392, but no explicit reference was found in the text == Unused Reference: 'I-D.ietf-sidr-rpki-rtr' is defined on line 401, but no explicit reference was found in the text ** Obsolete normative reference: RFC 4893 (Obsoleted by RFC 6793) == Outdated reference: A later version (-06) exists of draft-ietf-idr-as0-05 == Outdated reference: A later version (-23) exists of draft-ietf-sidr-origin-ops-17 Summary: 1 error (**), 0 flaws (~~), 7 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Mohapatra 3 Internet-Draft Cisco Systems 4 Intended status: Standards Track J. Scudder 5 Expires: December 31, 2012 Juniper Networks 6 D. Ward 7 Cisco Systems 8 R. Bush 9 Internet Initiative Japan 10 R. Austein 11 Dragon Research Labs 12 July 2012 14 BGP Prefix Origin Validation 15 draft-ietf-sidr-pfx-validate-08 17 Abstract 19 To help reduce well-known threats against BGP including prefix mis- 20 announcing and monkey-in-the-middle attacks, one of the security 21 requirements is the ability to validate the origination AS of BGP 22 routes. More specifically, one needs to validate that the AS number 23 claiming to originate an address prefix (as derived from the AS_PATH 24 attribute of the BGP route) is in fact authorized by the prefix 25 holder to do so. This document describes a simple validation 26 mechanism to partially satisfy this requirement. 28 Status of This Memo 30 This Internet-Draft is submitted in full conformance with the 31 provisions of BCP 78 and BCP 79. 33 Internet-Drafts are working documents of the Internet Engineering 34 Task Force (IETF). Note that other groups may also distribute 35 working documents as Internet-Drafts. The list of current Internet- 36 Drafts is at http://datatracker.ietf.org/drafts/current/. 38 Internet-Drafts are draft documents valid for a maximum of six months 39 and may be updated, replaced, or obsoleted by other documents at any 40 time. It is inappropriate to use Internet-Drafts as reference 41 material or to cite them other than as "work in progress." 43 This Internet-Draft will expire on December 31, 2012. 45 Copyright Notice 47 Copyright (c) 2012 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents (http://trustee.ietf.org/ 52 license-info) in effect on the date of publication of this document. 53 Please review these documents carefully, as they describe your rights 54 and restrictions with respect to this document. Code Components 55 extracted from this document must include Simplified BSD License text 56 as described in Section 4.e of the Trust Legal Provisions and are 57 provided without warranty as described in the Simplified BSD License. 59 This document may contain material from IETF Documents or IETF 60 Contributions published or made publicly available before November 61 10, 2008. The person(s) controlling the copyright in some of this 62 material may not have granted the IETF Trust the right to allow 63 modifications of such material outside the IETF Standards Process. 64 Without obtaining an adequate license from the person(s) controlling 65 the copyright in such materials, this document may not be modified 66 outside the IETF Standards Process, and derivative works of it may 67 not be created outside the IETF Standards Process, except to format 68 it for publication as an RFC or to translate it into languages other 69 than English. 71 Table of Contents 73 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 74 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 75 2. Prefix-to-AS Mapping Database . . . . . . . . . . . . . . . . 4 76 2.1. Pseudo-Code . . . . . . . . . . . . . . . . . . . . . . . 5 77 3. Policy Control . . . . . . . . . . . . . . . . . . . . . . . . 6 78 4. Interaction with Local Cache . . . . . . . . . . . . . . . . . 6 79 5. Deployment Considerations . . . . . . . . . . . . . . . . . . 7 80 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 81 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 82 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 83 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 84 9.1. Normative References . . . . . . . . . . . . . . . . . . . 8 85 9.2. Informational References . . . . . . . . . . . . . . . . . 8 86 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 88 1. Introduction 90 A BGP route associates an address prefix with a set of autonomous 91 systems (AS) that identify the interdomain path the prefix has 92 traversed in the form of BGP announcements. This set is represented 93 as the AS_PATH attribute in BGP [RFC4271] and starts with the AS that 94 originated the prefix. To help reduce well-known threats against BGP 95 including prefix mis-announcing and monkey-in-the-middle attacks, one 96 of the security requirements is the ability to validate the 97 origination AS of BGP routes. More specifically, one needs to 98 validate that the AS number claiming to originate an address prefix 99 (as derived from the AS_PATH attribute of the BGP route) is in fact 100 authorized by the prefix holder to do so. This document describes a 101 simple validation mechanism to partially satisfy this requirement. 103 The Resource Public Key Infrastructure (RPKI) describes an approach 104 to build a formally verifiable database of IP addresses and AS 105 numbers as resources. The overall architecture of RPKI as defined in 106 [RFC6480] consists of three main components: 108 o A public key infrastructure (PKI) with the necessary certificate 109 objects, 111 o Digitally signed routing objects, 113 o A distributed repository system to hold the objects that would 114 also support periodic retrieval. 116 The RPKI system is based on resource certificates that define 117 extensions to X.509 to represent IP addresses and AS identifiers 118 [RFC3779], thus the name RPKI. Route Origin Authorizations (ROA) 119 [RFC6482] are separate digitally signed objects that define 120 associations between ASes and IP address blocks. Finally the 121 repository system is operated in a distributed fashion through the 122 IANA, RIR hierarchy, and ISPs. 124 In order to benefit from the RPKI system, it is envisioned that 125 relying parties either at AS or organization level obtain a local 126 copy of the signed object collection, verify the signatures, and 127 process them. The cache must also be refreshed periodically. The 128 exact access mechanism used to retrieve the local cache is beyond the 129 scope of this document. 131 Individual BGP speakers can utilize the processed data contained in 132 the local cache to validate BGP announcements. The protocol details 133 to retrieve the processed data from the local cache to the BGP 134 speakers is beyond the scope of this document (refer to [I-D.ietf- 135 sidr-rpki-rtr] for such a mechanism). This document proposes a means 136 by which a BGP speaker can make use of the processed data in order to 137 assign a "validation state" to each prefix in a received BGP UPDATE 138 message. 140 Note that the complete path attestation against the AS_PATH attribute 141 of a route is outside the scope of this document. 143 Like the DNS, the global RPKI presents only a loosely consistent 144 view, depending on timing, updating, fetching, etc. Thus, one cache 145 or router may have different data about a particular prefix than 146 another cache or router. There is no 'fix' for this, it is the 147 nature of distributed data with distributed caches. 149 Although RPKI provides the context for this draft, it is equally 150 possible to use any other database which is able to map prefixes to 151 their authorized origin ASes. Each distinct database will have its 152 own particular operational and security characteristics; such 153 characteristics are beyond the scope of this document. 155 1.1. Requirements Language 156 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 157 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to 158 be interpreted as described in RFC 2119 [RFC2119] only when they 159 appear in all upper case. They may also appear in lower or mixed 160 case as English words, without any normative meaning. 162 2. Prefix-to-AS Mapping Database 164 The BGP speaker loads validated objects from the cache into local 165 storage. The objects loaded have the content (IP address, prefix 166 length, maximum length, origin AS number). We refer to such a locally 167 stored object as a "Validated ROA Payload" or "VRP". 169 We define several terms in addition to "VRP". Where these terms are 170 used, they are capitalized: 172 o Prefix: (IP address, prefix length), interpreted as is customary 173 (see [RFC4632]). 175 o Route: Data derived from a received BGP UPDATE, as defined in 176 [RFC4271], Section 1.1. The Route includes one Prefix and an 177 AS_PATH; it may include other attributes to characterize the 178 prefix. 180 o VRP Prefix: The Prefix from a VRP. 182 o VRP ASN: The origin AS number from a VRP. 184 o Route Prefix: The Prefix derived from a route. 186 o Route Origin ASN: The origin AS number derived from a Route as 187 follows: 189 * the rightmost AS in the final segment of the AS_PATH attribute 190 in the Route if that segment is of type AS_SEQUENCE, or 192 * the BGP speaker's own AS number if that segment is of type 193 AS_CONFED_SEQUENCE or AS_CONFED_SET or if the AS_PATH is empty, 194 or 196 * the distinguished value "NONE" if the final segment of the 197 AS_PATH attribute is of any other type. 199 o Covered: A Route Prefix is said to be Covered by a VRP when the 200 VRP prefix length is less than or equal to the Route prefix 201 length, and the VRP prefix address and the Route prefix address 202 are identical for all bits specified by the VRP prefix 203 length.(I.e. the Route prefix is either identical to the VRP 204 prefix or a more specific of the VRP prefix.) 206 o Matched: A Route Prefix is said to be Matched by a VRP when the 207 Route Prefix is Covered by that VRP and in addition, the Route 208 prefix length is less than or equal to the VRP maximum length and 209 the Route Origin ASN is equal to the VRP ASN. 211 Given these definitions, any given BGP Route will be found to have 212 one of the following "validation states": 214 o NotFound: No VRP Covers the Route Prefix. 216 o Valid: At least one VRP Matches the Route Prefix. 218 o Invalid: At least one VRP Covers the Route Prefix, but no VRP 219 Matches it. 221 We observe that no VRP can have the value "NONE" as its VRP ASN. Thus 222 a Route whose Origin ASN is "NONE" cannot be Matched by any VRP. 223 Similarly, no valid Route can have an Origin ASN of zero [I-D.ietf- 224 idr-as0]. Thus no Route can be Matched by a VRP whose ASN is zero. 226 When a BGP speaker receives an UPDATE from a neighbor, it SHOULD 227 perform a lookup as described above for each of the Routes in the 228 UPDATE message. The lookup SHOULD also be applied to routes which 229 are redistributed into BGP from another source, such as another 230 protocol or a locally defined static route. An implementation MAY 231 provide configuration options to control which routes the lookup is 232 applied to. The "validation state" of the Route MUST be set to 233 reflect the result of the lookup. The implementation should consider 234 the "validation state" as described in the document as a local 235 property or attribute of the Route. If validation is not performed 236 on a Route, the implementation SHOULD initialize the "validation 237 state" of such a route to "NotFound". 239 Use of the validation state is discussed in Section 3 and Section 5. 240 An implementation MUST NOT exclude a route from the Adj-RIB-In or 241 from consideration in the decision process as a side-effect of its 242 validation state, unless explicitly configured to do so. 244 We observe that a Route can be Matched or Covered by more than one 245 VRP. This procedure does not mandate an order in which VRPs must be 246 visited; however, the "validation state" output is fully determined. 248 2.1. Pseudo-Code 250 The following pseudo-code illustrates the procedure above. In case 251 of ambiguity, the procedure above, rather than the pseudo-code, 252 should be taken as authoritative. 254 result = BGP_PFXV_STATE_NOT_FOUND; 256 //Iterate through all the Covering entries in the local VRP 257 //database, pfx_validate_table. 258 entry = next_lookup_result(pfx_validate_table, route_prefix); 260 while (entry != NULL) { 261 prefix_exists = TRUE; 263 if (route_prefix_length <= entry->max_length) { 264 if (route_origin_as != NONE 265 && entry->origin_as != 0 266 && route_origin_as == entry->origin_as) { 267 result = BGP_PFXV_STATE_VALID; 268 return (result); 269 } 270 } 271 entry = next_lookup_result(pfx_validate_table, input.prefix); 272 } 274 //If one or more VRP entries Covered the route prefix, but 275 //no one Matched, return "Invalid" validation state. 276 if (prefix_exists == TRUE) { 277 result = BGP_PFXV_STATE_INVALID; 278 } 280 return (result); 282 3. Policy Control 284 An implementation MUST provide the ability to match and set the 285 validation state of routes as part of its route policy filtering 286 function. Use of validation state in route policy is elaborated in 287 Section 5. For more details on operational policy considerations, see 288 [I-D.ietf-sidr-origin-ops]. 290 An implementation MUST also support Four-Octet AS Numbers, [RFC4893]. 292 4. Interaction with Local Cache 294 Each BGP speaker supporting prefix validation as described in this 295 document is expected to communicate with one or more RPKI caches, 296 each of which stores a local copy of the global RPKI database. The 297 protocol mechanisms used to gather and validate these data and 298 present them to BGP speakers are described in [I-D.ietf-sidr-rpki- 299 rtr]. 301 The prefix-to-AS mappings used by the BGP speaker are expected to be 302 updated over time. When a mapping is added or deleted, the 303 implementation MUST re-validate any affected prefixes and run the BGP 304 decision process if needed. An "affected prefix" is any prefix that 305 was matched by a deleted or updated mapping, or could be matched by 306 an added mapping. 308 5. Deployment Considerations 310 Once a Route is selected for validation, it is categorized according 311 the procedure given in Section 2. Subsequently, routing policy as 312 discussed in Section 3 can be used to take action based on the 313 validation state. 315 Policies which could be implemented include filtering routes based on 316 validation state (for example, rejecting all "invalid" routes) or 317 adjusting a route's degree of preference in the selection algorithm 318 based on its validation state. The latter could be accomplished by 319 adjusting the value of such attributes as LOCAL_PREF. Considering 320 invalid routes for BGP decision process is a pure local policy matter 321 and should be done with utmost care. 323 In some cases (particularly when the selection algorithm is 324 influenced by the adjustment of a route property that is not 325 propagated into IBGP) it could be necessary for routing correctness 326 to propagate the validation state to the IBGP peer. This can be 327 accomplished on the sending side by setting a community or extended 328 community based on the validation state, and on the receiving side by 329 matching the (extended) community and setting the validation state. 331 6. Acknowledgments 333 The authors wish to thank Rex Fernando, Hannes Gredler, Mouhcine 334 Guennoun, Russ Housley, Junaid Israr, Miya Kohno, Shin Miyakawa, Taka 335 Mizuguchi, Hussein Mouftah, Keyur Patel, Tomoya Yoshida, Kannan 336 Varadhan, Wes George, Jay Borkenhagen, and Sandra Murphy. The 337 authors are grateful for the feedback from the members of the SIDR 338 working group. 340 Junaid Israr's contribution to this specification was part of his PhD 341 research work and thesis at University of Ottawa. 343 7. IANA Considerations 345 8. Security Considerations 346 Although this specification discusses one portion of a system to 347 validate BGP routes, it should be noted that it relies on a database 348 (RPKI or other) to provide validation information. As such, the 349 security properties of that database must be considered in order to 350 determine the security provided by the overall solution. If 351 "invalid" routes are blocked as this specification suggests, the 352 overall system provides a possible denial-of-service vector, for 353 example if an attacker is able to inject or remove one or more 354 records in the validation database, it could lead an otherwise valid 355 route to be marked as invalid. 357 In addition, this system is only able to provide limited protection 358 against a determined attacker -- the attacker need only prepend the 359 "valid" source AS to a forged BGP route announcement in order to 360 defeat the protection provided by this system. 362 This mechanism does not protect against "AS in the middle attacks" or 363 provide any path validation. It only attempts to verify the origin. 364 In general, this system should be thought of more as a protection 365 against misconfiguration than as true "security" in the strong sense. 367 9. References 369 9.1. Normative References 371 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 372 Requirement Levels", BCP 14, RFC 2119, March 1997. 374 [RFC3779] Lynn, C., Kent, S. and K. Seo, "X.509 Extensions for IP 375 Addresses and AS Identifiers", RFC 3779, June 2004. 377 [RFC4271] Rekhter, Y., Li, T. and S. Hares, "A Border Gateway 378 Protocol 4 (BGP-4)", RFC 4271, January 2006. 380 [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing 381 (CIDR): The Internet Address Assignment and Aggregation 382 Plan", BCP 122, RFC 4632, August 2006. 384 [RFC4893] Vohra, Q. and E. Chen, "BGP Support for Four-octet AS 385 Number Space", RFC 4893, May 2007. 387 [RFC6482] Lepinski, M., Kent, S. and D. Kong, "A Profile for Route 388 Origin Authorizations (ROAs)", RFC 6482, February 2012. 390 9.2. Informational References 392 [I-D.ietf-idr-as0] 393 Kumari, W., Bush, R., Schiller, H. and K. Patel, 394 "Codification of AS 0 processing.", Internet-Draft draft- 395 ietf-idr-as0-05, May 2012. 397 [I-D.ietf-sidr-origin-ops] 398 Bush, R., "RPKI-Based Origin Validation Operation", 399 Internet-Draft draft-ietf-sidr-origin-ops-17, June 2012. 401 [I-D.ietf-sidr-rpki-rtr] 402 Bush, R. and R. Austein, "The RPKI/Router Protocol", 403 Internet-Draft draft-ietf-sidr-rpki-rtr-26, February 2012. 405 [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support 406 Secure Internet Routing", RFC 6480, February 2012. 408 Authors' Addresses 410 Pradosh Mohapatra 411 Cisco Systems 412 170 W. Tasman Drive 413 San Jose, CA 95134 414 USA 416 Email: pmohapat@cisco.com 418 John Scudder 419 Juniper Networks 420 1194 N. Mathilda Ave 421 Sunnyvale, CA 94089 422 USA 424 Email: jgs@juniper.net 426 David Ward 427 Cisco Systems 428 170 W. Tasman Drive 429 San Jose, CA 95134 430 USA 432 Email: dward@cisco.com 434 Randy Bush 435 Internet Initiative Japan 436 5147 Crystal Springs 437 Bainbridge Island, Washington 98110 438 USA 440 Email: randy@psg.com 442 Rob Austein 443 Dragon Research Labs 445 Email: sra@hactrn.net