SIDR Operations                                           I. van Beijnum
Internet-Draft                                             BGPexpert.com
Updates: RFC 3779, RFC 8210 (if                            June 20, 2019
         approved)
Intended status: Experimental
Expires: December 22, 2019


                       Path validation with RPKI
                 draft-van-beijnum-sidrops-pathrpki-00

Abstract

   This memo adds the capability to validate the full BGP AS path to the
   RPKI mechanism.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 22, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.




Van Beijnum             Expires December 22, 2019               [Page 1]


Internet-Draft          Path validation with RPKI              June 2019


1.  Introduction

   With RPKI, it's possible for BGP routers to validate the origin AS
   found in the BGP AS path attribute for a given IP prefix.  However,
   RPKI can't validat the rest of the AS path, allowing for route leaks
   types 1 - 4 as described in RFC 7908 [RFC7908].

   This specification extends RPKI to allow for validating the full BGP
   AS path, based on the observation that each AS in a valid AS path has
   either a trust relation with the origin AS or has a trust relation
   with the local AS (the AS performing validation).  I.e., each
   intermediary AS provides transit service to either the origin AS or
   the local AS.

   An extension to RFC 3779 [RFC3779] allows for binding a list of
   allowed transit ASes to a set of IP addresses.  Operators of RPKI
   [RFC6480] relying party software add to this their list of locally
   allowed transit ASes through manual configuration.  An update to the
   RPKI-router protocol [RFC8210] lets relying party software propagate
   the thus created list of allowed ASes for the prefix(es) in question
   so BGP routers can validate the corresponding AS paths.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Changes to the ROA certificate format

   RFC 3779 [RFC3779] specifies an extension to X.509 certificates that
   contains a set of AS numbers: id-pe-autonomousSysIds.  This is the
   set of valid origin ASes for a given set of IP addresses.

   This memo adds another extension to X.509 certificates with the name
   id-pe-autonomousSysIdsPath.  id-pe-autonomousSysIdsPath is identical
   in syntax to the existing id-pe-autonomousSysIds, allowing for code
   reuse.

   An explicit specification of the id-pe-autonomousSysIdsPath extension
   will be added to a later version of this document.

3.  Changes to the RPKI-router protocol

   This memo updates the RPKI-router protocol [RFC8210] by adding
   version 2 of the RPKI-router protocol.  Version 2 is a superset of
   version 1; all implemenations that support version 2 MUST also
   support version 1.  Version negotiation is performed as specified in



Van Beijnum             Expires December 22, 2019               [Page 2]


Internet-Draft          Path validation with RPKI              June 2019


   RFC 8210 [RFC8210], with the addition that version 2 may now be
   advertised and used if advertised by both sides.

   Version 2 extends the IPv4 Prefix PDU and IPv6 Prefix PDU.  All
   version 1 PDUs (including the IPv4 and IPv6 Prefix PDUs) may also be
   used without changes by version 2, and are transmitted with version
   number 1.

   The format of the version 2 IPv4 Prefix PDU is as follows:

      0          8          16         24        31
      .-------------------------------------------.
      | Protocol |   PDU    |                     |
      | Version  |   Type   |         zero        |
      |    2     |    4     |                     |
      +-------------------------------------------+
      |                                           |
      |                   Length                  |
      |                                           |
      +-------------------------------------------+
      |          |  Prefix  |   Max    |          |
      |  Flags   |  Length  |  Length  |   zero   |
      |          |   0..32  |   0..32  |          |
      +-------------------------------------------+
      |                                           |
      |                IPv4 Prefix                |
      |                                           |
      +-------------------------------------------+
      |                                           |
      |       Autonomous System Number  1         |
      |                                           |
      +-------------------------------------------+
      |                                           |
      |       Autonomous System Number ...        |
      |                                           |
      +-------------------------------------------+
      |                                           |
      |       Autonomous System Number  n         |
      |                                           |
      `-------------------------------------------'

      Version: 2

      Length: the length of the PDU: 16 + 4 * the number of Autonomous
      System Numbers present.






Van Beijnum             Expires December 22, 2019               [Page 3]


Internet-Draft          Path validation with RPKI              June 2019


      Autonomous System Numbers: AS numbers allowed in the BGP AS path.
      See the section "path filter semantics" later in this document.
      At least one Autonomous System Number must be present.

      All other fields are the same as in version 1.

   The format of the version 2 IPv6 Prefix PDU is as follows:

      0          8          16         24        31
      .-------------------------------------------.
      | Protocol |   PDU    |                     |
      | Version  |   Type   |         zero        |
      |    2     |    6     |                     |
      +-------------------------------------------+
      |                                           |
      |                   Length                  |
      |                                           |
      +-------------------------------------------+
      |          |  Prefix  |   Max    |          |
      |  Flags   |  Length  |  Length  |   zero   |
      |          |  0..128  |  0..128  |          |
      +-------------------------------------------+
      |                                           |
      +---                                     ---+
      |                                           |
      +---            IPv6 Prefix              ---+
      |                                           |
      +---                                     ---+
      |                                           |
      +-------------------------------------------+
      |                                           |
      |       Autonomous System Number  1         |
      |                                           |
      +-------------------------------------------+
      |                                           |
      |       Autonomous System Number ...        |
      |                                           |
      +-------------------------------------------+
      |                                           |
      |       Autonomous System Number  n         |
      |                                           |
      `-------------------------------------------'

      Version: 2

      Length: the length of the PDU: 28 + 4 * the number of Autonomous
      System Numbers present.




Van Beijnum             Expires December 22, 2019               [Page 4]


Internet-Draft          Path validation with RPKI              June 2019


      Autonomous System Numbers: AS numbers allowed in the BGP AS path.
      See the section "path filter semantics" later in this document.
      At least one Autonomous System Number must be present.

      All other fields are the same as in version 1.

   For the purposes of determining uniqueness of IPvX PDUs, only the
   fields {Prefix, Len, Max-Len, ASN} are considered, as per RFC 8210
   [RFC8210], where ASN is the first Autonomous System Number in a
   version 2 IPvX PDU.

   So for a given {Prefix, Len, Max-Len, ASN} either a version 1 IPvX
   PDU or a version 2 IPvX PDU may be transmitted, but not both.  The
   relying party software generates a version 2 IPvX PDU when an id-pe-
   autonomousSysIdsPath with one or more ASes is present in a ROA and
   generates a version 1 IPvX PDU otherwise.

4.  Path filter semantics

   The order in which allowed ASes appear in a ROA is relevant.  This
   order, and the order of the locally allowed ASes, is retained in the
   list of ASes sent to routers using the RPKI-router protocol version
   2.  A BGP AS path validates when all unique AS numbers in the path
   are present in the filter in the same order, ignoring AS numbers
   present in the filter that are missing from the BGP AS path.

   If an AS path contains an AS_SET with more than one AS number in it
   and the implementation doesn't perform AS_SET sorting specified as an
   option in the BGP protocol specification [RFC4271] appendix F.4.,
   then filtering behavior is undefined.

   Example: the ROA for 192.0.2.0/24 lists the ASes 200 100.  The local
   relying party software is configured to allow the transit AS 800 and
   the local AS 900.  (The local AS normally doesn't appear in AS paths
   but may be prepended and SHOULD therefore be listed in the filter.)
   This results in the following sequence of Autonomous System Numbers
   in the RPKI-router protocol IPv4 Prefix PDU:

   100 200 800 900

   Conceptually, this results in the following regular expression BGP AS
   path filter:

   ^(900_)*(800_)*(200_)*(100_)+$

   However, filtering can be performed more efficiently as shown in the
   example code in the appendix.




Van Beijnum             Expires December 22, 2019               [Page 5]


Internet-Draft          Path validation with RPKI              June 2019


5.  Internet exchange route servers

   Many networks interconnect through internet exchanges.  In many
   cases, rather than maintain a direct BGP neighbor relationship
   between the routers in both ASes, networks connected through an
   internet exchange interconnect through one or more route servers
   operated by the internet exchange.

   As there are many internet exchanges throughout the world and
   connectivity is subject to change, it would be difficult to add all
   possible route servers ASes to ROAs.  However, in practice this many
   not be an issue as many route servers don't include their own AS in
   the AS path.

6.  IANA Considerations

   This memo includes no request to IANA.

7.  Security considerations

   When two organizations that communicate over the internet both fully
   implement this specification, they have the ability to make sure to
   avoid paths containing ASes that neither of them has authorized to
   carry their their communication, as long as the BGP AS path attribute
   is an accurate reflection of the actual communication path.

   In the absence of BGPsec [RFC8205], an AS that doesn't appear on the
   filter list may forge an AS path in order to reroute traffic through
   it.  However, that AS must then transmit BGP updates with an AS path
   that doesn't match its own AS as configured by its neighbor.  Some
   implementations check if the neighbor AS and the left most AS in AS
   paths are the same, as per the MAY in RFC 4271 [RFC4271] section 6.3.
   So these implementations would reject the forged AS path.

   Another way to accomplish the same result of a valid looking BGP AS
   path but an invalid communication path would be for a malicious
   network to connect to other networks by presenting a falsified AS
   number when setting up a BGP session.  It is unclear to what degree
   networks make sure the AS numbers that new customers or peers claim
   to hold are legitimate.

8.  References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.




Van Beijnum             Expires December 22, 2019               [Page 6]


Internet-Draft          Path validation with RPKI              June 2019


   [RFC3779]  Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
              Addresses and AS Identifiers", RFC 3779,
              DOI 10.17487/RFC3779, June 2004,
              <https://www.rfc-editor.org/info/rfc3779>.

   [RFC4271]  Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
              Border Gateway Protocol 4 (BGP-4)", RFC 4271,
              DOI 10.17487/RFC4271, January 2006,
              <https://www.rfc-editor.org/info/rfc4271>.

   [RFC6480]  Lepinski, M. and S. Kent, "An Infrastructure to Support
              Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480,
              February 2012, <https://www.rfc-editor.org/info/rfc6480>.

   [RFC7908]  Sriram, K., Montgomery, D., McPherson, D., Osterweil, E.,
              and B. Dickson, "Problem Definition and Classification of
              BGP Route Leaks", RFC 7908, DOI 10.17487/RFC7908, June
              2016, <https://www.rfc-editor.org/info/rfc7908>.

   [RFC8205]  Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol
              Specification", RFC 8205, DOI 10.17487/RFC8205, September
              2017, <https://www.rfc-editor.org/info/rfc8205>.

   [RFC8210]  Bush, R. and R. Austein, "The Resource Public Key
              Infrastructure (RPKI) to Router Protocol, Version 1",
              RFC 8210, DOI 10.17487/RFC8210, September 2017,
              <https://www.rfc-editor.org/info/rfc8210>.

Appendix A.  Appendix: filter code example

   #include <stdio.h>

   struct pfxpdu
     {
       unsigned int version;
       unsigned int type;
       unsigned int length;
       unsigned int *path_filter;
     };

   unsigned int path_filter[] = { 100, 200, 800, 900, 0 };
   unsigned int as_path[]     = { 900, 900, 800, 300, 200, 100, 0 };

   char *filter_as_path(struct pfxpdu *pfxpdu, unsigned int *as_path,
     int as_path_length)
   {
     unsigned int path_filter_length = (pfxpdu->length - 16) / 4;
     int path_filter_index;



Van Beijnum             Expires December 22, 2019               [Page 7]


Internet-Draft          Path validation with RPKI              June 2019


     int as_path_index;

     // if the path filter is empty we return status unknown
     if (path_filter_length < 1)
       return("unknown");

     // check the origin AS as per version 1 of the protocol
     if (as_path[as_path_length - 1] != pfxpdu->path_filter[0])
       return("invalid");

     // if the pfxpdu version == 2 then we check the entire path
     if (pfxpdu->version == 2)
       {
         path_filter_index = 0;
         for (as_path_index = as_path_length - 1; as_path_index >= 0;
           as_path_index--)
           {
             while (path_filter_index < path_filter_length &&
               as_path[as_path_index] !=
                 pfxpdu->path_filter[path_filter_index])
               path_filter_index++;
             if (path_filter_index >= path_filter_length)
               return("invalid");
           }
       }
     return("valid");
   }

   unsigned int count_length(unsigned int *asns)
   {
     unsigned int length = 0;

     while (asns[length] != 0)
       length++;
     return length;
   }

   int main()
   {
     int i;
     int as_path_length;
     struct pfxpdu pfxpdu;

     as_path_length = count_length(as_path);

     pfxpdu.version = 2;
     pfxpdu.type = 4;
     pfxpdu.length = 16 + 4 * count_length(path_filter);



Van Beijnum             Expires December 22, 2019               [Page 8]


Internet-Draft          Path validation with RPKI              June 2019


     pfxpdu.path_filter = path_filter;

     printf("Filter regexp: ^");
     for (i = (pfxpdu.length - 16) / 4 - 1; i > 0; i--)
       printf("(%d_)*", pfxpdu.path_filter[i]);
     printf("(%d_)+$\n", pfxpdu.path_filter[0]);

     printf("AS path:");
     for (i = 0; i < as_path_length; i++)
       printf(" %d", as_path[i]);
     printf("\n");

     printf("RPKI status: %s\n", filter_as_path(&pfxpdu, as_path,
       as_path_length));
   }

Author's Address

   Iljitsch van Beijnum
   BGPexpert.com

   Email: iljitsch@muada.com





























van Beijnum             Expires December 22, 2019               [Page 9]