Origin Validation Policy Considerations for Dropping Invalid Routes
draft-sriram-sidrops-drop-invalid-policy-00

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft whose latest revision state is "Expired".
Authors Kotikalapudi Sriram , Oliver Borchert , Doug Montgomery
Last updated 2018-03-05
RFC stream (None)
Formats
txt htmlized pdf bibtex bibxml
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
Email authors IPR References Referenced by Nits Search email archive
draft-sriram-sidrops-drop-invalid-policy-00 
SIDROPS Working Group                                          K. Sriram
Internet-Draft                                               O. Borchert
Intended status: Best Current Practice                     D. Montgomery
Expires: September 6, 2018                                      USA NIST
                                                           March 5, 2018

  Origin Validation Policy Considerations for Dropping Invalid Routes
              draft-sriram-sidrops-drop-invalid-policy-00

Abstract

   During incremental deployment of RPKI and Route Origin Authorizations
   (and possibly under some transient conditions), network operators
   would wish to have a meaningful policy for dropping Invalid routes.
   Their goal is to balance (A) dropping Invalid routes so hijacked
   routes can be eliminated, versus (B) tolerance for missing or
   erroneously created ROAs for customer prefixes.  This document
   considers a Drop Invalid if Still Routable (DISR) policy that is
   based on these considerations.  The key principle of DISR policy is
   that an Invalid route can be dropped if a Valid or NotFound route
   exists for a subsuming less specific prefix.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 6, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of

Sriram, et al.          Expires September 6, 2018               [Page 1]
Internet-Draft           Dropping Invalid Routes              March 2018

   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Drop Invalid if Still Routable (DISR) Policy  . . . . . . . .   2
     2.1.  Motivation for the DISR Policy  . . . . . . . . . . . . .   3
   3.  Algorithm for Implementation of DISR Policy . . . . . . . . .   4
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   5.  Normative References  . . . . . . . . . . . . . . . . . . . .   5
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Introduction

   During incremental deployment of RPKI [RFC6481] and Route Origin
   Authorizations [RFC6482] (and possibly under some transient
   conditions), network operators would wish to have a meaningful policy
   for dropping Invalid routes (see [RFC6811] for validation state
   definitions).  Their goal is to balance (A) dropping Invalid routes
   so hijacked routes can be eliminated, versus (B) tolerance for
   missing or erroneously created ROAs for customer prefixes.  This
   document considers a Drop Invalid if Still Routable (DISR) policy
   that is based on these considerations.  The key principle of DISR
   policy is that an Invalid route can be dropped if a Valid or NotFound
   route exists for a subsuming less specific prefix.

   The DISR policy applies in addition to (1) preferring Valid when more
   than one route exists for the same prefix, and (2) NotFound routes
   are always included in the best path selection process.  Note that
   the existence of a NotFound route excludes the possibility of an
   alternate Valid or Invalid route for the same prefix or a subsuming
   less specific prefix.

   This document also provides an algorithm for best path selection
   policy that considers Origin Validation (OV) outcome and includes the
   DISR policy.

2.  Drop Invalid if Still Routable (DISR) Policy

   When origin validation (OV) is performed on a BGP route, there are
   three possible outcomes: (1) Valid, (2) Invalid, or (3) NotFound (see
   definitions in [RFC6811]).  During partial/incremental deployment of

Sriram, et al.          Expires September 6, 2018               [Page 2]
Internet-Draft           Dropping Invalid Routes              March 2018

   RPKI and Route Origin Authorizations, it is natural to always include
   Valid and NotFound routes in the path selection decision process.
   (Note: Valid and NotFound are mutually exclusive, i.e., there cannot
   be two routes for a prefix where one is Valid and the other is
   NotFound.  The same is also true about Invalid and NotFound.)  If
   Invalid routes are always dropped from consideration, then there
   would be no tolerance for missing or erroneously created ROAs for
   customer prefixes.  Then, the question arises: Should an Invalid
   route be dropped only if another Valid or NotFound route exists for
   subsuming a less specific prefix?  This policy is called Drop Invalid
   if Still Routable (DISR).

2.1.  Motivation for the DISR Policy

   Consider these scenarios:

   Scenario 1: A transit ISP A (AS A) created a ROA for a /22 prefix
   they announce.  They also announce a /24 prefix (subsumed in the /22)
   that is owned by directly-connected customer X (has no AS).  But ISP
   A neglected to create a ROA for X's /24 prefix.  Clearly, the
   announcement of X's /24 will be Invalid.  ISP A happens to propagate
   to neighbors the /22 and the /24.

   Scenario 2: Customer X (AS X) announces a /22 prefix to transit ISP A
   and a /24 prefix (subsumed in the /22) to transit ISP B.  X is
   attempting to do traffic engineering (TE).  X created a ROA for the
   /22, but neglected to have ROA coverage for the /24.  Clearly, X's
   announcement of the /24 will be Invalid.  X happens to propagate the
   /24 to ISP B; ISP B does not participate in OV and propagates the
   Invalid route to its neighbors.

   In each of the above scenarios, DISR policy (applied at routers
   elsewhere in the Internet) ensures that traffic for the more specific
   (/24) still reaches the correct destination, i.e., customer X (albeit
   possibly via a suboptimal / non-TE path).  Any actual hijacks of the
   /24 prefix would be dropped at all eBGP routers that employ the DISR
   policy.

   Measurements show that there are 10,417 Invalid prefix-origin pairs
   in the global Internet (based on NIST Routeviews/RPKI/ROA data
   analysis, February 2018).  Of these, 6846 are Invalid due to
   maxlength violation. 6027 (of the 6846) are seen to be routable via
   Valid or NotFound routes for the same prefix (as in the Invalid
   route) or a subsuming less specific prefix.  Again, 5987 (of the
   6027) are routes for which the corresponding Valid or NotFound routes
   (with the same or subsuming less specific prefix) have the exact same
   origin AS as in the Invalid route in question.  These measurements
   show that Scenarios 1 and 2 described above do occur in significant

Sriram, et al.          Expires September 6, 2018               [Page 3]
Internet-Draft           Dropping Invalid Routes              March 2018

   numbers currently.  So, the data lends support the efficacy of the
   DISR policy in terms of delivering the data traffic to the right
   destination (though not necessarily via the optimal/TE path).

   The following is recommended in BCP 185 [RFC7115]: "Before issuing a
   ROA for a super-block, an operator MUST ensure that all sub-
   allocations from that block that are announced by other ASes, e.g.,
   customers, have correct ROAs in the RPKI."  However, as seen by the
   above measurement data, there are lapses in following this
   recommendation.

   Network operators who do not wish to drop Invalid routes outright
   (during partial deployment or possibly in transient conditions),
   SHOULD consider employing the DISR policy.  It helps eliminate actual
   prefix hijacks, while incentivizing creation of required ROAs and the
   adherence to the above recommendation from BCP 185.  The stick used
   here is the possibility of data traveling via a suboptimal path,
   while the more aggressive stick of dropping all Invalid routes is
   held in abeyance.

3.  Algorithm for Implementation of DISR Policy

   An algorithm for implementation of the DISR policy is as follows.

   Perform the following steps when a route is received:

   1.  Perform OV [RFC6811].

   2.  The second step consists of:

       *  Modify LOCAL_PREF value: Add Kv if Valid; Add Knf if NotFound;
          Add Ki if Invalid (Kv > Knf >> Ki).

       *  Store the route in RIB-in.

   3.  Apply route selection algorithm (this includes consideration of
       LOCAL_PREF and other parameters such as MED, etc. in the
       appropriate order [RFC4271]).

   4.  If selected route is Valid/NotFound, then add the route to Loc-
       RIB; Else, if Invalid, then add the route to Loc-RIB only if
       there is no existing route in the Loc-RIB for a subsuming Less
       Specific prefix.

   Additional steps in the algorithm that are performed in reaction to
   addition/withdrawal of routes that influence DISR policy decisions
   and due to changes in RPKI:

Sriram, et al.          Expires September 6, 2018               [Page 4]
Internet-Draft           Dropping Invalid Routes              March 2018

   a.  When a Valid/NotFound route is added to Loc-RIB, check to see if
       there are any more-specific prefixes subsumed by the route prefix
       that are in Loc-RIB; If such more-specific prefix is Invalid,
       then remove it from Loc-RIB.

   b.  When a Valid/NotFound route is withdrawn from Loc-RIB, check to
       see if there are any more-specifics prefixes subsumed by the
       route prefix that are in RIB-in; If such more-specific prefix is
       Invalid, then rerun the route selection decision (Steps 3 and 4
       above) for it.

   c.  When router learns of RPKI state change, then list all the
       prefixes effected by it.  Rerun Steps 1 through 4 for those
       prefixes.

4.  Security Considerations

   This document addresses some aspects of best common practices for
   origin validation and related BGP policy.  The security
   considerations provided in RFC 6811 [RFC6811] and BCP 185 [RFC7115]
   also apply here.

5.  Normative References

   [RFC4271]  Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
              Border Gateway Protocol 4 (BGP-4)", RFC 4271,
              DOI 10.17487/RFC4271, January 2006,
              <https://www.rfc-editor.org/info/rfc4271>.

   [RFC6481]  Huston, G., Loomans, R., and G. Michaelson, "A Profile for
              Resource Certificate Repository Structure", RFC 6481,
              DOI 10.17487/RFC6481, February 2012,
              <https://www.rfc-editor.org/info/rfc6481>.

   [RFC6482]  Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
              Origin Authorizations (ROAs)", RFC 6482,
              DOI 10.17487/RFC6482, February 2012,
              <https://www.rfc-editor.org/info/rfc6482>.

   [RFC6811]  Mohapatra, P., Scudder, J., Ward, D., Bush, R., and R.
              Austein, "BGP Prefix Origin Validation", RFC 6811,
              DOI 10.17487/RFC6811, January 2013,
              <https://www.rfc-editor.org/info/rfc6811>.

   [RFC7115]  Bush, R., "Origin Validation Operation Based on the
              Resource Public Key Infrastructure (RPKI)", BCP 185,
              RFC 7115, DOI 10.17487/RFC7115, January 2014,
              <https://www.rfc-editor.org/info/rfc7115>.

Sriram, et al.          Expires September 6, 2018               [Page 5]
Internet-Draft           Dropping Invalid Routes              March 2018

Acknowledgements

   The authors wish to thank Sebastian Spies for discussions related to
   this work.  Also, thanks are due to Lilia Hannachi for her insightful
   analysis of global RPKI and BGP data that has been helpful in this
   work.

Authors' Addresses

   Kotikalapudi Sriram
   USA National Institute of Standards and Technology

   Email: ksriram@nist.gov

   Oliver Borchert
   USA National Institute of Standards and Technology

   Email: oliver.borchert@nist.gov

   Doug Montgomery
   USA National Institute of Standards and Technology

   Email: dougm@nist.gov

Sriram, et al.          Expires September 6, 2018               [Page 6]