This comment applies to draft-ietf-sidr-roa-validation
and also to draft-ietf-sidr-pfx-validate-00.

One additional question that I feel the origin validation algorithms need to
consider is as follows. Should there be a fourth Validation state added to the
existing three?

1. Valid
2. Valid-i (Valid - imperfect; AS matches but max-length exceeded) -- proposed new state
3. Unknown (or Not Found)
4. Invalid

The rationale for the proposed additional state "Valid-i" is as follows.

Let us say a prefix owner has prefix 10.1.0.0/20 and also owns AS1.
He has a ROA registered: {10.1.0.0/20, AS1, maxlength = 22},
and has announced 10.1.0.0/20 with origin AS = AS1.
An adversary has AS2, and announces 10.1.0.0/23 with origin AS = AS2.
During partial deployment, the adversary's announcement gets
accepted in routing tables because potentially the /23 could be a suballocation
to a customer with AS2 that does not have a ROA yet.

The legitimate prefix owner detects that there is a hijack attempt,
and then announces 10.1.0.0/23 with origin AS = AS1
in order to recover quickly at least some of the traffic.
But both the hijack update of the adversary as well as the recovery
update of the legitimate prefix owner for 10.1.0.0/23 will be marked as "Invalid".
The legitimate prefix owner has no advantage over the hijacker!

I think this is not desirable. The origin AS in the recovery update
matches that in the ROA, except that the legitimate owner
has momentarily exceeded the maxlength in order to recover his hijacked subprefix.
If we introduce the additional validation state "Valid-i" as
described above, then this undue disadvantage for the legitimate
owner can be mitigated.
Routers will give higher preference for "Valid-i" over "Invalid"
and thus mitigate the problem stated above.
The same principles will apply if the legitimate prefix owner
wants to recover his traffic by announcing even more specific /24s.

Sriram
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Geoff Huston
> Sent: Wednesday, November 10, 2010 9:12 PM
> To: [email protected] wg
> Cc: [email protected]
> Subject: [sidr] WG Last Call Request for draft-ietf-sidr-roa-validation-10
>
> Hi,
>
> We've revised this draft as per the informal poll of the WG in today's SIDR
> meeting regarding the text concerning an "origin AS" when the AS_PATH
> contains an AS_SET path element.
>
> We request the chairs to conduct a WG Last Call for this draft.
>
> thanks
>
> Geoff & George
>
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
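
The scenario in the message above, worked through as an added example (not code from the message or from either draft): the same ROA and announcements are classified once with the three existing states and once with the proposed "Valid-i" state. The names `ROA`, `validate`, `preferred_origins` and the `RANK` ordering are assumptions made for this illustration.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str       # e.g. "10.1.0.0/20"
    asn: int
    max_length: int

# Constructed sample data: the single ROA from the message's example.
ROAS = [ROA("10.1.0.0/20", 1, 22)]

# Assumed ranking, following the order in which the message lists the states;
# the message itself only states that "Valid-i" is preferred over "Invalid".
RANK = {"valid": 3, "valid-i": 2, "unknown": 1, "invalid": 0}

def validate(route_prefix, origin_as, roas, four_state=False):
    """Classify one announcement against a set of ROAs."""
    route = ipaddress.ip_network(route_prefix)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        # subnet_of() raises TypeError across IP versions, so check first.
        if net.version == route.version and route.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "unknown"          # no ROA covers this prefix at all
    if any(r.asn == origin_as and route.prefixlen <= r.max_length for r in covering):
        return "valid"
    # Proposed state: origin AS matches a covering ROA, maxlength exceeded.
    if four_state and any(r.asn == origin_as for r in covering):
        return "valid-i"
    return "invalid"

def preferred_origins(prefix, origins, roas, four_state):
    """Origin AS(es) with the best validation state for one prefix."""
    states = {asn: validate(prefix, asn, roas, four_state) for asn in origins}
    best = max(RANK[s] for s in states.values())
    return sorted(asn for asn, s in states.items() if RANK[s] == best)

if __name__ == "__main__":
    for four_state in (False, True):
        label = "four-state" if four_state else "three-state"
        for asn in (1, 2):
            print(label, "10.1.0.0/23", f"AS{asn}",
                  validate("10.1.0.0/23", asn, ROAS, four_state))
        print(label, "preferred:", preferred_origins("10.1.0.0/23", [1, 2], ROAS, four_state))
```

With three states both /23 announcements tie as "invalid"; with the fourth state only the AS1 recovery announcement is "valid-i", so validation state alone separates it from the AS2 announcement.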