Internet DRAFT - draft-beck-bgp-security-tracking
draft-beck-bgp-security-tracking
SIDR Working Group J. Beck
Internet-Drafts A. Gray
Intended status: Standards Track Charter
Expires: Oct 1, 2019 Mar 2019
BGP Security Tracking
draft-beck-bgp-security-tracking-00
Abstract
This document describes the BGP Path Security Tracking attribute, an
extension to BGP-4. This attribute provides a transitive means for
networks to indicate BGP security checks in place to upstream
networks. Upstream networks can optionally use that information to
modify the path selection algorithm giving preference to paths
reporting better security where the prefix length is the same and
as-path length is similar. Effectively reporting no security would
be treated the same as prepending the announcement once and reporting
strong security would be treated the same as not prepending. The net
result of using the information to influence path selection is that
more secured paths would be preferred over less secured paths.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on Oct 1, 2019.
Beck, et al. Expires Oct 1, 2019 [Page 1]
Internet-Draft BGP Security Tracking Nov 2018
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................2
2. Requirements Language ...........................................3
3. BGP Security Tracking Attribute .................................3
4. Canonical Representation.........................................4
5. Cost Value of Security Methods Used..............................4
6. Modifying Path Selection Algorithm...............................5
7. Error Handling...................................................5
8. Security Considerations .........................................5
9. IANA Considerations .............................................6
10. References .....................................................6
10.1. Normative References ......................................6
10.2. Informative References ....................................6
Acknowledgments ....................................................7
Contributors .......................................................7
Authors' Addresses .................................................8
1. Introduction
Securing BGP from unauthorized prefix leaks is important. There are
multiple measures available to validate inbound route announcements
but most are only locally significant within an autonomous system
(AS).The BGP Security tracking attribute allows a BGP speaking router
to optionally mark the validation steps that were performed on a
prefix with an attribute after accepting the prefix as valid for the
purpose of transparency and allowing that information to influence
the BGP path selection process. A router that learns of a prefix
equal in length from multiple sources may optionally choose a path
with better advertised security practices over a less secured one.
The intent is to encourage better security practices and partially
limit the radius and impact of unauthorized route announcements.
Functionally the path selection is modified by assigning a cost
based security practices implemented. A network with no ingress
security would have a cost of 1 and a network with good ingress
security would have a cost of 0. The BGP path selection algorithm
would then be modified to evaluate the sum of ASN's in AS_PATH
combined with the security measures for each network. A prefix
with an AS_PATH length of 3 with no security would have a "cost"
of 6 and prefix with an AS_PATH length of 3 with "good" security
would have a "cost" of 3 allowing preference to the theoretically
more secure path. Because the "cost" of security is less than or
equal to an additional ASN in AS_PATH a bad actor is discouraged
from spoofing false ASN's for the purpose of forging the security
of that relationship.
Beck, et al. Expires Oct 1, 2019 [Page 2]
Internet-Draft BGP Security Tracking Nov 2018
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. BGP Security Tracking Attribute
This document defines the BGP Security Tracking attribute as an
optional transitive path attribute of variable length. The values
are written to the prefix being accepted by the border router
typically over an eBGP session before being announced upstream
to other iBGP or eBGP peers. Networks opting not to disclose the
information or not running supporting software do not push a value
to the accepted prefix.
(Attribute type code for Security Tracking is to be assigned by IANA)
The format of the field is a concatenated list of 32-bit pairs of
values, with each pair having the following definition:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ASN Writing Value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved |B|R|R|A|C|P|N|
| |S|E|V|P|M|L|D|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
All bits in the bitfield must start set to zero, and then set as below:
+------+-------------+------------------------------------------------+
| Abbr | Name | Set to 1 if and only if |
+------+-------------+------------------------------------------------+
| BS | BGPSec | Evaluated against BGPSec and returned VALID |
| RE | RPKI Eval | Evaluated against RPKI and was not INVALID |
| RV | RPKI Valid | Evaluated against RPKI and was VALID |
| AP | AS-Path | Validated against a per-customer AS-Path filter|
| CM | Community | Validated against a community tag value |
| PL | Prefix List | Validated against a per-customer prefix list |
| ND | Blocked | Data Not Disclosed |
+------+-------------+------------------------------------------------+
The order of the attribute SHOULD reflect the order of ASN's in the
AS_PATH. An ASN that is in the AS_PATH that lacks a corresponding BGP
Security Tracking Attribute is assumed to be not participating or not
supported.
Setting a value is OPTIONAL but a network router MUST NOT modify
values written by other downstream ASN's in the AS_PATH.
A value SHOULD be determined by the ingress router over an eBGP
boundary. The originating ASN MUST NOT set a value for itself.
Beck, et al. Expires Oct 1, 2019 [Page 3]
Internet-Draft BGP Security Tracking Nov 2018
4. Canonical Representation
The canonical representation of the BGP Security Tracking attribute
is 2 separate unsigned integers in decimal notation in the following
order: Autonomous System Number, Security Methods Used. Numbers MUST
NOT contain leading zeros; a zero value MUST be represented with a
single zero. Each number is separated from the next by a single colon.
For example: 64496:50 (RPKI Valid, validated against prefix list) or
64496:1 (data administratively suppressed).
5. Cost Value of Security Methods Used
84% of ASN's are stubs. Average AS-PATH length is 4-5 hops
or 3.8 hops after accounting for prepends. Research by Sharon
Goldberg and Boston University reflects that security against
invalid announcements requires a combination of methods to be
successful.
(Ref: http://www.cs.bu.edu/~goldbe/papers/BGPsecurityGoldbe.pdf)
As such, it is the intent of the cost values to reward use of
multiple approaches and best practices. The use of the BGP Security
Tracking attribute to modify the Path Selection Algorithm of BGP is
OPTIONAL.
Methodology: By default networks with no security or no available
data have a cost metric of 1. That value is reduced by 0.5 or 0.25
for validation methods used until the cost reaches 0 with 0 being the
lowest possible and 1 being the highest possible value.
The cost reduction amounts are as follows:
1. Not Disclosed -0
2. Filtered against prefix list -0.5
3. RPKI Valid -0.5
4. RPKI Invalid +1
5. BGPsec -0.5
6. Validated against community -0.25
7. Validated against AS_PATH -0.25
6. Modifying BGP Best Path Selection Algorithm
The use of the BGP Security Tracking attribute to modify the BGP Best
Path Selection Algorithm of BGP is OPTIONAL.
In the path selection algorithm where a prefix is normally selected
based on shortest AS_PATH this process is modified to take the sum of
the AS_PATH plus the security tracking cost of the path. Functionally
less secured paths have a higher cost of AS_PATH + Security and more
secured paths have a lower cost of AS_PATH + Security.
Example 6.1
View from within ASN 64496:
Security Attribute:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 64496 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0 |1|0|1|1|0|1|0| - cost = 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 64497 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0 |0|0|0|1|1|0|0| - cost = 0.5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 64498 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0 |0|0|0|0|0|1|0| - cost = 0.5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
In example 6.1 even though the AS_PATH length is 3 the combined
"cost" to reach the prefix is 4. There is no security value for ASN
64499 because it is the originating ASN and doesn't perform ingress
validation of its own routes. There are 3 security tracking values
because 64496:90 was written by the local ASN.
Example 6.2
View from within ASN 64496:
Security Attribute:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 64996 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0 |0|0|0|0|0|0|1| - cost = 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 65537 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0 |0|0|0|0|0|0|1| - cost = 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 65536 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0 |1|0|1|1|0|1|0| - cost = 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
In example 6.2 even the AS_PATH length is 3 and the security "cost"
is 2 for a total cost to reach the prefix of 5. A network evaluating
a prefix with equal length received from both the example 6.1 and 6.2
path will see example 6.1 as having a shorter [AS_PATH + Security]
preferring it.
In the event of a tie in combined AS_PATH + Security length the path
with the lower security cost should be preferred breaking the tie. In
the event they are both tied the router should continue through
normal path selection or ECMP behavior.
Beck, et al. Expires Oct 1, 2019 [Page 4]
Internet-Draft BGP Security Tracking Nov 2018
7. Error Handling
The error handling of BGP Path Security Tracking is as follows:
o A BGP Security Tracking attribute SHALL be considered malformed if
the length of the BGP Security Tracking Attribute value, expressed
in octets, is not a non-zero multiple of 8.
o A BGP Security Tracking attribute SHALL be considered
malformed due to presence of duplicate ASNs.
o A BGP Security Tracking attribute exceeding the number of
ASNs in AS_PATH SHALL pair entries with corresponding ASN's in
AS_PATH ignoring invalid entries (to handle potential
repercussions of remove-private)
o A BGP UPDATE message with a malformed BGP Security Tracking
attribute SHALL be handled using the approach of "treat-as-
withdraw" as described in Section 2 of [RFC7606].
o If bits in the Reserved section are set, they MUST be preserved
and MUST NOT be used for evaluation of the security "cost".
The BGP Security Tracking ASN field may contain any value,
and a BGP Security Tracking attribute MUST NOT be considered
malformed if the ASN field contains an unallocated, unassigned,
or reserved ASN.
Beck, et al. Expires Oct 1, 2019 [Page 5]
Internet-Draft BGP Security Tracking Nov 2018
8. Security Considerations
As this document describes a security protocol, many aspects of
security interest are described in relevant sections. This section
points out issues that may not be obvious in other sections.
Spoofing of invalid path attribute values:
The most obvious means to defeat this measure is to falsify data
about security checks that were not actually performed such as
reporting that a prefix has been thoroughly validated when it has
not. This is addressed by being lower to equal in value in the BGP
Best Path Algorithm. If a bad actor is able to forge data it would
generally be more beneficial to do so by shorting the AS_PATH rather
than falsifying data about prefix validation or spoofing downstream
ASN's for the purpose of reporting those borders as secure.
The exception to this is that it is possible to defeat RPKI
validation by spoofing the valid origin ASN as being downstream
artificially extending the AS_PATH length for the purpose of
validating RPKI. In that case it would be more beneficial to forge
the path security attribute data rather than shorten the AS_PATH.
More Specific Prefix Announcement:
The purpose of the path security tracking is to be able to select
more secure paths over less secure paths where prefix length is
equal. It does not override the preference for more specific routes
over less specific routes and as such doesn't directly address the
problem of invalid more specific announcements into the BGP table.
It does indirectly help by encouraging adoption of better input
validation and potential increased adoption of recommended best
practices.
Network administrators should note the recommendations in [RFC7454]
"BGP Operations and Security".
Beck, et al. Expires Oct 1, 2019 [Page 6]
Internet-Draft BGP Security Tracking Nov 2018
9. IANA Considerations
It is requested that IANA assign a value for SECURITY_TRACKING for
an optional transitive attribute under the "BGP Path Attributes"
subregistry under the Border Gateway Protocol (BGP) Parameters
registry.
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271,
DOI 10.17487/RFC4271, January 2006,
<http://www.rfc-editor.org/info/rfc4271>.
[RFC7606] Chen, E., Ed., Scudder, J., Ed., Mohapatra, P., and K.
Patel, "Revised Error Handling for BGP UPDATE Messages",
RFC 7606, DOI 10.17487/RFC7606, August 2015,
<http://www.rfc-editor.org/info/rfc7606>.
10.2. Informative References
[RFC1997] Chandra, R., Traina, P., and T. Li, "BGP Communities
Attribute", RFC 1997, DOI 10.17487/RFC1997, August 1996,
<http://www.rfc-editor.org/info/rfc1997>.
[RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended
Communities Attribute", RFC 4360, DOI 10.17487/RFC4360,
February 2006, <http://www.rfc-editor.org/info/rfc4360>.
[RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet
Autonomous System (AS) Number Space", RFC 6793,
DOI 10.17487/RFC6793, December 2012,
<http://www.rfc-editor.org/info/rfc6793>.
[RFC7300] Haas, J. and J. Mitchell, "Reservation of Last Autonomous
System (AS) Numbers", BCP 6, RFC 7300,
DOI 10.17487/RFC7300, July 2014,
<http://www.rfc-editor.org/info/rfc7300>.
[RFC7454] Durand, J., Pepelnjak, I., and G. Doering, "BGP Operations
and Security", BCP 194, RFC 7454, DOI 10.17487/RFC7454,
February 2015, <http://www.rfc-editor.org/info/rfc7454>.
Beck, et al. Expires Oct 1, 2019 [Page 7]
Internet-Draft BGP Security Tracking Nov 2018
[RFC7607] Kumari, W., Bush, R., Schiller, H., and K. Patel,
"Codification of AS 0 Processing", RFC 7607,
DOI 10.17487/RFC7607, August 2015,
<http://www.rfc-editor.org/info/rfc7607>.
Acknowledgments
The authors would like to thank Jon Doe
Contributors
The following people contributed significantly to the content of the
document:
Jon Doe
Company Name
Email: email@domain.com
Beck, et al. Expires Oct 1, 2019 [Page 8]
Internet-Draft BGP Security Tracking Nov 2018
Authors' Addresses
Jody Beck
Charter Communications
14810 Grasslands Drive
Englewood, CO 80112
United States of America
Email: jody.beck@charter.com
Andrew Gray
Charter Communications
14810 Grasslands Drive
Englewood, CO 80112
United States of America
Email: andrew.gray@charter.com
Beck, et al. Expires Oct 1, 2019 [Page 9]