Internet DRAFT - draft-giuliano-blocking-considerations
draft-giuliano-blocking-considerations
intarea L. Giuliano
Internet-Draft
Intended status: Best Current Practice M. Aelmans
Expires: 8 September 2022
T. Li
7 March 2022
Regional Internet Blocking Considerations
draft-giuliano-blocking-considerations-00
Abstract
Geopolitical conflicts can cause policy makers to question whether or
not blocking the Internet connectivity for an opposing region is a
constructive tactic. This document provides an overview of the
various technologies that can be used to implement regional blocking
of Internet connectivity and discusses the implications of these
options. This document does not advocate any policy or given
blocking mechanism, but does attempt to articulate the implications
of these blocking technologies for policy makers. The document also
intends to help inform policy makers from countries who could be
exposed to such blocking techniques on the implications of these
methods.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 8 September 2022.
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
Giuliano, et al. Expires 8 September 2022 [Page 1]
Internet-Draft Blocking Considerations March 2022
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Disconnection Methods . . . . . . . . . . . . . . . . . . . . 3
3.1. Physical layer . . . . . . . . . . . . . . . . . . . . . 4
3.2. Routing layer . . . . . . . . . . . . . . . . . . . . . . 4
3.2.1. Autonomous System Number Filtering . . . . . . . . . 5
3.2.2. De-peering . . . . . . . . . . . . . . . . . . . . . 5
3.2.3. Countering De-peering . . . . . . . . . . . . . . . . 6
3.2.4. Prefix Filtering . . . . . . . . . . . . . . . . . . 7
3.3. Packet Filtering . . . . . . . . . . . . . . . . . . . . 7
3.3.1. GeoIP ACLs . . . . . . . . . . . . . . . . . . . . . 8
3.4. DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4. Gaps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.1. Information Dissemination . . . . . . . . . . . . . . . . 9
4.1.1. Information Value . . . . . . . . . . . . . . . . . . 9
4.2. Information Concealment . . . . . . . . . . . . . . . . . 10
4.3. Misinformation . . . . . . . . . . . . . . . . . . . . . 10
4.4. Target Inaccuracy . . . . . . . . . . . . . . . . . . . . 10
4.4.1. Accuracy of Registry Information . . . . . . . . . . 11
4.5. Spoofing ASNs and Hijacking Prefixes . . . . . . . . . . 11
4.6. Porous Borders . . . . . . . . . . . . . . . . . . . . . 12
4.7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 12
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
6. Security Considerations . . . . . . . . . . . . . . . . . . . 12
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
7.1. Normative References . . . . . . . . . . . . . . . . . . 13
7.2. Informative References . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
Giuliano, et al. Expires 8 September 2022 [Page 2]
Internet-Draft Blocking Considerations March 2022
1. Introduction
Geopolitical conflicts can cause policy makers to question whether or
not blocking the Internet connectivity for an opposing region is a
constructive tactic. This document provides an overview of the
various technologies that can be used to implement regional blocking
of Internet connectivity and discusses the implications of these
options. This document does not advocate any policy or given
blocking mechanism, but does attempt to articulate the implications
of these blocking technologies for policy makers. The document also
intends to help inform policy makers from countries who could be
exposed to such blocking techniques on the implications of these
methods.
The content expressed in this document solely reflects the views of
the authors and do not necessarily reflect the views or positions of
any of our organizations, affiliates, friends, or enemies.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Scope
The scope of this document it limited to a description of well-known
methods for disrupting core Internet services including physical
cabling, Internet routing, filtering, and the Domain Name System.
The document does not intend to give any political directions or
advocate for implementing the described methods, nor does it intend
to be a guide for malicious attackers hence it will purely describe
concepts and does not provide actual configuration or implementation
methods.
3. Disconnection Methods
There are many ways of blocking a region's Internet connectivity. In
this section, we discuss some of them, their implications,
capabilities, advantages, and disadvantages.
Giuliano, et al. Expires 8 September 2022 [Page 3]
Internet-Draft Blocking Considerations March 2022
3.1. Physical layer
Disconnection at the physical layer is the most definitive method.
Cutting cables and severing fibers will most definitely stop bits
from passing. Unfortunately, this approach is also the most
expensive to repair. In the optimistic view that disconnection is
only intended to be temporary, creating downstream costs of physical
repair is distinctly suboptimal. This approach may also be selected
by the unscrupulous who have physical access to the media, but do not
have further physical or managerial access.
A less destructive physical layer disconnection is simply
disconnecting the fiber or cable, either at the terminating device,
optical module, patch panel, amplifier, repeater, or transponder.
This is easily repaired, but still requires physical access.
Unscrupulous parties that wish to prevent easy repairs would be
unlikely to select this option.
The simplest physical layer disconnection is administrative shutdown.
Managerially disabling a physical circuit is a trivial configuration
option that will sever communications. It is trivial to revert.
3.2. Routing layer
The Internet is a collection of many enterprises, web and cloud
hosting, access-providers, etc. networks connected to each other
using the Border Gateway Protocol (BGP) [RFC4271] to exchange routing
information between those networks.
The simplest explanation of how BGP works is to compare it to a group
of networks using the earlier described physical connections to
gossip with each other on their knowledge about their own and
neighboring networks. In other words, they exchange routing
information describing how to reach destinations on the Internet.
Connected entities play different roles in this ecosystem, some will
know how to reach all destinations on the Internet. These networks
are so-called Tier 1 providers and provide connectivity to Tier 2 and
Tier 3 networks. They offer services on a global scale and connect
thousands of networks.
Tier 2 providers are large regional or national operators (for
example the national service providers) offering services in country
or regional. They have connections to many other networks, provide
services to Tier 3 networks, but also purchase services from Tier 1
networks to reach destinations on the Internet they cannot reach
themselves.
Giuliano, et al. Expires 8 September 2022 [Page 4]
Internet-Draft Blocking Considerations March 2022
Tier 3 providers don't provide routing information knowledge to other
networks and are dependent from Tier 1 and Tier 2 networks to reach
destinations on the Internet. In this category are small service
providers or webhosting providers.
The BGP protocols offers several options to manipulate the routing
information that is exchanged between these networks.
3.2.1. Autonomous System Number Filtering
Networks participating in the exchange of routing information with
other networks use unique Autonomous System Numbers (ASNs) to
identify themselves. These numbers are assigned to them by the
Regional Internet Registries.
The ASN is used to construct a path to a destination prefix on the
Internet. For example, a Tier 1 advertises its prefix to a Tier 2
originating from its own ASN. Next the Tier 2 advertises the prefix
to a Tier 1 and adds its own ASN to the path. The route to reach
this prefix now looks as follows: ASN2 ASN1.
As networks are highly connected there are many ASN paths through the
Internet to reach destinations. The 'further away' the destination
is the longer the ASN path will be. On average most destinations on
the Internet are reachable in a maximum of 5 hops. In other words,
most destinations on the Internet can be reached via a maximum of 5
networks.
Networks that have a need to filter out another network with which
they don't have a direct peering session completely have, next to
filtering prefixes, the option to filter on ASN. When applying an
ASN filter, it will filter out all prefixes originating from that
specific ASN.
Mitigating ASN filtering requires similar measures as mitigating
prefix filters; networks with many upstream connections to Tier 1 and
2 networks will have a much lower chance of being completely filtered
as, if one out of many upstream peers filters the ASN (and so its
originating prefixes), others might still propagate them. This could
still result in prefixes not being globally reachable anymore, but
the chances are much lower.
3.2.2. De-peering
BGP uses a TCP session between two networks to exchange routing
information. Such a session is called a peering session. Disabling
such a session is referred to as de-peering.
Giuliano, et al. Expires 8 September 2022 [Page 5]
Internet-Draft Blocking Considerations March 2022
3.2.2.1. De-peering Tier 3 networks
In many cases Tier 3 networks are using a single Tier 1 or 2 network
for their connectivity to the Internet. In that case it's relatively
easy to disconnect such networks from the Internet by disabling their
peering sessions on the Tier 1 or 2 side.
3.2.2.2. De-peering Tier 2 networks
As described earlier these networks have multiple connections to
other Tier 2 providers and typically between 2-8 Tier 1 providers to
provide connectivity to the Internet. Subsequently, they could also
receive routing information via Internet Exchange Points giving them
even more options to reach destinations on the Internet.
De-peering such a network is much harder as one would need to disable
peering sessions in many networks and at multiple (probably
international) locations. Tier 2 networks will likely have
international connections as well. Pursuing networks to disable
these peering sessions in another jurisdiction could be very
complicated.
3.2.2.3. De-peering Tier 1 networks
By their nature, Tier 1 networks have global span and have thousands
of connections with other Tier 1, 2 and 3 networks. Fully
disconnecting such networks is considered almost impossible without
having physical and administrative access to the network itself.
Pursuing other networks to de-peer a Tier 1 network is impossible
because of the many countries they are present in and their
jurisdictions.
3.2.3. Countering De-peering
Entities that want to protect themselves against de-peering would
have a diversified connectivity strategy including multiple Tier 1
and 2 peers, actively peering on Internet Exchange Points, and
preferably possessing its own physical infrastructure to connect to
other networks in different countries or regions.
Tier 3 networks are most vulnerable to de-peering.
Giuliano, et al. Expires 8 September 2022 [Page 6]
Internet-Draft Blocking Considerations March 2022
3.2.4. Prefix Filtering
Each network that is part of the Internet uses unique IPv4 and IPv6
address prefixes ranges to expose services to its directly connected
(local) customers but also those connected via the Internet. These
prefixes are advertised over a BGP peering session to the neighboring
network so they will learn which prefixes originate from their
neighbor and know how to reach them. Subsequently, they will
advertise any routing knowledge they have about their neighboring
networks and the neighboring network of their neighbors, etc. This
way every network builds it own view of the Internet and map of how
to reach destinations.
For example, Tier 1 and 2 networks will both have 'downstream'
(customer) peering sessions with networks of which they have
knowledge about; the prefixes they are advertising. If one of these
networks wants to filter a neighbor, they could de-peer them as
discussed earlier but that would basically filter all prefixes. In
many cases, for example when intending to filter out social media, a
subset of the prefixes is enough to accomplish this goal.
With this method a Tier 1 could also filter out prefixes from a Tier
3 that it learns via a Tier 2. De-peering the Tier 2 would result in
all Tier 2 and all its customer prefixes becoming unreachable via
this Tier 1. If only prefixes advertised by the single Tier 3 need
to be filtered, the Tier 1 applies a prefix filter to the peering
session from which it receives the advertisements.
Contrary, networks with many upstream connections to Tier 1 and 2
networks will have a much lower chance of being completely filtered
as, if one out of many upstream peers filters the prefixes, others
might still propagate them. This could still result in the prefix
not being globally reachable anymore, but the chances are much lower.
3.3. Packet Filtering
Most network layer devices have the ability to filter traffic. The
mechanism for doing this is commonly called an "Access Control List"
(ACL). This is a possible mechanism for implementing a
disconnection. Typically, an ACL allows filtering on a combination
of source address, destination address, protocol number, and TCP/UDP
source or destination port number.
Giuliano, et al. Expires 8 September 2022 [Page 7]
Internet-Draft Blocking Considerations March 2022
3.3.1. GeoIP ACLs
The question then becomes one of ACL construction. However, this is
not simple. IP address space is delegated in large sets, commonly
known as 'prefixes.' Each prefix is assigned to an organization.
Some organizations, such as Internet Service Providers (ISPs) will in
turn delegate a portion of their address space to a customer.
Customers and service providers do not necessarily fall along clean
regional lines. Large multi-national corporations can receive a
prefix from an ISP in one region and may use it in an entirely
different region or even globally. They may also receive a prefix
directly from a Regional Internet Registry (RIR). Service providers
can obtain a prefix from an RIR and delegate parts of that prefix to
customers from another region. This can create both false positives
and false negatives when trying to map between a prefix and a region.
There are services which attempt to provide mappings from an IP
address or prefix to a region, commonly called 'GeoIP' services.
However, due to the above issues, these services cannot guarantee
their accuracy. Constructing an ACL based on GeoIP services is
likely to have unintended consequences, both filtering unintended
addresses and not filtering intended addresses. Some commercial
applications (notably streaming video) are willing to accept these
inaccuracies, but this may not be acceptable in all circumstances.
Virtual Private Networks (VPNs) and other tunneling mechanisms can be
used to create virtual topologies. If a single VPN server within a
target region is not blocked, then it can provide access to
innumerable other systems within the region, effectively bypassing
GeoIP filtering services. When these are discovered, they are
typically added to GeoIP databases, but this creates an ongoing
battle between VPN service providers and GeoIP providers. As a
result, this is an imperfect solution that may or may not be
sufficiently accurate.
3.4. DNS
Blocking DNS capabilities can be an effective method for inhibiting
end users from easily accessing Internet resources in a given region.
For example, removing the delegation entries in the root servers for
a given country code can prevent users from resolving the names of
all domains for that country code. This approach can be circumvented
to an extent with the creation of stub zones on resolving
nameservers, which can provide a shortcut delegation to the country
code top-level domain servers (ccTLDs) that are authoritative for
that country code. But these stub zone entries would have to be
manually created on any resolving nameserver that serves the
resolution requests of users seeking resolution of domains for that
Giuliano, et al. Expires 8 September 2022 [Page 8]
Internet-Draft Blocking Considerations March 2022
particular country code.
In the opposite direction, blocking resolution requests can inhibit
users coming from a region from easily accessing Internet resources.
Specifically, filters can be used to block resolving nameservers from
a given region, or can block resolution requests from end users
within a given region from making resolution requests to resolving
nameservers that reside outside that region.
4. Gaps
The mechanisms discussed above cover the salient technical points for
blocking a region. In this section, we discuss the various other
considerations that are relevant to regional blocking.
4.1. Information Dissemination
At the very lowest level, the Internet copies bits from one location
to another. Bits that are injected at one point are packetized,
forwarded, and hopefully show up at their intended destination. The
technology of the Internet does not care what is encoded in those
bits. Whether it is state secrets or yesterday's grocery list, the
Internet will happily ship it all the way around the world in
milliseconds. The intrinsic value, properties, and attributes of the
information conveyed in those bits is immaterial at the technological
level.
4.1.1. Information Value
Policies considering blocking the transfer of information must also
consider the value of the information that is being blocked.
Filtering mechanisms can be extremely coarse and block all
information, and this may not match the purposes of the policy.
Thus, a blocking policy may need to be extremely specific about its
goals and purposes.
A policy may want some information to be able to enter into a region.
Sending certain messages into the region may be beneficial to the
policy maker. Similarly, being able to get information out of a
region may be beneficial. Further, parties within a region may be
depending on global Internet connectivity to coordinate activities.
A policy that blocks too much information may be counterproductive to
the aims of the policy maker. A more selective policy would want
some information to be communicated and not other information.
Further, a selective policy is likely to be highly directional.
Information that should flow into the region may not be permitted
back out, and vice versa.
Giuliano, et al. Expires 8 September 2022 [Page 9]
Internet-Draft Blocking Considerations March 2022
4.2. Information Concealment
If a policy allows any information to transit a boundary, then there
is the technological possibility that other information may also
transit that boundary. Information can be disguised or concealed
through the use of cryptography, steganography, or other techniques.
Policy makers should assume that any mechanism that allows any
information to transit a boundary would eventually be used to
transfer information against the purposes of the policy.
4.3. Misinformation
If a policy blocks information from flowing into a region, that may
allow parties within that region to generate misinformation that is
not disputed by outside information. This may be highly advantageous
to the parties within the region. In the past, there have been many
occurrences when parties within a region disconnected from the
Internet precisely so that internal information could not be
disputed.
4.4. Target Inaccuracy
The Internet infrastructure does not assign address space or ASNs
according to strict regional, national, or continental boundaries.
While there is some rough correlation, that is the result of
administrative convenience. Thus, a prefix that is allocated from
the general pool of European address space may end up covering part
of Europe and Greenland. An ASN that was allocated for Singapore may
be used in Australia.
This is further complicated by the fact that the parties that receive
an ASN or prefix are not obligated or constrained to use it in a
given region. If an organization acquires an ASN and subsequently
grows outside of its original region, it may still use that ASN. If
a company is assigned a prefix and the company is acquired by another
firm, then that prefix could be used in a completely different
hemisphere.
Consequently, if a policy elects to block traffic based on ASNs and
prefixes, it may have unintended consequences, potentially blocking
unintended traffic and not blocking proscribed traffic.
Giuliano, et al. Expires 8 September 2022 [Page 10]
Internet-Draft Blocking Considerations March 2022
4.4.1. Accuracy of Registry Information
Many public resources are available to query Internet routing related
information including, IPv4, IPv6 and ASN resource holders, routing
intentions and actual reachability data. Unfortunately, the data
doesn't always represent the actual situation, can be incomplete and
in quite a few occasions outdated.
4.4.1.1. Internet Routing Registries
Internet Routing Registry (IRR) databases hold information about
network operators routing intentions. For example, ASN holders can
specify with whom they have peering relationships. This could give
an indication which networks a specific ASN is connected to, however
the data is entered (manually or automated) by network operators and
isn't per se verified.
In practice IRR databases are between 40-70% accurate. However, some
show an accuracy of around 95%.
4.4.1.2. RPKI
Resource Public Key Infrastructure (RPKI) is a public key
infrastructure (PKI) framework to support improved security for the
Internet's BGP routing infrastructure. The most important property
is that in RPKI only legitimate resource holders can make statements
about the IPv4, IPv6 and ASN resources they hold. This means that
any information, right or wrong, found in RPKI databases represents
the intention of, or at least is entered into RPKI by, the rightful
holder.
RPKI is therefore considered to be 100% accurate. The downside of
RPKI is that there aren't records for every resource and a large
portion of the IPv4, IPv6 and ASN resources don't have records in
RPKI.
4.5. Spoofing ASNs and Hijacking Prefixes
If a policy attempts to filter routing advertisements based on an
ASN, then the opposition may attempt to counter that filtering
attempt by using an alternate ASN. The alternate ASN may be an
unused one, an ASN that has been assigned but is not actively in use
elsewhere, or could be one that is actively assigned to another
party. Using this ASN, the opposition could advertise its prefixes
into BGP, bypass the ASN filter, and regain connectivity.
Giuliano, et al. Expires 8 September 2022 [Page 11]
Internet-Draft Blocking Considerations March 2022
Similarly, if a policy attempts to filter routing advertisements or
implement forwarding plane filters based on assigned prefixes, then
the opposition may attempt to circumvent these policies by obtaining,
advertising, and deploying alternate prefixes. As with ASNs, these
prefixes could come from unassigned address space, address space that
has been assigned but is not actively advertised, or even address
space that is actively advertised by other parties.
There are security mechanisms that have been developed to help
counter these possible attacks (IRR filtering [RFC7682], RPKI
[RFC6811], and BGPsec [RFC8205]), but they are not ubiquitously
deployed and may or may not be effective, depending on the
operational procedures of ISPs that provide connectivity to the
region.
4.6. Porous Borders
The Internet is, by design, a decentralized system of
interconnections. Thus, it is nearly impossible to completely block
Internet access for a region. Simply put, there will always be ways
to circumvent any blocking attempts by sufficiently motivated
parties. However, there are certain chokepoints and various methods,
as described above, that can significantly inhibit connectivity and
throughput for users going to/coming from a given region.
4.7. Acknowledgments
This document was inspired by the thoughtful comments of many friends
and colleagues.
5. IANA Considerations
This document makes no requests of IANA.
6. Security Considerations
This document discusses technical and policy considerations of
blocking Internet access for regions, and their potential impact on
global security.
This document does not present new attack or defense strategies and
merely discusses the implications of a variety of technical
approaches. This document does not advocate or dissuade any policy
about blocking Internet connectivity, it discusses various
considerations that policy makers should understand prior to setting
policy.
7. References
Giuliano, et al. Expires 8 September 2022 [Page 12]
Internet-Draft Blocking Considerations March 2022
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
7.2. Informative References
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271,
DOI 10.17487/RFC4271, January 2006,
<https://www.rfc-editor.org/info/rfc4271>.
[RFC6811] Mohapatra, P., Scudder, J., Ward, D., Bush, R., and R.
Austein, "BGP Prefix Origin Validation", RFC 6811,
DOI 10.17487/RFC6811, January 2013,
<https://www.rfc-editor.org/info/rfc6811>.
[RFC7682] McPherson, D., Amante, S., Osterweil, E., Blunk, L., and
D. Mitchell, "Considerations for Internet Routing
Registries (IRRs) and Routing Policy Configuration",
RFC 7682, DOI 10.17487/RFC7682, December 2015,
<https://www.rfc-editor.org/info/rfc7682>.
[RFC8205] Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol
Specification", RFC 8205, DOI 10.17487/RFC8205, September
2017, <https://www.rfc-editor.org/info/rfc8205>.
Authors' Addresses
Lenny Giuliano
Email: lenny@lenny.net
Melchior Aelmans
Email: melchior@aelmans.eu
Tony Li
Email: tony.li@tony.li
Giuliano, et al. Expires 8 September 2022 [Page 13]