draft-ietf-grow-filtering-threats-06.txt   draft-ietf-grow-filtering-threats-07.txt 
Network Working Group Camilo Cardona Network Working Group Camilo Cardona
Internet-Draft IMDEA Networks/UC3M Internet-Draft IMDEA Networks/UC3M
Intended status: Informational Pierre Francois Intended status: Informational Pierre Francois
Expires: December 11, 2015 IMDEA Networks Expires: January 28, 2016 IMDEA Networks
Paolo Lucente Paolo Lucente
Cisco Systems Cisco Systems
June 9, 2015 July 27, 2015
Impact of BGP filtering on Inter-Domain Routing Policies Impact of BGP filtering on Inter-Domain Routing Policies
draft-ietf-grow-filtering-threats-06 draft-ietf-grow-filtering-threats-07
Abstract Abstract
This document describes how unexpected traffic flows can emerge This document describes how unexpected traffic flows can emerge
across an autonomous system, as the result of other autonomous across an autonomous system, as the result of other autonomous
systems filtering, or restricting the propagation of more specific systems filtering, or restricting the propagation of more specific
prefixes. We provide a review of the techniques to detect the prefixes. We provide a review of the techniques to detect the
occurrence of this issue and defend against it. occurrence of this issue and defend against it.
Status of This Memo Status of This Memo
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 11, 2015. This Internet-Draft will expire on January 28, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 24 skipping to change at page 2, line 24
2.1.1. Unexpected traffic flows caused by local filtering of 2.1.1. Unexpected traffic flows caused by local filtering of
more specific prefixes . . . . . . . . . . . . . . . 5 more specific prefixes . . . . . . . . . . . . . . . 5
2.2. Remote filtering . . . . . . . . . . . . . . . . . . . . 6 2.2. Remote filtering . . . . . . . . . . . . . . . . . . . . 6
2.2.1. Unexpected traffic flows caused by remotely triggered 2.2.1. Unexpected traffic flows caused by remotely triggered
filtering of more specific prefixes . . . . . . . . . 7 filtering of more specific prefixes . . . . . . . . . 7
3. Techniques to detect unexpected traffic flows caused by 3. Techniques to detect unexpected traffic flows caused by
filtering of more specific prefixes . . . . . . . . . . . . . 8 filtering of more specific prefixes . . . . . . . . . . . . . 8
3.1. Existence of unexpected traffic flows within an AS . . . 8 3.1. Existence of unexpected traffic flows within an AS . . . 8
3.2. Contribution to the existence of unexpected traffic flows 3.2. Contribution to the existence of unexpected traffic flows
in another AS . . . . . . . . . . . . . . . . . . . . . . 9 in another AS . . . . . . . . . . . . . . . . . . . . . . 9
4. Techniques to Traffic Engineer unexpected traffic flows . . . 10 4. Techniques to Traffic Engineer unexpected flows . . . . . . . 10
4.1. Reactive Traffic Engineering . . . . . . . . . . . . . . 11 4.1. Reactive Traffic Engineering . . . . . . . . . . . . . . 11
4.2. Proactive measures . . . . . . . . . . . . . . . . . . . 12 4.2. Proactive measures . . . . . . . . . . . . . . . . . . . 12
4.2.1. Access lists . . . . . . . . . . . . . . . . . . . . 12 4.2.1. Access lists . . . . . . . . . . . . . . . . . . . . 12
4.2.2. Neighbor-specific forwarding . . . . . . . . . . . . 13 4.2.2. Neighbor-specific forwarding . . . . . . . . . . . . 13
5. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 14 5. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 13
6. Security Considerations . . . . . . . . . . . . . . . . . . . 14 6. Security Considerations . . . . . . . . . . . . . . . . . . . 14
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
9.1. Informative References . . . . . . . . . . . . . . . . . 14 9.1. Normative References . . . . . . . . . . . . . . . . . . 14
9.2. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 15 9.2. Informative References . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
It is common practice for network operators to propagate a more It is common practice for network operators to propagate a more
specific prefix in the BGP routing system, along with the less specific prefix in the BGP routing system, along with the less
specific prefix that they originate. It is also possible for some specific prefix that they originate. It is also possible for some
Autonomous Systems (ASes) to apply different policies to the more Autonomous Systems (ASes) to apply different policies to the more
specific and the less specific prefix. specific and the less specific prefix.
While BGP makes independent, policy driven decisions for the Although BGP makes independent, policy driven decisions for the
selection of the best path to be used for a given IP prefix, routers selection of the best path to be used for a given IP prefix, routers
must forward packets using the longest-prefix-match rule, which must forward packets using the longest-prefix-match rule, which
"precedes" any BGP policy (RFC1812 [1]). The existence of a prefix p "precedes" any BGP policy (RFC1812 [RFC1812]). The existence of a
that is more specific than a prefix p' in the Forwarding Information prefix p that is more specific than a prefix p' in the Forwarding
Base (FIB) will let packets whose destination matches p be forwarded Information Base (FIB) will let packets whose destination matches p
according to the next hop selected as best for p (the more specific be forwarded according to the next hop selected as best for p (the
prefix). This process takes place by disregarding the policies more specific prefix). This process takes place by disregarding the
applied in the control plane for the selection of the best next-hop policies applied in the control plane for the selection of the best
for p'. When an Autonomous System filters more specific prefixes and next-hop for p'. When an Autonomous System filters more specific
forwards packets according to the less specific prefix, the prefixes and forwards packets according to the less specific prefix,
discrepancy in the routing policies applied to the less and the more the discrepancy among the routing policies applied to the less and
specific prefixes can create unexpected traffic flows that infringe the more specific prefixes can create unexpected traffic flows.
the policies of other ASes, still holding a path towards the more These may infringe the policies of other ASes, still holding a path
specific prefix. towards the more specific prefix.
The objective of this draft is to shed light on possible side effects The objective of this draft is to shed light on possible side effects
associated with more specific prefix filtering. This document associated with more specific prefix filtering. Such actions can be
presents examples of such side effects and discusses approaches explained by traffic engineering action, misconfiguration, or
towards solutions to the problem. malicious intent. This document presents examples of such side
effects and discusses approaches towards solutions to the problem.
The rest of the document is organized as follows: In Section 2 we The rest of the document is organized as follows: In Section 2 we
provide some scenarios in which the filtering of more specific provide some scenarios in which the filtering of more specific
prefixes leads to the creation of unexpected traffic flows. prefixes leads to the creation of unexpected traffic flows.
Section 3 and Section 4 discuss some techniques that ASes can use Section 3 and Section 4 discuss some techniques that ASes can use
for, respectively, detect and react to unexpected traffic flows. We for, respectively, detecting and reacting to unexpected traffic
conclude in Section 5. flows. The document concludes in Section 5.
1.1. Terminology 1.1. Terminology
More specific prefix: A prefix in the routing table with an address More specific prefix: A prefix in the routing table with an address
range that is covered by a shorter prefix also present in the routing range that is covered by a shorter prefix also present in the routing
table. table.
Less specific prefix: A prefix in the routing table with an address Less specific prefix: A prefix in the routing table with an address
range partially covered by other prefixes. range partially covered by other prefixes.
We re-use the definitions of customer-transit peering and settlement- This document reuses the definitions of customer-transit peering and
free peering of RFC4384 [2]. settlement-free peering of RFC4384 [RFC4384].
Selective advertisement: The behavior of only advertising a self Selective advertisement: The behavior of only advertising a self
originated BGP path for a prefix over a strict subset of the eBGP originated BGP path for a prefix over a strict subset of the eBGP
sessions of the AS. sessions of the AS.
Selective propagation: The behavior of only propagating a BGP path Selective propagation: The behavior of only propagating a BGP path
for a prefix over a strict subset of the eBGP sessions of an AS. for a prefix over a strict subset of the eBGP sessions of an AS.
Local filtering: The behavior of explicitly ignoring a BGP path Local filtering: The behavior of explicitly ignoring a BGP path
received over an eBGP session. received over an eBGP session.
skipping to change at page 4, line 21 skipping to change at page 4, line 23
2. Unexpected Traffic Flows 2. Unexpected Traffic Flows
In this section, we describe how more specific prefix filtering can In this section, we describe how more specific prefix filtering can
lead to unexpected traffic flows in other, remote, ASes. We lead to unexpected traffic flows in other, remote, ASes. We
differentiate cases in which the filtering is performed locally from differentiate cases in which the filtering is performed locally from
those where the filtering is triggered remotely. those where the filtering is triggered remotely.
2.1. Local filtering 2.1. Local filtering
Local filtering can be motivated by different reasons, such as: (1) Different reasons motivate local filtering, for example: (1) Traffic
Traffic engineering, where an AS wants to control its local outbound engineering, where an AS wants to control its local outbound traffic
traffic distribution using only the policy applied to the less distribution using only the policy applied to the less specific
specific prefix. Such a practice was notably documented in [3] (2) prefix. Such a practice was notably documented in [INIT7-RIPE63] (2)
Enforcing contract compliance, where, for instance, an AS avoids a Enforcing contract compliance, where, for instance, an AS avoids a
settlement-free peer to attract traffic to one link by using settlement-free peer to attract traffic to one link by using
selective advertisement, when this is not allowed by their peering selective advertisement, when this is not allowed by their peering
agreement. (3) The need for Forwarding Information Base memory agreement. (3) The need for Forwarding Information Base memory
preservation sometimes pushes ISP operators to filter more specific preservation sometimes pushes ISP operators to filter more specific
prefixes. prefixes.
Figure 1 illustrates a scenario in which one AS is motivated to Figure 1 illustrates a scenario where one AS performs local filtering
perform local filtering due to outbound traffic engineering. The due to outbound traffic engineering. The figure depicts AS64504, and
figure depicts AS64504, and two of its neighboring ASes, AS64502, and two of its neighboring ASes, AS64502, and AS64505. AS64504 has a
AS64505. AS64504 has a settlement-free peering with AS64502 and is a settlement-free peering with AS64502 and is a customer of AS64505.
customer of AS64505. AS64504 receives from AS64505 prefixes AS64504 receives from AS64505 prefixes 2001:DB8::/32 and
2001:DB8::/32 and 2001:DB8::/34, a less specific and a more specific 2001:DB8::/34. AS64504 only receives the less specific prefix
prefix, respectively. AS64504 receives only the less specific prefix
2001:DB8::/32 from AS64502. 2001:DB8::/32 from AS64502.
,-----. ,-----.
/ \ / \
( AS64505 ) ( AS64505 )
\ / \ /
`--+--' `--+--'
2001:DB8::/32 | | 2001:DB8::/32 | |
2001:DB8::/34 v | 2001:DB8::/34 v |
| |
skipping to change at page 5, line 27 skipping to change at page 5, line 27
`-----' `-----' `-----' `-----'
Figure 1: Local Filtering Figure 1: Local Filtering
Due to economic reasons, AS64504 might prefer to send traffic to Due to economic reasons, AS64504 might prefer to send traffic to
AS64502 instead of AS64505. However, even if paths received from AS64502 instead of AS64505. However, even if paths received from
AS64502 are given a large local preference, routers in AS64504 will AS64502 are given a large local preference, routers in AS64504 will
still send traffic to prefix 2001:DB8::/34 via neighbor AS64505. still send traffic to prefix 2001:DB8::/34 via neighbor AS64505.
This situation may push AS64504 to apply an inbound filter for the This situation may push AS64504 to apply an inbound filter for the
more specific prefix, 2001:DB8::/34, on the session with AS64505. more specific prefix, 2001:DB8::/34, on the session with AS64505.
After the filter is applied, traffic to the more specific prefix will After applying the filter, AS64504 will send traffic for the more
be sent to AS64502 specific prefix to AS64502.
2.1.1. Unexpected traffic flows caused by local filtering of more 2.1.1. Unexpected traffic flows caused by local filtering of more
specific prefixes specific prefixes
In this section, we show how the decision of AS64504 to perform local In this section, we show how the decision of AS64504 to perform local
filtering creates unexpected traffic flows in AS64502. Figure 2 filtering creates unexpected traffic flows in AS64502. Figure 2
shows the whole picture of the scenario; where AS64501 is a customer shows the whole picture of the scenario; where AS64501 is a customer
of AS64503 and AS64502. AS64503 is a settlement-free peer with of AS64503 and AS64502. AS64503 is a settlement-free peer with
AS64502. AS64503 and AS64502 are customers of AS64505. The AS AS64502. AS64503 and AS64502 are customers of AS64505. The AS
originating the two prefixes, AS64501, performs selective originating the two prefixes, AS64501, performs selective
skipping to change at page 6, line 41 skipping to change at page 6, line 41
`. _, `. _,
`-.._ _,,,' `-.._ _,,,'
`''---------''' `''---------'''
Figure 2: Unexpected traffic flows due to local filtering Figure 2: Unexpected traffic flows due to local filtering
2.2. Remote filtering 2.2. Remote filtering
ISPs can tag the BGP paths that they propagate to neighboring ASes ISPs can tag the BGP paths that they propagate to neighboring ASes
with communities, in order to tweak the propagation behavior of the with communities, in order to tweak the propagation behavior of the
ASes that handle these paths [1]. Some ISPs allow their customers to ASes that handle these paths [on_BGP_communities]. Some ISPs allow
use such communities to let the receiving AS not export the path to their customers to use such communities to let the receiving AS not
some selected neighboring ASes. By combining communities, the prefix export the path to some selected neighboring ASes. By combining
could be advertised only to a given peer of the AS providing this communities, the prefix could be advertised only to a given peer of
feature. Remote filtering can be leveraged by an AS to, for the AS providing this feature. A network operator can leverage
instance, limit the scope of prefixes and hence perform a more remote filtering to, for instance, limit the scope of prefixes and
granular inbound traffic engineering. hence perform a more granular inbound traffic engineering.
Figure 3 illustrates a scenario in which an AS uses BGP communities Figure 3 illustrates a scenario in which an AS uses BGP communities
to command its provider to selectively propagate a more specific to command its provider to selectively propagate a more specific
prefix. Let AS64501 be a customer of AS64502 and AS64503. AS64501 prefix. Let AS64501 be a customer of AS64502 and AS64503. AS64501
originates prefix 2001:DB8::/32, which it advertises to AS64502 and originates prefix 2001:DB8::/32, which it advertises to AS64502 and
AS64503. AS64502 and AS64503 are settlement-free peers. Let AS64501 AS64503. AS64502 and AS64503 are settlement-free peers. Let AS64501
do selective advertisement and only propagate 2001:DB8::/34 over do selective advertisement and only propagate 2001:DB8::/34 over
AS64503. AS64503 would normally propagate this prefix to its AS64503. AS64503 would normally propagate this prefix to its
customers, providers, and peers, including AS64502. customers, providers, and peers, including AS64502.
skipping to change at page 7, line 42 skipping to change at page 7, line 42
( ) ( )
\ / \ /
`. ,' `. ,'
'-----' '-----'
Figure 3: Remote triggered filtering Figure 3: Remote triggered filtering
2.2.1. Unexpected traffic flows caused by remotely triggered filtering 2.2.1. Unexpected traffic flows caused by remotely triggered filtering
of more specific prefixes of more specific prefixes
Figure 4 expands the scenario from Figure 3 and includes other AS Figure 4 expands the scenario from Figure 3 and includes other ASes
peering with ASes 64502 and 64503. Due to the limitation on the peering with AS64502 and AS64503. Due to the limitation on the scope
scope performed on the more specific prefix, ASes that are not performed on the more specific prefix, ASes that are not customers of
customers of AS64502 will not receive a path for 2001:DB8::/34. AS64502 will not receive a path for 2001:DB8::/34. These ASes will
These ASes will forward packets destined to 2001:DB8::/34 according forward packets destined to 2001:DB8::/34 according to their routing
to their routing state for 2001:DB8::/32. Let us assume that AS64505 state for 2001:DB8::/32. Let us assume that AS64505 is such an AS,
is such an AS, and that its best path towards 2001:DB8::/32 is and that its best path towards 2001:DB8::/32 is through AS64502.
through AS64502. Packets sent towards 2001:DB8::1 by AS64505 will Packets sent towards 2001:DB8::1 by AS64505 will reach AS64502.
reach AS64502. However, in the data-plane of the nodes of AS64502, However, in the data-plane of the nodes of AS64502, the longest
the longest prefix match for 2001:DB8::1 is 2001:DB8::/34, which is prefix match for 2001:DB8::1 is 2001:DB8::/34, which is reached
reached through AS64503, a settlement-free peer of AS64502. Since through AS64503, a settlement-free peer of AS64502. Since AS64505 is
AS64505 is not in the customer branch of AS64502, we are in a not in the customer branch of AS64502, traffic flows between two non-
situation in which traffic flows between non-customer ASes take place customer ASes in AS64502.
in AS64502.
,-----. ,-----.
,' `. ------- Connections to other ASes ,' `. ------- Connections to other ASes
/ AS64505 \ /32 / AS64505 \ /32
( ) <-+ ( ) <-+
\ / \ /
`. ,' `. ,'
'-----' '-----'
^ \ / ^ ^ \ / ^ ^ \ / ^ ^ \ / ^
| /32 \ / /32 | | /32 \ / /32 | | /32 \ / /32 | | /32 \ / /32 |
skipping to change at page 8, line 46 skipping to change at page 8, line 45
Figure 4: Unexpected traffic flows due to remote triggered filtering Figure 4: Unexpected traffic flows due to remote triggered filtering
3. Techniques to detect unexpected traffic flows caused by filtering of 3. Techniques to detect unexpected traffic flows caused by filtering of
more specific prefixes more specific prefixes
3.1. Existence of unexpected traffic flows within an AS 3.1. Existence of unexpected traffic flows within an AS
To detect if unexpected traffic flows are taking place in its To detect if unexpected traffic flows are taking place in its
network, an ISP can monitor its traffic data to check if it is network, an ISP can monitor its traffic data to check if it is
providing transit between two of its peers, although his policy is providing transit between two of its peers, although this policy is
configured to not provide such transit. IPFIX (RFC7011 [3]) is an configured to not provide such transit. IPFIX (RFC7011 [RFC7011]) is
example of a technology that can be used to export information an example of a technology that can be used to export information
regarding traffic flows across the network. Traffic information must regarding traffic flows across the network. Traffic information must
be analyzed under the perspective of the business relationships with be analyzed under the perspective of the business relationships with
neighboring ASes. Open source tools such as [4] can be used to this neighboring ASes to detect the flows not fitting the policy.
end. Operators can use collection systems that combine traffic statistics
with policy information for this end. Check [PMACCT] for an open
source application meeting these requirements.
Note that the AS detecting the unexpected traffic flow may simply Note that the AS detecting the unexpected traffic flow may simply
realize that his policy configuration is broken. The first realize that this policy configuration is broken. The first
recommended action upon detection of an unexpected traffic flow is to recommended action upon detection of an unexpected traffic flow is to
verify the correctness of the BGP configuration. verify the correctness of the BGP configuration.
Once it has been assessed that the local configuration is correct, Once the local configuration is confirmed correct, the operator
the operator should check if the unexpected flow arose due to should check if the unexpected flow arose due to filtering of BGP
filtering of BGP paths for more-specific prefixes by neighboring paths for more-specific prefixes by neighboring ASes. This can be
ASes. This can be performed in two steps. First, the operator performed in two steps. First, the operator should check whether the
should check whether the neighboring AS originating the unexpected neighboring AS originating the unexpected flow is forwarding traffic
flow is forwarding traffic using a less-specific prefix that is using a less-specific prefix that is announced to it by the affected
announced to it by the affected network. The second step is to try network. The second step is to try to infer the reason why the
to infer the reason why the neighboring AS does not use the more- neighboring AS does not use the more specific path for forwarding,
specific path for forwarding, i.e., finding why the more-specific i.e., finding why the more specific prefix was filtered. The authors
prefix was filtered. We note that due to the distributed nature and note that due to the distributed nature and restricted visibility of
restricted visibility of the steering of BGP policies, this second the steering of BGP policies, this second step is deemed to not
step is deemed to not identify the origin of the problem with identify the origin of the problem with guaranteed accuracy.
guaranteed accuracy.
For the first step, the operator should check if the destination For the first step, the operator should check if the destination
address of the unexpected traffic flow is locally routed as per a address of the unexpected traffic flow is locally routed as per a
more specific prefix only received from non-customer peers. The more specific prefix only received from non-customer peers. The
operator should also check if there are paths to a less specific operator should also check if there are paths to a less specific
prefix received from a customer, and hence propagated to peers. If prefix received from a customer, and hence propagated to peers. If
these two situations happen at the same time, the neighboring AS at these two situations happen at the same time, the neighboring AS at
the entry point of the unexpected flow is routing the traffic based the entry point of the unexpected flow is routing the traffic based
on the less specific prefix, although the ISP is actually forwarding on the less specific prefix, although the ISP is actually forwarding
the traffic via non-customer links. the traffic via non-customer links.
For the second step, human interaction or looking glasses can be used For the second step, one can rely on human interaction or looking
in order to find out whether local filtering, remote filtering, or glasses to find out whether local filtering, remote filtering, or
selective propagation was performed on the more specific prefix. We selective propagation was performed on the more specific prefix. The
are not aware, at the time of this writing, of any openly available authors are not aware, at the time of this writing, of any openly
tool that can automatically perform this operation. available tool that can automatically perform this operation.
3.2. Contribution to the existence of unexpected traffic flows in 3.2. Contribution to the existence of unexpected traffic flows in
another AS another AS
It can be considered problematic to be causing unexpected traffic It can be considered problematic to trigger unexpected traffic flows
flows in other ASes. It is thus advisable for an AS to assess the in another AS. It is thus advisable for an AS to assess the risks of
risks of filtering more specific prefixes before implementing them by filtering more specific prefixes before implementing them, by
obtaining as much data information as possible about its surrounding obtaining as much information as possible about its surrounding
routing environment. routing environment.
There may be justifiable reasons for one ISP to perform filtering; There may be justifiable reasons for one ISP to perform filtering;
either to enforce established policies or to provide prefix either to enforce established policies or to provide prefix
advertisement scoping features to its customers. These can vary from advertisement scoping features to its customers. These can vary from
trouble-shooting purposes to business relationship implementations. trouble-shooting purposes to business relationship implementations.
Restricting the use of these features for the sake of avoiding the Restricting the use of these features for the sake of avoiding the
creation of unexpected traffic flows is not a practical option. creation of unexpected traffic flows is not a practical option.
In order to assess the risk of filtering more specific prefixes, the In order to assess the risk of filtering more specific prefixes, the
skipping to change at page 10, line 26 skipping to change at page 10, line 23
information, the operator could detect other ASes receiving the more information, the operator could detect other ASes receiving the more
specific prefix from non-customer ASes, while announcing the less specific prefix from non-customer ASes, while announcing the less
specific prefix to other non-customer ASes. If the filtering of the specific prefix to other non-customer ASes. If the filtering of the
more specific prefix leads other ASes to send traffic for the more more specific prefix leads other ASes to send traffic for the more
specific prefix to these ASes, an unexpected traffic flow can arise. specific prefix to these ASes, an unexpected traffic flow can arise.
However, the information required for this operation is difficult to However, the information required for this operation is difficult to
obtain, due to the distributed nature of BGP policies. We are not obtain, due to the distributed nature of BGP policies. We are not
aware, at the time of this writing, of any openly available tool that aware, at the time of this writing, of any openly available tool that
can automatically perform this procedure. can automatically perform this procedure.
4. Techniques to Traffic Engineer unexpected traffic flows 4. Techniques to Traffic Engineer unexpected flows
Network Operators can adopt different approaches with respect to Network Operators can adopt different approaches with respect to
unexpected traffic flows. Note that due the complexity of inter- unexpected traffic flows. Note that due the complexity of inter-
domain routing policies, there is not a single solution that can be domain routing policies, there is not a single solution that can be
applied to all situations. We provide potential solutions that ISPs applied to all situations. This section provides potential solutions
must evaluate against each particular case. We classify these that ISPs must evaluate against each particular case. We classify
actions according to whether they are proactive or reactive. these actions according to whether they are proactive or reactive.
Reactive approaches are those in which the operator tries to detect Reactive approaches are those in which the operator tries to detect
the situations via monitoring and solve unexpected traffic flows, the situations via monitoring and solve unexpected traffic flows,
manually, on a case-by-case basis. manually, on a case-by-case basis.
Anticipant or preventive approaches are those in which the routing Anticipant or preventive approaches are those in which the routing
system will not let the unexpected traffic flows actually take place system will not let the unexpected traffic flows actually take place
when the scenario arises. when the scenario arises.
We use the scenario depicted in Figure 5 to describe these two kinds We use the scenario depicted in Figure 5 to describe these two kinds
of approaches. Based on our analysis, we observe that proactive of approaches. The authors observe that proactive approaches can be
approaches can be complex to implement and can lead to undesired complex to implement and can lead to undesired effects, and thus
effects. Therefore, we conclude that the reactive approach is the conclude that the reactive approach is the more reasonable
more reasonable recommendation to deal with unexpected flows. recommendation to deal with unexpected flows.
____,,................______ ____,,................______
_,.---'''' `''---..._ _,.---'''' `''---..._
,-'' AS64505 `-. ,-'' AS64505 `-.
[ / [ /
-.._ __.-' -.._ __.-'
. `'---....______ ______...---'' . `'---....______ ______...---''
+ |/32 `''''''''''''''' | + |/32 `''''''''''''''' |
| |/34 + |/32 | | |/34 + |/32 |
v | v |/34 | v | v |/34 |
skipping to change at page 11, line 50 skipping to change at page 11, line 50
An operator who detects unexpected traffic flows originated by any of An operator who detects unexpected traffic flows originated by any of
the cases described in Section 2 can contact the ASes that are likely the cases described in Section 2 can contact the ASes that are likely
to have performed the propagation tweaks, inform them of the to have performed the propagation tweaks, inform them of the
situation, and persuade them to change their behavior. situation, and persuade them to change their behavior.
If the situation remains, the operator can implement prefix filtering If the situation remains, the operator can implement prefix filtering
in order to stop the unexpected flows. The operator can decide to in order to stop the unexpected flows. The operator can decide to
perform this action over the session with the operator announcing the perform this action over the session with the operator announcing the
more specific prefix or over the session with the neighboring AS from more specific prefix or over the session with the neighboring AS from
which it is receiving the traffic. Each of these options carry a which it is receiving the traffic. Each of these options carry a
different repercussion for the affected AS. We describe briefly the different repercussion for the affected AS. We briefly describe the
two alternatives. two alternatives.
o An operator can decide to stop announcing the less specific prefix o An operator can decide to stop announcing the less specific prefix
at the peering session with the neighboring AS from which it is at the peering session with the neighboring AS from which it is
receiving traffic to the more specific prefix. In the example of receiving traffic to the more specific prefix. In the example of
Figure 5, AS64502 would filter out the prefix 2001:DB8::/32 from Figure 5, AS64502 would filter out the prefix 2001:DB8::/32 from
the eBGP session with AS64504. In this case, traffic heading to the eBGP session with AS64504. In this case, traffic heading to
the prefix 2001:DB8::/32 from AS64501 would no longer traverse the prefix 2001:DB8::/32 from AS64501 would no longer traverse
AS64502. AS64502 should evaluate if solving the issues originated AS64502. AS64502 should evaluate if solving the issues originated
by the unexpected traffic flows are worth the loss of this traffic by the unexpected traffic flows are worth the loss of this traffic
skipping to change at page 12, line 29 skipping to change at page 12, line 29
the traffic destined to that /32 would be forwarded by AS64502 the traffic destined to that /32 would be forwarded by AS64502
along its link with AS64501, despite the actions performed by along its link with AS64501, despite the actions performed by
AS64501 to have this traffic coming in through its link with AS64501 to have this traffic coming in through its link with
AS64503. However, as AS64502 will no longer know a route to the AS64503. However, as AS64502 will no longer know a route to the
more specific prefix, it risks losing the traffic share from more specific prefix, it risks losing the traffic share from
customers different from AS64501 to that prefix. Furthermore, customers different from AS64501 to that prefix. Furthermore,
this action can generate conflicts between AS64502 and AS64501, this action can generate conflicts between AS64502 and AS64501,
since AS64502 does not follow the routing information expressed by since AS64502 does not follow the routing information expressed by
AS64501 in its BGP announcements. AS64501 in its BGP announcements.
It is possible that the behavior of the neighboring AS causing the Note that it is possible that the behavior of the neighboring AS
unexpected traffic flows opposes the peering agreement. In this causing the unexpected traffic flows violates a contractual agreement
case, an operator could account the amount of traffic that has been between the two networks.
subject to the unexpected flows, using traffic measurement protocols
such as IPFIX, and charge the peer for that traffic. That is, the
operator can claim that it has been a provider of that peer for the
traffic that transited between the two ASes.
4.2. Proactive measures 4.2. Proactive measures
4.2.1. Access lists 4.2.1. Access lists
An operator could install access-lists to prevent unexpected traffic An operator could install access-lists to prevent unexpected traffic
flows from happening in the first place. In the example of Figure 5, flows from happening in the first place. In the example of Figure 5,
AS64502 would install an access-list denying packets matching AS64502 would install an access-list denying packets matching
2001:DB8::/34 associated with the interface connecting to AS64504. 2001:DB8::/34 associated with the interface connecting to AS64504.
As a result, traffic destined to that prefix would be dropped, As a result, traffic destined to that prefix would be dropped,
despite the existence of a valid route towards 2001:DB8::/32. despite the existence of a valid route towards 2001:DB8::/32.
The operational overhead of such a solution is considered high, as The operational overhead of such a solution is considered high, as
the operator would have to constantly adapt these access-lists to the operator would have to constantly adapt these access-lists to
accommodate inter-domain routing changes. Moreover, this technique accommodate inter-domain routing changes. Moreover, this technique
lets packets destined to a valid prefix be dropped while they are lets packets destined to a valid prefix be dropped while they are
sent from a neighboring AS that may not know about the policy sent from a neighboring AS that may not know about the policy
conflict, and hence had no means to avoid the creation of unexpected conflict, and hence had no means to avoid the creation of unexpected
traffic flows. For this reason, this technique can be considered traffic flows. For this reason, this technique can be considered
harmful and is thus not recommended for implementation. harmful.
4.2.2. Neighbor-specific forwarding 4.2.2. Neighbor-specific forwarding
An operator can technically ensure that traffic destined to a given An operator can technically ensure that traffic destined to a given
prefix will be forwarded from an entry point of the network based prefix will be forwarded from an entry point of the network based
only on the set of paths that have been advertised over that entry only on the set of paths that have been advertised over that entry
point. point.
As an example, let us analyze the scenario of Figure 5 from the point As an example, let us analyze the scenario of Figure 5 from the point
of view of AS64502. The edge router connecting to the AS64504 of view of AS64502. The edge router connecting to the AS64504
skipping to change at page 13, line 30 skipping to change at page 13, line 27
the less specific prefix (2001:DB8::/32) to AS64504. An operator the less specific prefix (2001:DB8::/32) to AS64504. An operator
could implement the necessary techniques to force the edge router to could implement the necessary techniques to force the edge router to
forward packets coming from AS64504 based only on the paths forward packets coming from AS64504 based only on the paths
propagated to AS64504. Thus, the edge router would forward packets propagated to AS64504. Thus, the edge router would forward packets
destined to 2001:DB8::/34 towards AS64501 in which case no unexpected destined to 2001:DB8::/34 towards AS64501 in which case no unexpected
traffic flow would occur. traffic flow would occur.
Different techniques could provide this functionality; however, their Different techniques could provide this functionality; however, their
technical implementation can be complex to design and operate. An technical implementation can be complex to design and operate. An
operator could, for instance, employ Virtual Routing Forwarding (VRF) operator could, for instance, employ Virtual Routing Forwarding (VRF)
tables (RFC4364 [4]) to store the routes announced to a neighbor and tables (RFC4364 [RFC4364]) to store the routes announced to a
forward traffic exclusively based on those routes. [2] describes the neighbor and forward traffic exclusively based on those routes.
use of such an architecture for Internet routing, and provides a [on_BGP_RS_VPNs] describes the use of such an architecture for
description of its limitations. Internet routing, and provides a description of its limitations.
In such architecture, packets received from a peer would be forwarded In such architecture, packets received from a peer would be forwarded
solely based on the paths that fit the path propagation policy for solely based on the paths that fit the path propagation policy for
that peer, and not based on the global routing table of the router. that peer, and not based on the global routing table of the router.
As a result, a more specific path that would not be propagated to a As a result, a more specific path that would not be propagated to a
peer will not be used to forward a packet from that peer, and the peer will not be used to forward a packet from that peer, and the
unexpected flow will not take place. Packets will be forwarded based unexpected flow will not take place. Packets will be forwarded based
on the policy compliant less specific prefix. However, note that an on the policy compliant less specific prefix. However, note that an
operator must make sure that all their routers could support the operator must make sure that all their routers could support the
potential performance impact of this approach. potential performance impact of this approach.
Note that similarly to the solution described in Section 4.1, this Note that similarly to the solution described in Section 4.1, this
approach could create conflicts between AS64502 and AS64501, since approach could create conflicts between AS64502 and AS64501, since
the traffic forwarding performed by AS64502 goes against the policy the traffic forwarding performed by AS64502 goes against the policy
of AS64501. of AS64501.
5. Conclusions 5. Conclusions
In this document, we described how the filtering of more specific This document describes how filtering and selective propagation of
prefixes can potentially create unexpected traffic flows in remote more-specific prefixes can potentially create unexpected traffic
ASes. We provided examples of scenarios in which unexpected traffic flows across some ASes. We provided examples of scenarios where
flows are caused by these practices and introduce some techniques for these practices lead to unexpected traffic flows, and introduce some
their detection and prevention. Analyzing the different options for techniques for their detection and prevention. Although there are
dealing with this kind of problems, we recommend ASes to implement reasonable situations in which ASes could filter more-specific
monitoring systems that can detect them and react to them according prefixes, authors encourage network operators to implement this type
to the specific situation. Although we observe that there are of filters considering the cases described in this document.
reasonable situations in which ASes could filter more specific Analyzing the different options for dealing with such situations,
prefixes, we encourage network operators to implement this type of authors recommend ASes to implement monitoring systems that can
filters considering the cases described in this document. detect violations and react to them on a case-by-case basis,
according to their own policy.
6. Security Considerations 6. Security Considerations
It is possible for an AS to use any of the methods described in this It is possible for an AS to use any of the methods described in this
document to deliberately reroute traffic flowing through another AS. document to deliberately reroute traffic flowing through another AS.
The objective of this document is to inform on this potential routing The objective of this document is to inform on this potential routing
security issue, and analyse ways for operators to defend against security issue, and analyze ways for operators to defend against
them. them.
It must be noted that, at the time of this document, there are no It must be noted that, at the time of this document, there are no
existing or proposed tools to automatically protect against such existing or proposed tools to automatically protect against such
behavior. Network monitoring allowing for the detection of behavior. Operators can use network monitoring and collection tools
unexpected traffic flows exist, but automated configuration changes to detect unexpected flows and deal with them on a case-by-case
to solve the problem do not. basis.
7. IANA Considerations 7. IANA Considerations
This document has no IANA actions. This document has no IANA actions.
8. Acknowledgments 8. Acknowledgments
The authors would like to thank Wes George, Jon Mitchell, and Bruno The authors would like to thank Wes George, Jon Mitchell, Bruno
Decraene for their useful suggestions and comments. Decraene, and Job Snijders for their useful suggestions and comments.
9. References 9. References
9.1. Informative References 9.1. Normative References
[1] Donnet, B. and O. Bonaventure, "On BGP Communities", ACM [RFC4384] Meyer, D., "BGP Communities for Data Collection", RFC
4384, February 2006.
[RFC1812] Baker, F., "Requirements for IP Version 4 Routers", RFC
1812, June 1995.
[RFC7011] Claise, B., Trammell, B., and P. Aitken, "Specification of
the IP Flow Information Export (IPFIX) Protocol for the
Exchange of Flow Information", RFC 7011, September 2013.
[RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
Networks (VPNs)", RFC 4364, February 2006.
9.2. Informative References
[on_BGP_communities]
Donnet, B. and O. Bonaventure, "On BGP Communities", ACM
SIGCOMM Computer Communication Review vol. 38, no. 2, pp. SIGCOMM Computer Communication Review vol. 38, no. 2, pp.
55-59, April 2008. 55-59, April 2008.
[2] Vanbever, L., Francois, P., Bonaventure, O., and J. [on_BGP_RS_VPNs]
Vanbever, L., Francois, P., Bonaventure, O., and J.
Rexford, "Customized BGP Route Selection Using BGP/MPLS Rexford, "Customized BGP Route Selection Using BGP/MPLS
VPNs", Cisco Systems, Routing Symposium VPNs", Cisco Systems, Routing Symposium
http://www.cs.princeton.edu/~jrex/talks/cisconag09.pdf, http://www.cs.princeton.edu/~jrex/talks/cisconag09.pdf,
October 2009. October 2009.
[3] "INIT7-RIPE63", <http://ripe63.ripe.net/presentations/48- [INIT7-RIPE63]
"INIT7-RIPE63", <http://ripe63.ripe.net/presentations/48-
How-more-specifics-increase-your-transit-bill-v0.2.pdf>. How-more-specifics-increase-your-transit-bill-v0.2.pdf>.
[4] "pmacct project: IP accounting iconoclasm", [PMACCT] "pmacct project: IP accounting iconoclasm",
<http://www.pmacct.net>. <http://www.pmacct.net>.
9.2. URIs
[1] http://www.ietf.org/rfc/rfc1812.txt
[2] http://www.ietf.org/rfc/rfc4384.txt
[3] http://www.ietf.org/rfc/rfc7011.txt
[4] http://www.ietf.org/rfc/rfc4364.txt
Authors' Addresses Authors' Addresses
Camilo Cardona Camilo Cardona
IMDEA Networks/UC3M IMDEA Networks/UC3M
Avenida del Mar Mediterraneo, 22 Avenida del Mar Mediterraneo, 22
Leganes 28919 Leganes 28919
Spain Spain
Email: juancamilo.cardona@imdea.org Email: juancamilo.cardona@imdea.org
 End of changes. 40 change blocks. 
143 lines changed or deleted 148 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/