Network Working Group Tony Bates Internet Draft cisco Systems Expiration Date: July 1998 Randy Bush RGnet Tony Li Juniper Networks Yakov Rekhter cisco Systems DNS-based NLRI origin AS verification in BGP draft-bates-bgp4-nlri-orig-verif-00.txt 1. Status of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress.'' To learn the current status of any Internet-Draft, please check the ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). 2. Abstract This document describes how a BGP speaker may verify that the Network Layer Reachability Information (NLRI) of a prefix received from a peer is consistent with the allocation of IP address space as determined by the Internet Registry system. These verification procedures rely on the DNS to provide a repository of information about address space allocation provided by the Internet Registry system. Note that this is not a repository of announceable prefixes, but rather of allocation of delegated address space. [Page 1] Internet Draft draft-bates-bgp4-nlri-orig-verif-00.txt January 1998 3. Motivations IP address space is allocated by the Internet Registry system [RFC2050]. To provide Internet-wide IP connectivity it is imperative that the information provided by the Internet routing system be consistent with IP address allocation. Specifically, the consistency requirement implies that an organization should inject a route for a particular IP address prefix into inter-domain routing only if the address space covered by the prefix was allocated to the organization via the Internet Address Registry system. To provide adequate fault isolation and robust Internet-wide routing in the presence of either misconfiguration or malicious attacks on routing, procedures/mechanisms which allow operators to enforce this consistency requirement are essential. This document describes procedures and mechanisms that will allow operators to determine the correct origin AS of a prefix advertised into interdomain routing. While other procedures and mechanisms are also necessary to provide reasonably secure routing, such procedures and mechanisms are beyond the scope of this document. This document does not address the related, but orthogonal, issue of determining the authenticated identity of the routing domain advertising a given prefix. 4. Overview of Operations We propose that information about IP address space allocation provided by the Internet Registry system be maintained within the DNS [DNS] under the bgp.in-addr.arpa domain. This domain is to be further subdivided into additional sub-domains to reflect the allocation structure associated with IP address space. Within this domain, and all of its subdomains, each node in the DNS tree (i.e., each fully qualified domain name (FQDN)) represents one or more IP address prefixes allocated by the Internet Registry system. This document uses Autonomous System numbers (ASs) to identify entities to which address space has been allocated. For each address prefix, the DNS may contain either (a) the AS to which the address space described by the prefix has been allocated, or (b) NS delegation to name servers authoritative for the zone identified by the address prefix, or (c) no information about the prefix. When a BGP speaker receives a route from an external neighbor, the speaker uses the information provided by the DNS to verify that the [Page 2] Internet Draft draft-bates-bgp4-nlri-orig-verif-00.txt January 1998 prefix was legitimately allocated to the AS/organization that injected the route into the inter-domain routing system. If the speaker determines that the NLRI of the route wasn't legitimately allocated to the organization, the speaker rejects the route. 5. Extensions to the DNS The mechanism described in this document requires one new Resource Record (RR): Autonomous System RR (AS): This RR consists of two fields, 'AS' and 'Prefix Length'. The AS field contains an AS number, encoded as a two octet unsigned integer (0 through 65535), with 0 and 65535 having special meanings. The Prefix Length field contains an octet encoding the length of the address prefix associated with the node named by the RR (0 through 32). 6. Procedures for populating the DNS with the Address Allocation information A node under the bgp.in-addr.arpa domain may contain either (a) a set of NS RRs that specify name servers authoritative for the zone covered by the address prefix associated with the node, or (b) a CNAME RR, or (c) a set of one or more AS RRs, where each AS RR specifies the AS to which the address prefix has been allocated via the Internet Registry procedures and the length of the allocated address prefix. Discussion: An alternative to constructing this information under the in-addr.arpa domain would be to pick up some other domain (e.g.,ipv4.nlri.ietf.org). Comments and suggestions are welcome. CNAME RRs are used for allocations which occur on non-octet boundaries as described in draft-ietf-dnsind-classless-inaddr-04.txt. The AS field of an AS RR may contain the special value zero (0). This value indicates that the DNS may not contain all the information about allocations out of the address prefix as defined by a combination of the node and the Prefix Length field of the AS RR. In other words, the allocation status of this space is not known. This is distinct from the case where the space is not allocated or it is known to be allocated to some particular AS. [Page 3] Internet Draft draft-bates-bgp4-nlri-orig-verif-00.txt January 1998 The AS field of the AS RR may also contain the special value 65535. This value indicates that the address prefix associated with the address space has not been allocated by the Internet Registries. An AS RR with an AS value of 65535 can also be used to prevent authentication of certain prefixes. While 0/0 is not allocated address space per se, as some routing domains use default announcement, default should be allowed in practice. Hence we propose 0/0 be considered unauthenticated (AS of zero) and all truely unallocated space be specifically so marked (AS 65535). 7. Conventions for encoding address allocations in DNS names Syntactically, a DNS name is a series of text 'labels', separated by the '.' character. Within the bgp.in-addr.arpa domain, a label that is a decimal number is used to represent an octet within a prefix. To indicate partial octets, we use the notation / where the contains the value of the last significant octet in the prefix and the is the prefix length. Thus, the prefix 10.1.128/20 may be encoded in a DNS name as 128/20.1.10.bgp.in- addr.arpa. In addition, for this proposal to work, the hierarchy of address allocations must be explicitly encoded in the name through the addition of one or more labels. This also implies that no labels may be removed as part of the allocation of portions of a prefix. If a prefix is allocated on a non-octet boundary, then the allocating domain constructs the name by first adding the labels for the additional full octets, if any, in reversed order to the leftmost position in the name. Then, the label for the partial octet is added as the leftmost position in the name. This name is given an NS RR. As always, normal DNS syntax applies and the resulting name need not be fully qualified. For non-octet allocations, the NS record is necessary but not sufficient. In addition, a number of CNAME RRs must be added. Recall that the partial octet specifies a number of significant bits in the least significant octet in the prefix. One CNAME RR must be created for each possible value of the remaining bits. The name that the CNAME RR points to (i.e., the name on the right hand side) is constructed by using the value of the least significant octet concatenated with the fully qualified name used for the NS RR. These RRs allow lookups for longer prefixes to redirect through the correct allocation. [Page 4] Internet Draft draft-bates-bgp4-nlri-orig-verif-00.txt January 1998 A prefix can be extracted from a DNS name constructed using the above conventions by using the labels that represent full octets and the leftmost label (if any) that represents a partial octet. These labels are then reversed in the normal in-addr.arpa manner. This particular naming scheme is a suggested convention, and alternate semantically equivalent conventions are also perfectly acceptable. 8. An Example The following example illustrates how the DNS might be populated with address allocation information. ; the root $ORIGIN bgp.in-addr.arpa. ;well-known root zone @ SOA (...) ;presume ns etc. for zone 0 AS 0 0 ;default not allocated but Ok 1 NS ns0.bbn.com. ;allocate 1/8 to bbn 205 NS ns0.arin.net. ;allocate 205/8 to arin ; ns0.bbn.com - bbn's server $ORIGIN 1.bgp.in-addr.arpa. @ SOA (...) ;presume ns etc. for zone AS 1 8 ;claim allocation for 1/8 ; ns0.arin.net - arin's server $ORIGIN 205.bgp.in-addr.arpa. @ SOA (...) ;presume ns etc. for zone AS 65535 8 ;205/8 is delegated in parts 0 NS ns0.digex.net. ;delegating 205.0/16 1 NS ns0.verio.net. ;delegating 205.1/16 ; ns0.digex.net - digex's server $ORIGIN 0.205.bgp.in-addr.arpa. @ SOA (...) ;presume ns etc. for zone AS 2548 16 ;claim allocation for 205.0/16 ; ns0.verio.net - verio's server $ORIGIN 1.205.bgp.in-addr.arpa. @ SOA (...) ;presume ns etc. for zone AS 2914 16 ;205.1/16 is allocated to AS 2914 0 AS 777 24 ;205.1.0/24 is allocated to AS 777 1 AS 2914 24 ;205.1.1/24 is allocated to AS 2914 ; delegate 205.1.2/23 using the classless in-addr hack 2 CNAME 2.2/23.1.205.bgp.in-addr.arpa. 3 CNAME 3.2/23.1.205.bgp.in-addr.arpa. [Page 5] Internet Draft draft-bates-bgp4-nlri-orig-verif-00.txt January 1998 2/23 NS ns.cust.com. ;delegate 205.1.2/23, or ;205.1.2/24 and 205.1.3/24 ;to customer server 4 AS 42 22 ;205.1.4/22 is allocated to AS 42 AS 0 22 ;also allocated elsewhere 8 AS 666 21 ;205.1.8/21 is allocated to AS 666 ; delegate 205.1.16/22 using the classless in-addr hack 16 CNAME 16.16/22.1.205.bgp.in-addr.arpa. 17 CNAME 17.16/22.1.205.bgp.in-addr.arpa. 18 CNAME 18.16/22.1.205.bgp.in-addr.arpa. 19 CNAME 19.16/22.1.205.bgp.in-addr.arpa. 16/22 NS ns.cust.net. ;delegate 205.1.16/22 and longer ;to customer ; ns.cust.com - 2/23 server $ORIGIN 2/23.1.205.bgp.in-addr.arpa. @ SOA (...) ;presume ns etc. for zone AS 4242 23 ;AS 4242 claims 205.1.2/23 ; ns.cust.net - 16/22 server $ORIGIN 16/22.1.205.bgp.in-addr.arpa. @ SOA (...) ;presume ns etc. for zone 16 AS 222 23 ;AS 222 claims 205.1.16/23 18 NS ns.c1.cust.net. ;delegate 205.1.18/24 ;to a customer's campus 9. Procedures for verifying BGP routing information Given a prefix, a lookup in the bgp.in-addr.arpa domain is done by padding the least significant side of the prefix with zeros to an octet boundary and then reversing the octets, as is normally done within the bgp.in-addr.arpa domain. A normal DNS lookup on the resulting name may involve multiple CNAME records, eventually resulting in a FQDN. We define that a DNS node, authenticated by DNSSEC and under the bgp.in-addr.arpa domain, 'matches' a particular prefix if (a) the result of a lookup on the prefix is the node, and (b) the node contains an AS RR with the value of the Prefix Length field less than or equal to the length of the prefix. We refer to any such AS RR as a "matching" AS RR. If a BGP speaker performs a lookup on a prefix and cannot find a match, it first clears the least significant set bit in the least significant octet in the prefix and performs another lookup. If there is no set bit in the least significant octet, it then discards the least significant octet from the prefix and performs another [Page 6] Internet Draft draft-bates-bgp4-nlri-orig-verif-00.txt January 1998 lookup. The AS RRs that result from this lookup are compared to the original, unmodified prefix to determine if there is a match. Using the example from the previous section, an address prefix 205.1.4/22 matches the node 4.1.205.bgp.in-addr.arpa. The matching AS RR is "AS 42 22". An address prefix 205.1/16 matches the node 1.205.bgp.in-addr.arpa with a matching AS RR of (AS 2914 16). Further, an address prefix 205.1.0/18 matches the node 1.205.bgp.in- addr.arpa, with the matching AS RR as (AS 2914 16). Note that in this case, the first lookup fails and requires a second lookup. Similarly, the prefix 205.1.5/24 matches the node 4.1.205.bgp.in- addr.arpa with the matching AS RR as (AS 42 22). The following assumes that a BGP speaker has sufficient routing information to have access into the DNS system. A route may be marked "Authenticated", "Unauthenticated", or "Authentication Failed". When a BGP speaker receives a route from an external peer, the speaker marks the route as "Unauthenticated", and then performs the following: - the speaker checks the DNS for the presence of a node that "matches" the NLRI of the route. - if there is a matching node with an AS RR where the value of the AS field is equal to the origin AS of the BGP AS_PATH attribute of the received prefix, the route is marked as "Authenticated." - if there is a matching node with an AS RR where the value of the AS field is 65535, the route is marked as "Authentication Failed." - if there is a matching node with an AS RR where the value of the AS field is is zero (0), the route is left as as "Unauthenticated." - if there is a matching node with an AS RR where the value of the AS field is neither 0, 65535, nor the origin AS of the received prefix, the route is marked as "Authentication Failed." - in all other cases the marking of the route is not modified, i.e. it remains "Unauthenticated." The authentication status of a route has a time limit, maintained in the authentication status timer. If the origin of a route is [Page 7] Internet Draft draft-bates-bgp4-nlri-orig-verif-00.txt January 1998 Authenticated, then the timer is set to the Time To Live (TTL) of the matching AS RR. The timer for a route marked as "Unauthenticated" is set to RouteAuthenticationRetryTimer value (by default 24 hours). Note that the authentication status timer is not propagated in BGP Update messages. When the timer expires, the route is marked as "Unauthenticated", and the BGP speaker performs the above procedures. A BGP speaker MAY use and advertise to other BGP speakers a route that is marked as either Unauthenticated or Authenticated. As a matter of local policy the BGP speaker in its route selection policy MAY give preference to routes marked as Authenticated. A BGP speaker MUST NOT use and/or advertise to other BGP speakers a route that is marked as "Authentication Failed". Since a BGP speaker may perform the above procedures asynchronously with route installation and advertisement, a speaker may advertise a route marked as "Unauthenticated", but then might later mark the route as "Authentication Failed". In this case the speaker MUST withdraw the route, and stop using it. As a local matter a BGP speaker MAY "preload" as much of the DNS information as it wants. Doing this would allow the speaker to accelerate the marking of a newly received routes. A BGP speaker, MAY (under control of its local configuration) exempt certain routes from the above verification procedures. In addition to address allocations, the bgp.in-addr.arpa domain can be used to encode aggregated prefixes. As with other prefixes, the AS RR is used to indicate the origin of the aggregate. Insertion of information about the aggregate requires the cooperation of the entity controlling the appropriate point in the namespace. [Page 8] Internet Draft draft-bates-bgp4-nlri-orig-verif-00.txt January 1998 10. Use of TXT RRs Instead of introducing a new RR type, the AS RR, the scheme described in this document might use a TXT RR, where the information encoded in the TXT RR would be the same as in the AS RR (although the encoding will be different). One of the problems with using the TXT RRs is that it redefines the semantics of the TXT RR, which at least will be somewhat confusing. Further, if a TXT RR is used for initial deployment, there is a likelihood that no transition would ever be made to the AS RR. 11. Security Considerations This entire document is about security considerations. DNSSEC should be used in conjunction with the procedures described in this document to provide authentication for the DNS information. 12. Acknowledgments The authors would like to acknowledge the contributions of the DNSSEC working group and the authors of draft-ietf-dnsind-classless-inaddr- 04.txt for their contributions without which, this work would have been impossible. Additionally, the authors would like to thank Jerry Scharf for commenting on the work as it progressed. 13. References [BGP-4] [DNS] [DNSSEC] [Page 9] Internet Draft draft-bates-bgp4-nlri-orig-verif-00.txt January 1998 14. Author Information Tony Bates cisco Systems, Inc. 170 W. Tasman Dr. San Jose, CA 95134 Email: tbates@cisco.com Randy Bush RGnet, Inc. 5147 Crystal Springs Bainbridge Island, WA 98110 E-mail: randy@psg.com Tony Li Juniper Networks, Inc. 385 Ravendale Dr. Mountain View, CA 94043 E-mail: tli@juniper.com Yakov Rekhter cisco Systems, Inc. 170 W. Tasman Dr. San Jose, CA 95134 Email: yakov@cisco.com [Page 10]