Internet DRAFT - draft-cheng-idr-redirection-risks-ps
draft-cheng-idr-redirection-risks-ps
grow W. Cheng, Ed.
Internet-Draft China Mobile
Intended status: Standards Track D. Li
Expires: 9 January 2024 Tsinghua University
C. Zheng
China Mobile
M. Huang
Huawei
F. Gao
Zhongguancun Laboratory
M. Liu
Huawei
8 July 2023
Problem statement of Inter-domain Traffic Redirection Risks
draft-cheng-idr-redirection-risks-ps-03
Abstract
BGP Update includes the destination prefix and AS_PATH that records
the AS number through which it passes. The traffic routing to the
destination prefix should be forwarded along the AS sequence in
AS_PATH. However, due to traffic redirection, route aggregation and
etc., the AS path of forwarding and the AS_PATH of BGP Update often
do not match. The inconsistency leads to security risks such as
black holes, loops in inter-domain forwarding, and the possibility of
forwarding through malicious AS that source/upstream AS does not want
to pass through.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 9 January 2024.
Cheng, et al. Expires 9 January 2024 [Page 1]
�
Internet-Draft Inter-domain Traffic Redirection risks July 2023
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Risks Description . . . . . . . . . . . . . . . . . . . . . . 3
3. Valuable Scenarios and Potential Solutions . . . . . . . . . 5
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
7. Normative References . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
An significant reason of inter-domain routing and forwarding
inconsistency is inter-domain traffic redirection, where the AS
redirects traffic to a new next-hop AS that is not in AS_PATH that
source/upstream AS selects. Therefore, the draft uses inter-domain
traffic redirection as an example to clarify the risk of this
inconsistency.
There are many network traffic redirection technologies[RFC1102],
such as Policy Based Routing[RFC1104] and BGP Flow Specification
Rules[RFC8955] etc. These technologies are widely used in carrier
networks.
For example, BGP Flow Specification provides various filtering
conditions and processing actions to implement traffic
control[RFC9117]. This function is used not only to protect the
device against denial-of-service (DoS) and distributed DoS (DDoS)
attacks, but also used for network traffic optimization.
Cheng, et al. Expires 9 January 2024 [Page 2]
�
Internet-Draft Inter-domain Traffic Redirection risks July 2023
As reliability and effectiveness of traffic redirection are
artificially guaranteed, there are risks, such as traffic detour,
traffic exposure, traffic black hole, traffic loop, as well as
inconsistent traffic paths between the control plane and data plane.
Currently, operators have applied the redirection technologies, such
as BGP Flowspec, on a large scale. How to deal with these risks
needs further discussion.
2. Risks Description
The operation and maintenance of redirection in the long run is a big
challenge. Typo, limitation of out-of-band tool capabilities for
configuration verification, network adjustment or failure may cause
potential problems without system awareness.
The following figure shows the risks of traffic redirection.
Take the topology in Figure 1 as an example, In this application
scenario, one campus network inter-connects to two providers Network.
AS 65003 and AS 65500, AS 65105 and AS 65500 form a provider-customer
adjacency relationship. Assume that the user needs to transmit data
to the server. According to the routing information on the control
plane, the traffic is transmitted through the path [User -- AS65001
-- AS65003 -- AS65104 -- AS65106 -- Server].
Cheng, et al. Expires 9 January 2024 [Page 3]
�
Internet-Draft Inter-domain Traffic Redirection risks July 2023
+---------------------+ +--------------------+
| ISP1 | | ISP2 |
+----+ | ,-. | | ,-. |
|user| | / \ | | / \ |
| |-----| AS | | | | AS | |
+----+ | |65001\ | | |65106| | +------+
| \ / \ ,-. | | ,-. .\ / -----|server|
| '-' \ / \ | | / \ ' '-' | | |
| | '| AS | | | | AS |-` | +------+
| ,-. .|65003|-----------|65104| ,-. |
| / \ ' \ / | | \ / `. / \ |
| | AS -` '\' | | '-' '| AS | |
| |65002| \ | | |65105| |
| \ / , | | \ / |
| '-' \ | | '-' |
+------------------\--+ +------------/-------+
\ Provider /
\ /
\ Customer /
+------+--------+---+
| '.-, |
| / \ |
| | AS | |
| |65500 | |
| \ / |
| `--` |
| ISP3(Campus) |
+-------------------+
Figure 1: Example of the risks of traffic redirection
Risk 1: Violation of the valley-free principle[RFC7908] leads to
traffic detour and exposure.
Assume ISP1 configures wrong traffic redirection rule, as a result,
AS 65003 redirects traffic from AS 65104 to AS 65500. In this case,
valley-free principle is violated as AS 65003 and AS 65500 form a
provider-customer adjacency relationship. Traffic passes through the
AS 65500 and exposes itself to the campus network.
Risk 2: The traffic is redirected to a network node that has no
route, which leads to a traffic black hole
After traffic is redirected from AS 65003 to the AS 65500, the AS
65500 may not have a route to the destination server. In this case,
the traffic is discarded, resulting in a traffic black hole.
Cheng, et al. Expires 9 January 2024 [Page 4]
�
Internet-Draft Inter-domain Traffic Redirection risks July 2023
Assume traffic is redirected from AS65003 to AS65500, and AS65500
learns the route to server from AS65105. After the traffic is
redirected to the AS65500, it is forwarded to the server according to
the route. If the link between AS 65500 and AS 65105 fails, as a
result, the route is lost. The traffic is redirected to AS 65500
anyway, which also causes a traffic black hole.
Risk 3: One or more traffic redirections on the traffic transmission
path may cause a traffic loop.
Assume that traffic is redirected from AS 65104 to AS 65105. In AS
65105, the traffic is transmitted to AS 65500, or the traffic is
redirected to AS 65500. In this case, if the traffic on AS 65500 is
transmitted to AS 65003, then traffic loop occurs.
Assume traffic is redirected from AS 65003 to AS 65500, and AS 65500
learns the route to server from AS 65105. After receiving the
redirected traffic, the AS65500 forwards the traffic to the server
according to the route. If the link between AS6500 and AS65105
fails, AS 65500 learns that the next hop of the route to the server
is AS65003 through routing protocols. If the traffic is still
redirected to AS 65500 at this time, AS 65500 will send packets back
to AS65003, then traffic loop occurs.
Risk 4: inconsistent paths on the control plane and data plane may
cause O&M risks.
The traffic owner expects traffic to be transmitted along the AS path
carried in the route, but the actual transmission path is different
from the AS path.
If the network O&M control system does not obtain traffic redirection
information on the network, unpredictable risks may occur during
traffic optimization, for example, network congestion.
For the risks mentioned above, it is not sufficient to rely on manual
operation or automated management. Traffic redirection increases
management difficulties and effectiveness requirements. It is
necessary to explore technical solutions, such as redirection
configuration verification, protocol extension, or path
visualization, to reduce risks mentioned above.
3. Valuable Scenarios and Potential Solutions
Solution 1: AS path validation
Cheng, et al. Expires 9 January 2024 [Page 5]
�
Internet-Draft Inter-domain Traffic Redirection risks July 2023
The root cause of the above risks is that BGP cannot perceive the
AS_path generated by the inter-domain traffic redirection. The
security of the AS_path only relies on human decision, which
inevitably increases the risk of violating valley-free principle.
There is the same problem in BGP flowspec, which only considers the
verification of the source of the flow specification.
The potential solution is to add a redirection path perception
capability to BGP, and verify the validity of the redirection path
before actually configuring the redirection. If the redirection
could lead to the above risks, alert the configurator explicitly.
Solution 2: Considerate routing
Traffic redirection may generate unexpected inter-domain traffic
models, causing some SLAs (service level agreement) to be
unguaranteed.
A potential solution is to extend BGP to allow redirection rules and
the redirection AS_PATH to be advertised to other peers for routing
decision.
Solution 3: Network visualization
Inter-domain redirection also hinders network visualization, making
it impossible to determine the forwarding path of packets solely
based on routing protocols.
A potential solution is to extend the BMP protocol to allow
redirection rules and redirected forwarding paths to be sent to the
BMP server, improving administrators' ability to visualize and plan
their own traffic.
4. IANA Considerations
This document makes no request of IANA.
5. Security Considerations
TBD
6. Acknowledgements
The authors would like to thank Hao Li.
7. Normative References
Cheng, et al. Expires 9 January 2024 [Page 6]
�
Internet-Draft Inter-domain Traffic Redirection risks July 2023
[RFC1102] Clark, D., "Policy routing in Internet protocols",
RFC 1102, DOI 10.17487/RFC1102, May 1989,
<https://www.rfc-editor.org/info/rfc1102>.
[RFC1104] Braun, H., "Models of policy based routing", RFC 1104,
DOI 10.17487/RFC1104, June 1989,
<https://www.rfc-editor.org/info/rfc1104>.
[RFC7908] Sriram, K., Montgomery, D., McPherson, D., Osterweil, E.,
and B. Dickson, "Problem Definition and Classification of
BGP Route Leaks", RFC 7908, DOI 10.17487/RFC7908, June
2016, <https://www.rfc-editor.org/info/rfc7908>.
[RFC8955] Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M.
Bacher, "Dissemination of Flow Specification Rules",
RFC 8955, DOI 10.17487/RFC8955, December 2020,
<https://www.rfc-editor.org/info/rfc8955>.
[RFC9117] Uttaro, J., Alcaide, J., Filsfils, C., Smith, D., and P.
Mohapatra, "Revised Validation Procedure for BGP Flow
Specifications", RFC 9117, DOI 10.17487/RFC9117, August
2021, <https://www.rfc-editor.org/info/rfc9117>.
Authors' Addresses
Weiqiang Cheng (editor)
China Mobile
China
Email: chengweiqiang@chinamobile.com
Dan Li
Tsinghua University
China
Email: tolidan@tsinghua.edu.cn
Ce Zheng
China Mobile
China
Email: zhengce@chinamobile.com
Mingqing Huang
Huawei
China
Email: huangmingqing@huawei.com
Cheng, et al. Expires 9 January 2024 [Page 7]
�
Internet-Draft Inter-domain Traffic Redirection risks July 2023
Fang Gao
Zhongguancun Laboratory
China
Email: gaofang@zgclab.edu.cn
Mingxing Liu
Huawei
China
Email: liumingxing7@huawei.com
Cheng, et al. Expires 9 January 2024 [Page 8]
