| draft-liu-sidrops-community-authentication-00.txt | draft-liu-sidrops-community-authentication-01.txt | |||
|---|---|---|---|---|
| sidrops Y. Liu | sidrops Y. Liu | |||
| Internet-Draft J. Wang | Internet-Draft J. Wang | |||
| Intended status: Standards Track Y. Wang | Intended status: Standards Track Y. Wang | |||
| Expires: 30 March 2024 M. Xu | Expires: 26 September 2024 M. Xu | |||
| Tsinghua University | Tsinghua University | |||
| 27 September 2023 | 25 March 2024 | |||
| BGP Community-based Attacks and Community Origin Authentication | BGP Community-based Attacks and Community Origin Authentication | |||
| draft-liu-sidrops-community-authentication-00 | draft-liu-sidrops-community-authentication-01 | |||
| Abstract | Abstract | |||
| BGP community usage has continued to increase during the past decade. | BGP community usage has continued to increase during the past decade. | |||
| Unfortunately, while BGP community is a seemingly innocuous feature, | Unfortunately, while BGP community is a seemingly innocuous feature, | |||
| it can be used to influence routing in unintended ways. Existing | it can be used to influence routing in unintended ways. Existing | |||
| defense mechanisms are insufficient to defend community-based | defense mechanisms are insufficient to prevent community-based | |||
| attacks. This document describes some of the scenarios that may be | attacks. This document describes some of the scenarios that may be | |||
| used to launch these attacks and make recommendations on practices | used to launch these attacks and make recommendations on practices | |||
| that may defend them. In particular, this document proposes | that may defend them. In particular, this document proposes | |||
| SecCommunity, an extension to the Border Gateway Protocol (BGP) that | SecCommunity, an extension to the Border Gateway Protocol (BGP) that | |||
| can authenticate the ASes who added action community values on the | can authenticate the ASes who added action community values on the | |||
| announcements. | announcements. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 30 March 2024. | This Internet-Draft will expire on 26 September 2024. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2023 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| RFC Community Origin Authentication September 2023 | ||||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
| extracted from this document must include Revised BSD License text as | extracted from this document must include Revised BSD License text as | |||
| described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Revised BSD License. | provided without warranty as described in the Revised BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Suggested Reading . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Suggested Reading . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Community-based Attack Cases . . . . . . . . . . . . . . . . 4 | 3. Community-based Attack Cases . . . . . . . . . . . . . . . . 4 | |||
| 3.1. Remotely Triggered Blackholing . . . . . . . . . . . . . 5 | 3.1. Remotely Triggered Blackholing . . . . . . . . . . . . . 6 | |||
| 3.2. Tuning Local Prference . . . . . . . . . . . . . . . . . 9 | 3.2. Tuning Local Prference . . . . . . . . . . . . . . . . . 9 | |||
| 4. Community-based Attacks in the Wild . . . . . . . . . . . . . 12 | 4. Community-based Attacks in the Wild . . . . . . . . . . . . . 13 | |||
| 5. BGP Community Origin Authentication . . . . . . . . . . . . . 13 | 5. BGP Community Origin Authentication . . . . . . . . . . . . . 13 | |||
| 5.1. SecCommunity Attribute . . . . . . . . . . . . . . . . . 15 | 5.1. SecCommunity Attribute . . . . . . . . . . . . . . . . . 14 | |||
| 5.2. Adding action community values to the SecCommunity | 5.2. Adding action community values to the SecCommunity | |||
| Attribute . . . . . . . . . . . . . . . . . . . . . . . . 16 | Attribute . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 5.3. Validating a Received SecCommunity UPDATE Message . . . . 17 | 5.3. Validating a Received SecCommunity UPDATE Message . . . . 17 | |||
| 5.4. Removing action community values from the SecCommunity | 5.4. Removing action community values from the SecCommunity | |||
| Attribute . . . . . . . . . . . . . . . . . . . . . . . . 19 | Attribute . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 6. Operational Considerations . . . . . . . . . . . . . . . . . 19 | 6. Operational Considerations . . . . . . . . . . . . . . . . . 19 | |||
| 6.1. Private AS Numbers . . . . . . . . . . . . . . . . . . . 19 | 6.1. Private AS Numbers . . . . . . . . . . . . . . . . . . . 19 | |||
| 6.2. Deployment Considerations . . . . . . . . . . . . . . . . 20 | 6.2. Deployment Considerations . . . . . . . . . . . . . . . . 20 | |||
| 6.3. Incremental Deployment Considerations . . . . . . . . . . 20 | 6.3. Incremental Deployment Considerations . . . . . . . . . . 20 | |||
| 6.4. Considerations for Four-octet Community Values . . . . . 20 | 6.4. Considerations for Four-octet Community Values . . . . . 20 | |||
| skipping to change at page 3, line 5 ¶ | skipping to change at page 3, line 5 ¶ | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 1. Introduction | 1. Introduction | |||
| BGP community is a group of destinations which share some common | BGP community is a group of destinations which share some common | |||
| property [RFC1997]. It is an optional transitive BGP attribute used | property [RFC1997]. It is an optional transitive BGP attribute used | |||
| to tag meta-data in route announcements. It provides the ability to | to tag meta-data in route announcements. It provides the ability to | |||
| signal opaque information within separate namespaces to aid in | signal opaque information within separate namespaces to aid in | |||
| routing management [RFC8092]. | routing management [RFC8092]. | |||
| RFC Community Origin Authentication September 2023 | ||||
| Roughly speaking, BGP community is used by Autonomous Systems (ASes) | Roughly speaking, BGP community is used by Autonomous Systems (ASes) | |||
| mainly for two kinds of purposes [RFC8195], i.e., labeling the routes | mainly for two kinds of purposes [RFC8195], i.e., labeling the routes | |||
| that have particular attributes (named as informational community) or | that have particular attributes (named as informational community) or | |||
| notifying upstream ASes to conduct some actions (named as action | notifying upstream ASes to conduct some actions (named as action | |||
| community) [DB08]. Informational community values are used by an AS | community) [DB08]. Informational community values are used by an AS | |||
| to label the routes that have particular attributes, including | to label the routes that have particular attributes, including | |||
| business relationship, the geographical locations of original | business relationship, the geographical locations of original | |||
| prefixes and inter-AS interconnections, or simply the ASN of next-hop | prefixes and inter-AS interconnections, or simply the ASN of next-hop | |||
| AS. Action community values are used by an AS to notify other ASes | AS. Action community values are used by an AS to notify other ASes | |||
| to conduct specific actions for it, such as tuning local preference, | to conduct specific actions for it, such as tuning local preference, | |||
| selective announcement, AS path prepending, and remotely triggered | selective announcement, AS path prepending, and remotely triggered | |||
| blackholing [RFC7999]. | blackholing. | |||
| Because action communities can be used to notify upstream ASes to | Because action communities can be used to notify upstream ASes to | |||
| conduct some actions, their values must be negotiated between the AS | conduct some actions, their values must be negotiated between the AS | |||
| who tags these community values and the AS who takes actions. A | who tags these community values and the AS who takes actions. A | |||
| simple way is that one AS (usually the larger one) defines the | simple way is that one AS (usually the larger one) defines the | |||
| actions associated with specific community values and the other AS | actions associated with specific community values and the other AS | |||
| just tags values according to the definitions to notify that AS. | just tags values according to the definitions to notify that AS. | |||
| Currently, BGP communities provide one of the most convenient way for | Currently, BGP communities provide one of the most convenient way for | |||
| signaling information between ASes and are an essential component for | signaling information between ASes and are an essential component for | |||
| skipping to change at page 4, line 4 ¶ | skipping to change at page 4, line 4 ¶ | |||
| of their community values transparent to anyone else. It increases | of their community values transparent to anyone else. It increases | |||
| the risk of being attacked by ASes who do not negotiate with the | the risk of being attacked by ASes who do not negotiate with the | |||
| community value definers through community-based attacks. | community value definers through community-based attacks. | |||
| The necessity of restricting the usage of BGP community has been | The necessity of restricting the usage of BGP community has been | |||
| noticed in [RFC5635] and [RFC7999], which point out that "BGP | noticed in [RFC5635] and [RFC7999], which point out that "BGP | |||
| announcements carrying the BLACKHOLE community should only be | announcements carrying the BLACKHOLE community should only be | |||
| accepted and honored if the neighboring network is authorized to | accepted and honored if the neighboring network is authorized to | |||
| advertise the prefix". However, they only focus on one type of BGP | advertise the prefix". However, they only focus on one type of BGP | |||
| community, i.e., blackholing, and do not explicitly specify how to | community, i.e., blackholing, and do not explicitly specify how to | |||
| RFC Community Origin Authentication September 2023 | ||||
| implement the rules. Furthermore, measurements in [GV17] showed that | implement the rules. Furthermore, measurements in [GV17] showed that | |||
| almost 30% of the blackholing community values traveled more than one | almost 30% of the blackholing community values traveled more than one | |||
| hop, which indicates that the receiver of an announcement cannot know | hop, which indicates that the receiver of an announcement cannot know | |||
| who tags the community value on the announcement and then it is | who tags the community value on the announcement and then it is | |||
| incapable of judging whether the tagger is authorized to advertise | incapable of judging whether the tagger is authorized to ask for | |||
| the prefix. The measurment result suggests that community-based | blackholing the prefix. The measurment result suggests that | |||
| attacks can be launched several hops away from the AS who defines the | community-based attacks can be launched several hops away from the AS | |||
| action community values. We highlight some cases of community-based | who defines the action community values. We highlight some cases of | |||
| attacks in Section 3. | community-based attacks in Section 3. | |||
| As BGP community-based attacks do not modify AS_PATH attribute, | As BGP community-based attacks do not modify AS_PATH attribute, | |||
| existing hijacking defense methods including Resource Public Key | existing hijacking defense methods including Resource Public Key | |||
| Infrastructure (RPKI) [RFC6480] and BGPsec [RFC8205] are insufficient | Infrastructure (RPKI) [RFC6480] and BGPsec [RFC8205] are insufficient | |||
| to prevent community-based attacks. For this reason, this document | to prevent community-based attacks. For this reason, this document | |||
| suggests to take the origin authentication of BGP community into | suggests to take the origin authentication of BGP community into | |||
| consideration. We propose a BGP extension to authenticate the ASes | consideration. We propose a BGP extension to authenticate the ASes | |||
| who adds a community value on the announcement. See Section 5 for | who adds a community value on the announcement. See Section 5 for | |||
| more details. | more details. | |||
| skipping to change at page 5, line 5 ¶ | skipping to change at page 5, line 5 ¶ | |||
| [RFC7999], RPKI [RFC6480], and BGPsec [RFC8205]. | [RFC7999], RPKI [RFC6480], and BGPsec [RFC8205]. | |||
| 3. Community-based Attack Cases | 3. Community-based Attack Cases | |||
| We introduced the risk that BGP action community can be used to | We introduced the risk that BGP action community can be used to | |||
| attack routing in unintended ways though it seems harmless in | attack routing in unintended ways though it seems harmless in | |||
| Section 1. In this section, we will highlight different cases where | Section 1. In this section, we will highlight different cases where | |||
| transitive community propagation can be used to launch community- | transitive community propagation can be used to launch community- | |||
| based attacks. | based attacks. | |||
| RFC Community Origin Authentication September 2023 | ||||
| As defined in [RFC8195], "action community values are added as labels | As defined in [RFC8195], "action community values are added as labels | |||
| to request that a route be treated in a particular way within an AS. | to request that a route be treated in a particular way within an AS. | |||
| The operator of the AS defines a routing policy that adjusts path | The operator of the AS defines a routing policy that adjusts path | |||
| attributes based on the community. For example, the route's | attributes based on the community. For example, the route's | |||
| propagation characteristics, the LOCAL_PREF (local preference), the | propagation characteristics, the LOCAL_PREF (local preference), the | |||
| next hop, or the number of AS_PATH prepends to be added when it is | next hop, or the number of AS_PATH prepends to be added when it is | |||
| received or propagated can be changed." From it, we can see there | received or propagated can be changed." From it, we can see there | |||
| are four kinds of action communities which are generally used. | are four kinds of action communities which are generally used. | |||
| (1) Remotely Triggered Blackholing (RTBH) [RFC7999]. See | (1) Remotely Triggered Blackholing (RTBH) [RFC7999]. See | |||
| skipping to change at page 5, line 31 ¶ | skipping to change at page 5, line 29 ¶ | |||
| (3) Selective NO_EXPORT [RFC8195]. As part of an agreement between | (3) Selective NO_EXPORT [RFC8195]. As part of an agreement between | |||
| AS1 and AS2, AS1 might request AS2 to selectively filter routes | AS1 and AS2, AS1 might request AS2 to selectively filter routes | |||
| learned from AS1 to certain eBGP neighbors. | learned from AS1 to certain eBGP neighbors. | |||
| (4) Selective AS_PATH prepending [RFC8195]. As part of an agreement | (4) Selective AS_PATH prepending [RFC8195]. As part of an agreement | |||
| between AS1 and AS2, AS1 might request AS2 to selectively | between AS1 and AS2, AS1 might request AS2 to selectively | |||
| prepend the AS_PATH with AS2 on routes learned from AS1 to | prepend the AS_PATH with AS2 on routes learned from AS1 to | |||
| certain eBGP neighbors. | certain eBGP neighbors. | |||
| Not all kinds of action communities can be used to attack routing | These four kinds of action communities can be classified into two | |||
| behaviors. If an action community value can change the priority of | categories according to their impact on the community value definer. | |||
| the routes that it is tagged on, it can be used to launch community- | The first category of action community values can directly change the | |||
| based attacks. In other words, it can influence best route selection | priority of the community value definer on the routes that they are | |||
| process and force the community value definer to choose a backup path | tagged on, including RTBH community values and TLP community values. | |||
| that is harmful to itself. Two kinds of action community values | In other words, this category of community values can influence the | |||
| satisfy this requirement, i.e., RTBH community values and TLP | best route selection process and force the community value definer to | |||
| community values. | choose a backup path that is harmful to itself. Attacks launched | |||
| using this category of action community values can directly attack | ||||
| the community value definer and take effect without a deep | ||||
| understanding of its topology and routing policies. The second | ||||
| category of action community values can only enable the community | ||||
| value definer to modify the AS path length or propagation range of | ||||
| the routes that they are tagged on, including selective NO_EXPORT | ||||
| community values and selective AS_PATH prepending community values. | ||||
| In other words, this category of community values can influence the | ||||
| best route selection process of the community value definer's | ||||
| upstream ASes. Attacks launched using this category of community | ||||
| values may affect many upstream ASes of the community value definer | ||||
| and require familiarity with topology and routing policies of the | ||||
| community value definer and its upstream ASes to take effect. These | ||||
| attacks are more demanding on the attackers and environment than | ||||
| attacks launched using the first category of action community values, | ||||
| so they are more difficult to occur in reality. Therefore, we mainly | ||||
| introduce the community-based attacks launched by using RTBH | ||||
| community values and TLP community values in the following | ||||
| paragraphs. | ||||
| 3.1. Remotely Triggered Blackholing | 3.1. Remotely Triggered Blackholing | |||
| Distributed Denial of Service attacks can heavily degrade network | Distributed Denial of Service attacks can heavily degrade network | |||
| performance and even make the services unavailable [AM17]. One | performance and even make the services unavailable [AM17]. One | |||
| mitigation option is blackholing, i.e., dropping all traffic going to | mitigation option is blackholing, i.e., dropping all traffic going to | |||
| a destination under attack, which makes the victim prefix become | a destination under attack, which makes the victim prefix become | |||
| intentionally unreachable. Many networks enable blackholing by | intentionally unreachable. Many networks enable blackholing by | |||
| leveraging BGP community attribute as a signaling mechanism | leveraging BGP community attribute as a signaling mechanism | |||
| [RFC7999]. The AS who provides remotely triggered blackholing | [RFC7999]. The AS who provides remotely triggered blackholing | |||
| service defines an action community value. Other ASes trigger | service defines an action community value. Other ASes trigger | |||
| blackholing requests by sending BGP announcements to the RTBH service | blackholing requests by sending BGP announcements to the RTBH service | |||
| provider for specific destination prefixes with the chosen | provider for specific destination prefixes with the chosen | |||
| blackholing value. | blackholing value. | |||
| RFC Community Origin Authentication September 2023 | ||||
| In order to prevent community-based attacks using blackholing | In order to prevent community-based attacks using blackholing | |||
| community values, the usage scope is strictly limited in previous | community values, the usage scope is strictly limited in previous | |||
| RFCs. As defined in RFC 5635 [RFC5635] and RFC 7999 [RFC7999], an | RFCs. As defined in RFC 5635 [RFC5635] and RFC 7999 [RFC7999], an | |||
| operator configured with RTBH filtering MUST only accept | operator configured with RTBH filtering MUST only accept | |||
| announcements from the neighboring network for prefixes that it is | announcements from the neighboring network for prefixes that it is | |||
| authorized to advertise. Moreover, a BGP speaker receiving an | authorized to advertise. Moreover, a BGP speaker receiving an | |||
| announcement tagged with the blackholing community values SHOULD add | announcement tagged with the blackholing community values SHOULD add | |||
| the NO_ADVERTISE or NO_EXPORT community values [RFC1997], or a | the NO_ADVERTISE or NO_EXPORT community values [RFC1997], or a | |||
| similar community value, to prevent propagation of the prefix outside | similar community value, to prevent propagation of the prefix outside | |||
| the local AS [RFC7999]. If all the ASes obey the rules defined in | the local AS [RFC7999]. If all the ASes obey the rules defined in | |||
| skipping to change at page 7, line 5 ¶ | skipping to change at page 7, line 17 ¶ | |||
| service. AS3 receives two paths to AS1 for p. The first path is via | service. AS3 receives two paths to AS1 for p. The first path is via | |||
| path "AS2, AS1" and the second is via path "AS4, AS5, AS1". Let us | path "AS2, AS1" and the second is via path "AS4, AS5, AS1". Let us | |||
| assume AS3 prefers the first path since it is the shorter one. In | assume AS3 prefers the first path since it is the shorter one. In | |||
| this example, if AS2 adds the blackholing community value defined by | this example, if AS2 adds the blackholing community value defined by | |||
| AS3 (i.e., AS3:666 ) [RFC7999] to its announcement for p to AS3, | AS3 (i.e., AS3:666 ) [RFC7999] to its announcement for p to AS3, | |||
| traffic to p would be dropped at AS3. Compared with that AS2 (the | traffic to p would be dropped at AS3. Compared with that AS2 (the | |||
| attacker) directly drops the traffic to p at its own network by | attacker) directly drops the traffic to p at its own network by | |||
| itself, RTBH-based attacks can prevent AS3 from selecting the backup | itself, RTBH-based attacks can prevent AS3 from selecting the backup | |||
| path "AS4, AS5, AS1" to reach AS1. | path "AS4, AS5, AS1" to reach AS1. | |||
| RFC Community Origin Authentication September 2023 | ||||
| +-------+ | +-------+ | |||
| +---| AS3 |--+ | +---| AS3 |--+ | |||
| | +-------+ | | | +-------+ | | |||
| AS3:666 | | | AS3:666 | | | |||
| | | | | | | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| +--| AS2 | | AS4 | | +--| AS2 | | AS4 | | |||
| | +-------+ +-------+ | | +-------+ +-------+ | |||
| | | | | | | |||
| | | | | | | |||
| skipping to change at page 8, line 4 ¶ | skipping to change at page 8, line 17 ¶ | |||
| customer of AS4, tags the blackholing community values of AS4 on the | customer of AS4, tags the blackholing community values of AS4 on the | |||
| announcement to AS4 for p, AS4 will prefer path (2) rather than path | announcement to AS4 for p, AS4 will prefer path (2) rather than path | |||
| (1). This case is already discussed in [SF18]. The reason is that | (1). This case is already discussed in [SF18]. The reason is that | |||
| routers often treat community values before best path selection, | routers often treat community values before best path selection, | |||
| which is shown in the Cisco router configuration sample in [RFC5635]. | which is shown in the Cisco router configuration sample in [RFC5635]. | |||
| The router might set the local preference of an announcement to a | The router might set the local preference of an announcement to a | |||
| value above the value for general customer routes if the announcement | value above the value for general customer routes if the announcement | |||
| is tagged with blackholing community values. Then in the best route | is tagged with blackholing community values. Then in the best route | |||
| selection phase, the router will select this announcement as the best | selection phase, the router will select this announcement as the best | |||
| route and set the next-hop of the announcement to a discard | route and set the next-hop of the announcement to a discard | |||
| RFC Community Origin Authentication September 2023 | ||||
| interface. Therefore, ASes on a backup path can tag blackholing | interface. Therefore, ASes on a backup path can tag blackholing | |||
| community values on the announcement to make the RTBH service | community values on the announcement to make the RTBH service | |||
| provider select the backup path as the best and then drop all the | provider select the backup path as the best and then drop all the | |||
| traffic to the blackholed prefix. | traffic to the blackholed prefix. | |||
| It should be emphasized that the attacker on the backup path can be | It should be emphasized that the attacker on the backup path can be | |||
| out of the customer cone of the RTBH service provider, e.g. AS6. In | out of the customer cone of the RTBH service provider, e.g. AS6. In | |||
| the example in Figure 2, if AS6, the attacker, tags the blackholing | the example in Figure 2, if AS6, the attacker, tags the blackholing | |||
| community values of AS4 on the announcement to AS5 for p. Similar as | community values of AS4 on the announcement to AS5 for p. Similar as | |||
| the previous example, AS4 might increase the local preference of path | the previous example, AS4 might increase the local preference of path | |||
| skipping to change at page 9, line 4 ¶ | skipping to change at page 9, line 38 ¶ | |||
| +-------+ customer | +-------+ customer | |||
| Figure 2: Attacker on the backup path blackholes the traffic at | Figure 2: Attacker on the backup path blackholes the traffic at | |||
| RTBH service provider through RTBH-based attacks | RTBH service provider through RTBH-based attacks | |||
| In summary, attackers can blackhole the traffic from the RTBH service | In summary, attackers can blackhole the traffic from the RTBH service | |||
| provider to the destination by launching RTBH-based attacks, whether | provider to the destination by launching RTBH-based attacks, whether | |||
| they are on the best path or backup paths. For the attackers on the | they are on the best path or backup paths. For the attackers on the | |||
| best path, they can achieve the same result by simply dropping the | best path, they can achieve the same result by simply dropping the | |||
| traffic to the destination at their own networks, but the usage of | traffic to the destination at their own networks, but the usage of | |||
| RFC Community Origin Authentication September 2023 | ||||
| RTBH community values can help the attackers prevent the RTBH | RTBH community values can help the attackers prevent the RTBH | |||
| provider from selecting any backup path. But for the attackers on | provider from selecting any backup path. But for the attackers on | |||
| backup paths, it is impossible for them to block the traffic from the | backup paths, it is impossible for them to block the traffic from the | |||
| RTBH service provider to the destination without launching RTBH-based | RTBH service provider to the destination without launching RTBH-based | |||
| attacks. RTBH-based attacks make them capable of unauthorized | attacks. RTBH-based attacks make them capable of unauthorized | |||
| blackholing the traffic to the prefixes at the RTBH service provider. | blackholing the traffic to the prefixes at the RTBH service provider. | |||
| 3.2. Tuning Local Prference | 3.2. Tuning Local Prference | |||
| According to [RFC8195], as part of an agreement between two peering | According to [RFC8195], as part of an agreement between two peering | |||
| skipping to change at page 10, line 5 ¶ | skipping to change at page 10, line 38 ¶ | |||
| | Backup customer route | ASX:9:0 | | | Backup customer route | ASX:9:0 | | |||
| | Peering route | ASX:10:0 | | | Peering route | ASX:10:0 | | |||
| | Upstream transit route | ASX:11:0 | | | Upstream transit route | ASX:11:0 | | |||
| | Fallback route, to be installed | ASX:12:0 | | | Fallback route, to be installed | ASX:12:0 | | |||
| | if no other path is available | | | | if no other path is available | | | |||
| +-------------------------------------------------------------+ | +-------------------------------------------------------------+ | |||
| Figure 3: Preference Classes and Example Community Values in TLP | Figure 3: Preference Classes and Example Community Values in TLP | |||
| Service | Service | |||
| RFC Community Origin Authentication September 2023 | ||||
| As LOCAL_PREF attribute strongly affects the best route selection | As LOCAL_PREF attribute strongly affects the best route selection | |||
| process, TLP community values must be negotiated between the TLP | process, TLP community values must be negotiated between the TLP | |||
| service provider and the community value tagger. But if the AS who | service provider and the community value tagger. But if the AS who | |||
| offers the TLP service does not inspect whether the community value | offers the TLP service does not inspect whether the community value | |||
| tagger is allowed to tag this value, it might be used to launch TLP- | tagger is allowed to tag this value, it might be used to launch TLP- | |||
| based attacks. | based attacks. | |||
| An attackers on the backup path may use TLP community values that set | An attackers on the backup path may use TLP community values that set | |||
| the local preference to the class "normal customer route" or "backup | the local preference to the class "normal customer route" or "backup | |||
| customer route" to launch TLP-based attacks. An example is shown in | customer route" to launch TLP-based attacks. An example is shown in | |||
| skipping to change at page 11, line 5 ¶ | skipping to change at page 11, line 23 ¶ | |||
| Only prefixes whose best path are learned from peers or providers can | Only prefixes whose best path are learned from peers or providers can | |||
| be attacked by using the TLP community values that set local | be attacked by using the TLP community values that set local | |||
| preference to class "normal customer route" or "backup customer | preference to class "normal customer route" or "backup customer | |||
| route". But these two kinds of TLP community values are supported by | route". But these two kinds of TLP community values are supported by | |||
| many networks that provides TLP service and all ASes on backup paths | many networks that provides TLP service and all ASes on backup paths | |||
| for these prefixes are capable to launch TLP-based attacks using | for these prefixes are capable to launch TLP-based attacks using | |||
| them. It means that such attacks can be launched from a wide range | them. It means that such attacks can be launched from a wide range | |||
| of ASes on the backup path. | of ASes on the backup path. | |||
| RFC Community Origin Authentication September 2023 | ||||
| +-------+ provider | +-------+ provider | |||
| | AS4 |----------+ | | AS4 |----------+ | |||
| +-------+ | | +-------+ | | |||
| AS3:9:0 | provider | | AS3:9:0 | provider | | |||
| | | | | | | |||
| | customer | customer | | customer | customer | |||
| +-------+ +-------+ +------+ | +-------+ +-------+ +------+ | |||
| | AS2 |-------| AS3 | | AS5 | | | AS2 |-------| AS3 | | AS5 | | |||
| +-------+ peer +-------+ +------+ | +-------+ peer +-------+ +------+ | |||
| | provider | provider | | provider | provider | |||
| skipping to change at page 12, line 5 ¶ | skipping to change at page 12, line 17 ¶ | |||
| instead of the path directly received from AS1, making a financial | instead of the path directly received from AS1, making a financial | |||
| loss for AS2. Compared with the attacks in Figure 4, although few | loss for AS2. Compared with the attacks in Figure 4, although few | |||
| Internet service providers support the TLP community values of "above | Internet service providers support the TLP community values of "above | |||
| customer route", this kind of attacks can cause a bigger financial | customer route", this kind of attacks can cause a bigger financial | |||
| loss and have a wider range of victims. Even prefixes whose best | loss and have a wider range of victims. Even prefixes whose best | |||
| path are learned from customers can be attacked rather than only | path are learned from customers can be attacked rather than only | |||
| prefixes whose best path are learned from peers or providers. All | prefixes whose best path are learned from peers or providers. All | |||
| ASes on backup paths for these prefixes are capable to launch this | ASes on backup paths for these prefixes are capable to launch this | |||
| kind of TLP-based attacks. | kind of TLP-based attacks. | |||
| RFC Community Origin Authentication September 2023 | ||||
| AS2:7:0 +-------+ | AS2:7:0 +-------+ | |||
| +-----------| AS4 | | +-----------| AS4 | | |||
| | provider +-------+ | | provider +-------+ | |||
| | | provider | | | provider | |||
| | | | | | | |||
| | customer | customer | | customer | customer | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| | AS2 | | AS3 | | | AS2 | | AS3 | | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| | provider | provider | | provider | provider | |||
| skipping to change at page 13, line 4 ¶ | skipping to change at page 13, line 22 ¶ | |||
| One reported community-based attack in the Internet is as follows. | One reported community-based attack in the Internet is as follows. | |||
| Oracle reported a BGP hijack towards authoritative DNS servers of US | Oracle reported a BGP hijack towards authoritative DNS servers of US | |||
| payment processing companies in July 2018 that misdirected users to | payment processing companies in July 2018 that misdirected users to | |||
| malicious websites through directing the DNS requests of the users to | malicious websites through directing the DNS requests of the users to | |||
| a forged DNS server [oracle]. At the beginning of this BGP hijack, | a forged DNS server [oracle]. At the beginning of this BGP hijack, | |||
| the hijack prefixes were only propagated to three peers. But later, | the hijack prefixes were only propagated to three peers. But later, | |||
| the attacker changed a community value of the hijack announcements, | the attacker changed a community value of the hijack announcements, | |||
| then the hijack announcements were propagated to 48 peers. It can be | then the hijack announcements were propagated to 48 peers. It can be | |||
| seen that community values have been used in attacks to increase the | seen that community values have been used in attacks to increase the | |||
| scope of route propagation. [SF18] conducted an experiment to | scope of route propagation. [SF18] conducted an experiment to | |||
| RFC Community Origin Authentication September 2023 | ||||
| explore the potential of the 307 verified RTBH community values | explore the potential of the 307 verified RTBH community values | |||
| identified in [GV17] to be used to launch attacks. The researchers | identified in [GV17] to be used to launch attacks. The researchers | |||
| advertised prefix p twice, the first time without community values | advertised prefix p twice, the first time without community values | |||
| and the second time with one of the 307 RTBH community values. They | and the second time with one of the 307 RTBH community values. They | |||
| issued probes from 200 vantage points to p to detect whether the | issued probes from 200 vantage points to p to detect whether the | |||
| traffic to p was blackholed. The result showed that 25 distinct | traffic to p was blackholed. The result showed that 25 distinct | |||
| community values among the 307 RTBH community values sucessfully | community values among the 307 RTBH community values sucessfully | |||
| blackholed the traffic from at least one vantage point to p, i.e., at | blackholed the traffic from at least one vantage point to p, i.e., at | |||
| least one vantage point is responsive after the first advertisement | least one vantage point is responsive after the first advertisement | |||
| and then becomes unresponsive after the second advertisement. | and then becomes unresponsive after the second advertisement. | |||
| skipping to change at page 14, line 5 ¶ | skipping to change at page 13, line 48 ¶ | |||
| Community-based attacks may cause serious consequences for the | Community-based attacks may cause serious consequences for the | |||
| networks that define community values. However, BGP contains no | networks that define community values. However, BGP contains no | |||
| specific mechanism to prevent community-based attacks. As a result, | specific mechanism to prevent community-based attacks. As a result, | |||
| there is a strong need for a mechanism to solve the problem. BGP | there is a strong need for a mechanism to solve the problem. BGP | |||
| community values are essentially a convention between two ASes. | community values are essentially a convention between two ASes. | |||
| Therefore, community-based attacks can be mitigated by the signature | Therefore, community-based attacks can be mitigated by the signature | |||
| of the community value tagger and the validation of the community | of the community value tagger and the validation of the community | |||
| recipient. | recipient. | |||
| RFC Community Origin Authentication September 2023 | ||||
| This document describes SecCommunity, an extension to BGP that | This document describes SecCommunity, an extension to BGP that | |||
| provides the ability to authenticate the AS who adds a community | provides the ability to authenticate the AS who adds a community | |||
| value on an announcement. As informational community values are only | value on an announcement. As informational community values are only | |||
| used to label the routes that have particular attributes, they cannot | used to label the routes that have particular attributes, they cannot | |||
| be used to change the routing behaviors of other ASes directly, so | be used to change the routing behaviors of other ASes directly, so | |||
| there is little use for the community value recipient to verify the | there is little use for the community value recipient to verify the | |||
| identity of the informational community value tagger. Therefore, | identity of the informational community value tagger. Therefore, | |||
| SecCommunity is only used for action community values that may be | SecCommunity is only used for action community values that may be | |||
| leveraged to launch attacks through notifying other ASes to conduct | leveraged to launch attacks through notifying other ASes to conduct | |||
| specific actions. Before adopting SecCommunity, the community value | specific actions. Before adopting SecCommunity, the community value | |||
| skipping to change at page 14, line 31 ¶ | skipping to change at page 14, line 23 ¶ | |||
| who adds an action community value needs to make sure its identity is | who adds an action community value needs to make sure its identity is | |||
| authentic and knowable to the recipient by generating a digital | authentic and knowable to the recipient by generating a digital | |||
| signature. The recipient of the action community value (i.e., the AS | signature. The recipient of the action community value (i.e., the AS | |||
| who needs to take actions according to this community value) should | who needs to take actions according to this community value) should | |||
| verify the digital signature to know the identity of the community | verify the digital signature to know the identity of the community | |||
| tagger and then check whether the community tagger is allowed to add | tagger and then check whether the community tagger is allowed to add | |||
| this community value by consulting its pre-configured CACL. The | this community value by consulting its pre-configured CACL. The | |||
| recipient will conduct the specific actions only if the community | recipient will conduct the specific actions only if the community | |||
| tagger is allowed to add this community value in the CACL. | tagger is allowed to add this community value in the CACL. | |||
| SecCommunity is implemented through an optional transitive BGP path | SecCommunity extension is implemented through an optional transitive | |||
| attribute SecCommunity. This document specifies the format of | BGP path attribute SecCommunity. This document specifies the format | |||
| SecCommunity attribute. It also describes how a SecCommunity- | of SecCommunity attribute. It also describes how a SecCommunity- | |||
| compliant BGP speaker (referred to hereafter as a SecCommunity | compliant BGP speaker (referred to hereafter as a SecCommunity | |||
| speaker) generates, propagates, and validates BGP UPDATE messages | speaker) generates, propagates, and validates BGP UPDATE messages | |||
| containing this attribute (referred to hereafter as SecCommunity | containing this attribute (referred to hereafter as SecCommunity | |||
| UPDATE message) to achieve BGP community origin authentication. | UPDATE message) to achieve BGP community origin authentication. | |||
| SecCommunity relies on the BGPsec router certificates [RFC8209] to | SecCommunity relies on the BGPsec router certificates [RFC8209] to | |||
| generate and validate the digital signatures. Each BGPsec router | generate and validate the digital signatures. Each BGPsec router | |||
| certificate is issued to routers under a Resource Public Key | certificate is issued to routers under a Resource Public Key | |||
| Infrastructure (RPKI) certificate. A BGPsec route certificate | Infrastructure (RPKI) certificate. A BGPsec route certificate | |||
| contains a private key, a public key, AS Resources field and Subject | contains a private key, a public key, AS Resources field and Subject | |||
| Key Identifier (SKI) field. The AS Resources field includes at least | Key Identifier (SKI) field. The AS Resources field includes at least | |||
| one AS number that the router belongs to. The SKI field is used to | one AS number that the router belongs to. The SKI field is used to | |||
| identify the certificates that contain a particular pair of public | identify the certificates that contain a particular pair of public | |||
| key and private key [RFC6487]. Any SecCommunity speaker who wishes | key and private key [RFC6487]. Any SecCommunity speaker who wishes | |||
| to send SecCommunity UPDATE messages to eBGP peers needs to possess a | to send SecCommunity UPDATE messages to eBGP peers needs to possess a | |||
| private key associated with an BGPsec router certificate. Note, | private key associated with an BGPsec router certificate. Note, | |||
| however, that a SecCommunity speaker does not need such a certificate | however, that a SecCommunity speaker does not need such a certificate | |||
| in order to validate received SecCommunity UPDATE messages. | in order to validate received SecCommunity UPDATE messages. | |||
| RFC Community Origin Authentication September 2023 | ||||
| 5.1. SecCommunity Attribute | 5.1. SecCommunity Attribute | |||
| SecCommunity attribute is an optional transitive BGP path attribute. | SecCommunity attribute is an optional transitive BGP path attribute. | |||
| SecCommunity attribute carries the digital signatures used to | SecCommunity attribute carries the digital signatures used to | |||
| authenticate the ASes that added action community values to the BGP | authenticate the ASes that added action community values to the BGP | |||
| announcement. | announcement. | |||
| SecCommunity attribute is made up of several Secure_Community | SecCommunity attribute is made up of several Secure_Community | |||
| segments. Figure 6 provides the specification of the format for | segments. Figure 6 provides the specification of the format for | |||
| SecCommunity attribute. | SecCommunity attribute. | |||
| skipping to change at page 16, line 5 ¶ | skipping to change at page 15, line 46 ¶ | |||
| | Signature (variable) | | | Signature (variable) | | |||
| +----------------------------------------------------+ | +----------------------------------------------------+ | |||
| Figure 7: Secure_Community Segment Format | Figure 7: Secure_Community Segment Format | |||
| The AS Number field in Figure 7 is the AS number of the BGP speaker | The AS Number field in Figure 7 is the AS number of the BGP speaker | |||
| that added the action community value in the Action Community Value | that added the action community value in the Action Community Value | |||
| field. The AS Number field MUST be encoded as a 4-octet quantity to | field. The AS Number field MUST be encoded as a 4-octet quantity to | |||
| support 4-octet AS numbers defined in [RFC6793]. | support 4-octet AS numbers defined in [RFC6793]. | |||
| RFC Community Origin Authentication September 2023 | ||||
| The Action Community Value field in Figure 7 is the action community | The Action Community Value field in Figure 7 is the action community | |||
| value that needs origin authentication. It should support the | value that needs origin authentication. It should support the | |||
| community values in Communities attribute [RFC1997] and BGP Large | community values in Communities attribute [RFC1997] and BGP Large | |||
| Communities attribute [RFC8092]. The community attribute values are | Communities attribute [RFC8092]. The community attribute values are | |||
| 4 octets and the large community values are 12 octets. The Action | 4 octets and the large community values are 12 octets. The Action | |||
| Community Value field in Figure 7 SHOULD be encoded as a 12-octet | Community Value field in Figure 7 SHOULD be encoded as a 12-octet | |||
| quantity to support large community values. The considerations for | quantity to support large community values. The considerations for | |||
| 4-octet community values are detailed in Section 6.4. The Action | 4-octet community values are detailed in Section 6.4. The Action | |||
| Community Value field, like BGP large community, is made up of two | Community Value field, like BGP large community, is made up of two | |||
| parts. The first 4 octets contain the AS number who defines the | parts. The first 4 octets contain the AS number who defines the | |||
| skipping to change at page 17, line 5 ¶ | skipping to change at page 16, line 46 ¶ | |||
| 5.2. Adding action community values to the SecCommunity Attribute | 5.2. Adding action community values to the SecCommunity Attribute | |||
| In order to add a new action community value to a SecCommunity UPDATE | In order to add a new action community value to a SecCommunity UPDATE | |||
| message with a given algorithm suite, the SecCommunity speaker MUST | message with a given algorithm suite, the SecCommunity speaker MUST | |||
| possess a private key suitable for generating signatures to this | possess a private key suitable for generating signatures to this | |||
| algorithm suite. This private key must correspond to the public key | algorithm suite. This private key must correspond to the public key | |||
| in a valid BGPsec router certificate whose AS Resources field | in a valid BGPsec router certificate whose AS Resources field | |||
| [RFC8209] includes the SecCommunity speaker's AS number. | [RFC8209] includes the SecCommunity speaker's AS number. | |||
| RFC Community Origin Authentication September 2023 | ||||
| When a SecCommunity speaker wants to add a new action community | When a SecCommunity speaker wants to add a new action community | |||
| value, it needs to create a Secure_Community segment for this action | value, it needs to create a Secure_Community segment for this action | |||
| community value. The following steps are used to create a new | community value. The following steps are used to create a new | |||
| Secure_Community segment and update the SecCommunity attribute. | Secure_Community segment and update the SecCommunity attribute. | |||
| (1) Set the AS Number field. The AS Number field MUST match the AS | (1) Set the AS Number field. The AS Number field MUST match the AS | |||
| number of this SecCommunity speaker. | number of this SecCommunity speaker. | |||
| (2) Set the Action Community Value field. The Action Community | (2) Set the Action Community Value field. The Action Community | |||
| Value field SHOULD be the action community value that the | Value field SHOULD be the action community value that the | |||
| skipping to change at page 18, line 5 ¶ | skipping to change at page 18, line 5 ¶ | |||
| Upon receiving a SecCommunity UPDATE message from an external peer, a | Upon receiving a SecCommunity UPDATE message from an external peer, a | |||
| SecCommunity speaker SHOULD determine whether the action community | SecCommunity speaker SHOULD determine whether the action community | |||
| values need origin authentication validation. If the first 4 octets | values need origin authentication validation. If the first 4 octets | |||
| of the Action Community Value field in all Secure_Community segments | of the Action Community Value field in all Secure_Community segments | |||
| do not match the AS number of the SecCommunity speaker, there is no | do not match the AS number of the SecCommunity speaker, there is no | |||
| need to validate. Otherwise, a validation procedure is necessary | need to validate. Otherwise, a validation procedure is necessary | |||
| before conducting the actions associated with the action community | before conducting the actions associated with the action community | |||
| values. | values. | |||
| RFC Community Origin Authentication September 2023 | ||||
| Validation of a SecCommunity UPDATE message makes use of data from | Validation of a SecCommunity UPDATE message makes use of data from | |||
| BGPsec router certificates [RFC8209]. Therefore, it is necessary | BGPsec router certificates [RFC8209]. Therefore, it is necessary | |||
| that the recipient has access to the following fields that are | that the recipient has access to the following fields that are | |||
| obtained from all valid BGPsec router certificates: AS Number, Public | obtained from all valid BGPsec router certificates: AS Number, Public | |||
| Key, and SKI from each valid BGPsec router certificate. | Key, and SKI from each valid BGPsec router certificate. | |||
| The validation procedure is described as follows. | The validation procedure is described as follows. | |||
| First, check to ensure that the SecCommunity attribute is | First, check to ensure that the SecCommunity attribute is | |||
| syntactically correct (conforms to the specification in this | syntactically correct (conforms to the specification in this | |||
| skipping to change at page 19, line 4 ¶ | skipping to change at page 19, line 4 ¶ | |||
| (3) Compute the digest function for the Action Community Value field | (3) Compute the digest function for the Action Community Value field | |||
| of the NV segment. | of the NV segment. | |||
| (4) Use the signature validation algorithm to verify the Signature | (4) Use the signature validation algorithm to verify the Signature | |||
| field of the NV segment. That is, invoke the signature | field of the NV segment. That is, invoke the signature | |||
| validation algorithm on the following three inputs: the value of | validation algorithm on the following three inputs: the value of | |||
| the Signature field in the Secure_Community segment, the digest | the Signature field in the Secure_Community segment, the digest | |||
| value computed in (3) and public key obtained in (2). If the | value computed in (3) and public key obtained in (2). If the | |||
| signature validation algorithm determines that the signature is | signature validation algorithm determines that the signature is | |||
| RFC Community Origin Authentication September 2023 | ||||
| invalid, then the SecCommunity speaker SHOULD mark the | invalid, then the SecCommunity speaker SHOULD mark the | |||
| Secure_Community as 'Invalid' and proceed to the next NV | Secure_Community as 'Invalid' and proceed to the next NV | |||
| segment. | segment. | |||
| If a Secure_Community segment passes the above four-step validation, | If a Secure_Community segment passes the above four-step validation, | |||
| it is marked as 'Valid'. Then the SecCommunity speaker SHOULD check | it is marked as 'Valid'. Then the SecCommunity speaker SHOULD check | |||
| whether the AS in the AS Number field of this Secure_Community | whether the AS in the AS Number field of this Secure_Community | |||
| segment is permitted to add this community value by consulting its | segment is permitted to add this community value by consulting its | |||
| pre-configured CACL. If permitted, the SecCommunity speaker will | pre-configured CACL. If permitted, the SecCommunity speaker will | |||
| conduct the action associated with this community value. For each | conduct the action associated with this community value. For each | |||
| skipping to change at page 20, line 5 ¶ | skipping to change at page 20, line 5 ¶ | |||
| 6.1. Private AS Numbers | 6.1. Private AS Numbers | |||
| The generation of a Secure_Community segment requires a private key | The generation of a Secure_Community segment requires a private key | |||
| corresponding to the public key in a valid BGPsec router certificate | corresponding to the public key in a valid BGPsec router certificate | |||
| to generate the digest signature. However, SecCommunity speakers in | to generate the digest signature. However, SecCommunity speakers in | |||
| private ASes cannot be issued router certificates in the Global RPKI | private ASes cannot be issued router certificates in the Global RPKI | |||
| [RFC8205]. It is a common problem in RPKI system. This document | [RFC8205]. It is a common problem in RPKI system. This document | |||
| recommends to solve this problem through the method proposed in | recommends to solve this problem through the method proposed in | |||
| [RFC8416]. | [RFC8416]. | |||
| RFC Community Origin Authentication September 2023 | ||||
| 6.2. Deployment Considerations | 6.2. Deployment Considerations | |||
| SecCommunity attribute can coexist with Communities attribute in a | SecCommunity attribute can coexist with Communities attribute in a | |||
| SecCommunity UPDATE message. SecCommunity attribute only offers | SecCommunity UPDATE message. SecCommunity attribute only offers | |||
| origin authentication for action community values. Informational | origin authentication for action community values. Informational | |||
| community values SHOULD still be added to Communities attribute. | community values SHOULD still be added to Communities attribute. | |||
| If a BGP speaker does not support SecCommunity, it can still add | If a BGP speaker does not support SecCommunity, it can still add | |||
| action community values to Communities attribute. Yet, the recipient | action community values to Communities attribute. Yet, the recipient | |||
| of these action community values has no way to know the identity of | of these action community values has no way to know the identity of | |||
| skipping to change at page 21, line 4 ¶ | skipping to change at page 21, line 4 ¶ | |||
| 6.4. Considerations for Four-octet Community Values | 6.4. Considerations for Four-octet Community Values | |||
| As defined in [RFC1997], community attribute values are four octets. | As defined in [RFC1997], community attribute values are four octets. | |||
| The first two octets SHALL be an AS number and the semantics of the | The first two octets SHALL be an AS number and the semantics of the | |||
| last two octets may be defined by this AS [RFC1997]. When adding a | last two octets may be defined by this AS [RFC1997]. When adding a | |||
| new four-octet community value to SecCommunity attribute, the third | new four-octet community value to SecCommunity attribute, the third | |||
| and fourth octets of Action Community Value field SHOULD be populated | and fourth octets of Action Community Value field SHOULD be populated | |||
| with the first two octets of this four-octet community value and the | with the first two octets of this four-octet community value and the | |||
| last two octets of Action Community Value field SHOULD be populated | last two octets of Action Community Value field SHOULD be populated | |||
| with the last two octets of this four-octet community value. The | with the last two octets of this four-octet community value. The | |||
| RFC Community Origin Authentication September 2023 | ||||
| other octets of Action Community Value field SHOULD be populated with | other octets of Action Community Value field SHOULD be populated with | |||
| value "0". | value "0". | |||
| If the four-octet community value that a SecCommunity speaker wants | If the four-octet community value that a SecCommunity speaker wants | |||
| to add is not encoded as [RFC1997] defines, it is not supported by | to add is not encoded as [RFC1997] defines, it is not supported by | |||
| SecCommunity. | SecCommunity. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| 7.1. Security Guarantees | 7.1. Security Guarantees | |||
| skipping to change at page 21, line 35 ¶ | skipping to change at page 21, line 32 ¶ | |||
| target for denial-of-service attacks against a SecCommunity speaker. | target for denial-of-service attacks against a SecCommunity speaker. | |||
| To mitigate the effectiveness of such denial-of-service attacks, | To mitigate the effectiveness of such denial-of-service attacks, | |||
| SecCommunity speakers should implement a validation algorithm that | SecCommunity speakers should implement a validation algorithm that | |||
| performs expensive checks (e.g., signature verification) after | performs expensive checks (e.g., signature verification) after | |||
| performing checks that are less expensive (e.g., syntax checks). | performing checks that are less expensive (e.g., syntax checks). | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| IANA needs to register a new path attribute described in Section 5 in | IANA needs to register a new path attribute described in Section 5 in | |||
| the "BGP Path Attribute" subregistry under the "Border Gateway | the "BGP Path Attribute" registry in the "Border Gateway Protocol | |||
| Protocol (BGP) Parameters" registry. The code for this new attribute | (BGP) Parameters" registry group. The code for this new attribute is | |||
| is "SecCommunity". This document is the reference for the new | "SecCommunity". This document is the reference for the new | |||
| attribute. | attribute. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [RFC1997] Chandra, R., Traina, P., and T. Li, "BGP Communities | [RFC1997] Chandra, R., Traina, P., and T. Li, "BGP Communities | |||
| Attribute", RFC 1997, DOI 10.17487/RFC1997, August 1996, | Attribute", RFC 1997, DOI 10.17487/RFC1997, August 1996, | |||
| <https://www.rfc-editor.org/info/rfc1997>. | <https://www.rfc-editor.org/info/rfc1997>. | |||
| [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A | [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A | |||
| Border Gateway Protocol 4 (BGP-4)", RFC 4271, | Border Gateway Protocol 4 (BGP-4)", RFC 4271, | |||
| DOI 10.17487/RFC4271, January 2006, | DOI 10.17487/RFC4271, January 2006, | |||
| <https://www.rfc-editor.org/info/rfc4271>. | <https://www.rfc-editor.org/info/rfc4271>. | |||
| RFC Community Origin Authentication September 2023 | ||||
| [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for | [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for | |||
| X.509 PKIX Resource Certificates", RFC 6487, | X.509 PKIX Resource Certificates", RFC 6487, | |||
| DOI 10.17487/RFC6487, February 2012, | DOI 10.17487/RFC6487, February 2012, | |||
| <https://www.rfc-editor.org/info/rfc6487>. | <https://www.rfc-editor.org/info/rfc6487>. | |||
| [RFC8092] Heitz, J., Ed., Snijders, J., Ed., Patel, K., Bagdonas, | [RFC8092] Heitz, J., Ed., Snijders, J., Ed., Patel, K., Bagdonas, | |||
| I., and N. Hilliard, "BGP Large Communities Attribute", | I., and N. Hilliard, "BGP Large Communities Attribute", | |||
| RFC 8092, DOI 10.17487/RFC8092, February 2017, | RFC 8092, DOI 10.17487/RFC8092, February 2017, | |||
| <https://www.rfc-editor.org/info/rfc8092>. | <https://www.rfc-editor.org/info/rfc8092>. | |||
| skipping to change at page 23, line 5 ¶ | skipping to change at page 23, line 5 ¶ | |||
| <https://dl.acm.org/doi/10.5555/3241189.3241275>. | <https://dl.acm.org/doi/10.5555/3241189.3241275>. | |||
| [DB08] Donnet, B. and O. Bonaventure, "On BGP Communities", | [DB08] Donnet, B. and O. Bonaventure, "On BGP Communities", | |||
| CCR'08, DOI 10.1145/1355734.1355743, March 2008, | CCR'08, DOI 10.1145/1355734.1355743, March 2008, | |||
| <https://dl.acm.org/doi/pdf/10.1145/1355734.1355743>. | <https://dl.acm.org/doi/pdf/10.1145/1355734.1355743>. | |||
| [gtt] GTT, "Semantics of community values defined by AS 3257", | [gtt] GTT, "Semantics of community values defined by AS 3257", | |||
| 2023, <https://www.gtt.net/us-en/services/managed- | 2023, <https://www.gtt.net/us-en/services/managed- | |||
| networking/internet/ip-transit/bgp-communities/>. | networking/internet/ip-transit/bgp-communities/>. | |||
| RFC Community Origin Authentication September 2023 | ||||
| [GV17] Giotsas, V., Smaragdakis, G., Dietzel, C., Richter, P., | [GV17] Giotsas, V., Smaragdakis, G., Dietzel, C., Richter, P., | |||
| Feldmann, A., and A. Berger, "Inferring BGP blackholing | Feldmann, A., and A. Berger, "Inferring BGP blackholing | |||
| activity in the internet", IMC'17, | activity in the internet", IMC'17, | |||
| DOI 10.1145/3131365.3131379, November 2017, | DOI 10.1145/3131365.3131379, November 2017, | |||
| <https://dl.acm.org/doi/10.1145/3131365.3131379>. | <https://dl.acm.org/doi/10.1145/3131365.3131379>. | |||
| [irrdatabase] | [irrdatabase] | |||
| Internet Routing Registry, "IRR database", 2023, | Internet Routing Registry, "IRR database", 2023, | |||
| <https://www.irr.net/>. | <https://www.irr.net/>. | |||
| skipping to change at page 24, line 5 ¶ | skipping to change at page 24, line 5 ¶ | |||
| [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet | [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet | |||
| Autonomous System (AS) Number Space", RFC 6793, | Autonomous System (AS) Number Space", RFC 6793, | |||
| DOI 10.17487/RFC6793, December 2012, | DOI 10.17487/RFC6793, December 2012, | |||
| <https://www.rfc-editor.org/info/rfc6793>. | <https://www.rfc-editor.org/info/rfc6793>. | |||
| [RFC7093] Turner, S., Kent, S., and J. Manger, "Additional Methods | [RFC7093] Turner, S., Kent, S., and J. Manger, "Additional Methods | |||
| for Generating Key Identifiers Values", RFC 7093, | for Generating Key Identifiers Values", RFC 7093, | |||
| DOI 10.17487/RFC7093, December 2013, | DOI 10.17487/RFC7093, December 2013, | |||
| <https://www.rfc-editor.org/info/rfc7093>. | <https://www.rfc-editor.org/info/rfc7093>. | |||
| RFC Community Origin Authentication September 2023 | ||||
| [RFC7999] King, T., Dietzel, C., Snijders, J., Doering, G., and G. | [RFC7999] King, T., Dietzel, C., Snijders, J., Doering, G., and G. | |||
| Hankins, "BLACKHOLE Community", RFC 7999, | Hankins, "BLACKHOLE Community", RFC 7999, | |||
| DOI 10.17487/RFC7999, October 2016, | DOI 10.17487/RFC7999, October 2016, | |||
| <https://www.rfc-editor.org/info/rfc7999>. | <https://www.rfc-editor.org/info/rfc7999>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8195] Snijders, J., Heasley, J., and M. Schmidt, "Use of BGP | [RFC8195] Snijders, J., Heasley, J., and M. Schmidt, "Use of BGP | |||
| skipping to change at page 25, line 4 ¶ | skipping to change at page 25, line 4 ¶ | |||
| 100084 | 100084 | |||
| China | China | |||
| Email: jessiewang@tsinghua.edu.cn | Email: jessiewang@tsinghua.edu.cn | |||
| Yangyang Wang | Yangyang Wang | |||
| Tsinghua University | Tsinghua University | |||
| Beijing | Beijing | |||
| 100084 | 100084 | |||
| China | China | |||
| Email: wangyy@cernet.edu.cn | Email: wangyy@cernet.edu.cn | |||
| RFC Community Origin Authentication September 2023 | ||||
| Mingwei Xu | Mingwei Xu | |||
| Tsinghua University | Tsinghua University | |||
| Beijing | Beijing | |||
| 100084 | 100084 | |||
| China | China | |||
| Email: xumw@tsinghua.edu.cn | Email: xumw@tsinghua.edu.cn | |||
| End of changes. 38 change blocks. | ||||
| 84 lines changed or deleted | 48 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||