Archive for IETF

Applied Networking Research Prize 2019

Florian Streibelt, Franziska Lichtblau, Robert Beverly, Anja Feldmann, Cristel Pelsser, Georgios Smaragdakis, and Randy Bush. BGP Communities: Even more Worms in the Routing Can. Proc. Internet Measurement Conference 2018 (IMC '18). ACM, New York, NY, USA, 279-292.


Clarifications to BGP Origin Validation Based on Resource Public Key Infrastructure (RPKI)

        RFC 8481

        Title:      Clarifications to BGP Origin Validation Based
                    on Resource Public Key Infrastructure (RPKI) 
        Author:     R. Bush
        Status:     Standards Track
        Stream:     IETF
        Date:       September 2018
        Mailbox:    randy@psg.com
        Pages:      5
        Characters: 9629
        Updates:    RFC 6811
        I-D Tag:    draft-ietf-sidrops-ov-clarify-05.txt
        URL:        https://www.rfc-editor.org/info/rfc8481
        DOI:        10.17487/RFC8481

Deployment of BGP origin validation based on Resource Public Key
Infrastructure (RPKI) is hampered by, among other things, vendor
misimplementations in two critical areas: which routes are validated
and whether policy is applied when not specified by configuration.
This document is meant to clarify possible misunderstandings causing
those misimplementations; it thus updates RFC 6811 by clarifying that
all prefixes should have their validation state set and that policy
must not be applied without operator configuration.


The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 1

        RFC 8210

        Title:      The Resource Public Key Infrastructure 
                    (RPKI) to Router Protocol, Version 1 
        Author:     R. Bush, 
                    R. Austein
        Status:     Standards Track
        Stream:     IETF
        Date:       September 2017
        Mailbox:    randy@psg.com, 
                    sra@hactrn.net
        Pages:      35
        Characters: 78467
        Updates:    RFC 6810
        I-D Tag:    draft-ietf-sidr-rpki-rtr-rfc6810-bis-09.txt
        URL:        https://www.rfc-editor.org/info/rfc8210
        DOI:        10.17487/RFC8210

In order to verifiably validate the origin Autonomous Systems and Autonomous System Paths of BGP announcements, routers need a simple but reliable mechanism to receive Resource Public Key Infrastructure (RFC 6480) prefix origin data and router keys from a trusted cache.  This document describes a protocol to deliver them.


BGPsec Operational Considerations

        BCP 211
        RFC 8207

        Title:      BGPsec Operational Considerations 
        Author:     R. Bush
        Status:     Best Current Practice
        Stream:     IETF
        Date:       September 2017
        Mailbox:    randy@psg.com
        Pages:      10
        Characters: 21086
        See Also:   BCP 211
        I-D Tag:    draft-ietf-sidr-bgpsec-ops-16.txt
        URL:        https://www.rfc-editor.org/info/rfc8207
        DOI:        10.17487/RFC8207

Deployment of the BGPsec architecture and protocols has many
operational considerations.  This document attempts to collect and
present the most critical and universal.  Operational practices are
expected to evolve as BGPsec is formalized and initially deployed.


RFC 8097 BGP Prefix Origin Validation State Extended Community

        RFC 8097

        Title:      BGP Prefix Origin Validation State 
                    Extended Community 
        Author:     P. Mohapatra, 
                    K. Patel,
                    J. Scudder, 
                    D. Ward,
                    R. Bush
        Status:     Standards Track
        Stream:     IETF
        Date:       March 2017
        Mailbox:    mpradosh@yahoo.com, 
                    keyur@arrcus.com, 
                    jgs@juniper.net,  
                    dward@cisco.com, 
                    randy@psg.com
        Pages:      6
        Characters: 12287
        Updates/Obsoletes/SeeAlso:   None
        I-D Tag:    draft-ietf-sidr-origin-validation-signaling-11.txt
        URL:        https://www.rfc-editor.org/info/rfc8097
        DOI:        10.17487/RFC8097

This document defines a new BGP opaque extended community to carry
the origination Autonomous System (AS) validation state inside an
autonomous system.  Internal BGP (IBGP) speakers that receive this
validation state can configure local policies that allow it to
influence their decision process.


RFC 7607 Codification of AS 0 Processing

Codification of AS 0 Processing
W. Kumari, R. Bush, H. Schiller, K. Patel. August 2015

This document updates RFC 4271 and proscribes the use of Autonomous System (AS) 0 in the Border Gateway Protocol (BGP) OPEN, AS_PATH, AS4_PATH, AGGREGATOR, and AS4_AGGREGATOR attributes in the BGP UPDATE message.


Enforcing RPKI-Based Routing Policy on the Data Plane at an Internet Exchange

Josh Bailey, Dean Pemberton, Andy Linton, Cristel Pelsser, Randy Bush. Enforcing RPKI-Based Routing Policy on the Data Plane at an Internet Exchange. Poster at HotSDN 2014.

Over a decade of work has gone into securing the BGP routing control plane. Through all this, there has been an oft-repeated refrain: "It is acknowledged that rigorous control plane verification does not in any way guarantee that packets follow the control plane." We describe what may be the first deployment of data plane enforcement of RPKI-based control plane validation. OpenFlow switches providing an exchange fabric and controlled by a Quagga BGP route server drop traffic for prefixes which have invalid origins, without requiring any RPKI support by connected BGP peers.


RFC 7353 Security Requirements for BGP Path Validation

RFC 7353

Title: Security Requirements for BGP Path Validation
Author: S. Bellovin, R. Bush, D. Ward
Status: Informational
Stream: IETF
Date: August 2014
Mailbox: bellovin@acm.org, randy@psg.com, dward@cisco.com
Pages: 9
Characters: 18148
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-sidr-bgpsec-reqs-12.txt
URL: https://www.rfc-editor.org/rfc/rfc7353.txt

This document describes requirements for a BGP security protocol
design to provide cryptographic assurance that the origin Autonomous
System (AS) has the right to announce the prefix and to provide
assurance of the AS Path of the announcement.


RFC 7196 – Making Route Flap Damping Usable

RFC 7196

Title: Making Route Flap Damping Usable
Author: C. Pelsser, R. Bush, K. Patel, P. Mohapatra, O. Maennel
Status: Standards Track
Stream: IETF
Date: May 2014
Mailbox: cristel@iij.ad.jp, randy@psg.com, keyupate@cisco.com, mpradosh@yahoo.com, o@maennel.net
Pages: 8
Characters: 15202
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-idr-rfd-usable-04.txt
URL: http://www.rfc-editor.org/rfc/rfc7196.txt

Route Flap Damping (RFD) was first proposed to reduce BGP churn in routers. Unfortunately, RFD was found to severely penalize sites for being well connected because topological richness amplifies the number of update messages exchanged. Many operators have turned RFD off. Based on experimental measurement, this document recommends adjusting a few RFD algorithmic constants and limits in order to reduce the high risks with RFD. The result is damping a non-trivial amount of long-term churn without penalizing well-behaved prefixes’ normal convergence process.


IPv4 Address Sharing Mechanism Classification and Tradeoff Analysis

Nejc Skoberne, Olaf Maennel, Iain Phillips, Randy Bush, Jan Zorz, and Mojca Ciglaric, IPv4 Address Sharing Mechanism Classification and Tradeoff Analysis, IEEE/ACM Transactions On Networking April 2014.

The growth of the Internet has made IPv4 addresses a scarce resource. Due to slow IPv6 deployment, IANA-level IPv4 address exhaustion was reached before the world could transition to an IPv6-only Internet. The continuing need for IPv4 reachability will only be supported by IPv4 address sharing. This paper reviews ISP-level address sharing mechanisms, which allow Internet service providers to connect multiple customers who share a single IPv4 address. Some mechanisms come with severe and unpredicted consequences, and all of them come with tradeoffs. We propose a novel classification, which we apply to existing mechanisms such as NAT444 and DS-Lite and proposals such as 4rd, MAP, etc. Our tradeoff analysis reveals insights into many problems including: abuse attribution, performance degradation, address and port usage efficiency, direct inter-customer communication, and availability.
