Let’s look at what’s happening in the IETF and at the upcoming IETF 97 meeting in the area of Internet infrastructure resilience. My focus in this Rough Guide to IETF 97 post is primarily on the routing and forwarding planes and, specifically, on routing security and on the unwanted traffic generated by DDoS attacks. There is interesting and important work underway at the IETF that can help address problems in both areas.
The Secure Inter-Domain Routing (SIDR, http://datatracker.ietf.org/wg/sidr/) WG has made a significant contribution to routing security by developing the RPKI system and the security extensions to BGP known as BGPSEC. Its work is almost done: the core specifications have either been approved as IETF standards or are waiting in the IESG queue for approval.
Now the real focus is on the deployment of these technologies and, related to this, on the maintenance of the corresponding standards. Deployment must be handled carefully to avoid partitioning the Internet into separate networks, for example if RPKI-validating and non-validating networks end up with inconsistent views of which routes are valid.
A newly chartered SIDR Operations Working Group (sidrops) is aimed at developing guidelines for the operation of SIDR-aware networks, and providing operational guidance on how to deploy and operate SIDR technologies in existing and new networks.
From the charter (https://datatracker.ietf.org/wg/sidrops/charter/): “In the space of sidrops, the term operators will encompass a range of operational experience: CA Operators, Regional/National and Local Internet Registries, Relying Party software developers as well as the research/measurement community all have relevant operational experience or insight that this working group will consider in its work. The sidrops working group is focused on deployment and operational issues and experiences with SIDR technologies that are part of the global routing system, as well as the repositories and CA systems that form part of the SIDR architecture.”
The expectation is that the working group, once formed, will meet for the first time at IETF 98. The proposed charter includes work items that are already underway.
In the area of route leaks there are still two competing proposals. One is an IDR WG document, “Methods for Detection and Mitigation of BGP Route Leaks”, in which the authors propose an enhancement to BGP that extends the route-leak detection and mitigation capability of BGPSEC. The other is an independent submission, “Route Leak Detection and Filtering using Roles in Update and Open messages”. It extends the BGP OPEN message so that two neighboring BGP speakers agree on their relationship (peer, customer, provider, internal) and can enforce the matching configuration on both sides. Propagated routes are then marked with a flag according to the agreed relationship, which allows a route leak (typically a route learned from a provider or peer being re-advertised to another provider or peer) to be detected and filtered.
There was no discussion of either approach on the mailing list, but a new version of “Route Leak Detection and Filtering using Roles in Update and Open messages” is on the agenda of the IDR WG meeting in Seoul.
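To make the role-based idea concrete, here is a small added model of it in Python. It is not the draft’s wire format or code: the roles agreed at OPEN time, the “learned from a provider or peer” flag set on ingress, and the export check that refuses to pass flagged routes upward or sideways are the mechanism as the text sketches it. The role-pair table, the flag name, the ASNs and the 203.0.113.0/24 prefix are this example’s own assumptions.

```python
# Added toy model (not the draft's actual encoding): roles agreed at OPEN time,
# a "learned from a provider or peer" flag set on ingress, and an export check
# that refuses to pass flagged routes upward or sideways. Role names follow the
# text; the flag name and the role-pair table are this example's assumptions.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# (our role, neighbor's role) pairs that are consistent. Anything else means the
# two sides disagree about the relationship and the session is refused.
VALID_ROLE_PAIRS = {
    ("provider", "customer"), ("customer", "provider"),
    ("peer", "peer"), ("internal", "internal"),
}


def negotiate_roles(local_role: str, remote_role: str) -> str:
    """Emulate the OPEN-message agreement: return our role or raise on mismatch."""
    if (local_role, remote_role) not in VALID_ROLE_PAIRS:
        raise ValueError(f"role mismatch: local={local_role} remote={remote_role}")
    return local_role


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]
    flagged: bool = False   # set once the route has come from a provider or peer


class Speaker:
    """One BGP speaker with per-neighbor roles and a trivial Adj-RIB-In."""

    def __init__(self, asn: int) -> None:
        self.asn = asn
        self.role_toward: Dict[int, str] = {}      # neighbor ASN -> our role
        self.rib_in: Dict[int, List[Route]] = {}    # neighbor ASN -> accepted routes
        self.leaks_detected: List[Tuple[int, Route]] = []

    def open_session(self, neighbor: int, local_role: str, remote_role: str) -> None:
        self.role_toward[neighbor] = negotiate_roles(local_role, remote_role)
        self.rib_in[neighbor] = []

    def receive(self, neighbor: int, route: Route) -> bool:
        """Ingress check. Returns False (and records a leak) when a customer
        sends us a route it learned from one of its own providers or peers."""
        our_role = self.role_toward[neighbor]
        if our_role == "provider" and route.flagged:
            self.leaks_detected.append((neighbor, route))
            return False
        if our_role in ("customer", "peer"):
            route = replace(route, flagged=True)   # mark on the way in
        self.rib_in[neighbor].append(route)
        return True

    def export(self, neighbor: int, route: Route) -> Optional[Route]:
        """Egress check: a flagged route never goes to a provider or a peer."""
        our_role = self.role_toward[neighbor]
        if route.flagged and our_role in ("customer", "peer"):
            return None
        return replace(route, as_path=(self.asn,) + route.as_path)


def demo() -> Dict[str, object]:
    """Constructed topology: AS2 buys transit from AS1 and AS3 and sells it to AS4."""
    as1, as2 = Speaker(1), Speaker(2)
    as1.open_session(2, "provider", "customer")
    as2.open_session(1, "customer", "provider")
    as2.open_session(3, "customer", "provider")
    as2.open_session(4, "provider", "customer")

    # AS3 announces its prefix to its customer AS2; AS2 flags it on ingress.
    as2.receive(3, Route("203.0.113.0/24", (3,)))
    learned = as2.rib_in[3][0]

    to_as1 = as2.export(1, learned)   # toward the other provider: blocked (leak)
    to_as4 = as2.export(4, learned)   # toward a customer: normal transit

    # A broken AS2 that skips its export filter is still caught by AS1,
    # because the flag travels with the route.
    accepted_by_as1 = as1.receive(2, replace(learned, as_path=(2,) + learned.as_path))
    return {
        "to_as1": to_as1,
        "to_as4": to_as4,
        "accepted_by_as1": accepted_by_as1,
        "leaks_at_as1": len(as1.leaks_detected),
    }
```

The point the model makes is that both sides of the mechanism matter: the export check stops a correctly configured AS from leaking, and the ingress check lets a provider catch a customer whose configuration is wrong, provided the flag is carried with the route rather than being a purely local notion.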
Related to the forwarding plane and to DDoS specifically, a draft, “BLACKHOLE BGP Community for Blackholing”, was introduced a few meetings ago, initially to document a well-known community for triggering blackholing at IXPs, similar to what DE-CIX offers (https://www.de-cix.net/products-services/de-cix-frankfurt/blackholing). Concerns were raised about the risk of abusing IXPs as a “filtering sink of the internet”, for example by law enforcement, and these led to a more general document that describes use of the community by any network, not just IXPs. The document was adopted by the GROW WG and was recently published as an informational RFC (https://datatracker.ietf.org/doc/rfc7999), which registers the well-known BLACKHOLE community value 65535:666. The usual caveat applies on the receiving side: a network honoring the community should only blackhole destinations the announcing neighbor is authorized to announce, or the mechanism itself becomes a denial-of-service tool.
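As an added illustration of that caveat, here is an upstream-side import policy check written in Python for this post; it is not code from RFC 7999 or from any vendor. The community value 65535:666 and the NO_ADVERTISE value 65535:65282 are the real well-known ones; the “host routes only” rule, the discard next hop 192.0.2.1, the customer’s authorized prefix list and the sample announcements are constructed assumptions standing in for an operator’s local policy.

```python
# Added example, not from RFC 7999 or the page: an upstream-side import policy
# check for BLACKHOLE-tagged announcements. Policy values (host routes only,
# the discard next hop, authorized-prefix lists) are constructed assumptions.
import ipaddress
from typing import Dict, Iterable, List, Tuple

Community = Tuple[int, int]
BLACKHOLE: Community = (65535, 666)        # well-known value registered by RFC 7999
NO_ADVERTISE: Community = (65535, 65282)   # RFC 1997 well-known community
DISCARD_NEXT_HOP = "192.0.2.1"             # assumed local address routed to a discard interface


def parse_community(text: str) -> Community:
    """Turn 'AS:value' into an (int, int) tuple."""
    high, low = text.split(":")
    return (int(high), int(low))


def evaluate_announcement(
    prefix: str,
    communities: Iterable[str],
    authorized: Iterable[str],
    max_normal_prefixlen: int = 24,
) -> Dict[str, object]:
    """Decide what to do with one announcement received on a customer session.

    - Anything outside the customer's authorized prefixes is rejected, which
      is what stops a neighbor from blackholing somebody else's addresses.
    - Without BLACKHOLE: accept only up to the normal maximum prefix length.
    - With BLACKHOLE: accept only a host route (/32 or /128), rewrite the next
      hop to the discard address, and add NO_ADVERTISE so the route stays local.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    comms = {parse_community(c) for c in communities}
    auth_nets = [ipaddress.ip_network(a) for a in authorized]

    inside_authorized = any(
        a.version == net.version and net.subnet_of(a) for a in auth_nets
    )
    if not inside_authorized:
        return {"action": "reject", "reason": "prefix not authorized for this neighbor"}

    if BLACKHOLE not in comms:
        if net.prefixlen > max_normal_prefixlen:
            return {"action": "reject", "reason": "too specific without BLACKHOLE"}
        return {"action": "accept", "communities": sorted(comms)}

    if net.prefixlen != net.max_prefixlen:
        return {"action": "reject", "reason": "BLACKHOLE accepted for host routes only"}

    return {
        "action": "blackhole",
        "next_hop": DISCARD_NEXT_HOP,
        "communities": sorted(comms | {NO_ADVERTISE}),
    }


# Constructed sample session: the customer may announce these two prefixes.
CUSTOMER_AUTHORIZED = ["203.0.113.0/24", "2001:db8::/32"]

# Constructed announcements, each as (prefix, communities on the UPDATE).
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", []),                 # normal announcement
    ("203.0.113.5/32", ["65535:666"]),      # legitimate blackhole request
    ("203.0.113.5/32", []),                 # /32 without BLACKHOLE
    ("203.0.113.0/25", ["65535:666"]),      # BLACKHOLE on a non-host route
    ("198.51.100.7/32", ["65535:666"]),     # victim outside the customer's space
    ("2001:db8::1/128", ["65535:666"]),     # IPv6 host route
]


def run_samples() -> List[str]:
    """Return the action taken for each sample announcement, in order."""
    return [
        str(evaluate_announcement(p, c, CUSTOMER_AUTHORIZED)["action"])
        for p, c in SAMPLE_ANNOUNCEMENTS
    ]
```

The fifth sample is the abuse case the GROW discussion worried about: a correctly tagged /32 for an address the announcing network does not own. The authorization check rejects it before the community is even looked at, which is the order a real import policy should use as well.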
Also in the same problem area, the DDoS Open Threat Signaling (DOTS, http://datatracker.ietf.org/wg/dots/) WG is making good progress. The goal of the group is to develop a communications protocol that facilitates the programmatic, coordinated mitigation of DDoS attacks via a standards-based mechanism. The protocol should support requests for DDoS mitigation services, and status updates on them, across inter-organizational administrative boundaries, so that a network under attack can ask another party (an upstream provider or a mitigation service) to filter on its behalf.
The agenda of the WG meeting at IETF 97 includes discussion of the use cases, the requirements draft, the system architecture, and the data and information model, including the telemetry specification.
I hope this work will lead to an effective solution to this huge problem for the Internet and facilitate the necessary cooperation across network administrative domains.
Related Working Groups at IETF 97
SIDR (Secure Inter-Domain Routing) WG
Thursday, 17 November, 15:20-17:50, Studio 2
GROW (Global Routing Operations) WG
Wednesday, 16 November, 11:10-12:10, Grand Ballroom 2
IDR (Inter-Domain Routing Working Group) WG
Tuesday, 15 November, 15:50-18:20, Grand Ballroom 3
DOTS (DDoS Open Threat Signaling) WG
Friday, 18 November, 09:30-11:30, Park Ballroom 1
There’s a lot going on in Seoul, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see https://dev.internetsociety.org/tag/ietf97/.