]> Huawei

101 Ruanjian Ave Nanjing 210012 China liuchunchi@huawei.com

Huawei

China bill.wu@huawei.com

Huawei

China frank.xialiang@huawei.com

Path Validation Routing Security Proof of Transit This document provides a problem statement, history revisiting, gap analysis and use cases for path validation techniques.

Introduction Path validation has been interpreted differently in different contexts due to its ambiguous name and long history. This document aims to deliver a clearer understanding of the path validation problem and help navigate exploration towards potential solutions.

Problem Statement of Path Validation

History The term "path validation" was first used in the BGP context, referring to validating the correctness of AS-level path propagation. The term "path validation" mostly refers to verifying that a BGP route advertisement (an AS-path) is authentic, indeed authorized by all ASes on the path, and correctly representing the inter-AS propagation path, which later becomes BGPSec . While some RFCs also discussed data plane consistency with control plane , mentioning validating also the actual path that a packet has traversed, it remains a minority of understanding to this term. Later, as the inconsistency gap between control plane and data plane becomes bigger, the term "path validation" later be interpreted by a lot of research papers as "Validating what path a packet has actually traversed". The unambiguous equivalence to this interpretation in the IETF community is the concept of Proof-of-Transit .

Scope Despite the different focus, control plane or the data plane, we think they are two sides of a same coin. The former is to make sure the router receives the correct routing reference (routing table, interface configurations, segment list etc) before the forwarding happens, while the latter is to directly verify the correctness of forwarding outcome, after the forwarding is done. As a result, the scope of path validation should be:

1. Validating the planned path is a trusted, authorized path.
2. Validating what path a packet has actually traversed.

With the former protecting routing integrity and the latter protecting forwarding security.

Goal Given the above scope, the goal of path validation is to achieve:

• Verifiable assurance of hop-by-hop forwarding integrity.

Gap Analysis There are three major gaps in path validation.

1. The gap between path validation and proof of transit
2. The gap between BGP scenarios and more scenarios
3. The gap between routing integrity and forwarding integrity

The first gap is explained in the history section. Now we believe proof of transit is part of path validation. The second gap requires use case analysis which we will discuss later. The third gap exists in both explict routing and conventional routing scenarios, and it is the main gap for path validation to fill.

Routing Integrity vs Forwarding Integrity Also known as the inconsistency between control plane and data plane. To achieve secure routing, three basic steps are needed:

1. Secure path propagation
2. Secure router execution
3. Secure proof of transit

Secure path propagation relies on secure control plane techniques such as BGPSec and RPKI, leading to the correctness of routing reference information such as routing table, segment list, etc. Secure router execution relies on remote attestations on the trustworthiness of the router hardware, firmware, software and configurations. Achieving these two leads to routing integrity, and implies forwarding integrity. However, misconfigurations and/or various of new attacks could circumvent the security measures, leading to the deviation of actual forwarding path from the correct routing path , which can only be directly discoverable by data plane validation mechanisms like proof of transit. A secure proof of transit mechanism would significantly help fill the gap between routing integrity and forwarding integrity as it verifies the final results directly. Note that a probing mechanism such as IFIT/IOAM or other new path tracing mechanisms also has the same purpose. But they still rely on a secure proof of transit mechanism.

Proof-of-Transit Security As discussed earlier, the gap between routing integrity and forwarding integrity can be filled by a secure proof of transit mechanism that directly verifies the final forwarding results. Proof of Transit (POT) is thus the critical part of the path validation problem and we model path validation security around the security of a POT mechanism. We say a Proof-of-Transit mechanism is secure if the transit proof is correct, unforgeable identity-binding and position-binding.

• Correctness: A transit proof created by the right node n_i at the position i must pass the verification. (probability of a correct proof not passing verification is smaller than a negligible function)
• Unforgeability: A transit proof at position i must only be created by the node n_i. (probability of a forged proof passing verification is smaller than a negligible function)
• Identity-binding: A transit proof computed by a false node n_z at position i cannot pass a verification check.
• Position-binding A transit proof computed by a correct node n_i in the wrong position j, where i != j, cannot pass a verification check.
• Hiding * A transit proof may or may not directly reveal the creator's identity and/or his position.

Use Cases

Service Function Chaining Service Function Chaining enables the traffic to traverse virtual network functions in a user-defined order. Compliance or legal requirements may demand the service provider to prove that all packets have followed a specific path, preferably cryptographically verifiable. In today's deployments, this proof is typically delivered in an indirect way. A path validation mechanism can produce a cryptographically verifiable transit proof, proving that the corresponding packet has indeed been processed by a sequence of service functions.

Workload Identity Enterprises have been migrating their production-level IT systems to the cloud. This means that some of the enterprises' key production workflow security now heavily relies on the ordered calling of different microservices or APIs. Similar to the SFC case, workload identity also requires some kind of ordered proof-of-processing, proving to the enterprise management that the production systems are working correctly, or proving to the customers that they indeed received a sequence of services with a designated order.

Traffic Path Compliance For legal or business compliance reasons, customers' personal data cannot travel outside of certain geolocations, i.e., customer campus or native country (GeoFencing). Path validation can detect and avoid such exception. Similarly, path validation can make sure certain undesired geolocations will not be travelled too.

High Security traffic path

1. End-to-end Security: Some customers have high-security service path requirement for their sensitive traffic, i.e., VOIP calls or video conferences for VIP clients, or a bank's financial data. They need to make sure their data does not leak outside of their chosen secure path, especially to some insecure devices or domain.
2. To provide high-security VPN services for VIP customers, the operator needs to prove that the VPN connection indeed passes through a high security level service path.

Validating uRPF path uRPF is a security feature that helps prevent source IP address spoofing and denial-of-service (DoS) attacks . It works by validating the source IP address of a received packet by performing a reverse path lookup in FIB table, all the way to the source. If the path does not exist, the packet is dropped. Now path validation can do one more step of validation, by sending a request for proof-of-transit all the way back to the source. By sending the request to the source and collecting transit proof of every hop on the path, the router can validate if the currently stored path does not only exist but is also unexpired, potentially reducing the false negative rate.

Segment Routing Security In certain scenarios, user wishes to have explicit control over the path that network traffic takes, in order to meet certain performance, security or regulatory compliance requirements. Segment routing enables source-based packet steering through networks using segment lists. However current segment routing security is also implied by assuming the router will truthfully forward the packet according to the segment list. Path validation is a critical verification technique that checks whether the planned path was strictly followed, and could support segment routing as potential security extensions.

Out-of-scopes

• Illegal data copy: This refers to an attack where the router illegally copies and sends out the data he is currently forwarding. We believe this is out-of-scope because data is intangible by nature. Once fully obtained in the plaintext, there is no mechanism to trace it unless using a data watermark technique, which is out-of-scope.
• Stealth nodes: Stealth nodes are the inferior nodes that not perceivable in the current layer. They could be old or computationally weak nodes, or nodes within transparent tunnels. We believe this is out-of-scope because layered design of the Internet purposely makes tunnels and inferior nodes not perceivable. It does not make sense to violate layered design principle just trying to perceive stealth nodes. To the very least, it is a problem that the control plane (BGPSec) also suffers from , and the goal of this work is to fill the gap between the control and data planes thus leaving the problem out-of-scope.

Security Considerations This document has no further security considerations.

IANA Considerations This document has no IANA actions.

References Normative References This document describes BGPsec, an extension to the Border Gateway Protocol (BGP) that provides security for the path of Autonomous Systems (ASes) through which a BGP UPDATE message passes. BGPsec is implemented via an optional non-transitive BGP path attribute that carries digital signatures produced by each AS that propagates the UPDATE message. The digital signatures provide confidence that every AS on the path of ASes listed in the UPDATE message has explicitly authorized the advertisement of the route. BCP 38, RFC 2827, is designed to limit the impact of distributed denial of service attacks, by denying traffic with spoofed addresses access to the network, and to help ensure that traffic is traceable to its correct source network. As a side effect of protecting the Internet against such attacks, the network implementing the solution also protects itself from this and other attacks, such as spoofed management access to networking equipment. There are cases when this may create problems, e.g., with multihoming. This document describes the current ingress filtering operational mechanisms, examines generic issues related to ingress filtering, and delves into the effects on multihoming in particular. This memo updates RFC 2827. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document identifies a need for and proposes improvement of the unicast Reverse Path Forwarding (uRPF) techniques (see RFC 3704) for detection and mitigation of source address spoofing (see BCP 38). Strict uRPF is inflexible about directionality, the loose uRPF is oblivious to directionality, and the current feasible-path uRPF attempts to strike a balance between the two (see RFC 3704). However, as shown in this document, the existing feasible-path uRPF still has shortcomings. This document describes enhanced feasible-path uRPF (EFP-uRPF) techniques that are more flexible (in a meaningful way) about directionality than the feasible-path uRPF (RFC 3704). The proposed EFP-uRPF methods aim to significantly reduce false positives regarding invalid detection in source address validation (SAV). Hence, they can potentially alleviate ISPs' concerns about the possibility of disrupting service for their customers and encourage greater deployment of uRPF techniques. This document updates RFC 3704. Informative References This document examines the implications of hop-by-hop forwarding, route aggregation, and route filtering on the concept of validation within a BGP Autonomous System (AS) Path. This memo provides information for the Internet community. Remote Triggered Black Hole (RTBH) filtering is a popular and effective technique for the mitigation of denial-of-service attacks. This document expands upon destination-based RTBH filtering by outlining a method to enable filtering by source address as well. This memo provides information for the Internet community. Cisco Systems, Inc. Thoughtspot Huawei Network.IO Innovation Lab Seconize JP Morgan Chase Several technologies such as Traffic Engineering (TE), Service Function Chaining (SFC), and policy based routing are used to steer traffic through a specific, user-defined path. This document defines mechanisms to securely prove that traffic transited a defined path. These mechanisms allow to securely verify whether, within a given path, all packets traversed all the nodes that they are supposed to visit. This document specifies a data model to enable these mechanisms using YANG. Cisco Systems, Inc. Cisco Systems, Inc. Cisco Systems, Inc. Broadcom Swisscom Alibaba, Inc SoftBank Goldman Sachs Arrcus Path Tracing provides a record of the packet path as a sequence of interface ids. In addition, it provides a record of end-to-end delay, per-hop delay, and load on each egress interface along the packet delivery path. Path Tracing allows to trace 14 hops with only a 40-bytes IPv6 Hop- by-Hop extension header. Path Tracing supports fine grained timestamp. It has been designed for linerate hardware implementation in the base pipeline. SPIRL Bespoke Engineering Microsoft Venafi Workload identity systems like SPIFFE provide a unique set of security challenges, constraints, and possibilities that affect the larger systems they are a part of. This document seeks to collect use cases within that space, with a specific look at both the OAuth and SPIFFE technologies. Discussion Venues This note is to be removed before publishing as an RFC. Source for this draft and an issue tracker can be found at https://github.com/bspk/draft-gilman-wimse-use-cases.