BGP AS_PATH Verification Based on Autonomous System Provider Authorization (ASPA) Objects

The Border Gateway Protocol (BGP) as originally designed is known to be vulnerable to prefix (or route) hijacks and BGP route leaks . Some existing BGP extensions can partially solve these problems. For example, Resource Public Key Infrastructure (RPKI) based route origin validation (RPKI-ROV) can be used to detect and filter accidental mis-originations. or can be used to detect and mitigate accidental route leaks. While RPKI-ROV can prevent accidental prefix hijacks, malicious forged-origin prefix hijacks can still occur . RFC9319 includes some recommendations for reducing the attack surface for forged-origin prefix hijacks. This document describes procedures that make use of Autonomous System Provider Authorization (ASPA) objects in the RPKI to verify properties of the BGP AS_PATH attribute of advertised routes. ASPA-based AS_PATH verification provides detection and mitigation of route leaks. It also provides protection, to some degree, against prefix hijacks with forged-origin or forged-path-segment (). These new ASPA-based procedures automatically detect such anomalous AS_PATHs in BGP Updates that are advertised between ASes. Both route leaks and hijacks have similar effects on ISP operations. They redirect traffic and can result in denial of service (DoS), eavesdropping, increased latency, and packet loss. The level of risk, however, depends significantly on the extent of propagation of the anomalies. For example, a route leak or hijack that is propagated only to customers may cause bottlenecking within an ISP's customer cone, but if the anomaly propagates through lateral (i.e., non-transit) peers or transit providers, then the ill effects will likely be amplified and may be experienced worldwide. The ability to constrain the propagation of BGP anomalies to transit providers and lateral peers -- without requiring support from the source of the anomaly (which is critical if the source has malicious intent) -- should significantly improve the robustness of the global inter-domain routing system.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

The following terms are used with special meanings. The term has the same meaning as in , i.e., "route is ineligible to be installed in Loc-RIB and will be excluded from the next phase of route selection." Customer AS (). Provider AS (). Set of Provider ASes (). For path verification purposes in this document, the peering relationships an AS can have in relation to a neighbor AS are Customer, Provider, Peer, Route Server (RS), RS-client, and Complex. These peering relationships are defined in . A special case of the Complex relation is mutual-transit when ASes MAY export everything (both customer and non-customer routes) to each other, i.e., customer-to-provider relationship applies in each direction. All peering relationships are defined locally.

An ASPA record is a digitally signed object that binds a set of PAS numbers to a CAS number and is signed by the CAS . The ASPA attests that the CAS indicated a Set of Provider ASes (SPAS), which applies only to the IPv4 and IPv6 address families (i.e., AFI = 1 and AFI = 2) and only to Network Layer Reachability Information used for unicast forwarding (SAFI = 1). The notation (AS x, {AS y1, AS y2, ...}), is used to represent an ASPA object for a CAS denoted as AS x . In this notation, the comma-separated set {AS y1, AS y2, ...} represents the Set of Provider ASes (SPAS) of the CAS (AS x). A CAS is expected to register a single ASPA listing all its Provider ASes (see ). If a CAS has a single cryptographically valid ASPA, then the Union SPAS (U-SPAS) for the CAS equals to SPAS. In case a CAS has multiple cryptographically valid ASPAs, then the U-SPAS for the CAS is the union of AS listed in all SPAS of these ASPAs.

A compliant AS or Route Server AS (RS AS) MUST have an ASPA. An AS SHOULD NOT have more than one ASPA. An AS MUST list in its SPAS the union of all its Provider AS(es) and non-transparent RS AS(es) at which it is an RS-client. An AS MUST include a Provider AS in its SPAS regardless of whether it provides connectivity for only IPv4 or only IPv6 or both. An ASPA object showing only AS 0 as a provider AS is referred to as an AS0 ASPA. A non-transparent Route Server AS (RS AS) is one that includes its AS number in the AS_PATH. Registering as AS0 ASPA is a statement by the registering AS that it has no transit providers, and it is also not an RS-client at a non-transparent RS AS. If that statement is true, then the AS MUST register an AS0 ASPA. A compliant AS SHOULD register a single ASPA object. A single ASPA record for an AS ought to prevent race conditions during ASPA updates that might affect prefix propagation. The software that provides hosting for ASPA records SHOULD support enforcement of this practice. An AS may have providers that may be used on certain occasions, for an example in case of a DDoS attack. It is RECOMMENDED to add such providers in ASPA in advance, so there will be no race conditions between ASPA distribution and route propagation. During a transition process between different certificate authority (CA) registries, the ASPA records SHOULD be kept identical in all relevant registries. Normally, a U-SPAS (see ) is not expected to contain both an AS 0 and other Provider ASes, but an unexpected presence of AS 0 has no influence on the AS path verification procedures (see , ). In the Complex relationship case (), an AS MUST include the neighbor AS in its SPAS if neighbor plays Provider role for a subset of received or sent prefixes. Each of the two ASes in a mutual-transit pair MUST register its ASPA including the other AS in its SPAS. The ASes on the boundary of an AS Confederation MUST register ASPAs using the Confederation's global AS number (ASN) as the CAS.

Let AS x and AS y represent two unique ASes. A provider authorization function, authorized(AS x, AS y), checks if the ordered pair of ASNs, (AS x, AS y), has the property that AS y is an attested provider of AS x per U-SPAS of AS x. By term "Provider+" the function should signal if AS y plays role of Provider, non-transparent RS, or mutual-transit neighbor. This function is specified as follows:

Provider authorization function. The "No Attestation" result is returned only when no ASPA is retrieved for the CAS or none of its ASPAs are cryptographically valid. The provider authorization function is used in the ASPA-based AS_PATH verification algorithms described in and .

The procedures described in this document are applicable only to four-octet AS number compatible BGP speakers . If such a BGP speaker receives both AS_PATH and AS4_PATH attributes in an UPDATE, then the procedures are applied on the reconstructed AS path (Section 4.2.3 of ). So, the term AS_PATH is used in this document to refer to the usual AS_PATH as well as the reconstructed AS path. If an attacker creates a route leak intentionally, they may try to strip their AS from the AS_PATH. To partly guard against that, a check is necessary to match the most recently added AS in the AS_PATH to the BGP neighbor's ASN. This check MUST be performed as specified in Section 6.3 of . If the check fails, then the AS_PATH is considered a Malformed AS_PATH and the UPDATE is considered to be in error (Section 6.3 of ). The case of transparent RS MUST also be appropriately taken care of (e.g., by suspending the neighbor ASN check). If the AS_PATH is empty (zero length), then also the UPDATE is considered to be an error. specifies that "treat-as-withdraw" error handling SHOULD be applied to routes with AS_SET in the AS_PATH. In the current document, routes with AS_SET are given Invalid evaluation in the AS_PATH verification procedures ( and ). See for how routes with Invalid AS_PATH are handled.

Let the sequence {AS(N), AS(N-1),..., AS(2), AS(1)} represent the AS_PATH in terms of unique ASNs, where AS(1) is the origin AS and AS(N) is the most recently added AS and neighbor of the receiving/verifying AS. N is the length of the received AS_PATH in unique ASes. Let AS(N+1) represent the receiving/verifying AS.

Illustration of up-ramp and down-ramp. The AS_PATH may in general have both an up-ramp (on the right starting at AS(1)) and a down-ramp (on the left starting at AS(N)). The up-ramp starts at AS(1) and each hop AS(i) to AS(i+1) represents Customer and Provider peering relationship. The down-ramp runs backward from AS(N) to AS(L). In the down-ramp, each pair AS(j) to AS(j-1) represents Customer and Provider peering relationship. If there are no hops or just one hop between the apexes of the up-ramp and the down-ramp, then the AS_PATH is valid (valley free). If the sum of lengths of up-ramp and down-ramp is less than N, it is invalid: the prefix was leaked or AS_PATH was malformed. ASPA can be used to check if AS y is an attested provider of AS x, and thus the provider authorization function can be used to measure the bounds on up-ramp and down-ramp lengths. The "Not Provider+" outcome of the provider authorization function can be used to calculate the upper boundary of ramp length and the 'No Attestation' outcome can be used to calculate its lower boundary. Below are the formal definitions. Determine the maximum up-ramp length as I, where I is the minimum index for which authorized(A(I), A(I+1)) returns "Not Provider+". If there is no such I, the maximum up-ramp length is set equal to the AS_PATH length N. This parameter is defined as max_up_ramp. The minimum up-ramp length can be determined as I, where I is the minimum index for which authorized(A(I), A(I+1)) returns "No Attestation" or "Not Provider+". If there is no such I, the AS_PATH consists of only "Provider+" pairs; so the minimum up-ramp length is set equal to the AS_PATH length N. This parameter is defined as min_up_ramp. Similarly, the maximum down-ramp length can be determined as N - J + 1 where J is the maximum index for which authorized(A(J), A(J-1)) returns "Not Provider+". If there is no such J, the maximum down-ramp length is set equal to the AS_PATH length N. This parameter is defined as max_down_ramp. The minimum down-ramp length can be determined as N - J + 1 where J is the maximum index for which authorized(A(J), A(J-1)) returns "No Attestation" or "Not Provider+". If there is no such J, the minimum down-ramp length is set equal to the AS_PATH length N. This parameter is defined as min_down_ramp. If the sum of max_up_ram and max_down_ramp is less than N, the AS path is Invalid. Else, if the sum of min_up_ram and min_down_ramp is less than N, enough information is not available to perform full AS path verification, and the outcome is set to Unknown. Else, the AS path is Valid. Below are formal procedures for path verification depending on the peering relationship between the receiving AS and its neighbour. These procedures use the compressed sequence representation of AS_PATH {AS(N), AS(N-1),..., AS(2), AS(1)} and the above-defined parameters max_up_ramp, min_up_ramp, max_down_ramp, and min_up_ramp

The upstream verification algorithm described here is applied when a route is received from a Customer or Peer, or is received by an RS from an RS-client, or is received by an RS-client from an RS. In all these cases, the receiving/validating eBGP router expects the AS_PATH to have only an up-ramp (no down-ramp) for it to be Valid. Therefore, max_down_ramp and min_down_ramp are set to 0. The upstream path verification procedure is specified as follows: If the AS_PATH is empty, then the procedure halts with the outcome "Invalid". If the receiving AS is not an RS-client and the most recently added AS in the AS_PATH does not match the neighbor AS, then the procedure halts with the outcome "Invalid". If the AS_PATH has an AS_SET, then the procedure halts with the outcome "Invalid". If max_up_ramp < N, the procedure halts with the outcome "Invalid". If min_up_ramp < N, the procedure halts with the outcome "Unknown". Else, the procedure halts with the outcome "Valid".

The downstream verification algorithm described here is applied when a route is received from a Provider. If the AS_PATH is empty, then the procedure halts with the outcome "Invalid". If the most recently added AS in the AS_PATH does not match the neighbor AS, then the procedure halts with the outcome "Invalid". If the AS_PATH has an AS_SET, then the procedure halts with the outcome "Invalid". If max_up_ramp + max_down_ramp < N, the procedure halts with the outcome "Invalid". If min_up_ramp + min_down_ramp < N, the procedure halts with the outcome "Unknown". Else, the procedure halts with the outcome "Valid".

The specific configuration of a mitigation policy based on AS_PATH verification using ASPA is at the discretion of the network operator. However, the following mitigation policy is highly recommended. Invalid: If the AS_PATH is determined to be Invalid, then the route SHOULD be considered ineligible for route selection (see ) and MUST be kept in the Adj-RIB-In for potential future re-evaluation (see ). Valid or Unknown: When a route is evaluated as Unknown (using ASPA-based AS_PATH verification), it SHOULD be treated at the same preference level as a route evaluated as Valid.

This section describes practical deployment recommendations.

The verification procedures described in this document MUST be applied to BGP routes with {AFI, SAFI} combinations {AFI 1 (IPv4), SAFI 1} and {AFI 2 (IPv6), SAFI 1} . The procedures MUST NOT be applied to other address families by default. The procedures for ASPA-based AS_PATH verification are intended for implementation on edge routers on the ingress side. This includes edge routers on the boundary of an AS Confederation facing external ASes. However, the procedures are NOT RECOMMENDED for use on internal BGP (iBGP) sessions or eBGP sessions internal to an AS Confederation.

The BGP Role configuration parameter and its cross-check in BGP OPEN message as specified in are RECOMMENDED. The configured BGP Roles SHOULD be used to automate the use of the above-described AS path verification procedures helping to distinguish whether upstream or downstream procedures should be applied. The automatic BGP Role cross-check should facilitate more accurate and effective deployment of ASPA.

If multiple eBGP sessions can segregate the Complex peering relationship into eBGP sessions with normal peering relationships the receiving/verifying AS SHOULD select the algorithm (per or ) for each of the normal sessions based on its peering relation type. If Complex peering relation can't be segregated (i.e., when a Complex BGP relationship occurs within one single BGP session), an operator may want to achieve an equivalent outcome by configuring policies on a per-prefix basis corresponding to the peering relation for the prefix. If this option is not feasible, the operator MAY apply .

For any route with an Invalid AS_PATH, the cause of the Invalid state SHOULD be logged for monitoring and diagnostic purposes. The cause of the Invalid state can be recorded in the form of listing the AS hops which were evaluated by the provider authorization function to be "Not Provider+". The logging router, however, cannot necessarily determine the AS that caused the route leak.

The U-SPAS contain the union of Providers for a CAS for both IPv4 and IPv6 unicast connectivity. This design choice consequently means that if a customer-provider relationship exists for one address family but doesn't exist for the other address family, AS_PATH verification outcomes for the latter AFI will be as permissive as verification outcomes for the former AFI. That is believed to be a reasonable compromise as both the ASPA registration and verification processes are simplified, and no false positive outcomes are yielded (e.g. inadvertent Invalid evaluation).

Since an upstream provider becomes a trusted point, in theory, it might be able to propagate some instances of hijacked prefixes with forged-origin or forged-path-segment or even routes with manipulated AS_PATHs, and such attacks might go undetected by its customers or upper providers. While such attacks may happen, it does not seem to be a realistic scenario. Normally a customer and their transit provider would have a signed agreement, and a policy violation (of the above kind) should have legal consequences or the customer can just drop the relationship with such a provider and remove the corresponding ASPA record.

The ASPA verification procedures cannot detect the removal (or addition) of repeats of AS numbers in the AS path. However, this attack by itself does not affect ASPA's route leak detection capability.

ASPA issuers should be aware of the implications of ASPA-based AS path verification. Network operators must keep their ASPA objects correct and up to date. Otherwise, for example, if a provider AS is left out of the SPAS, then routes containing the CAS (in the ASPA) and said provider AS may be incorrectly labeled as Invalid and considered ineligible for route selection (see , ).

BGPsec was designed to solve the problem of AS_PATH verification by including cryptographic signatures in BGP Update messages. It offers protection against unauthorized path modifications and assures that the BGPsec Update traveled the path shown in the BGPsec_PATH Attribute. However, it does not detect route leaks (valley-free violations). Thus, BGPsec and ASPA are complementary technologies.

The Peerlock mechanism has a similar objective as the ASPA-based route leak protection mechanism described in this document. It is commonly deployed by large Internet carriers to protect each other from route leaks. Peerlock depends on a laborious manual process in which operators coordinate the distribution of unstructured Provider Authorizations through out-of-band means in a many-to-many fashion. On the other hand, ASPA's use of the RPKI allows for automated, scalable, and ubiquitous deployment, making the protection mechanism available to a wider range of network operators. The ASPA mechanism implemented in router code (in contrast to Peerlock's AS_PATH regular expressions) also provides a way to detect anomalies propagated from transit providers and IX route servers. ASPA is intended to be a complete solution and replacement for existing Peerlock deployments.

While the ASPA-based AS_PATH verification method (, ) detects and mitigates route leaks that were created by preceding ASes listed in the AS_PATH, it lacks the ability to prevent the local AS from initiating a route leak towards its neighbor. ASPA verification may also fail to detect route leaks in case of presence of Complex relations in the AS_PATH. The use of the Only to Customer (OTC) Attribute fills in that gap (see Section 5, ). The implementation of the procedures utilizing the OTC Attribute is RECOMMENDED to complement the ASPA-based AS_PATH verification.

This document includes no request to IANA.

Implementation Status This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft. The inclusion of this section here follows the process described in . The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to , "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".

A BGP implementation OpenBGPD (version 7.8 and higher), written in C, was provided by Claudio Jeker, Theo Buehler, and Job Snijders.
The implementation NIST-BGP-SRx is a software suite that provides a validation engine (BGP-SRx) and a Quagga-based BGP router (Quagga-SRx). It includes unit test cases for testing the ASPA-based path verification. It was provided by Oliver Borchert, Kyehwan Lee, and their colleagues at US NIST. It requires some additional work to incorporate the latest changes in the draft specifications related to IXP RS AS and RS-client.
Implementation of ASPA-based AS path verification in the BIRD Internet Routing Daemon [BIRD] is provided in a side branch (branch mq-aspa) by Katerina Kubecova and Maria Matejka. Its release is expected after RTR v2 is finalized.

Peerlock NTT Communications Flexsealing BGP Against Route Leaks: Peerlock Active Measurement and Analysis University of Tennesse University of Tennesse University of Tennesse ASPA-based BGP AS_PATH Verification and Route Leaks Solution Address Family Numbers IANA Subsequent Address Family Identifiers (SAFI) Parameters IANA OpenBGPD OpenBSD BGP Secure Routing Extension (BGP-SRx) Software Suite BIRD Internet Routing Daemon; branch mq-aspa

The authors wish to thank Claudio Jeker, Jakob Heitz, Amir Herzberg, Igor Lubashev, Ben Maddison, Russ Housley, Jeff Haas, Nan Geng, Nick Hilliard, Shunwan Zhuang, Yangyang Wang, Martin Hoffmann, Jay Borkenhagen, Amreesh Phokeer, Aftab Siddiqui, Dai Zhibin, Doug Montgomery, Padma Krishnaswamy, Rich Compton, Andrei Robachevsky, Rudiger Volk, Iljitsch van Beijnum, Tassilo Tanneberger, Matthias Waehlisch, Moritz Schulz, and Carl Seifert for comments, suggestions, and discussion on the path verification procedures or the text in the document. For the implementation and testing of the procedures in the document, the authors wish to thank Claudio Jeker and Theo Buehler , Kyehwan Lee and Oliver Borchert , and Katerina Kubecova and Maria Matejka .

The ASPA method has the properties (i.e., anomaly detection capabilities) listed below. Partial deployment scenarios and early adoption benefits are considered. In the case of Property 1, it is assumed that the attacks involve route leaks but not malicious removal of ASes with ASPA records from the AS path. Property 1 (Route Leak Detection): Let AS A and AS B be any two ASes in the Internet doing ASPA (registration and path verification) and no assumption is made about the ASPA deployment status of other ASes. Consider a route propagated from AS A to a customer or lateral peer. The route is subsequently leaked by an offending AS in the AS path before being received at AS B on a customer or lateral peer interface. The ASPA-based path verification at AS B always detects such a route leak though it may not be able to identify the AS that caused the leak. Corollary of Property 1: An observation that follows from Property #1 above is that if any two ISP ASes register ASPAs and implement the detection and mitigation procedures, then any route received from one of them and leaked to the other by an AS in their overlapping customer cones (ASPA compliant or not) will be automatically detected and mitigated. In effect, if most major ISPs are compliant, the propagation of route leaks in the Internet will be severely limited. Property 2 (Detection of Forged-Origin Prefix Hijack): Again, let AS A and AS B be any two ASes in the Internet doing ASPA (registration and path verification) and no assumption is made about the ASPA deployment status of other ASes. Consider a route received at AS B on a customer or lateral peer interface that is a forged-origin prefix hijack involving AS A as the forged-origin. Assume that the offending AS X is not included in the ASPA of AS A. The ASPA-based path verification at AS B always detects such a forged-origin prefix hijack. Property 3 (Detection of Forged-Path-Segment Prefix Hijack): This is an extension of Property 2 above to the case of prefix hijacking with a forged-path-segment. Such hijacking refers to the forging of multiple contiguous ASes in an AS path beginning with the origin AS. Again, let AS A and AS B be any two ASes in the Internet doing ASPA (registration and path verification). Assume that AS A's providers, AS P and AS Q, also register ASPA. No assumption is made about the ASPA deployment status of any other ASes in the Internet. Consider a route received at AS B on a customer or lateral peer interface that is a prefix hijack with a forged-path-segment {AS P, AS A} or {AS Q, AS A}. That is, the offending AS X attaches this path-segment at the beginning of its (AS X's) route announcement. Assume that AS X is not included in the ASPA of AS P or AS Q. The ASPA-based path verification at AS B always detects such a forged-path-segment prefix hijack. For a chance to be successful (remain undetected by AS B), the hijacker may resort to a forged-path-segment with three ASes including a provider AS of AS P (or AS Q). But even that can be foiled (detected) if the providers of AS P and AS Q also register ASPA. The forged-path-segment hijack in consideration is entirely prevented (for any forged-path-segment length) if all ASes in the contiguous C2P hops from AS A up to its Tier 1 have ASPA registrations. The above properties show that ASPA-based path verification offers significant benefits to early adopters. Limitations of the method with regard to some forms of malicious AS path manipulations are discussed in .