IETF Logo Mail Archive

[Idr] Re: I-D Action: draft-ietf-idr-deprecate-as-set-confed-set-15.txt

Claudio Jeker <cjeker@diehard.n-r-g.com> Tue, 20 August 2024 13:29 UTC

Return-Path: <cjeker@diehard.n-r-g.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EB1DC15106F for <idr@ietfa.amsl.com>; Tue, 20 Aug 2024 06:29:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4yDfAqFCMJu6 for <idr@ietfa.amsl.com>; Tue, 20 Aug 2024 06:29:20 -0700 (PDT)
Received: from diehard.n-r-g.com (diehard.n-r-g.com [62.48.3.9]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7881C14F619 for <idr@ietf.org>; Tue, 20 Aug 2024 06:29:18 -0700 (PDT)
Received: (qmail 96526 invoked by uid 1000); 20 Aug 2024 13:29:17 -0000
Date: Tue, 20 Aug 2024 15:29:17 +0200
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: idr@ietf.org
Message-ID: <ZsSaLa0WH8tGu5rY@diehard.n-r-g.com>
References: <172409169774.1909130.7745685666245560135@dt-datatracker-6df4c9dcf5-t2x2k>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <172409169774.1909130.7745685666245560135@dt-datatracker-6df4c9dcf5-t2x2k>
Message-ID-Hash: QARX6HUAJG3CGI3MCSPFPRKXPWSXPUFB
X-Message-ID-Hash: QARX6HUAJG3CGI3MCSPFPRKXPWSXPUFB
X-MailFrom: cjeker@diehard.n-r-g.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-idr.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Idr] Re: I-D Action: draft-ietf-idr-deprecate-as-set-confed-set-15.txt
List-Id: Inter-Domain Routing <idr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/-CAgi25-0smWeogPZLaKC2Kb7Z4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Owner: <mailto:idr-owner@ietf.org>
List-Post: <mailto:idr@ietf.org>
List-Subscribe: <mailto:idr-join@ietf.org>
List-Unsubscribe: <mailto:idr-leave@ietf.org>

On Mon, Aug 19, 2024 at 11:21:37AM -0700, internet-drafts@ietf.org wrote:
> Internet-Draft draft-ietf-idr-deprecate-as-set-confed-set-15.txt is now
> available. It is a work item of the Inter-Domain Routing (IDR) WG of the IETF.
> 
>    Title:   Deprecation of AS_SET and AS_CONFED_SET in BGP
>    Authors: Warren Kumari
>             Kotikalapudi Sriram
>             Lilia Hannachi
>             Jeffrey Haas
>    Name:    draft-ietf-idr-deprecate-as-set-confed-set-15.txt
>    Pages:   15
>    Dates:   2024-08-19
> 
> Abstract:
> 
>    BCP 172 (i.e., RFC 6472) recommends not using AS_SET and
>    AS_CONFED_SET AS_PATH segment types in the Border Gateway Protocol
>    (BGP).  This document advances that recommendation to a standards
>    requirement in BGP; it prohibits the use of the AS_SET and
>    AS_CONFED_SET path segment types in the AS_PATH.  This is done to
>    simplify the design and implementation of BGP and to make the
>    semantics of the originator of a BGP route clearer.  This will also
>    simplify the design, implementation, and deployment of various BGP
>    security mechanisms.  This document updates RFC 4271 by deprecating
>    the origination of BGP routes with AS_SET (Type 1 AS_PATH segment)
>    and updates RFC 5065 by deprecating the origination of BGP routes
>    with AS_CONFED_SET (Type 4 AS_PATH segment).  Finally, it obsoletes
>    RFC 6472.
> 

I had a look at this draft and think
Section 3.1 Considerations for AS4_PATH needs to be adjusted.

3.1.  Considerations for AS4_PATH

   [RFC6793] created support for four-octet AS numbers in BGP using the
   optional transitive AS4_PATH attribute.  The mandatory AS_PATH
   attribute is always present in a route [RFC4271], while the AS4_PATH
   may or may not be present.  If both AS_PATH and AS4_PATH attributes
   are present, an AS_SET present in one would also be necessarily
   present in the other.  So, it is sufficient to perform the "treat-as-
   withdraw" error handling as specified above using the AS_PATH alone.

I think this is incorrect. You can not assume anything about AS4_PATH. The
only thing RFC6793 mandates is that aspath length of AS4_PATH is smaller
or equal to the aspath length of AS_PATH.

If a router sends you an AS_PATH without AS_SET and an AS4_PATH with AS_SET
then the reconstruction will introduce an AS_SET. This is possible and
since AS4_PATH is transitive you can not even assume it was your peer
playing games with you.

So instead I would suggest what OpenBGPD does. By default reject AS4_PATH
attributes that contain AS_SET and use "attribute discard" for them.
If the AS_PATH had a AS_SET as well then the prefix will be withdrawn
anyway but if not then there will be no merge of this bad AS4_PATH.
If the user explicitly allows AS_SET then skip the above.

I hope that after deprecating AS_SET for good we will be able to deprecate
old 2-byte ASnum sessions as well since the hoops introduced by RFC6793
give me the heebie-jeebies.

-- 
:wq Claudio

v2.40.4 | Report a Bug | By Email | System Status