IETF Logo Mail Archive

Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action

"Simpson, Adam 1. (Nokia - CA/Ottawa)" <adam.1.simpson@nokia.com> Wed, 02 May 2018 16:32 UTC

Return-Path: <adam.1.simpson@nokia.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8F66129C6C for <idr@ietfa.amsl.com>; Wed, 2 May 2018 09:32:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id POQZxYSK4cA6 for <idr@ietfa.amsl.com>; Wed, 2 May 2018 09:32:29 -0700 (PDT)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01on0132.outbound.protection.outlook.com [104.47.1.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15B1212D94B for <idr@ietf.org>; Wed, 2 May 2018 09:32:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=U7ufmsbR//t4UarvNGEowlPK/1ANUEu1BlxOGGfh/W0=; b=SlousdLRoc0YTZTaZbMEFse8BQj4TEYd0rUcrPAcAH5joOop0U5he0/RxDFGsmvPPgo3S9ZbTVBwtBwtX0MOmEIox2ddUShGTEJ56u2LUw5PQYpEg8nOcL04M4EVPnqtbxHoQEQA0NZXvyfKWh9SWxyRkw0VOi0ZLZZtAMH5YqU=
Received: from VI1PR07MB1453.eurprd07.prod.outlook.com (10.165.238.23) by VI1PR07MB1662.eurprd07.prod.outlook.com (10.166.142.156) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.755.10; Wed, 2 May 2018 16:32:24 +0000
Received: from VI1PR07MB1453.eurprd07.prod.outlook.com ([fe80::3c29:e90c:210b:3e7f]) by VI1PR07MB1453.eurprd07.prod.outlook.com ([fe80::3c29:e90c:210b:3e7f%2]) with mapi id 15.20.0735.006; Wed, 2 May 2018 16:32:23 +0000
From: "Simpson, Adam 1. (Nokia - CA/Ottawa)" <adam.1.simpson@nokia.com>
To: PVLR Pavana Murthy <pvlrpm@gmail.com>
CC: idr wg <idr@ietf.org>
Thread-Topic: Validation for BGP Flow-Spec Redirect to IP Action
Thread-Index: AQHT3qvIvgs0k9FZ1kqdZpgXcrBfhqQX4/2AgAD2agCAAFWDAIAAYAoAgALV6oA=
Date: Wed, 02 May 2018 16:32:23 +0000
Message-ID: <9F0BBBEA-C850-4E18-A3D1-39E788D44A1E@nokia.com>
References: <CAN-MQG6bDyzcyuVs1vmka-JZFrD9Ya1uOuU_AFxfu0GnYgdmbA@mail.gmail.com> <aaa4916758a34ed99cb7432cff257f25@XCH-RCD-012.cisco.com> <CAN-MQG6R_LCLAM5xgaak3W_oRkuQFQsgZtEodacpeiLCQV8p-g@mail.gmail.com> <CAN-MQG4oyycFhFzWGrKcQUG_B5eatan9y3PJJG1O-2vSLmhttg@mail.gmail.com> <3A1793BA-DB42-49E2-AC8C-FBAD1C433DEA@nokia.com> <CAN-MQG5ZrrDKx5f2XypLACM8soEM7jW8YdMA0WGLnJ6SeDDG_g@mail.gmail.com> <717912C0-D4C4-4656-A4A7-5ADCBBE93CE6@nokia.com> <CAN-MQG7g9UX0OSY=WeLUfErpmdRYKnwxAySu1h4-sjwDdviHcg@mail.gmail.com>
In-Reply-To: <CAN-MQG7g9UX0OSY=WeLUfErpmdRYKnwxAySu1h4-sjwDdviHcg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.c.0.180410
x-originating-ip: [135.245.20.18]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR07MB1662; 7:tptX5CABTG8rx6gtE1BEQorf/6NN4Kk7m4HBuacH5G3b5XUYCrDio62baCFYSwJmZOTZP3odVM9OCmYMMonSPBw4PCuxir3QdQx9W6Z1z+s4tjwdvDrkH3LueVUmulqzzgdkDmAeuRveYW2/2Oek5G5E3jj5lPu6124Lvol5oPNxUax6qkJiJOxawEbBr65MhvPqy1gicJn/DGS1k+EIOocAa6UNbHKoE23pV9j/CVCiAzOy/B+z7bkore+BQSbK
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:(109105607167333); BCL:0; PCL:0; RULEID:(7020095)(4652020)(8989080)(48565401081)(4534165)(4627221)(201703031133081)(201702281549075)(8990040)(5600026)(2017052603328)(7193020); SRVR:VI1PR07MB1662;
x-ms-traffictypediagnostic: VI1PR07MB1662:
x-microsoft-antispam-prvs: <VI1PR07MB1662753CC7522B259743427F9A800@VI1PR07MB1662.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(131327999870524)(138986009662008)(82608151540597)(85827821059158)(109105607167333)(114627819485645)(95692535739014)(240845254718375)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(3002001)(3231254)(11241501184)(806099)(944501410)(52105095)(10201501046)(93006095)(93001095)(6055026)(6041310)(20161123560045)(20161123558120)(20161123564045)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011); SRVR:VI1PR07MB1662; BCL:0; PCL:0; RULEID:; SRVR:VI1PR07MB1662;
x-forefront-prvs: 06607E485E
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(39860400002)(39380400002)(366004)(396003)(346002)(469094003)(51914003)(57704003)(53484002)(199004)(189003)(2616005)(446003)(39060400002)(11346002)(25786009)(486006)(4326008)(83716003)(86362001)(21615005)(476003)(478600001)(33656002)(36756003)(6486002)(606006)(6436002)(76176011)(2900100001)(99286004)(105586002)(229853002)(6246003)(5660300001)(106356001)(6916009)(186003)(54896002)(6306002)(6512007)(97736004)(236005)(53946003)(6506007)(102836004)(82746002)(5250100002)(53546011)(59450400001)(53936002)(26005)(14454004)(16200700003)(7736002)(66066001)(6116002)(6346003)(3846002)(8676002)(68736007)(1411001)(2906002)(3660700001)(3280700002)(8936002)(81166006)(316002)(9326002)(81156014)(58126008)(93886005)(579004)(559001)(569006); DIR:OUT; SFP:1102; SCL:1; SRVR:VI1PR07MB1662; H:VI1PR07MB1453.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: nokia.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=adam.1.simpson@nokia.com;
x-microsoft-antispam-message-info: eYUU6vnMWx0E0zZv7lYZsB5bpU44mGBQtpvDS0GCBHeMv1LMpDbyF58qYwKcEOitFL+vr7tcbkTqaGm1Igzc3XFEaR5nDtWJYV880MA7ZPxWONHVZrQ3lBeqZ18a/8v/SQZp/UlZ8DudsChQyq5MQLMRyjUmerPBu3661flOEuXJbkZrl989p72tiYZf3YfzLNHPyiKGEN/DU/YyWIGjdvHI5wAH+wOqmVBr+hD+gRdNKcmunFPRRyMF6M9ISAjP
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_9F0BBBEAC8504E18A3D139E788D44A1Enokiacom_"
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: e1e970f9-4967-48db-6da0-08d5b04a48a7
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e1e970f9-4967-48db-6da0-08d5b04a48a7
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 May 2018 16:32:23.4543 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB1662
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/2bvqbRrxiOZLSvYFxIKySnqoJrE>
Subject: Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2018 16:32:33 -0000

Hi Pavana,

I view draft-ietf-idr-bgp-flowspec-oid-06 as a more general specification of validation procedures – that would apply to all flow-spec routes, whatever actions they encode.

The validation procedure described in draft-ietf-idr-flowspec-redirect-ip-02.txt is very specific to flow-spec routes carrying this specific action.

So to me the recommendations layer on top of each other. If you think there is an inconsistency then we can try to address it in one or the other draft.

-Adam


From: PVLR Pavana Murthy <pvlrpm@gmail.com>
Date: Monday, April 30, 2018 at 1:14 PM
To: "Simpson, Adam 1. (Nokia - CA/Ottawa)" <adam.1.simpson@nokia.com>
Cc: idr wg <idr@ietf.org>
Subject: Re: Validation for BGP Flow-Spec Redirect to IP Action

Hi Adam,
   In draft-ietf-idr-bgp-flowspec-oid-06(Revised Validation Procedure for BGP Flow Specifications), the following is mentioned.  Probably this could be the reason to use the  peer-as.

"Note, comparing only the last ASes is
sufficient for EBGP learned flow specification NLRIs. Requiring a
full AS_PATH match would limit origination of inter-domain flow
specifications to the origin (or first) AS of the best-match unicast
route for the destination prefix embedded in the flow specification
only. As such, a full AS_PATH validity check may prevent transit
ASes from originating inter-domain flow specifications which is not
desirable."


Also in draft-ietf-idr-flowspec-redirect-ip-00.txt, the term 'las AS' is used instead of 'Origin As'. Even the CISCO document (https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-2/routing/configuration/guide/b_routing_cg52xasr9k/b_routing_cg52xasr9k_chapter_011.html)  uses the term 'last AS'.




Anyways, thanks for explaining the philosophy behind the validation.



-Pavana.

On Mon, Apr 30, 2018 at 9:00 PM, Simpson, Adam 1. (Nokia - CA/Ottawa) <adam.1.simpson@nokia.com<mailto:adam.1.simpson@nokia.com>> wrote:
Hi Pavana,

Peer-AS is not a consideration in draft -02. I don’t recall why it was mentioned in an earlier version of the draft.

If the routers inside B and C enable the extra validation check (it is optional as explained in the draft) then they would only install a flowspec route originated by a router inside A ,with a redirect-to-IP action, if the redirect IP address itself was observed to originate inside A as well.

So flow-spec routes originated by one AS can be valid in another AS, but only under restrictive circumstances.

-Adam

From: PVLR Pavana Murthy <pvlrpm@gmail.com<mailto:pvlrpm@gmail.com>>
Date: Monday, April 30, 2018 at 2:24 AM
To: "Simpson, Adam 1. (Nokia - CA/Ottawa)" <adam.1.simpson@nokia.com<mailto:adam.1.simpson@nokia.com>>
Cc: "David Smith (djsmith)" <djsmith@cisco.com<mailto:djsmith@cisco.com>>, idr wg <idr@ietf.org<mailto:idr@ietf.org>>, Pradosh Mohapatra <mpradosh@yahoo.com<mailto:mpradosh@yahoo.com>>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org>" <draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org>>, "ju1738@att.com<mailto:ju1738@att.com>" <ju1738@att.com<mailto:ju1738@att.com>>, "jhaas@juniper.net<mailto:jhaas@juniper.net>" <jhaas@juniper.net<mailto:jhaas@juniper.net>>, "akarch@cisco.com<mailto:akarch@cisco.com>" <akarch@cisco.com<mailto:akarch@cisco.com>>, "sairay@cisco.com<mailto:sairay@cisco.com>" <sairay@cisco.com<mailto:sairay@cisco.com>>, "pmohapat@cumulusnetworks.com<mailto:pmohapat@cumulusnetworks.com>" <pmohapat@cumulusnetworks.com<mailto:pmohapat@cumulusnetworks.com>>, "wim.henderickx@alcatel-lucent.be<mailto:wim.henderickx@alcatel-lucent.be>" <wim.henderickx@alcatel-lucent.be<mailto:wim.henderickx@alcatel-lucent.be>>, "mtexier@arbor.net<mailto:mtexier@arbor.net>" <mtexier@arbor.net<mailto:mtexier@arbor.net>>

Subject: Re: Validation for BGP Flow-Spec Redirect to IP Action

Hi Adam,
  Thanks for the reply. If its the first AS that is added to the AS_PATH, then "the redirect IP" action received from the AS's that are not directly connected may be invalid always.

eg:
    A---B----C

A, B and C are 3 routers in different AS's  1, 2 and 3 respectively.
A advertises a route for target X and also a Flowspec route with "redirect  IP(target X)". C receives these routes via B.
Now the the origin AS or first AS in the AS_PATH of the route to target X is 1 but the peer-AS is 2 since the route is received from B.
Since the peer-AS does not match the first AS of the best route target X,  this redirect IP action is considered invalid.


Please let me know if that's expected.

--Pavana.

On Mon, Apr 30, 2018 at 1:12 AM, Simpson, Adam 1. (Nokia - CA/Ottawa) <adam.1.simpson@nokia.com<mailto:adam.1.simpson@nokia.com>> wrote:
Hi Pavana,

The purpose of this text in the draft was to close the door on the ability for an accidental/malicious originator of a flow-spec route in AS=x from redirecting flows towards a target IP address in some other AS=y.

So, in this context we are interested in looking at the first AS in AS_PATH of the flow-spec route, not the most recently added AS in the AS_PATH (which would be the ‘neighbor AS’).

The route that resolves the target redirect IP address could be a BGP route or it could be a non-BGP route, despite the wording in the draft. If it is a BGP route the origin AS is determined as described above. If is a non-BGP route it would probably be appropriate to consider the route as locally originated (i.e. the same as a BGP route with null/empty AS_PATH or having only confed related elements).

I hope this helps.

-Adam


From: PVLR Pavana Murthy <pvlrpm@gmail.com<mailto:pvlrpm@gmail.com>>
Date: Saturday, April 28, 2018 at 12:45 AM
To: "David Smith (djsmith)" <djsmith@cisco.com<mailto:djsmith@cisco.com>>
Cc: idr wg <idr@ietf.org<mailto:idr@ietf.org>>, Pradosh Mohapatra <mpradosh@yahoo.com<mailto:mpradosh@yahoo.com>>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org>" <draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org>>, "ju1738@att.com<mailto:ju1738@att.com>" <ju1738@att.com<mailto:ju1738@att.com>>, "jhaas@juniper.net<mailto:jhaas@juniper.net>" <jhaas@juniper.net<mailto:jhaas@juniper.net>>, "akarch@cisco.com<mailto:akarch@cisco.com>" <akarch@cisco.com<mailto:akarch@cisco.com>>, "sairay@cisco.com<mailto:sairay@cisco.com>" <sairay@cisco.com<mailto:sairay@cisco.com>>, "pmohapat@cumulusnetworks.com<mailto:pmohapat@cumulusnetworks.com>" <pmohapat@cumulusnetworks.com<mailto:pmohapat@cumulusnetworks.com>>, "wim.henderickx@alcatel-lucent.be<mailto:wim.henderickx@alcatel-lucent.be>" <wim.henderickx@alcatel-lucent.be<mailto:wim.henderickx@alcatel-lucent.be>>, "Simpson, Adam 1. (Nokia - CA/Ottawa)" <adam.1.simpson@nokia.com<mailto:adam.1.simpson@nokia.com>>, "mtexier@arbor.net<mailto:mtexier@arbor.net>" <mtexier@arbor.net<mailto:mtexier@arbor.net>>
Subject: Re: Validation for BGP Flow-Spec Redirect to IP Action

Hello,
  Including all the authors mentioned in draft-ietf-idr-flowspec-redirect-ip-02, as the alias did not work. Also pasting doubts again here.

In the draft  draft-ietf-idr-flowspec-redirect-ip-02.txt, the following procedure is mentioned to validate the extended community of 'Flowspec
redirect to IP'.


   BGP speakers that support the extended communities defined in this

   draft MUST also, by default, enforce the following check when

   receiving a flow-spec route from an EBGP peer: if the received flow-

   spec route has a 'redirect to IP' extended community with a 'target

   address' X (in the global administrator field) and the best matching

   route to X is not a BGP route with origin AS matching the peer AS

   then the extended community should be discarded and not propagated

   along with the flow-spec route to other peers.



I have 2 doubts related to this statement.



What is 'origin AS' here? Is it the AS no. that is first added to the AS_PATH?
In the previous version of the draft its mentioned as the last AS in the AS_PATH.
Is it the last AS no. that has been added to the AS_PATH or the last AS no. from left in AS_PATH?



What if the redirect target X is directly connected or reachable by a static route and its not advertised by EBGP?

Do we need to consider that action invalid in that case?

Thanks,
Pavana.


On Sat, Apr 28, 2018 at 10:10 AM, PVLR Pavana Murthy <pvlrpm@gmail.com<mailto:pvlrpm@gmail.com>> wrote:
Hi Dave,
   Thanks for the reply and including respective draft author aliases.

I went through the latest draft-ietf-idr-bgp-flowspec-oid-06. It calls the first AS the Origin AS. Is it so?
If that's the case, the validation will fail for any 'redirect IP' actions coming from the AS other than neighbor AS. Is that the intention?
Also In  draft-ietf-idr-flowspec-redirect-ip-00.txt, instead of 'origin AS', the word 'last AS' is used.It is confusing.   Does the validation need to consider the first AS or last AS?

Regarding my second doubt, I could not get any pointers from  draft-ietf-idr-bgp-flowspec-oid-06 .  Do we need to consider only BGP routes always?

Thanks,
Pavana.


On Sat, Apr 28, 2018 at 3:37 AM, David Smith (djsmith) <djsmith@cisco.com<mailto:djsmith@cisco.com>> wrote:
Hi Pavana,

Your points are valid. With that said, I’ll defer you to draft-ietf-idr-bgp-flowspec-oid-05 (and later) and, specifically, section 4 (revised validation procedure) which addresses your points below.

Co-incidentally, a WG last call was issued for draft-ietf-idr-bgp-flowspec-oid-06 yesterday.

Regards,

/dave


From: PVLR Pavana Murthy <pvlrpm@gmail.com<mailto:pvlrpm@gmail.com>>
Sent: Friday, April 13, 2018 1:51 AM
To: idr wg <idr@ietf.org<mailto:idr@ietf.org>>; pmohapat@cumulusnetworks.com<mailto:pmohapat@cumulusnetworks.com>; David Smith (djsmith) <djsmith@cisco.com<mailto:djsmith@cisco.com>>
Subject: Validation for BGP Flow-Spec Redirect to IP Action

Hello,
  In the draft  draft-ietf-idr-flowspec-redirect-ip-02.txt, the following procedure is mentioned to validate the extended community of 'Flowspec
redirect to IP'.



   BGP speakers that support the extended communities defined in this

   draft MUST also, by default, enforce the following check when

   receiving a flow-spec route from an EBGP peer: if the received flow-

   spec route has a 'redirect to IP' extended community with a 'target

   address' X (in the global administrator field) and the best matching

   route to X is not a BGP route with origin AS matching the peer AS

   then the extended community should be discarded and not propagated

   along with the flow-spec route to other peers.



I have 2 doubts related to this statement.



What is 'origin AS' here? Is it the AS no. that is first added to the AS_PATH?
In the previous version of the draft its mentioned as the last AS in the AS_PATH.
Is it the last AS no. that has been added to the AS_PATH or the last AS no. from left in AS_PATH?



What if the redirect target X is directly connected or reachable by a static route and its not advertised by EBGP?

Do we need to consider that action invalid in that case?





Thanks,

Pavana.

v2.23.0 | Report a Bug | By Email