Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard

"Jakob Heitz (jheitz)" <jheitz@cisco.com> Fri, 05 May 2017 22:09 UTC

X-Files: showbgp2policy.c : 17650
From: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
To: idr wg <idr@ietf.org>, "grow@ietf.org" <grow@ietf.org>
Date: Fri, 5 May 2017 22:09:20 +0000
Message-ID: <0b84d588d67e420d9286f56ee45d49c2@XCH-ALN-014.cisco.com>
In-Reply-To: <CA+b+ERm6LuJv+psrE9+DJSgfMSnSHO1LXsFt274J+Btz3WH_1A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/38bPnhvPno7QYjBi1fDiyNP10DY>

Even if violating router OSes are updated, leaks will continue for a long time.
I hope I can help on the filtering side. No RFC or vendor code change required.

I wrote an app in C that takes the output of "show bgp" and creates
a set of route-policies that will prevent the leaks.
It looks at the as-paths, finds your neighbors and then all their upstreams.
Then it writes as-path policies to allow only those upstreams for your neighbors.
You then use the policy in your neighbor inbound policies to either drop
or set a low localpref. There is a way to show the routes that are disallowed.
Sorry, it only works with Cisco.
The source is free for anyone to do whatever they want.
Other vendors can adapt it at will.

Compile it at a Linux command line: "cc showbgp2policy.c".
Sorry about the C, but Python is not my mother tongue.
Start with num_policies of 30 and see how it looks.


Thanks,
Jakob.
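The approach Jakob describes, re-implemented in Python as an added example (it is not his showbgp2policy.c): learn each eBGP neighbor's upstreams from a constructed "show bgp" sample, emit one IOS XR style as-path-set per neighbor, and apply the same check in code so the routes a policy would disallow can be listed. The sample data, the column alignment, the LEAK_GUARD naming and the as-path-set syntax are assumptions; the example also collapses AS prepending, which a second-AS check must do to find the real upstream.

```python
from collections import defaultdict

# Constructed sample shaped like Cisco "show bgp" output (not real data); the
# Path column is aligned with the header, as the CLI prints it.
HEADER = f"   {'Network':<19}{'Next Hop':<12}{'Metric LocPrf Weight':>28} Path"
def _row(prefix, nexthop, path):
    return f"*> {prefix:<19}{nexthop:<39}0 {path}"
SAMPLE_SHOW_BGP = "\n".join([HEADER,
    _row("192.0.2.0/24", "198.51.100.1", "65001 65010 65100 i"),
    _row("198.51.100.0/24", "198.51.100.1", "65001 65001 65011 i"),  # prepended
    _row("203.0.113.0/24", "198.51.100.2", "65002 65020 65100 i"),
    _row("203.0.113.128/25", "198.51.100.2", "65002 i")])            # originated

def parse_as_paths(show_bgp):
    """Yield AS paths (lists of ints); Path column offset comes from the header,
    origin codes and non-numeric tokens (AS_SETs) are dropped, no wrapped rows."""
    path_col = None
    for line in show_bgp.splitlines():
        if path_col is None:
            if "Network" in line and "Path" in line:
                path_col = line.index("Path")
            continue
        if not line.startswith("*"):
            continue
        path = []
        for tok in line[path_col:].split():
            if tok.isdigit() and (not path or path[-1] != int(tok)):
                path.append(int(tok))          # collapse prepending
        if path:
            yield path

def learn_upstreams(paths):
    """Map each eBGP neighbor (first AS) to the upstreams seen directly behind it."""
    upstreams = defaultdict(set)
    for path in paths:
        upstreams[path[0]].update(path[1:2])   # empty slice if neighbor originates
    return dict(upstreams)

def is_allowed(path, upstreams):
    """Same test the policy enforces: known neighbor and a learned second AS."""
    neighbor, rest = path[0], path[1:2]
    return neighbor in upstreams and (not rest or rest[0] in upstreams[neighbor])

def render_as_path_set(neighbor, upstreams):
    """IOS XR style as-path-set (syntax assumed, not taken from the tool)."""
    elems = [f"  ios-regex '^({neighbor}_)*{neighbor}$'"]
    if upstreams[neighbor]:
        alts = "|".join(map(str, sorted(upstreams[neighbor])))
        elems.append(f"  ios-regex '^({neighbor}_)+({alts})_'")
    return "\n".join([f"as-path-set LEAK_GUARD_AS{neighbor}", ",\n".join(elems), "end-set"])
```

Reference the generated set from the neighbor's inbound route-policy to drop or lower local-preference on non-matching paths; anything `is_allowed` rejects against a fresh table dump is a route the policy would have filtered.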