IETF Logo Mail Archive

Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-oid-01 as IDR WG document

Robert Raszuk <robert@raszuk.net> Wed, 16 May 2012 21:24 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AE5B21F874C for <idr@ietfa.amsl.com>; Wed, 16 May 2012 14:24:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.514
X-Spam-Level:
X-Spam-Status: No, score=-2.514 tagged_above=-999 required=5 tests=[AWL=0.085, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZcNFnosSMpMf for <idr@ietfa.amsl.com>; Wed, 16 May 2012 14:24:21 -0700 (PDT)
Received: from mail1310.opentransfer.com (mail1310.opentransfer.com [76.162.254.103]) by ietfa.amsl.com (Postfix) with ESMTP id 6F7CD21F872E for <idr@ietf.org>; Wed, 16 May 2012 14:24:21 -0700 (PDT)
Received: (qmail 13376 invoked by uid 399); 16 May 2012 21:24:20 -0000
Received: from unknown (HELO ?192.168.1.58?) (pbs:robert@raszuk.net@83.31.240.29) by mail1310.opentransfer.com with ESMTPM; 16 May 2012 21:24:20 -0000
X-Originating-IP: 83.31.240.29
Message-ID: <4FB41B06.5050709@raszuk.net>
Date: Wed, 16 May 2012 23:24:22 +0200
From: Robert Raszuk <robert@raszuk.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: Keyur Patel <keyupate@cisco.com>
References: <CBD9681C.253D5%keyupate@cisco.com>
In-Reply-To: <CBD9681C.253D5%keyupate@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "idr@ietf.org List" <idr@ietf.org>
Subject: Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-oid-01 as IDR WG document
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: robert@raszuk.net
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 May 2012 21:24:22 -0000

Hi Keyur,

Actually you bring a good point. Going by section 6 would preclude 
reception of flow-spec routes across IX route servers as in those cases 
enforcing-first-as must be disabled on the IX client.

Perhaps as you suggest we should replace section 6 of current 5575 with 
the full AS_PATH check regardless if enforce-first-as is in effect there 
or not.

Comments ?

Thx,
R.

> One comment and one question on the draft.
>
> 1) I believe the rule should cover checks for AS4_PATH as well.
>
> 2) Section 6 from RFC5575
>
> <snip>
> BGP implementations MUST also enforce that the AS_PATH attribute of a
>     route received via the External Border Gateway Protocol (eBGP)
>     contains the neighboring AS in the left-most position of the AS_PATH
>     attribute.  While this rule is optional in the BGP specification, it
>     becomes necessary to enforce it for security reasons.
> <snip>
>
> Do we need to do a complete aspath check instead? Otherwise, a neighboring
> AS can inject a bogus flowspec route?
>
> Regards,
> Keyur
>
>
> On 5/16/12 1:19 PM, "Robert Raszuk"<robert@raszuk.net>  wrote:
>
>> Hi,
>>
>> I support the adoption of this draft as WG document.
>>
>> However the new text authors added between -00 and -01 seems too
>> restrictive to the original theme/direction.
>>
>> It says:
>>
>> ".. or the AS_PATH attribute of the flow specification is empty."
>>
>> That precludes injecting and honoring the flow routes even within the
>> same administrative domain in the presence of confederations.
>>
>> I recommend that this limitation should be removed in next version.
>>
>> Regards,
>> R.

v2.23.0 | Report a Bug | By Email