Re: [Idr] draft-keyupate-idr-bgp-prefix-sid-00 & SP isolations
<bruno.decraene@orange.com> Tue, 18 November 2014 17:30 UTC
Return-Path: <bruno.decraene@orange.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 057D91A1B5B for <idr@ietfa.amsl.com>; Tue, 18 Nov 2014 09:30:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.598
X-Spam-Level:
X-Spam-Status: No, score=-1.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kzBCg015hZvb for <idr@ietfa.amsl.com>; Tue, 18 Nov 2014 09:30:50 -0800 (PST)
Received: from relais-inet.francetelecom.com (relais-ias244.francetelecom.com [80.12.204.244]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97EBA1A1B13 for <idr@ietf.org>; Tue, 18 Nov 2014 09:30:49 -0800 (PST)
Received: from omfeda05.si.francetelecom.fr (unknown [xx.xx.xx.198]) by omfeda14.si.francetelecom.fr (ESMTP service) with ESMTP id C0BFE2ACEC5; Tue, 18 Nov 2014 18:30:47 +0100 (CET)
Received: from Exchangemail-eme1.itn.ftgroup (unknown [10.114.1.183]) by omfeda05.si.francetelecom.fr (ESMTP service) with ESMTP id A5AF618009D; Tue, 18 Nov 2014 18:30:47 +0100 (CET)
Received: from PEXCVZYM11.corporate.adroot.infra.ftgroup ([fe80::a441:e6a9:6143:6f0f]) by PEXCVZYH02.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.03.0210.002; Tue, 18 Nov 2014 18:30:47 +0100
From: bruno.decraene@orange.com
To: Robert Raszuk <robert@raszuk.net>
Thread-Topic: [Idr] draft-keyupate-idr-bgp-prefix-sid-00 & SP isolations
Thread-Index: AQHQA1J6HL0qWHQeWEu6rmUFtB0XXpxmotlQ
Date: Tue, 18 Nov 2014 17:30:46 +0000
Message-ID: <7375_1416331847_546B8247_7375_486_1_53C29892C857584299CBF5D05346208A07265BDE@PEXCVZYM11.corporate.adroot.infra.ftgroup>
References: <8569_1416329672_546B79C8_8569_2021_1_53C29892C857584299CBF5D05346208A07265A06@PEXCVZYM11.corporate.adroot.infra.ftgroup> <CA+b+ER=MbsHbSU=qY7mwLEvjQPqKEjy3rW2WqCQqoTXfzqmpEQ@mail.gmail.com>
In-Reply-To: <CA+b+ER=MbsHbSU=qY7mwLEvjQPqKEjy3rW2WqCQqoTXfzqmpEQ@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.197.38.4]
Content-Type: multipart/alternative; boundary="_000_53C29892C857584299CBF5D05346208A07265BDEPEXCVZYM11corpo_"
MIME-Version: 1.0
X-PMX-Version: 6.0.3.2322014, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2014.10.23.30920
Archived-At: http://mailarchive.ietf.org/arch/msg/idr/7UjGt7T070V1-_9P7_9AgseK7HE
Cc: "idr@ietf. org" <idr@ietf.org>
Subject: Re: [Idr] draft-keyupate-idr-bgp-prefix-sid-00 & SP isolations
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Nov 2014 17:30:53 -0000
Hi Robert, Please see inlined [Bruno] Bruno From: rraszuk@gmail.com [mailto:rraszuk@gmail.com] On Behalf Of Robert Raszuk Subject: Re: [Idr] draft-keyupate-idr-bgp-prefix-sid-00 & SP isolations Some routes may be received unlabeled (from untrusted sources) and redistributed as labeled. e.g. IPv6 → 6PE, IP --> VPN IP How would the AS protect itself (from SID collision) from non labeled/trusted routes received with a SID attributes, and then re-advertised as labelled? Hi Bruno, Doesn't the above concern is solved by the below sentence from the draft: "The BGP Label Index attribute SHOULD only be announced with BGP Prefixes carried in a labeled address-family (SAFI value 4 or SAFI value 128)." With this in mind how can you receive SID attribute with unlabeled route ? [Bruno] Someone doing an “experiment” or an attack and attaching this attribute deliberately. (also it’s only a SHOULD; implementation may have bugs) Cheers, R. " A BGP speaker receiving a BGP Label index attribute from its EBGP neighbor SHOULD discard the attribute unless it is configured to accept the attribute from the EBGP neighbor." Is good but may not be sufficient as the above BGP speaker (ASBR) may not support this document and hence will propagate the attribute over iBGP sessions. (unless we require that all routers support this document in which case we may not need a transitive attribute, which would by itself address the problem) One option would be to mandate that by default a BGP session/peer group/AFI remove the received SID attribute. (or at least do not honor it, but I don't see the use case to keep the attribute that we don't want to use) e.g. something like "To contain distribution of the BGP Label Index attribute beyond its intended scope of applicability, attribute filtering MAY be deployed." But for _received_ routes and with :s/MAY/SHOULD. At least the currently empty security consideration section should probably discuss this. Thanks, Regards. Bruno PS: On a side note "Segment Routing Architecture" should probably be a normative reference. _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. _______________________________________________ Idr mailing list Idr@ietf.org<mailto:Idr@ietf.org> https://www.ietf.org/mailman/listinfo/idr _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [Idr] draft-keyupate-idr-bgp-prefix-sid-00 & SP i… bruno.decraene
- Re: [Idr] draft-keyupate-idr-bgp-prefix-sid-00 & … Robert Raszuk
- Re: [Idr] draft-keyupate-idr-bgp-prefix-sid-00 & … bruno.decraene
- Re: [Idr] draft-keyupate-idr-bgp-prefix-sid-00 & … Robert Raszuk