Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspec-oid-12

Alvaro Retana <> Tue, 16 March 2021 18:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CADD23A0C32; Tue, 16 Mar 2021 11:21:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2OR68W6xSujy; Tue, 16 Mar 2021 11:21:21 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EA6263A0C31; Tue, 16 Mar 2021 11:21:20 -0700 (PDT)
Received: by with SMTP id ci14so73626378ejc.7; Tue, 16 Mar 2021 11:21:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc:content-transfer-encoding; bh=YESlJyjm0hnUT/o/1Wo18Nk78IjZMyM/NJwiASKU/lc=; b=hM0HC148/ht2csninek/xS5v4e5nAsN0OvGLHUISXRRfAtReqWs5kAYnQCTZKK3KUR uNywnFkurnx3qkrSP5g8OT9Bmw7cGYbMcofEhdhKE4Ei4zKi0kuF8iSzkznmoMSApNDl xZYXqrxnqxGj4M2zbYumCztl+cyVB5rLsWBn9B1Tup3hkCu2jUZMy5SKyeNUrPRs5ag2 4T9qDtkm2De7sjiommuamy9UH05VLg880HltQkM3Rg2x0At2HndGpBI0pUkqWqKOQWOx 3ftl77EgjQMBXoCk6o2HuJPIkEgWEYfS5dZZbSArotOw9PsPHWa2Txt6677GkpSr9bzy xt5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc:content-transfer-encoding; bh=YESlJyjm0hnUT/o/1Wo18Nk78IjZMyM/NJwiASKU/lc=; b=Ka/NmPbdee1Cjnu4TlxkECfGWsvodwkLNxoeOtZ2Sgr88WvyqwFIIzFh9t714TUF1A OBUdIywZd7uujdCwe0I3b+hFYEsnLmkDr1h79jdjpqQ9HRBz9dgtJA1yXpTAbDWzcsTr +iTaRXNyx2dOoi+E4KjMRZdAdbpgIariHRfECTic84DjkS71Dx1kdXCEpbOy7wl7ZsQ+ btf9Ub18d7JRZTa6oXnSaKNYKSN4gMRptFbL+ubyZgtXdNO8LSy5Gy5R1bWdcuKk3EL2 SyUfoe8cfTtTEcMX6Bgv1zQQUnUICX8CxfiTZSPt84ejOXaNDzPirbNdUwNHexu5LtEh 3JeQ==
X-Gm-Message-State: AOAM531clL8a8j17xvl7gBL2Y4TEwyvNZkXJyA67y0Vd7hxEsaIc0ohu pjd9PeeW4WicD/YwRm/807hEluGh4lE7x4mOxZa7Zw8T
X-Google-Smtp-Source: ABdhPJx/FkDFQsTvCPCoCwLPDUxbnwbAc5bfLiObDa2V1PhNWkx/rI4WAnoCTqdzxtSG1MrSja5w1k8NcqngNp0sUlI=
X-Received: by 2002:a17:906:d554:: with SMTP id cr20mr31326914ejc.61.1615918877611; Tue, 16 Mar 2021 11:21:17 -0700 (PDT)
Received: from 1058052472880 named unknown by with HTTPREST; Tue, 16 Mar 2021 11:21:16 -0700
From: Alvaro Retana <>
In-Reply-To: <>
References: <> <> <> <>
MIME-Version: 1.0
Date: Tue, 16 Mar 2021 11:21:16 -0700
Message-ID: <>
To: "" <>, "Juan Alcaide (jalcaide)" <>
Cc: Susan Hares <>, "" <>, IDR List <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspec-oid-12
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 16 Mar 2021 18:21:23 -0000

On March 15, 2021 at 8:32:06 PM, Juan Alcaide wrote:


> For my dismay, I realized I only had gotten part of your email (till review
> line 118). I think a weird problem with my email server. It was more in-deep
> review that I thought.

Yeah...there seems to be an issue with long messages and Outlook (as
far as I can see): the messages are truncated.  The IETF archive
always gets the whole message.  I have also been including an "[End of
Review]" signal. :-)

> My changes will reflect more or less your suggestions.

Ok -- I'll take a look at the details when you post -13.

> Before, I have some contentious points I’d like to raise:
> Any alternative naming to ‘ingress border routers’ ? They are just the
> routers receiving traffic and far away from FS peering

Right -- that is what is confusing: these routers are not at the
border or are ingress routers.

I don't have a better suggestion.  The name is used only 3 times, so
perhaps the simply describe where they are...

> Around line 311...

[It is better if you reply we make sure we're both
talking about the same thing. ;-)]

> mention a new security hole because of the new AS_PATH validation rule.
> You are referring to the case of a route-server, right? Let’s say
> AS1—(route-server)—AS2. AS1, instead of AS_PATH = 1, could send us AS_PATH =
> 100 for the -rogue - FS route. The best-match unicast route could be actually
> coming from another route-server client om AS 100 (that is sending -correctly
> -the unicast route with AS_PATH=100)

This is what I wrote:

306	      Redefinition of this AS_PATH validation rule for a Flow
307	      Specification does not mean that the original rule in [I-D.ietf-
308	      idr-rfc5575bis] cannot be enforced as well.  Its enforcement
309	      remains optional per [RFC4271] section 6.3.  That is, we can
310	      enforce the first AS in the AS_PATH to be the same as the neighbor
311	      AS for any address-family route (including a Flow Specification).

[major] Both rfc5575 and rfc8955 mentioned that the enforcement is
required "for security reasons".  I'm sure the question will come up
about the potential security holes that are now opened if the
enforcement is not performed.  Please add (preferably in the Security
Considerations section) text including any recommendations on when the
enforcement can/should be performed.

For the general eBGP case, for example, there is the possibility that
the left-most ASN matches for both the FS/unicast routes, but that it
doesn't correspond to the peer AS.  I believe this is a case where an
additional vulnerability is introduced --- but also one that can be
mitigated by recommending/requiring the enforcement in this type of
cases (with appropriate caveats).

Yes. The route-server case is a subcase of the "general eBGP case".

> Around line 322, you mention we could use the new AS_PATH check for
> eBGP-confed routes as well. If we did, then we should also extend it for iBGP
> peers. But I don’t see much of a point to it, as long as we do the right
> check of the eBGP received routes any further check is redundant. Same
> concept that checking on AS_PATH loops only for eBGP received routes.

318	      Using the new rule to validate a Flow Specification route received
319	      from an External Border Gateway Protocol (eBGP) peer belonging to
320	      the same local domain (in the case that the local AS belongs to a
321	      confederation of ASes) is out of the scope of this document.  Note
322	      that although it's possible, its utility is dubious.

[minor] Why can't the same check be applied?  The text above doesn't
talk about segments so it should be able to apply.

[minor] As for the value, you seem to be assuming that just because
the confederation is in the same administrative domain than there
won't be configuration errors or rogue routers.  I believe that is a
dangerous assumption.

The "normal" iBGP case is different than the confederation case where
we do find an eBGP relationship.

> Around line 324, you mention we should suppress ‘Other RFC5575bis
> Considerations.’. This section had more points that were trimmed when
> rfc8995 included those points. Only references left are about 2byte AS old
> speakers. Not sure if those references were ever considered for rfc8995. I
> guess the meaning of AS_PATH could be inferred w/o these references. rfc8955
> already seems to infer them (although it is basically a copy of the old
> rfc4271 rule). Is it assumed that the meaning of AS_PATH is also inferred for
> any rfc after rfc6793?

In short, yes.  rfc6793 formally Updated rfc4271, so any
interpretation of the AS_PATH has to consider what rfc6793 says.

> In the security section, you mention ‘ibgp are not trusted’. That’s strictly
> true, but in the sense of rfc8955 it would seem they are (rfc8955 is only
> concerned about trust for eBGP peerings). I can add a note, but is anything
> else is required?

412	   BGP updates learned from iBGP peers are trusted so the Traffic Flow
413	   Specifications contained in BGP updates are trusted.  Therefore it is
414	   not required to validate that the originator of an intra-domain
415	   Traffic Flow Specification matches the originator of the best-match
416	   unicast route for the flow destination prefix.  This proposal
417	   continues to enforce the validation Procedure for eBGP learned
418	   Traffic Flow Specifications, as per [I-D.ietf-idr-rfc5575bis] rules.
419	   In this way, the security properties of [I-D.ietf-idr-rfc5575bis] are
420	   maintained such that an EBGP peer cannot cause a denial-of-service
421	   attack by advertising an inter-domain Flow Specification for a
422	   destination prefix that it does not provide reachability information
423	   for.

[major] "iBGP peers are trusted"   This is a flawed assumption because
it doesn't take into account the possibility of a rogue iBGP speaker.
Consider the case where an attacker takes control of a router and
creates (or limits) Flow Specifications -- not checking would open the
network up to any router becoming an attack point.

Yes, I understand that this is not a new vulnerability introduced in
this draft.  However, the type of risk (creating a Flow Specification)
is new to this work and a direct result.

Because the origin check won't happen for iBGP, you should mention the
risk clearly.

As you mention, rfc8955 considers eBGP.  The fact that it doesn't say
anything about iBGP shouldn't be interpreted as trusting those peers.
Even if that was the intent in rfc8955, this document deals directly
with iBGP so it makes it the best place to call the risk out.