IETF Logo Mail Archive

Re: [Idr] draft-uttaro-idr-bgp-persistence-00: Security Considerations

Robert Raszuk <robert@raszuk.net> Thu, 03 November 2011 06:06 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AF661F0C55 for <idr@ietfa.amsl.com>; Wed, 2 Nov 2011 23:06:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DWfxwXoQR-3q for <idr@ietfa.amsl.com>; Wed, 2 Nov 2011 23:06:09 -0700 (PDT)
Received: from mail37.opentransfer.com (mail37.opentransfer.com [76.162.254.37]) by ietfa.amsl.com (Postfix) with SMTP id 1FA671F0C54 for <idr@ietf.org>; Wed, 2 Nov 2011 23:06:08 -0700 (PDT)
Received: (qmail 3202 invoked by uid 399); 3 Nov 2011 06:06:07 -0000
Received: from unknown (HELO ?192.168.1.57?) (178.42.163.36) by mail37.opentransfer.com with SMTP; 3 Nov 2011 06:06:07 -0000
Message-ID: <4EB22F4F.9080604@raszuk.net>
Date: Thu, 03 Nov 2011 07:06:07 +0100
From: Robert Raszuk <robert@raszuk.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: erosen@cisco.com
References: <14153.1320288579@erosen-linux>
In-Reply-To: <14153.1320288579@erosen-linux>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "idr@ietf.org List" <idr@ietf.org>, "UTTARO, JAMES" <ju1738@att.com>
Subject: Re: [Idr] draft-uttaro-idr-bgp-persistence-00: Security Considerations
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: robert@raszuk.net
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 06:06:10 -0000

Eric,

> If PE1 happens to have noticed that PE2 blinked out, it may be wise for PE1
> to invalidate the routes for which PE2 is the next hop.  If PE1 did not
> notice that PE2 blinked out, it will continue to make use PE2's old VPN-IP
> routes.

So when RR is down PE2's BGP process restarts while IGP not - PE1 has no 
chance to notice any next hop blink - hence till RR comes up and cleans 
up the mess pretty much network is in a bad state.

How long RR will wait after coming up to get his previous IBGP peering 
reestablished before starting the cleanup ?

Thx,
R.


>> If we have a below scenario:
>>
>>            / PE2
>> PE1 -- RR
>>            \ PE3
>
>> When PE2 disappears RR will re-advertise his routes as persistent to PE1
>> with some labels - for simplicity let's assume those are L3VPN labels.
>
> In the case being discussed (I think), the RR is down at the time PE2
> disappears, but PE1 is still using the routes previously distributed to it
> by the RR.
>
>> There are two options ...
>
>> * PE2 went down for good - RR by advertising persistent routes may at
>> most cause to blackhole the traffic - that is why I started by
>> recommending a MUST for next hop reachability
>
>> * PE2 restarted - here I assume RR would withdraw previous STALE routes
>> by both implicit withdraw and explicit withdraw
>
> The RR can't withdraw any routes because it is down.
>
> If PE1 happens to have noticed that PE2 blinked out, it may be wise for PE1
> to invalidate the routes for which PE2 is the next hop.  If PE1 did not
> notice that PE2 blinked out, it will continue to make use PE2's old VPN-IP
> routes.  Unfortunately, all these routes will now have incorrect labels, and
> packets from one VPN may get forwarded by PE2 to another VPN.
>
> As far as I can tell, until the RR comes back up, there is no assurance that
> PE1 will notice PE2's restart, so random cross-connection of VPNs is
> certainly possible.
>
> But it's not obvious that random cross-connections of this sort are any
> worse than a complete loss of service.  While datagrams from one VPN might
> get sprayed into the other, it is hard to see how a TCP connection between
> the two VPNs could be set up or maintained, since there is not going to be a
> working reverse path.
>
>
>
>
>
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
>

v2.23.0 | Report a Bug | By Email