IETF Logo Mail Archive

Re: [Idr] Adoption call for draft-wang-idr-bgp-ifit-capabilities-04 (3/10 to 3/24)

Jeffrey Haas <jhaas@pfrc.org> Fri, 11 March 2022 18:17 UTC

Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96A133A0EAC for <idr@ietfa.amsl.com>; Fri, 11 Mar 2022 10:17:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ltKth49wzVfJ for <idr@ietfa.amsl.com>; Fri, 11 Mar 2022 10:17:16 -0800 (PST)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 9C3543A1080 for <idr@ietf.org>; Fri, 11 Mar 2022 10:17:13 -0800 (PST)
Received: by slice.pfrc.org (Postfix, from userid 1001) id 7FD421E342; Fri, 11 Mar 2022 13:17:12 -0500 (EST)
Date: Fri, 11 Mar 2022 13:17:12 -0500
From: Jeffrey Haas <jhaas@pfrc.org>
To: Susan Hares <shares@ndzh.com>
Cc: idr@ietf.org
Message-ID: <20220311181711.GA29551@pfrc.org>
References: <00ca01d8348c$8b05d270$a1117750$@ndzh.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <00ca01d8348c$8b05d270$a1117750$@ndzh.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/BBE3N6m4HX21euJyVvK6VVa2IZI>
Subject: Re: [Idr] Adoption call for draft-wang-idr-bgp-ifit-capabilities-04 (3/10 to 3/24)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2022 18:17:21 -0000

Sue and Working Group,

I'm generally supportive of IFIT for BGP.  

For this particular document, I think it'd be helpful if the authors 
provided some more detail on the scoping of the BGP Extended Community 
attributes and their security considerations.

In particular:

On Thu, Mar 10, 2022 at 09:38:43AM -0500, Susan Hares wrote:
> This begins a 2 week WG Adoption call (3/10/2022 to 3/24/2022) 
> 
> for draft-wang-idr-bgp-ifit-capabilities-04
> 
> https://datatracker.ietf.org/doc/draft-wang-idr-bgp-ifit-capabilities/
> 
> In your comments please consider if: 
> 
> 1) Do the additions to BGP (2 Communities and 
> TLV for next-hop-capability attribute) 
> help the distribute information regarding the  IFIT options 
> from tail (egress) nodes to head nodes (ingress)?  
> 
> Are there any cases where these BGP 
> Communities should be removed or ignored?  

>From the Security Considerations for draft-ietf-idr-sr-policy-ifit-03:

:   IFIT data MUST be propagated in a limited domain in order to avoid
:   malicious attacks and solutions to ensure this requirement are
:   respectively discussed in [I-D.ietf-ippm-ioam-data] and
:   [I-D.ietf-6man-ipv6-alt-mark].

The NextHop Capability leveraged in this draft as part of prior learnings
has specified itself as an Optional, Non-Transitive Path Attribute.  This
means that behaviors can be enforced on a hop-by-hop basis.

BGP Extended Communities are only scoped for as-transitive or not.

It'd be useful for the authors to comment on what the expected behaviors for
BGP speakers downstream of not the IFIT egress. Also, potentially outside
of the IFIT domain.  What are the Security Considerations for such
additional propagation of these Extended Communities?

I'm unclear whether the intent of the Extended Communities is whether they
should ONLY be propagated with the NextHop Capability or not.

Please note that forms of this question were raised both on the mailing list
in prior threads and also during IDR IETF sessions.

-- Jeff

v2.23.0 | Report a Bug | By Email