IETF Logo Mail Archive

Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth fixing?

John Scudder <jgs@juniper.net> Thu, 24 September 2020 01:31 UTC

Return-Path: <jgs@juniper.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2DBB3A1649 for <idr@ietfa.amsl.com>; Wed, 23 Sep 2020 18:31:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.813
X-Spam-Level:
X-Spam-Status: No, score=-3.813 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.695, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b=v8JyBota; dkim=pass (1024-bit key) header.d=juniper.net header.b=OUhwvwj0
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XzkVqQSPyqW1 for <idr@ietfa.amsl.com>; Wed, 23 Sep 2020 18:31:09 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B0BA3A1648 for <idr@ietf.org>; Wed, 23 Sep 2020 18:31:09 -0700 (PDT)
Received: from pps.filterd (m0108157.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 08O1NW31019642; Wed, 23 Sep 2020 18:31:08 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=PPS1017; bh=kZnh5rT7M1JM/o5m5qxvxTO90qgW3V+jsdVObNGLV/Q=; b=v8JyBotadB/XUWw0jmwQ1RySkaAKP9kBQ62DOcD+esG5mv8rinAAS0mdbPkOEn05c+3f wnHVFqaYuTLtbLf3GMaP0nVPM+D8iCSfW+SMZWWB6AzEpsb7jqqr5b6zvCNfGWRzS0ST DuaE0qluW3h25ZwbrzwGtlCfkbzxRCMlDFDnE/BMrXKo1reHKJYkyibh9kyh52FnjXt2 b8hKPWmG5MDOVDRXdJ0sfglxtsdlV4Qjx8NiA1tkPWiHlldVxKtK6SJFS85witDZFF/3 UCYw66BbgFwXwP8MswJPj4Gx946vGde8+peZi4/ClOB/Dxpmr/bE8RoCRao/WGqUAn1f Qg==
Received: from nam10-mw2-obe.outbound.protection.outlook.com (mail-mw2nam10lp2100.outbound.protection.outlook.com [104.47.55.100]) by mx0a-00273201.pphosted.com with ESMTP id 33r6s995t4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 23 Sep 2020 18:31:08 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FacghjZaaCXrVep2wRUKZrYIqEbxp45jyY6DdbKYPvr/YhdeETlhXZfrI8ECR6zirs1u/d0W3qXhIM/SGd1abEb8uFvFb5TEBhWhShize3dHBnbdyisH990wpRz4jY5BsbPw3JBosIX87Dru+FV2GiDr9DrQCilrS/maSiUcaNh+aMTXDyIaOZqjD4kDgS/ifgA+msm3DLb8XmcpfUS4ddBy4/aEsqvYrNJ364rVzHdD4d+oJWL5GqesLiDhzKIGIgCcE8WjDdsU0vQaAD+HN1K8vM2pDH4oBdAkJL+NffLMztANa675bGIIDngU1+5zHTmmcxZIhVnLDqtcfLOnNA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kZnh5rT7M1JM/o5m5qxvxTO90qgW3V+jsdVObNGLV/Q=; b=VBzQBhtgQPsAshfckOTvP8EZpLL+Y+PmnzFeWbGacZgkMXsP9carH3vcNZglIpfpi9dXPVUVgz4TZ6ZRS1rzhXloWprPGi0VnW2MNwWYkqjXSCnpP9BBzI599R/YobXTqw7q08lQZsAeTyXbW2W03Zsli4luAyh8Vrrkoma1zYWRdWNElEy/+W0V5LS6wpE9V9sNjLdteTzQbtUFo4yjUmf8GxnofXti7UCOp4/8hKgjKMPtnwstEUU65PjgJXkHPSxO/2Ff263j4Rl/ZtvTiUcgwqpA2cnvoM86b6NZehczMZQrJLd6QVtoafTHko5hWB4P6FNYl4B+qdCzs90nJg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kZnh5rT7M1JM/o5m5qxvxTO90qgW3V+jsdVObNGLV/Q=; b=OUhwvwj06mbPpsTe4nf3t3Qiyd++Hia9Pi7oJhc+vkmlCeeWt9+t1UpeeFvcbLuoRPOoDQVSKWzPXiU3lz8tY1DPA17JF3UUzg+eXQbslj7C9K/Bv8Grm72IUH7922n2olomLGrcrDP+xcrPobeKe/950d7CH6A0nVaFUO3TfmQ=
Received: from BL0PR05MB5076.namprd05.prod.outlook.com (2603:10b6:208:83::12) by BLAPR05MB7476.namprd05.prod.outlook.com (2603:10b6:208:297::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.10; Thu, 24 Sep 2020 01:31:05 +0000
Received: from BL0PR05MB5076.namprd05.prod.outlook.com ([fe80::e542:8237:ac48:ef5c]) by BL0PR05MB5076.namprd05.prod.outlook.com ([fe80::e542:8237:ac48:ef5c%7]) with mapi id 15.20.3412.020; Thu, 24 Sep 2020 01:31:05 +0000
From: John Scudder <jgs@juniper.net>
To: Robert Raszuk <robert@raszuk.net>
CC: Alvaro Retana <aretana.ietf@gmail.com>, Christoph Loibl <c@tix.at>, Hares Susan <shares@ndzh.com>, "idr@ietf. org" <idr@ietf.org>
Thread-Topic: Bug in draft-ietf-idr-rfc5575bis, worth fixing?
Thread-Index: AQHWke6RJ/7GqRzh40q9dKt5uqwGhKl2v4AAgAAMyQCAAALGgIAAMdAA
Date: Thu, 24 Sep 2020 01:31:05 +0000
Message-ID: <75DDE0A6-DB26-4BC3-ABB9-C189F5334411@juniper.net>
References: <303E54F6-833A-4458-B3E6-DE90E7CA121B@juniper.net> <CAMMESsy8uZb9GLgh12LD9SvYSxZeMczy52TDM30w88Fbx5+2Nw@mail.gmail.com> <CAOj+MMExdcyUP+eLdqPYRSYzg_9wVRRtSTGfQ4comC_pYteT7w@mail.gmail.com> <CAOj+MMHJ2n2Du1fpiz8TQuBi-F7SROrFDvRk-r4aqQqotS7osQ@mail.gmail.com>
In-Reply-To: <CAOj+MMHJ2n2Du1fpiz8TQuBi-F7SROrFDvRk-r4aqQqotS7osQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.1)
authentication-results: raszuk.net; dkim=none (message not signed) header.d=none;raszuk.net; dmarc=none action=none header.from=juniper.net;
x-originating-ip: [162.225.191.192]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 4b5e9726-a516-496d-9a58-08d860298184
x-ms-traffictypediagnostic: BLAPR05MB7476:
x-microsoft-antispam-prvs: <BLAPR05MB74760A70B7A927F471FF99F3AA390@BLAPR05MB7476.namprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 9yp+j1+TTp96OxfaUi5ivJV2H+f7vOORZx7J965D2bzfwLjldzjwgoQQYc/U6iVGjYGJeW6Hzo2Bbb3SF5jYZeJMV7oQviysok7rwLoEOo+qYGqbZhdKeH1fMAVdDgT1H4vqYN2bEqhK0ielsjoXOuWugWAA4dQpqyS61308Y/bz1xlD/EnTGoTn/jvzCH6Vvfyh0qUeKYmmfMdnfGOGHZKTQ/H4hVVjrERIBcJzTXQXwW8ytri+0Io0K1mdEc5OJ2XBW7Wff6khz02/Juprajft6z2P7KqR8d3bVF3fStyYpL91r+rleYAJxSyKChijEWhxcs6KlKe+EH0N3xyt6lecIXiwGX3n39vb4nqq/tTOBOvmMvtH+n665D9e9TxocQWohCgWaNEZS14+2DL9Wg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BL0PR05MB5076.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(39860400002)(346002)(136003)(366004)(396003)(478600001)(8936002)(6486002)(2906002)(316002)(8676002)(66574015)(166002)(36756003)(4326008)(83380400001)(86362001)(54906003)(66946007)(6512007)(6916009)(2616005)(6506007)(26005)(66476007)(76116006)(91956017)(186003)(66446008)(64756008)(966005)(53546011)(66556008)(5660300002)(33656002)(71200400001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: pFvKqaoPRvioPp2yZQ9huqIKNkLuC0WIkopPxUQCA27fu9dGuc7MrqzElfTv360tVPsljrrp0PfgSZqiXv+B+in6CAsNLCqP9owKdu7A203CffQfCLQLEp8QUTQfrwpHWZWzeI2NPkRPEbA0vlp/Le53GEfVItPAZdGFhPySoeUcGcM5+BzK3IzDGKe77Uy/qNLQO6C1krxMGuU+HpbckBFiokc3a2NN08aX8VXUFNRfOpRLjYVFoCvpWnp1BluSzonTkWRIJKzPAHAkQVdX4UlDISJ3fvWnVfKXMbDyRnMVHW/O4moDpf6jYekqgyxXhV9Tv8SAFjBRsMv7ezCQrLnw5prdvM2dXq23TmRPfKP5MSGIQ2l0RI3PXeSGKejFOrgMd4L8P9LiRU0TYSh3lpqN7yso+4NdVVqOBYuR2GJC52m2NmwxVdJ+3fCBwk2DIiijC6b+6oC56qjgh7WnitsWVUO+3y+ChFdEubvo65rDr87+QqDob71AhNqTCca6s1VI+NzVCuaTGgf337wG0v1O54otsWH+ZC3lOVwUk8tfxtMvLG2E0haEHpcCDK3QVrT/mPF1QX8Dn+EFcmBvIDuJMs88E+QVEE2mFBmkMVVo+ZObQNtCP7v1co7tQr1hS6mnEC6+vUGNhirlRM4FAw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_75DDE0A6DB264BC3ABB9C189F5334411junipernet_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BL0PR05MB5076.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4b5e9726-a516-496d-9a58-08d860298184
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Sep 2020 01:31:05.4622 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: nj1pFg0x3lB3ouq7MmVF0telPA+xinv4TjSwoVZhLWPeKm5bnBDkn7/xL1m8gEpi
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLAPR05MB7476
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-09-23_19:2020-09-23, 2020-09-23 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 clxscore=1011 adultscore=0 mlxlogscore=999 mlxscore=0 bulkscore=0 phishscore=0 impostorscore=0 spamscore=0 priorityscore=1501 lowpriorityscore=0 malwarescore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2009240007
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/EKZvn79buZmvjCq9qbvoaEIeKSI>
Subject: Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth fixing?
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Sep 2020 01:31:12 -0000

Robert,

Thanks for the pointers! Some comments in line.

On Sep 23, 2020, at 6:32 PM, Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>> wrote:

Btw some pointers to the archives of the discussions on this very point below:

https://github.com/stoffi92/rfc5575bi/issues/20

In this one it seems the relevant comment is "This is a remain from the "old days" when FS should be opaque to BGP. In such an environment BGP has no understanding of components. Since the implementations do not treat the NLRI opaque the WG voted against this idea. Now BGP knows about components and is able to throw away useless combinations.” This makes sense to me and I agree, however I think that in addition, the change accidentally made it underspecified what to do with unknown component types.

By the way, I also noticed this later comment, "unknown flow components / NLRI that are not understood completely lead to treat-as-withdraw (and thus are not propagated) -> error handling. NLRI opaque has completely been removed from the draft.” Just as a by-the-way, I don’t think that’s what the final version of 5575bis says. As I remarked in my earlier email, it will lead to a session reset, not treat-as-withdraw. From my earlier: "Just as a side note, “error handling according to Section 10” points us to RFCs 7606 and 4760, which end up telling us to reset the session if the NLRI is malformed.” As I recall this was discussed in the WG and found to be acceptable.

https://github.com/stoffi92/rfc5575bis/issues/93

I don’t think this one is related.

Thx and all credit to Christoph for making is so open and transparent like no one has ever done it before when editing and reviewing an ietf document.

Agreed!

—John


Kind regards,
R.


On Thu, Sep 24, 2020 at 12:22 AM Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>> wrote:
Hi Alvaro & John

That change originated based on your below review comments:


[major] "...for the purposes of BGP route propagation, this prefix should still be transmitted since BGP route distribution is independent on NLRI semantics." I think this is a vulnerability: a (large) set of meaningless Flow Specifications may be injected in the routing system...

[major] Also, propagating these unknown components may result in a router down the line, which understands them, reacting. While the reaction shouldn't result in reset adjacencies, it may result in inconsistent forwarding or other unexpected outcomes...

[major] This treatment of unknown extensions is in conflict with the text in §11. See my comments there.

- - -

It seems clear we have few point of view here to consider:

a) Yes John is right that just because my RRs do not recognize the NLRI encoding should I block myself for propagating it ... well today it is dropped in all other AFI/SAFIs so why should flowspec be any different ?

b) Alvaro's review was (I believe) targeting more inter-as propagation cases and we discussed this and decided it is better to be safe than sorry and removed that text.

c) We are talking here about BGP NLRI ... not some opaque attribute. If you allow "garbage" to be sent within NLRI - which as we all know is a BGP db key to store information - I think we are opening a much bigger security hole as our imagination can reach.

To summarize at the end of the day I support current text.

Thx,
Robert (as co-author of this change).






On Wed, Sep 23, 2020 at 11:37 PM Alvaro Retana <aretana.ietf@gmail.com<mailto:aretana.ietf@gmail.com>> wrote:
John:

Hi!

Personal opinion:  I believe that the “specified here” part (meaning this document) is already covering the unknown case.  However, I have no objections to adding the phrase in.


Thanks!

Alvaro.


On September 23, 2020 at 5:14:50 PM, John Scudder (jgs@juniper.net<mailto:jgs@juniper.net>) wrote:

Hi All,

I’m a little concerned about a change I failed to notice earlier in 5575bis. Version 17 had this paragraph in Section 4.2:


   All combinations of component types within a single NLRI are allowed,
   even if the combination makes no sense from a semantical perspective.
   If a given component type within a prefix in unknown, the prefix in
   question cannot be used for traffic filtering purposes by the
   receiver.  Since a Flow Specification has the semantics of a logical
   AND of all components, if a component is FALSE, by definition it
   cannot be applied.  However, for the purposes of BGP route
   propagation, this prefix should still be transmitted since BGP route
   distribution is independent on NLRI semantics.


Version 18 removed the paragraph. I believe it was removed because of good and reasonable concerns about the “prefix should still be transmitted” part. But, it appears we threw out the baby with the bathwater: the final version of the draft has nothing that corresponds to the underlined part. It is underspecified with respect to what should be done with unknown component types. The closest it comes is this paragraph in Section 4.2 of version 26:


   A NLRI value not encoded as specified specified here is considered
   malformed and error handling according to Section 10<https://urldefense.com/v3/__https://tools.ietf.org/html/draft-ietf-idr-rfc5575bis-26*section-10__;Iw!!NEt6yMaO-gk!Xo1YqMazt-59s4p8GkRbq0Hp2fu3Q6xEX1ZMT53DOe2DQcBkgGz1xrxrqrAW_g$> is performed.


But I think this falls well short of being either clear or unambiguous, because what does “as specified here” mean exactly?

I’d like to open a discussion of whether the WG agrees that this is a bug and if so, whether it’s concerning enough to request a last-minute patch to the document, which is currently with the RFC Editor, so it’s almost an RFC. I think the least intrusive fix would be to insert the clause “including an NLRI that contains an unknown component type”, as in:


   A NLRI value not encoded as specified here,

   including an NLRI that contains an unknown component type,

   is considered
   malformed and error handling according to Section 10<https://urldefense.com/v3/__https://tools.ietf.org/html/draft-ietf-idr-rfc5575bis-26*section-10__;Iw!!NEt6yMaO-gk!Xo1YqMazt-59s4p8GkRbq0Hp2fu3Q6xEX1ZMT53DOe2DQcBkgGz1xrxrqrAW_g$> is performed.


Just as a side note, “error handling according to Section 10” points us to RFCs 7606 and 4760, which end up telling us to reset the session if the NLRI is malformed.

Until we get a chance to discuss this, I’ve sent a note to the RFC Editor asking them to hold publication.

Thanks,

—John

P.S.: The version 26 text also has a proofreading error, “specified specified”. But I assume the RFC Editor would fix that anyway.

v2.23.0 | Report a Bug | By Email