IETF Logo Mail Archive

Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action

"David Smith (djsmith)" <djsmith@cisco.com> Fri, 04 May 2018 17:53 UTC

Return-Path: <djsmith@cisco.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78DF9129C5D; Fri, 4 May 2018 10:53:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aqp__mJ3wZ2v; Fri, 4 May 2018 10:53:26 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07BBF129502; Fri, 4 May 2018 10:53:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=49936; q=dns/txt; s=iport; t=1525456405; x=1526666005; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=VhiNQhatibe9kb/KfQX2oThGzEKYD0MkaOQCLeHC31M=; b=ifYZNQNVcMH33qlIHAbKhWvjPav15k5n58uqL/ZE/CeH/P27YbZHmFI/ RN8scp88YdE2VJ9xo1lS9CQsoxK6FoKl8RIywh8Nu3RfcABJy+YhRUQjG agj94HtacmBWHZk4gl7QegrAAhduQSOLKlPCIRDNt00BEZBBUdXI29135 w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DdAgBanexa/5xdJa1cGQEBAQEBAQEBAQEBAQcBAQEBAYJNd2EXYygKg2OUdIF4dRqBQIU2jCWBeAsbhFECGoIeITYWAQIBAQEBAQECbBwMhSgBAQEBAyMKTBACAQgRBAEBIQEGAwICAh8REwEJCAIEDgUIDIQcTAMVqDCCHIcMDYErgkKIJYITgQ+CVgcugk+COx8IgkKCVAKGDgiBIolChncsCAKFYoVrBoJvgT08immHQYJJhhUCERMBgSQBIwEwgVJwFYJ+CYISBReGM4dkbwGNMiuBAYEYAQE
X-IronPort-AV: E=Sophos;i="5.49,363,1520899200"; d="scan'208,217";a="390583182"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 04 May 2018 17:53:24 +0000
Received: from xch-rcd-011.cisco.com (xch-rcd-011.cisco.com [173.37.102.21]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id w44HrOfO023564 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 4 May 2018 17:53:24 GMT
Received: from xch-rcd-012.cisco.com (173.37.102.22) by XCH-RCD-011.cisco.com (173.37.102.21) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Fri, 4 May 2018 12:53:23 -0500
Received: from xch-rcd-012.cisco.com ([173.37.102.22]) by XCH-RCD-012.cisco.com ([173.37.102.22]) with mapi id 15.00.1320.000; Fri, 4 May 2018 12:53:23 -0500
From: "David Smith (djsmith)" <djsmith@cisco.com>
To: PVLR Pavana Murthy <pvlrpm@gmail.com>
CC: idr wg <idr@ietf.org>, Pradosh Mohapatra <mpradosh@yahoo.com>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>, "Simpson, Adam 1. (Nokia - CA/Ottawa)" <adam.1.simpson@nokia.com>
Thread-Topic: Validation for BGP Flow-Spec Redirect to IP Action
Thread-Index: AQHT0uuAIyyPj6TSKkC7hpPOOBsfrqQVHkWAgADlwwCACFzuAIABydMA///QDUA=
Date: Fri, 04 May 2018 17:53:23 +0000
Message-ID: <25145a9f2db04e23b211c1caf3b86d74@XCH-RCD-012.cisco.com>
References: <CAN-MQG6bDyzcyuVs1vmka-JZFrD9Ya1uOuU_AFxfu0GnYgdmbA@mail.gmail.com> <aaa4916758a34ed99cb7432cff257f25@XCH-RCD-012.cisco.com> <CAN-MQG6R_LCLAM5xgaak3W_oRkuQFQsgZtEodacpeiLCQV8p-g@mail.gmail.com> <bd31302086e4453daa60d19aff45133b@XCH-RCD-012.cisco.com> <CAN-MQG7o41bnMebez1iovpRqpr=2gy9FB8xXOFDTzRRN=kUeug@mail.gmail.com>
In-Reply-To: <CAN-MQG7o41bnMebez1iovpRqpr=2gy9FB8xXOFDTzRRN=kUeug@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.86.254.38]
Content-Type: multipart/alternative; boundary="_000_25145a9f2db04e23b211c1caf3b86d74XCHRCD012ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/FhZKd7IkU3QHE54JDCbhgbjtTnQ>
Subject: Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2018 17:53:29 -0000

Hi Pavana,

The redirect-ip draft specifies this additional validation step as the default behavior, however, it also allows it to be disabled via configuration.

Regards,

/dave


From: PVLR Pavana Murthy <pvlrpm@gmail.com>
Sent: Friday, May 04, 2018 11:42 AM
To: David Smith (djsmith) <djsmith@cisco.com>
Cc: idr wg <idr@ietf.org>; Pradosh Mohapatra <mpradosh@yahoo.com>; draft-ietf-idr-bgp-flowspec-oid@ietf.org; Simpson, Adam 1. (Nokia - CA/Ottawa) <adam.1.simpson@nokia.com>
Subject: Re: Validation for BGP Flow-Spec Redirect to IP Action

Hi Dave and Adam,
  Thanks for the reply.

Lets take the example as I gave earlier.

    A----B----C

A, B and C are 3 routers in different AS's  1, 2 and 3 respectively.
A advertises a route for target X and also a Flowspec route with "redirect  IP(target X)". C receives these routes via B.
Now the the origin AS or first AS in the AS_PATH of the route to target X is 1 but the peer-AS of Flowspec route is 2

According to Dave,since the peer-AS 2 does not match the origin AS 1 of the best route for target X,  this redirect IP action will be  considered invalid for the flowspec route received at C.
This is a typical scenario. Like this, we can't propagate the Flowspec routes with "redirect IP" action, more than one AS. I think, that's not expected.

I feel, we should compare origin AS or neighbor-as for both Flowspec route and the best match route of target X. We should not be using peer-AS for flowspec route and nbr-as for best match route of target x. Otherwise the above typical scenarios never work.
Probably, we need to edit the draft for "redirect-ip" action.

Thanks,
Pavana.

On Thu, May 3, 2018 at 11:08 PM, David Smith (djsmith) <djsmith@cisco.com<mailto:djsmith@cisco.com>> wrote:
Hi Pavana,

>I went through the latest draft-ietf-idr-bgp-flowspec-oid-06. It calls the first AS the Origin AS. Is it so?

Correct, first AS = first AS added = last AS in AS_PATH_SEQ hex-string = origin AS.
last AS = last AS added = first AS in AS_PATH_SEQ hex-string = neighboring AS.
neighbor AS = peering AS: if update is coming from EBGP and enforce-first-AS used -as mandated by RFC 5575.

Note that draft-ietf-idr-bgp-flowspec-oid-06 uses 'last  AS *added*' in most cases, and when it does just use 'last AS', it can be inferred.

>If that’s the case, the validation will fail for any 'redirect IP' actions coming from the AS other than neighbor AS. Is that the intention?

The RFC 5575 validation procedure required that for EBGP learned flowspecs the ‘neighboring AS’ be in the left-most (or last) position of the AS_PATH attribute. Since this is not valid for all topologies, draft-ietf-idr-bgp-flowspec-oid-06 redefines the BGP flowspec validation procedures including AS_PATH attribute. Further, the redirect-ip draft imposes an additional AS_PATH validation check (specific for redirect-ip flowspecs only) to validate that the best matching route to the redirect-ip 'target address' is a BGP route with origin AS matching the last AS added within the AS_PATH attribute of the redirect-ip flowspec. As

>Also In  draft-ietf-idr-flowspec-redirect-ip-00.txt, instead of 'origin AS', the word 'last AS' is used. It is confusing.   Does the validation need to consider the first AS or last AS?

See feedback above. Draft-ietf-idr-bgp-flowspec-oid-06 only needs to consider last AS while redirect-ip draft needs to consider both per above.

>Regarding my second doubt, I could not get any pointers from  draft-ietf-idr-bgp-flowspec-oid-06 .  Do we need to consider only BGP routes always (for redirect-ip target address)?

The redirect-ip draft allows for its added validation check to be disabled via configuration. This allows for a non-BGP route to the redirect-ip target address.

Regards,

/dave


From: PVLR Pavana Murthy <pvlrpm@gmail.com<mailto:pvlrpm@gmail.com>>
Sent: Saturday, April 28, 2018 12:40 AM
To: David Smith (djsmith) <djsmith@cisco.com<mailto:djsmith@cisco.com>>
Cc: idr wg <idr@ietf.org<mailto:idr@ietf.org>>; Pradosh Mohapatra <mpradosh@yahoo.com<mailto:mpradosh@yahoo.com>>; draft-ietf-idr-flowspec-redirect-ip@ietf.org<mailto:draft-ietf-idr-flowspec-redirect-ip@ietf.org>; draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org>
Subject: Re: Validation for BGP Flow-Spec Redirect to IP Action

Hi Dave,
   Thanks for the reply and including respective draft author aliases.

I went through the latest draft-ietf-idr-bgp-flowspec-oid-06. It calls the first AS the Origin AS. Is it so?
If that's the case, the validation will fail for any 'redirect IP' actions coming from the AS other than neighbor AS. Is that the intention?
Also In  draft-ietf-idr-flowspec-redirect-ip-00.txt, instead of 'origin AS', the word 'last AS' is used.It is confusing.   Does the validation need to consider the first AS or last AS?

Regarding my second doubt, I could not get any pointers from  draft-ietf-idr-bgp-flowspec-oid-06 .  Do we need to consider only BGP routes always?

Thanks,
Pavana.


On Sat, Apr 28, 2018 at 3:37 AM, David Smith (djsmith) <djsmith@cisco.com<mailto:djsmith@cisco.com>> wrote:
Hi Pavana,

Your points are valid. With that said, I’ll defer you to draft-ietf-idr-bgp-flowspec-oid-05 (and later) and, specifically, section 4 (revised validation procedure) which addresses your points below.

Co-incidentally, a WG last call was issued for draft-ietf-idr-bgp-flowspec-oid-06 yesterday.

Regards,

/dave


From: PVLR Pavana Murthy <pvlrpm@gmail.com<mailto:pvlrpm@gmail.com>>
Sent: Friday, April 13, 2018 1:51 AM
To: idr wg <idr@ietf.org<mailto:idr@ietf.org>>; pmohapat@cumulusnetworks.com<mailto:pmohapat@cumulusnetworks.com>; David Smith (djsmith) <djsmith@cisco.com<mailto:djsmith@cisco.com>>
Subject: Validation for BGP Flow-Spec Redirect to IP Action

Hello,
  In the draft  draft-ietf-idr-flowspec-redirect-ip-02.txt, the following procedure is mentioned to validate the extended community of 'Flowspec
redirect to IP'.



   BGP speakers that support the extended communities defined in this

   draft MUST also, by default, enforce the following check when

   receiving a flow-spec route from an EBGP peer: if the received flow-

   spec route has a 'redirect to IP' extended community with a 'target

   address' X (in the global administrator field) and the best matching

   route to X is not a BGP route with origin AS matching the peer AS

   then the extended community should be discarded and not propagated

   along with the flow-spec route to other peers.



I have 2 doubts related to this statement.



What is 'origin AS' here? Is it the AS no. that is first added to the AS_PATH?
In the previous version of the draft its mentioned as the last AS in the AS_PATH.
Is it the last AS no. that has been added to the AS_PATH or the last AS no. from left in AS_PATH?



What if the redirect target X is directly connected or reachable by a static route and its not advertised by EBGP?

Do we need to consider that action invalid in that case?





Thanks,

Pavana.

v2.23.0 | Report a Bug | By Email