IETF Logo Mail Archive

Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action

"Simpson, Adam 1. (Nokia - CA/Ottawa)" <adam.1.simpson@nokia.com> Mon, 30 April 2018 15:30 UTC

Return-Path: <adam.1.simpson@nokia.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCCF01205D3 for <idr@ietfa.amsl.com>; Mon, 30 Apr 2018 08:30:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4F_qGvHj9ch4 for <idr@ietfa.amsl.com>; Mon, 30 Apr 2018 08:30:31 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30099.outbound.protection.outlook.com [40.107.3.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AD2B1201FA for <idr@ietf.org>; Mon, 30 Apr 2018 08:30:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=eqI1c9g1T5I9VVNpKFe1IZZcf6k8YG6AUjlvswCOCCY=; b=YMy+kfQaXJ1rk0pxaBoZmIaUtxW/5DlnoFRVA5Dj2vTBjbndishXaP3lgpGRHHmrtuhrFCugEaJXiEWEXijpYL1nP4uT2OzO33nh51OtEMNxPO4y6Ww3C1sxl+BG9bF45IMtWrq6LGDBJVe/ZfgS+xhh/j+Lc70Ov3j6Bj3BeDQ=
Received: from AM4PR07MB1442.eurprd07.prod.outlook.com (10.165.248.21) by AM4PR07MB3220.eurprd07.prod.outlook.com (10.171.188.161) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.735.6; Mon, 30 Apr 2018 15:30:26 +0000
Received: from AM4PR07MB1442.eurprd07.prod.outlook.com ([fe80::b544:585e:d78:3b59]) by AM4PR07MB1442.eurprd07.prod.outlook.com ([fe80::b544:585e:d78:3b59%3]) with mapi id 15.20.0715.014; Mon, 30 Apr 2018 15:30:25 +0000
From: "Simpson, Adam 1. (Nokia - CA/Ottawa)" <adam.1.simpson@nokia.com>
To: PVLR Pavana Murthy <pvlrpm@gmail.com>
CC: idr wg <idr@ietf.org>
Thread-Topic: Validation for BGP Flow-Spec Redirect to IP Action
Thread-Index: AQHT3qvIvgs0k9FZ1kqdZpgXcrBfhqQX4/2AgAD2agCAAFWDAA==
Date: Mon, 30 Apr 2018 15:30:25 +0000
Message-ID: <717912C0-D4C4-4656-A4A7-5ADCBBE93CE6@nokia.com>
References: <CAN-MQG6bDyzcyuVs1vmka-JZFrD9Ya1uOuU_AFxfu0GnYgdmbA@mail.gmail.com> <aaa4916758a34ed99cb7432cff257f25@XCH-RCD-012.cisco.com> <CAN-MQG6R_LCLAM5xgaak3W_oRkuQFQsgZtEodacpeiLCQV8p-g@mail.gmail.com> <CAN-MQG4oyycFhFzWGrKcQUG_B5eatan9y3PJJG1O-2vSLmhttg@mail.gmail.com> <3A1793BA-DB42-49E2-AC8C-FBAD1C433DEA@nokia.com> <CAN-MQG5ZrrDKx5f2XypLACM8soEM7jW8YdMA0WGLnJ6SeDDG_g@mail.gmail.com>
In-Reply-To: <CAN-MQG5ZrrDKx5f2XypLACM8soEM7jW8YdMA0WGLnJ6SeDDG_g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.c.0.180410
x-originating-ip: [135.245.20.13]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM4PR07MB3220; 7:wHEKqgHT4LR6ZU3mTdsZxSYfap7I1tjIiZNV01sOUwScKbJ2GlVXJZbneIBW/8HRPyYELXciH73KEQ5DEt539B0fHxnn73yKRxwKCU6YipZfFbm/IzUalT3bwN/9vBtIvPZqOT7B5X4qxGu3YC7Uk5aDbNHeRLgelbIgCrz8XWldr54EOzxVC699YPTK1dyuJearR9OyoElzmo+OCnmVB3pIT8Yb1rRKORe5jLNLwwXbj4Y04w2nWppII+Zgap8v
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(2017052603328)(7193020); SRVR:AM4PR07MB3220;
x-ms-traffictypediagnostic: AM4PR07MB3220:
x-microsoft-antispam-prvs: <AM4PR07MB3220E9BE0BB1DA2D5A5F712D9A820@AM4PR07MB3220.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(131327999870524)(138986009662008)(82608151540597)(85827821059158)(97927398514766)(95692535739014)(240845254718375)(21748063052155)(17755550239193);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(3002001)(93006095)(93001095)(10201501046)(3231254)(11241501184)(806099)(944501410)(52105095)(6055026)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(20161123564045)(20161123558120)(6072148)(201708071742011); SRVR:AM4PR07MB3220; BCL:0; PCL:0; RULEID:; SRVR:AM4PR07MB3220;
x-forefront-prvs: 0658BAF71F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39380400002)(346002)(396003)(376002)(39860400002)(366004)(57704003)(53484002)(189003)(199004)(469094003)(51914003)(8676002)(1411001)(186003)(6486002)(105586002)(2900100001)(26005)(25786009)(6436002)(58126008)(2616005)(83716003)(6346003)(106356001)(4326008)(316002)(102836004)(476003)(11346002)(446003)(6116002)(3846002)(3660700001)(86362001)(93886005)(486006)(3280700002)(76176011)(5660300001)(97736004)(66066001)(54896002)(6246003)(5250100002)(14454004)(53936002)(6512007)(53946003)(229853002)(236005)(7736002)(99286004)(6916009)(68736007)(8936002)(36756003)(478600001)(33656002)(59450400001)(81156014)(6306002)(39060400002)(2906002)(53546011)(9326002)(82746002)(81166006)(6506007)(579004)(390805004); DIR:OUT; SFP:1102; SCL:1; SRVR:AM4PR07MB3220; H:AM4PR07MB1442.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: nokia.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=adam.1.simpson@nokia.com;
x-microsoft-antispam-message-info: IAUjMZ2CcEJsB+MEx9ZEfce3N3MikgCL942+6wANH+wRvOjiR6Z/C2P0h5lDCOI/yVL+4TQlNnF+HHKLcMirh35m4qrJz4rdRpAvr86VwHsG3CFwLT1v1IhDEkjiPZ+sqd+IkCCFh5kZNoNzPUFA0ixn3oEyVzVfwSv8Ksj6thSER4WVYlWisARFqLBsKXZh8EMd5plE2awcw4VPB9uyvLk7srNxFMZSzEe2vhM4sJSMLDHrT8jaOmPxgArc+FEU
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_717912C0D4C44656A4A75ADCBBE93CE6nokiacom_"
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: 9093e563-f1b8-4d7d-afce-08d5aeaf4bdb
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9093e563-f1b8-4d7d-afce-08d5aeaf4bdb
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Apr 2018 15:30:25.6741 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR07MB3220
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/GIQ-jGlvFrydBmsaUnm0bGWrN3k>
Subject: Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Apr 2018 15:30:35 -0000

Hi Pavana,

Peer-AS is not a consideration in draft -02. I don’t recall why it was mentioned in an earlier version of the draft.

If the routers inside B and C enable the extra validation check (it is optional as explained in the draft) then they would only install a flowspec route originated by a router inside A ,with a redirect-to-IP action, if the redirect IP address itself was observed to originate inside A as well.

So flow-spec routes originated by one AS can be valid in another AS, but only under restrictive circumstances.

-Adam

From: PVLR Pavana Murthy <pvlrpm@gmail.com>
Date: Monday, April 30, 2018 at 2:24 AM
To: "Simpson, Adam 1. (Nokia - CA/Ottawa)" <adam.1.simpson@nokia.com>
Cc: "David Smith (djsmith)" <djsmith@cisco.com>, idr wg <idr@ietf.org>, Pradosh Mohapatra <mpradosh@yahoo.com>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>, "ju1738@att.com" <ju1738@att.com>, "jhaas@juniper.net" <jhaas@juniper.net>, "akarch@cisco.com" <akarch@cisco.com>, "sairay@cisco.com" <sairay@cisco.com>, "pmohapat@cumulusnetworks.com" <pmohapat@cumulusnetworks.com>, "wim.henderickx@alcatel-lucent.be" <wim.henderickx@alcatel-lucent.be>, "mtexier@arbor.net" <mtexier@arbor.net>
Subject: Re: Validation for BGP Flow-Spec Redirect to IP Action

Hi Adam,
  Thanks for the reply. If its the first AS that is added to the AS_PATH, then "the redirect IP" action received from the AS's that are not directly connected may be invalid always.

eg:
    A---B----C

A, B and C are 3 routers in different AS's  1, 2 and 3 respectively.
A advertises a route for target X and also a Flowspec route with "redirect  IP(target X)". C receives these routes via B.
Now the the origin AS or first AS in the AS_PATH of the route to target X is 1 but the peer-AS is 2 since the route is received from B.
Since the peer-AS does not match the first AS of the best route target X,  this redirect IP action is considered invalid.


Please let me know if that's expected.

--Pavana.

On Mon, Apr 30, 2018 at 1:12 AM, Simpson, Adam 1. (Nokia - CA/Ottawa) <adam.1.simpson@nokia.com<mailto:adam.1.simpson@nokia.com>> wrote:
Hi Pavana,

The purpose of this text in the draft was to close the door on the ability for an accidental/malicious originator of a flow-spec route in AS=x from redirecting flows towards a target IP address in some other AS=y.

So, in this context we are interested in looking at the first AS in AS_PATH of the flow-spec route, not the most recently added AS in the AS_PATH (which would be the ‘neighbor AS’).

The route that resolves the target redirect IP address could be a BGP route or it could be a non-BGP route, despite the wording in the draft. If it is a BGP route the origin AS is determined as described above. If is a non-BGP route it would probably be appropriate to consider the route as locally originated (i.e. the same as a BGP route with null/empty AS_PATH or having only confed related elements).

I hope this helps.

-Adam


From: PVLR Pavana Murthy <pvlrpm@gmail.com<mailto:pvlrpm@gmail.com>>
Date: Saturday, April 28, 2018 at 12:45 AM
To: "David Smith (djsmith)" <djsmith@cisco.com<mailto:djsmith@cisco.com>>
Cc: idr wg <idr@ietf.org<mailto:idr@ietf.org>>, Pradosh Mohapatra <mpradosh@yahoo.com<mailto:mpradosh@yahoo.com>>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org>" <draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org>>, "ju1738@att.com<mailto:ju1738@att.com>" <ju1738@att.com<mailto:ju1738@att.com>>, "jhaas@juniper.net<mailto:jhaas@juniper.net>" <jhaas@juniper.net<mailto:jhaas@juniper.net>>, "akarch@cisco.com<mailto:akarch@cisco.com>" <akarch@cisco.com<mailto:akarch@cisco.com>>, "sairay@cisco.com<mailto:sairay@cisco.com>" <sairay@cisco.com<mailto:sairay@cisco.com>>, "pmohapat@cumulusnetworks.com<mailto:pmohapat@cumulusnetworks.com>" <pmohapat@cumulusnetworks.com<mailto:pmohapat@cumulusnetworks.com>>, "wim.henderickx@alcatel-lucent.be<mailto:wim.henderickx@alcatel-lucent.be>" <wim.henderickx@alcatel-lucent.be<mailto:wim.henderickx@alcatel-lucent.be>>, "Simpson, Adam 1. (Nokia - CA/Ottawa)" <adam.1.simpson@nokia.com<mailto:adam.1.simpson@nokia.com>>, "mtexier@arbor.net<mailto:mtexier@arbor.net>" <mtexier@arbor.net<mailto:mtexier@arbor.net>>
Subject: Re: Validation for BGP Flow-Spec Redirect to IP Action

Hello,
  Including all the authors mentioned in draft-ietf-idr-flowspec-redirect-ip-02, as the alias did not work. Also pasting doubts again here.

In the draft  draft-ietf-idr-flowspec-redirect-ip-02.txt, the following procedure is mentioned to validate the extended community of 'Flowspec
redirect to IP'.


   BGP speakers that support the extended communities defined in this

   draft MUST also, by default, enforce the following check when

   receiving a flow-spec route from an EBGP peer: if the received flow-

   spec route has a 'redirect to IP' extended community with a 'target

   address' X (in the global administrator field) and the best matching

   route to X is not a BGP route with origin AS matching the peer AS

   then the extended community should be discarded and not propagated

   along with the flow-spec route to other peers.



I have 2 doubts related to this statement.



What is 'origin AS' here? Is it the AS no. that is first added to the AS_PATH?
In the previous version of the draft its mentioned as the last AS in the AS_PATH.
Is it the last AS no. that has been added to the AS_PATH or the last AS no. from left in AS_PATH?



What if the redirect target X is directly connected or reachable by a static route and its not advertised by EBGP?

Do we need to consider that action invalid in that case?

Thanks,
Pavana.


On Sat, Apr 28, 2018 at 10:10 AM, PVLR Pavana Murthy <pvlrpm@gmail.com<mailto:pvlrpm@gmail.com>> wrote:
Hi Dave,
   Thanks for the reply and including respective draft author aliases.

I went through the latest draft-ietf-idr-bgp-flowspec-oid-06. It calls the first AS the Origin AS. Is it so?
If that's the case, the validation will fail for any 'redirect IP' actions coming from the AS other than neighbor AS. Is that the intention?
Also In  draft-ietf-idr-flowspec-redirect-ip-00.txt, instead of 'origin AS', the word 'last AS' is used.It is confusing.   Does the validation need to consider the first AS or last AS?

Regarding my second doubt, I could not get any pointers from  draft-ietf-idr-bgp-flowspec-oid-06 .  Do we need to consider only BGP routes always?

Thanks,
Pavana.


On Sat, Apr 28, 2018 at 3:37 AM, David Smith (djsmith) <djsmith@cisco.com<mailto:djsmith@cisco.com>> wrote:
Hi Pavana,

Your points are valid. With that said, I’ll defer you to draft-ietf-idr-bgp-flowspec-oid-05 (and later) and, specifically, section 4 (revised validation procedure) which addresses your points below.

Co-incidentally, a WG last call was issued for draft-ietf-idr-bgp-flowspec-oid-06 yesterday.

Regards,

/dave


From: PVLR Pavana Murthy <pvlrpm@gmail.com<mailto:pvlrpm@gmail.com>>
Sent: Friday, April 13, 2018 1:51 AM
To: idr wg <idr@ietf.org<mailto:idr@ietf.org>>; pmohapat@cumulusnetworks.com<mailto:pmohapat@cumulusnetworks.com>; David Smith (djsmith) <djsmith@cisco.com<mailto:djsmith@cisco.com>>
Subject: Validation for BGP Flow-Spec Redirect to IP Action

Hello,
  In the draft  draft-ietf-idr-flowspec-redirect-ip-02.txt, the following procedure is mentioned to validate the extended community of 'Flowspec
redirect to IP'.



   BGP speakers that support the extended communities defined in this

   draft MUST also, by default, enforce the following check when

   receiving a flow-spec route from an EBGP peer: if the received flow-

   spec route has a 'redirect to IP' extended community with a 'target

   address' X (in the global administrator field) and the best matching

   route to X is not a BGP route with origin AS matching the peer AS

   then the extended community should be discarded and not propagated

   along with the flow-spec route to other peers.



I have 2 doubts related to this statement.



What is 'origin AS' here? Is it the AS no. that is first added to the AS_PATH?
In the previous version of the draft its mentioned as the last AS in the AS_PATH.
Is it the last AS no. that has been added to the AS_PATH or the last AS no. from left in AS_PATH?



What if the redirect target X is directly connected or reachable by a static route and its not advertised by EBGP?

Do we need to consider that action invalid in that case?





Thanks,

Pavana.

v2.23.0 | Report a Bug | By Email