Re: [Idr] Can one Destination Address appear in both Tunnel Encap Attribute and in MP_REACH_NLRI ?

Keyur Patel <keyur@arrcus.com> Fri, 18 October 2019 00:43 UTC

Return-Path: <keyur@arrcus.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 292EA1200CC; Thu, 17 Oct 2019 17:43:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=netorgft1331857.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YITaJPbaAYcv; Thu, 17 Oct 2019 17:43:03 -0700 (PDT)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-eopbgr780077.outbound.protection.outlook.com [40.107.78.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D233812003F; Thu, 17 Oct 2019 17:43:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jcuNPYqE3aE6TVvnJo64RbQqBY4ytGDava6Ff9L7NVsdc3yC8IlDHQlgyMWTur8BlV7uuWjGWm41oBNGEWm4Xe5U88lVmxcKTD8XhXk/NXHX1jm3zyKTfAubHqb7UEiO+s3Gu/O5xFa+yLqTeOIOolOUbBjIXuBCCdHHWGaJP/l5BAIASyj9PbYuc5ITrdU0V4Qf3ZMcuvgEK/4p6pTu29xJRcQh+XHa6lpyO8413JTiDgi8UA9LsGGbmJuWAvCN2K3+/giWmzH8R7mEKovvsCDKZNgGNx5ha1ooV4hJb9Cc5x1IWlINjvvujBw0aXJiDUwAYIMk7eiA23Eic3WPSA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fay1LsgRxJuXigfC7vyHCFP3Mgc5nwRkuTil17z/3/w=; b=cJN5DduuREKjhkofdwogBokw58Zniq1BdRevy5CY/VgRDfx9aP4v7JmIr9XRQLuocdV9XswrmkvWKuD6ztp1B0fJx0b+X7GrdsissC5dJGMi3p3SF4oc30SbQbTZZKNqwEMPXRo8X+KuFh4KrskQzMOUAdMH0psasH+kMJvR6QHLXUdNjl2ZeFNtNcRKBv3Ud5bQmstjsJGNRwNkmnaVFkFKlgn7RLXacfDeTBN/nBui6ApzqwNCNZk3MeoGXz4MiTUnchlv69wN087hZIWOl8AUmKqpFvJS5wVDLEZThf9pb3OCxVPFKd7joJMVnykT+hXkJTvLUd+OSYuJCey6vg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arrcus.com; dmarc=pass action=none header.from=arrcus.com; dkim=pass header.d=arrcus.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=NETORGFT1331857.onmicrosoft.com; s=selector2-NETORGFT1331857-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fay1LsgRxJuXigfC7vyHCFP3Mgc5nwRkuTil17z/3/w=; b=KrNEuvYRgC4boxj4DLRAlZHDiKJkNRrl9+Jgy4Asmlgx+wV0sdrqfLJni3K6WwbpLr2JWLRhI/N/UKloQCohbWHocxM6+Xvd8Hr/DYSTAgxash5xsxaCmA3duAeQXG8JuKNIcZDYaMLNZCOAa3Mb2VPpEL14lRdd094xMEX8YIQ=
Received: from BYAPR18MB2856.namprd18.prod.outlook.com (20.179.59.30) by BYAPR18MB2359.namprd18.prod.outlook.com (20.179.90.156) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2347.18; Fri, 18 Oct 2019 00:43:01 +0000
Received: from BYAPR18MB2856.namprd18.prod.outlook.com ([fe80::6182:28f2:3566:d173]) by BYAPR18MB2856.namprd18.prod.outlook.com ([fe80::6182:28f2:3566:d173%3]) with mapi id 15.20.2347.024; Fri, 18 Oct 2019 00:43:01 +0000
From: Keyur Patel <keyur@arrcus.com>
To: Robert Raszuk <robert@raszuk.net>, "Rajiv Asati (rajiva)" <rajiva@cisco.com>
CC: Ondrej Zajicek <santiago@crfreenet.org>, "idr@ietf.org" <idr@ietf.org>, Linda Dunbar <linda.dunbar@futurewei.com>, Srihari Sangli <ssangli=40juniper.net@dmarc.ietf.org>, "draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@ietf.org>
Thread-Topic: [Idr] Can one Destination Address appear in both Tunnel Encap Attribute and in MP_REACH_NLRI ?
Thread-Index: AQHVhL8lFDuHxnzddkaD1lVXXD4SAKdeeoqAgAAEwoCAABL6AIAAECQAgADTL4CAAARggP//oSsA
Date: Fri, 18 Oct 2019 00:43:00 +0000
Message-ID: <A55F4BE5-9AD7-4776-9FE1-8A9A47E4F468@arrcus.com>
References: <MN2PR13MB3582A1E1FE3441CDD54A101985950@MN2PR13MB3582.namprd13.prod.outlook.com> <78F7A474-6F86-4EA3-93A3-001B4E2C2116@juniper.net> <CAOj+MMGqKj=zKbws92ni1fL2O-So=dbcW-mb02uRnQ+G55xm_w@mail.gmail.com> <0B48E5E7-3A1F-45C0-ACF9-B9A0FA323ED4@juniper.net> <CAOj+MMHs91BoMpgrN2-qtMAgVtiUE_e2bm=BG=+xVnfU9-6Aaw@mail.gmail.com> <20191017093308.GB2427@feanor.crfreenet.org> <CAOj+MMFs=StpLvK1dZO+ChBUN5i2AYq+CrhHMfMxifpxqegwiw@mail.gmail.com> <2A6A8F0A-82B2-4016-9148-10B4FC75FC03@cisco.com> <CAOj+MMECVbe-VOP2D5mB+zZWjLh_igOefeFYbK-OMtJ+bY9EGA@mail.gmail.com>
In-Reply-To: <CAOj+MMECVbe-VOP2D5mB+zZWjLh_igOefeFYbK-OMtJ+bY9EGA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=keyur@arrcus.com;
x-originating-ip: [70.234.233.187]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 576112e6-d719-403c-59f6-08d753642113
x-ms-traffictypediagnostic: BYAPR18MB2359:
x-microsoft-antispam-prvs: <BYAPR18MB2359FD8F7022CE5B332B0B7BC16C0@BYAPR18MB2359.namprd18.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 01949FE337
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(39830400003)(366004)(346002)(376002)(396003)(189003)(199004)(8676002)(71200400001)(6116002)(66476007)(66556008)(64756008)(229853002)(102836004)(11346002)(446003)(66066001)(2616005)(26005)(3846002)(486006)(66446008)(186003)(8936002)(66946007)(476003)(76116006)(5660300002)(2906002)(71190400001)(6436002)(14454004)(316002)(256004)(508600001)(76176011)(99286004)(5024004)(54906003)(53546011)(6506007)(25786009)(14444005)(86362001)(236005)(6512007)(33656002)(6306002)(54896002)(36756003)(81166006)(6246003)(7736002)(4326008)(81156014)(6486002)(110136005); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR18MB2359; H:BYAPR18MB2856.namprd18.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arrcus.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: y4UPtgJR6k7Qn2ubD/NKfxrjsHxWdJSKqrt8KaNWmB+DDTrVZeRDlkaIX2V4k3rnjbR0Q6tmVFgxatti//3DIX1VQQnZDWTwut183LiGJl8j+zyhPlsXOOoIOaWlKoxVHmJJHm5hCp7UiATv+1/qi6fReFKmSk8ZrwOfptyWXN5RgkDd/dhw7MhZyL8g7bjV25CLBe6DXJx9flAkyJn5YwGi9Vs6nsb6wMrPZpq6REHoqdleczBzPVjzxxfZZtNr1vW/Y4mmhC2DZX/m0VPpQpyWF9nD5ZkSdtgMNFhV7yQsiK2ykWRY6QIfZH9XvAXIeDdGkIkIE3MsEjXwjRhO+xOBwA1xfcD/DI9owQ4JLgHu4xi7TsowC0G38C8x2S6r3El6gafIA/JjEAVQRruYEKeouShLsBR43O34mlOTzOU=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_A55F4BE59AD747769FE18A9A47E4F468arrcuscom_"
MIME-Version: 1.0
X-OriginatorOrg: arrcus.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 576112e6-d719-403c-59f6-08d753642113
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Oct 2019 00:43:01.0347 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 697b3529-5c2b-40cf-a019-193eb78f6820
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: b6Rkn3Yd151RuX93IrQHdPi9cfBjqOSdRpG0BkWE5FvHuOwSCbmvJtEjp6mgnQKE99UYM60bxgu/mvr2ZfUb3w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR18MB2359
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/KHwUn1gCdtlpag3vLMac_dVQFUM>
Subject: Re: [Idr] Can one Destination Address appear in both Tunnel Encap Attribute and in MP_REACH_NLRI ?
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Oct 2019 00:43:08 -0000

Robert,

comments inlined #Keyur

From: Robert Raszuk <robert@raszuk.net>;
Date: Thursday, October 17, 2019 at 4:22 PM
To: "Rajiv Asati (rajiva)" <rajiva@cisco.com>;
Cc: Ondrej Zajicek <santiago@crfreenet.org>;, "idr@ietf.org"; <idr@ietf.org>;, Linda Dunbar <linda.dunbar@futurewei.com>;, Srihari Sangli <ssangli=40juniper.net@dmarc.ietf.org>;, "draft-ietf-idr-tunnel-encaps@ietf.org"; <draft-ietf-idr-tunnel-encaps@ietf.org>;
Subject: Re: [Idr] Can one Destination Address appear in both Tunnel Encap Attribute and in MP_REACH_NLRI ?
Resent-From: <alias-bounces@ietf.org>;
Resent-To: <keyur@arrcus.com>;, <gunter.van_de_velde@nokia.com>;, <ssangli@juniper.net>;
Resent-Date: Thursday, October 17, 2019 at 4:22 PM

Great point Rajiv !

Security consideration section lightly suggests to use BGP Origin Validation or even BGPSEC... well great !

But it does not define any behaviour when result of BGP Origin validation against tunnel attribute will now be different from results when compared against NLRI validation.

What do we do then ?

Not only this breaks all current show commands and accept/reject policies being applied to NLRI Origin Validation, but also reopens all implementations how Origin Validation works and how do we mark validated routes.

#Keyur: I believe you mean “show commands and accept/reject policies that are tunnel based needs to be augmented”. 😊
- - - -

So for all proponents of Tunnel Encapsulation Attribute - I would like to post a single question:

Why don't we use basic BGP recursion (in any AFI/SAFI required) and simply advertise within each applicable SAFI an NLRI = NH of endpoint/customer routes with NH = Tunnel Endpoint while attaching to such UPDATE  Encapsulation Extended Community indicating type of tunnels and parameters required ?

#Keyur: You can still announce the tunnel endpoint (underlay) route using tunnel endpoint attribute. The attribute gives you a common placeholder to carry tunnel parameters (including endpoint) and specifically as and when parameters grow beyond size of community/ext community/large community.
Regards,
Keyur

What use cases would not be addressed by doing just that ?

Thx,
R.





On Fri, Oct 18, 2019 at 1:06 AM Rajiv Asati (rajiva) <rajiva@cisco.com<mailto:rajiva@cisco.com>> wrote:

One of the things that is strikingly problematic in allowing BGP NH and Tunnel Endpoint to be different is that it could be used as an attack vector (node A advertises a route with NH =A & tunnel endpoint = node B, so node B gets bombarded with unwanted traffic (in fact, node B may not even have any BGP, or not have a particular BGP route, or..).

This would be a big red flag for many of us.

--
Cheers,
Rajiv

PS: Now, what if node A uses two IPv6 addresses – one as the NH, and the other as the tunnel endpoint. That’s a legit case, one could argue.


From: Idr <idr-bounces@ietf.org<mailto:idr-bounces@ietf.org>> on behalf of "robert@raszuk.net<mailto:robert@raszuk.net>" <robert@raszuk.net<mailto:robert@raszuk.net>>
Date: Thursday, October 17, 2019 at 6:32 AM
To: Ondrej Zajicek <santiago@crfreenet.org<mailto:santiago@crfreenet.org>>
Cc: "idr@ietf.org<mailto:idr@ietf.org>" <idr@ietf.org<mailto:idr@ietf.org>>, Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>, Srihari Sangli <ssangli=40juniper.net@dmarc.ietf.org<mailto:40juniper.net@dmarc.ietf.org>>, "draft-ietf-idr-tunnel-encaps@ietf.org<mailto:draft-ietf-idr-tunnel-encaps@ietf.org>" <draft-ietf-idr-tunnel-encaps@ietf.org<mailto:draft-ietf-idr-tunnel-encaps@ietf.org>>
Subject: Re: [Idr] Can one Destination Address appear in both Tunnel Encap Attribute and in MP_REACH_NLRI ?

Well indeed the draft is very underspecified in this space..

The fun starts when next hop from NLRI is unreachable while tunnel end point is. Does it mean that given path is not going to be considered for best path selection ?

And we can go further ... say bgp uses selective next hops and is set to only consider /24 and higher and NH from NLRI does not meet those criteria ... but tunnel endpoint is reachable over default route - what happens then ?

See what strikes me the most is the mandatory nature of endpoint TLV and no good description of various cases when NH in NLRI != Tunnel endpoint address. If there are equal tunnel endpoint may be optional.

Thx,
R.

On Thu, Oct 17, 2019 at 5:33 AM Ondrej Zajicek <santiago@crfreenet.org<mailto:santiago@crfreenet.org>> wrote:
On Thu, Oct 17, 2019 at 10:25:13AM +0200, Robert Raszuk wrote:
> Srihari,
>
> Can you comment on the expected BGP next hop validation behaviour ?
>
> Can you also comment on the next hop BGP is installing the prefixes to RIB
> with ?
>
> Is tunnel endpoint now the NH BGP is asking RIB to track ?

My impression of the draft is that handling of BGP NH and address from
Tunnel Encap attribute is different. BGP NH is tracked in RIB and
recursivery resolved, could be used to daisy-chain encapsulation in RIB
(section 7). In contrast, the address from the Tunnel attribute is just
passed to FIB as encapsulation action argument.

But it is true that this part of the draft is a bit blurry and would
definitely need more clear wording.

--
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org<mailto:santiago@crfreenet.org>)