Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspec-oid-12
Alvaro Retana <aretana.ietf@gmail.com> Tue, 20 April 2021 19:17 UTC
Return-Path: <aretana.ietf@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3673D3A122D; Tue, 20 Apr 2021 12:17:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TaAzKh41jRL8; Tue, 20 Apr 2021 12:17:49 -0700 (PDT)
Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com [IPv6:2a00:1450:4864:20::632]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83D603A1228; Tue, 20 Apr 2021 12:17:49 -0700 (PDT)
Received: by mail-ej1-x632.google.com with SMTP id mh2so38392550ejb.8; Tue, 20 Apr 2021 12:17:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc:content-transfer-encoding; bh=Ov8rW/L9pfep9O9BFwka9/RKngXoRzLspn8wFQNuzEA=; b=jbtnii06kmWzXJ9vgJw6bE0eeeIBU55WYRsQrGAwGwENzOBgA+OVKPlpwNuoRQIHtC UxdnpUBmBsiTP928TZh3sTUgDupScotREtW5uNa97ThYaQpG7Dec8O7nnhmq2u66Efyi DDbpLqzt5/kXMb+Ld3V3MkTMwYNsNtySAq1ALxy9OLQHUEnxnzAk1k9XnVkW5S1RUNxC sxaOnowZ1N4gM3Rz4E+xVOBnSiDnjBB4bgmD48yStVTACxU3OevLReQgNcLBxY6J3Bun 91QOAdBPT/6hueMST52g1/KxFB/GGqDaVGCs5UbCZUKBJcAEYq5Xonk7akH9oNsxzO5g kmXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc:content-transfer-encoding; bh=Ov8rW/L9pfep9O9BFwka9/RKngXoRzLspn8wFQNuzEA=; b=VoGGaZfKYIL0HJqv7TVG+dhOgchRY1ZYaZEgtTtEml44r+OIj0jbjF2GP/mEF9m/AO XSAt8p+euisLndw73I2ZkNzSBI7crTeKqmyn/uDXoHw8ze14+zQKtb4mEyUQWQNqzSDM 2BEq6PUbe/KllI6DPIxaKe5QNt4vn/zOSY4S6hZeW28iHVa6peKDnQ1KPW3DCGxkS8tI FJKDMCs9fJlxk8GAwIL81Y5KMMrMgOdAebnHE6lFU48ZUTKHbaV8C+x0F97a5e2uYa8r upG3lK9ElZqcdvBIR9sUmicxbFYwSb7pG9YmqjFoMa3z9xamKsVkAzHXY8Abt0anU2xm EvLA==
X-Gm-Message-State: AOAM5303PAV8a3eJXew9EenjcRKCMIjWlMMbrYw2N3a96w15G9jZgSAv Q76HeYrtPXN7pTsuP8NkePKLia1C0m2E6A8A6HI=
X-Google-Smtp-Source: ABdhPJxaobVMcK0fvRhZV/lqbjzhyK9S/iTmmLQUhc5IvvBHYODCua6U6pSHNT5oZ8WdoFxklmXgQE6mvZvRs90JVVk=
X-Received: by 2002:a17:907:2d89:: with SMTP id gt9mr13559568ejc.122.1618946265916; Tue, 20 Apr 2021 12:17:45 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Tue, 20 Apr 2021 12:17:44 -0700
From: Alvaro Retana <aretana.ietf@gmail.com>
In-Reply-To: <DM6PR11MB3194CAFF7F6373A8B193D1A2CD709@DM6PR11MB3194.namprd11.prod.outlook.com>
References: <CAMMESsxqRWK2vDPyj-0_ruYoW7pkautFc09MoFBUTKxG23=tyA@mail.gmail.com> <000701d6f57c$6c20ff60$4462fe20$@ndzh.com> <DM6PR11MB319495819681585AA858E54BCDB29@DM6PR11MB3194.namprd11.prod.outlook.com> <CAMMESswvncvo68dYp95P+9gkgKgPpmgY3Yr-xC3=hdt-1YigYQ@mail.gmail.com> <SN6PR11MB320012D1B66CF35D18DCB212CD9F9@SN6PR11MB3200.namprd11.prod.outlook.com> <CAMMESszDCb70G6YbdpiAnv0mYEC52=abh89QW7cXaEdfgVzOxw@mail.gmail.com> <EBC0EE4B-063B-44A4-A74B-FCAE6EDBA511@cisco.com> <00f001d71500$db52a9d0$91f7fd70$@ndzh.com> <DM6PR11MB3194DEF968FD730D08FFFFBACD759@DM6PR11MB3194.namprd11.prod.outlook.com> <CAMMESsxjUetknSv=Q+PHxzQfx8VqgtGitr3jW84bJuZD41puOQ@mail.gmail.com> <DM6PR11MB3194CAFF7F6373A8B193D1A2CD709@DM6PR11MB3194.namprd11.prod.outlook.com>
MIME-Version: 1.0
Date: Tue, 20 Apr 2021 12:17:44 -0700
Message-ID: <CAMMESsxhx87=zz6jTni52814wnEnhaH6VapeRG9Z7Km66jnC=A@mail.gmail.com>
To: "Juan Alcaide (jalcaide)" <jalcaide@cisco.com>
Cc: "David Smith (djsmith)" <djsmith@cisco.com>, Susan Hares <shares@ndzh.com>, James Uttaro <ju1738@att.com>, "idr-chairs@ietf.org" <idr-chairs@ietf.org>, IDR List <idr@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/L9hsNhybfE27DE-GnPBOwBiRF2Q>
Subject: Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspec-oid-12
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2021 19:17:54 -0000
On April 12, 2021 at 7:32:04 PM, Juan Alcaide wrote: [+ WG + Chairs] Juan: Hi! > Here it goes: https://tools.ietf.org/html/draft-ietf-idr-bgp-flowspec-oid-13 I looked at the update and have some remaining comments -- mostly minor and nits. I am starting the IETF Last Call -- you can address my comments as part of other potential LC comments. Thanks! Alvaro. [Line numbers from idnits for -13.] == Unused Reference: 'RFC6793' is defined on line 487, but no explicit reference was found in the text ... 15 Abstract 17 This document describes a modification to the validation procedure 18 defined for the dissemination of BGP Flow Specifications. The 19 dissemination of BGP Flow Specifications requires that the originator 20 of the Flow Specification matches the originator of the best-match 21 unicast route for the destination prefix embedded in the Flow 22 Specification. For an iBGP received route, the originator is 23 typically a border router within the same autonomous system. The 24 objective is to allow only BGP speakers within the data forwarding 25 path to originate BGP Flow Specifications. Sometimes it is desirable 26 to originate the BGP Flow Specification any place within the 27 autonomous system itself, for example, from a centralized BGP route 28 controller. However, the validation procedure will fail in this 29 scenario. The modification proposed herein relaxes the validation 30 rule to enable Flow Specifications to be originated within the same 31 autonomous system as the BGP speaker performing the validation. 32 Additionally, this document revises AS_PATH validation rules so Flow 33 Specifications received from an eBGP peer can be validated when such 34 peer is a BGP route server. [nit] s/Specification any place/Specification from any place [nit] s/revises AS_PATH/revises the AS_PATH ... 93 2. Introduction ... 127 Figure 1 illustrates this principle. R1 (the upstream router) and RR 128 need to validate the Flow Specification whose embedded destination 129 prefix has a best-match unicast route (dest-route) originated by 130 ASBR2. ASBR2 could originate the Flow Specification, and it would be 131 validated when received by RR and R1. Sometimes the Flow 132 Specification needs to be originated on AS1. ASBR1 could originate 133 it, and Flow Specification would still be validated. In both cases, 134 the Flow Specification is originated by a router in the same 135 forwarding path as the dest-route. For the case where AS1 has 136 thousands of ASBRs, it becomes impractical to originate different 137 rules on each ASBR in AS1 based on which ASBR each dest- route is 138 learned from. The objective is to advertise all the Flow 139 Specifications from the same route-controller. [nit] s/originated on AS1/originated inside AS1 [minor] s/different rules/different Flow Specification rules [nit] s/dest- route/dest-route ... 159 3. Motivation ... 234 In addition, an operator MAY extend the requirements above for a 235 group of ASes via policy. This is described in section (b.2.3) of 236 the validation procedure. [minor] Let's keep the Normative actions to the mechanism: s/MAY/may ... 251 4.1. Revision of Route Feasibility ... 264 2. The AS_PATH attribute of the Flow Specification is empty or 265 contains only AS_CONFED_SEQUENCE and/or AS_CONFED_SET segments 266 [RFC5065]. [] I had suggested only AS_CONFED_SEQUENCE because of the recommendations in rfc6472 and draft-ietf-idr-deprecate-as-set-confed-set. I'm ok if you want to leave the current text -- an alternative would be to mention (in the "Explanation" below) that only AS_CONFED_SEQUENCE should be present and to add an Informative reference to draft-ietf-idr-deprecate-as-set-confed-set. 268 1. This condition SHOULD be enabled by default (it may be 269 disabled by explicit configuration as described on the 270 next list item (b.2.1)).. an empty AS_PATH. [] The update left some orphaned text. Also, the new text above (b.2) now mentions the empty AS_PATH so there's no need for this bullet. And it refers to itself (b.2.1). 272 2. This condition MAY be disabled by explicit configuration 273 on a BGP speaker. A possible case would be if we know for 274 a fact that only the right egress border routers (i.e. 275 those that are also egress border routers for the best 276 routes) are originating a Flow Specification NLRI. [nit] Who are "we"? s/if we know for a fact /if it is known 278 3. As an extension to this rule, a given non-empty AS_PATHs 279 (or AS_PATHS containing only AS_CONFED_SEQUENCE and/or 280 AS_CONFED_SET segments), MAY be validated by policy. A 281 possible case would be if the AS_SEQUENCE and AS_SET 282 contained only ASes that are known to belong to our own 283 administrative domain. [minor] The new text is confusing mentioning first AS_CONFED_* and then AS_*. Suggestion> 3. As an extension to this rule, a given non-empty AS_PATH MAY be validated by policy. A possible case would be if AS_PATH contained only ASNs that are known to belong to a common administrative domain. ... 306 4.2. Revision of AS_PATH Validation 308 [RFC8955] states: 310 BGP implementations MUST also enforce that the AS_PATH attribute of a 311 route received via the External Border Gateway Protocol (eBGP) 312 contains the neighboring AS in the left-most position of the AS_PATH 313 attribute. [minor] Indent this paragraph to show that it is a quote from rfc8955. 315 This rule prevents the exchange of BGP Flow Specification NLRIs at 316 Internet exchanges with BGP route servers [RFC7947]. Therefore, this 317 document also redefines the [RFC8955] AS_PATH validation procedure 318 referenced above as follows: 320 BGP Flow Specification implementations MUST enforce that the AS in 321 the left-most position of the AS_PATH attribute of a Flow 322 Specification route received via the External Border Gateway Protocol 323 (eBGP) matches the AS in the left-most position of the AS_PATH 324 attribute of the best-match unicast route for the destination prefix 325 embedded in the Flow Specification NLRI. [minor] Indent this paragraph to show that it is the updated text. ... 370 5. Topology Considerations 372 [RFC8955] indicates that the originator may refer to the originator 373 path attribute (ORIGINATOR_ID) or (if the attribute is not present) 374 the transport address of the peer from which the BGP speaker received 375 the update. If the latter applies, a network should be designed so 376 it has a congruent topology amongst ipv4 unicast routes and Flow 377 Specification routes. By congruent topology, it is understood that 378 for the two equivalent routes (i.e. the Flow Specification route and 379 its best-match unicast route) are learned from the same peer accross 380 the AS. That would likely not be true, for instance, if some peers 381 only negotiated one type of address-family or if each address-family 382 had a different set of policies. [minor] the generic text should apply to any AF. s/ipv4 unicast routes/unicast routes ... 389 Explanation: 391 Consider the validation procedure preceding this document. The 392 second condition (b.2) does not exist. The two following 393 scenarios have a non-congruent topology: [] The original text made sense. Suggestion> Consider the following scenarios of a non-congruent topology without the second condition (b.2) being added to the validation procedure: ... 430 7. Security Considerations 432 This document updates the route feasibility validation procedures for 433 Flow Specifications learned from iBGP peers and through route 434 servers. This change is in line with the procedures in [rfc8955] and 435 thus maintain security characteristics equivalent to the existing 436 security properties of BGP unicast routing. [nit] s/rfc8955/RFC8955 [End -13.]
- [Idr] AD Review of draft-ietf-idr-bgp-flowspec-oi… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Susan Hares
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… David Smith (djsmith)
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Susan Hares
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
- Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)