Re: [Idr] RFC-4893 handling malformed AS4_PATH attributes

Enke Chen <enkechen@cisco.com> Mon, 15 December 2008 20:10 UTC

Message-ID: <4946B996.4040907@cisco.com>
Date: Mon, 15 Dec 2008 12:09:58 -0800
From: Enke Chen <enkechen@cisco.com>
To: Danny McPherson <danny@tcb.net>
Cc: Inter-Domain Routing List <idr@ietf.org>, quaizar.vohra@gmail.com
In-Reply-To: <5340D990-F446-4C37-8307-1DB31ADF2273@tcb.net>
Subject: Re: [Idr] RFC-4893 handling malformed AS4_PATH attributes

Danny McPherson wrote:
>
> On Dec 15, 2008, at 12:14 PM, Enke Chen wrote:
>>
>> The issue of receiving unexpected AS_CONFED_xxx segment was actually 
>> considered when we were working on the 4byte AS document before. The 
>> thinking was that it's a generic issue with the confederation that 
>> has been addressed by the confederation document.
>
> But it's not, because you're now tunneling these attributes
> in AS4_PATH and can result in *remote* non-adjacent session
> tear downs or even craft targeted attacks with such a behavior,
> not just adjacent eBGP speakers.
>
>> While the confederation document (RFC 5056) treats it as an error 
>> condition to maintain the protocol correctness, the implementations 
>> commonly just ignore the segments.  "be conservative in what you 
>> send, and be liberal in what you accept".
>
> I'm not sure what that means, are you saying that you propagate
> those segments and ignore the spec?  or that you discard them
> and ignore the spec?  If the latter, you're saying that's what you
> currently do, but the spec need not be updated to reflect this?

For the implementations of confederation that I am familiar with, the 
AS_CONFED_xxx segments are discarded if received unexpectedly (e.g., 
from eBGP).  The offense is not considered serious enough to tear down 
the session.

Regarding the confederation spec, do not ask me.  You are one of the 
co-authors of the latest version.

>
> And what if those segments were there because a broken generating
> implementation put them, rather than a confederation identifier,
> in the AS4_PATH attribute?  Could this not result in routing
> information loops?  Should the operator not be notified of this?

These questions have been answered by 15 years of confederation 
deployment.  Haven't they?

>
> Either way, I get the "people do stupid things, don't let them
> hurt you bit", but the fact that RFC 4893 enables this is a
> problem.

Again, I do not see any reason why RFC 4893 should be different from RFC 
5056 w.r.t. the processing of unexpected confed segments.

-- Enke
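The behaviour Enke describes above (confederation segments that arrive where they are not expected, e.g. in a path learned from an eBGP peer, are discarded rather than treated as a session-tearing error, while truly malformed data is still rejected), as an added example that is not part of the original thread or of any vendor's code. Segment type codes follow RFC 4271 and RFC 5065; the 4-octet AS width follows RFC 4893. The function names, the `from_ebgp` flag and the sample attribute bytes are constructed for illustration.

```python
import struct
from typing import List, Tuple

# Path segment type codes: AS_SET and AS_SEQUENCE from RFC 4271,
# AS_CONFED_SEQUENCE and AS_CONFED_SET from RFC 5065.
AS_SET = 1
AS_SEQUENCE = 2
AS_CONFED_SEQUENCE = 3
AS_CONFED_SET = 4
KNOWN_TYPES = {AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET}
CONFED_TYPES = {AS_CONFED_SEQUENCE, AS_CONFED_SET}

Segment = Tuple[int, List[int]]


class MalformedPath(ValueError):
    """Structural damage (truncated segment, unknown type). This is the
    case that is an actual attribute error; an unexpected but well-formed
    confederation segment is deliberately NOT reported this way."""


def parse_as4_path(value: bytes) -> List[Segment]:
    """Decode an AS4_PATH attribute value into (segment_type, [asn, ...]).
    Each segment is <type:1><count:1><count * 4-octet ASN> (RFC 4893)."""
    segments: List[Segment] = []
    pos = 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise MalformedPath("truncated segment header")
        seg_type, seg_len = value[pos], value[pos + 1]
        pos += 2
        if seg_type not in KNOWN_TYPES:
            raise MalformedPath(f"unknown segment type {seg_type}")
        end = pos + 4 * seg_len
        if end > len(value):
            raise MalformedPath("segment length exceeds attribute length")
        asns = list(struct.unpack(f"!{seg_len}I", value[pos:end]))
        segments.append((seg_type, asns))
        pos = end
    return segments


def sanitize_as4_path(value: bytes, from_ebgp: bool) -> Tuple[List[Segment], List[str]]:
    """Hypothetical receive-side policy: when the path came from an eBGP peer,
    drop any confederation segments and record a note for the operator log
    instead of tearing the session down. Structural errors still raise."""
    kept: List[Segment] = []
    notes: List[str] = []
    for seg_type, asns in parse_as4_path(value):
        if from_ebgp and seg_type in CONFED_TYPES:
            notes.append(f"dropped unexpected confed segment type {seg_type} with ASNs {asns}")
            continue
        kept.append((seg_type, asns))
    return kept, notes


def is_structurally_malformed(value: bytes) -> bool:
    """True when the attribute cannot even be decoded (the real error case)."""
    try:
        parse_as4_path(value)
        return False
    except MalformedPath:
        return True


def encode_as4_path(segments: List[Segment]) -> bytes:
    """Inverse of parse_as4_path; used here to build the constructed sample."""
    out = bytearray()
    for seg_type, asns in segments:
        out += bytes([seg_type, len(asns)])
        out += struct.pack(f"!{len(asns)}I", *asns)
    return bytes(out)


# Constructed sample: an AS_SEQUENCE of two 4-octet ASNs followed by an
# AS_CONFED_SEQUENCE that a misbehaving peer leaked into AS4_PATH.
SAMPLE = encode_as4_path([(AS_SEQUENCE, [65536, 4200000000]),
                          (AS_CONFED_SEQUENCE, [65001])])

if __name__ == "__main__":
    kept, notes = sanitize_as4_path(SAMPLE, from_ebgp=True)
    print("kept:", kept)
    for note in notes:
        print("log:", note)
```

The split between `MalformedPath` and the logged drop is the point of the message: a well-formed segment in the wrong place is a policy question the receiver can resolve locally (and tell the operator about, which addresses the notification concern raised in the thread), whereas a segment that cannot be decoded is the only case where treating the attribute as broken is warranted.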
