Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard

Jeffrey Haas <> Tue, 25 April 2017 22:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1B45F1275AB for <>; Tue, 25 Apr 2017 15:03:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YZkQuhuZ5P2N for <>; Tue, 25 Apr 2017 15:03:45 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 43350128BB6 for <>; Tue, 25 Apr 2017 15:03:45 -0700 (PDT)
Received: by (Postfix, from userid 1001) id AC2F71E358; Tue, 25 Apr 2017 18:11:04 -0400 (EDT)
Date: Tue, 25 Apr 2017 18:11:04 -0400
From: Jeffrey Haas <>
To: Jared Mauch <>
Cc:, "Alvaro Retana (aretana)" <>
Message-ID: <>
References: <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <>
Subject: Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 25 Apr 2017 22:03:47 -0000

[I'm picking on this specific message to make my points.]

On Thu, Apr 20, 2017 at 09:40:13AM -0400, Jared Mauch wrote:
> > On Apr 19, 2017, at 6:26 PM, Robert Raszuk <> wrote:
> > 
> > Keyur,
> > 
> > You can not set "insecure mode" before you reload the OS as current OS does not have such knob. Unless you delay the deployment across N releases and enforce sequenced upgrade.
> Infact, this is the recommendation that I’ve provided to vendors that have expressed concerns.  There are many defaults that have not always been displayed, but things like IOS have “show run all” so you can see these.  
> Something like the ‘bgp unsafe-ebgp-policy’ could be generated on their respective implementations.  I didn’t think that GROW/IDR needed to tell implementors this level of how to manage their release, so this does seem somewhat out of scope, but a concern I can see needs to be thought about.

My own thoughts on this draft haven't really changed since my original
comments at the microphone and in the halls after grow when it was

- I'm supportive of this idea.  Safe by default is significantly better than
  unsafe by default.
- Moving to this as a new behavior will be extremely painful.  The word I've
  used internally has been "excruciating".

The tenor of this thread has really taken a disservice by conflating the
"this is a good idea" and the "we're going to make long-standing
implementations non-conformant" via the document status bludgeon.  The
latter isn't the fault of the document authors, but it's where I think we
took a wrong turn.

My personal recommendation is, presuming Alvaro and the IESG can live with
the particular bending of the meaning of BCP, that we go for that status.

This thread has generated a lot of good ideas about how to mitigate the pain
of moving existing implementations to support this practice.  It'd be good
if we summarize those some place.  Perhaps that place should be in the

That said, even with some of the techniques involved, implementors will take
considerable pain in making these changes.  Defaults do change.  Impacted
operators get cranky with them and they cause outages.  Sane developers do
not tend to want to be the one tagged as responsible for the change because
the hate mail in the form of bug reports, regressions, broken tests that comes
back to them. :-)

I'm not the most sane of our developers and I've been spending time since
this was originally proposed in grow to allow such a change in our
implementation and mitigate the results.  The change is easy, the mitigation
is not.  And even I'm sensitive to how much pain this will be.  I dare say
my operator friends can't buy me quite enough beer to make it "easy".

But it's worth continuing the conversation.

-- Jeff