Re: [Idr] Kathleen Moriarty's No Objection on draft-ietf-idr-add-paths-14: (with COMMENT)

"John G. Scudder" <jgs@juniper.net> Thu, 12 May 2016 16:08 UTC

To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/idr/O_RHRv6bP4d9nUAiWIdY6l53Iwc>
Cc: idr wg <idr@ietf.org>, russ@riw.us, idr-chairs@ietf.org, draft-ietf-idr-add-paths@ietf.org, The IESG <iesg@ietf.org>

Hi Kathleen,

On May 11, 2016, at 10:29 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> On Wed, May 11, 2016 at 10:32 AM, Jeffrey Haas <jhaas@pfrc.org> wrote:
>> Kathleen,
>> 
>> On Mon, May 02, 2016 at 10:58:01AM -0700, Kathleen Moriarty wrote:
>>> 1. I'd like to see the security considerations explicitly state that this
>>> could result in a denial of service attack.  The resource consumption is
>>> stated nicely, but it would be good (following RFC3552) to state the type
>>> of attack.
>>> 
>>>  "This document defines a BGP extension that allows the advertisement
>>>   of multiple paths for the same address prefix without the new paths
>>>   implicitly replacing any previous ones.  As a result, multiple paths
>>>   for a large number of prefixes may be received by a BGP speaker
>>>   potentially depleting memory resources or even causing network-wide
>>>   instability."
>>> 
>>> Adding something like: "This could result in a denial of service
>>> attack."
>> 
>> The considerations of a BGP peer's normal protocol interactions with a BGP
>> speaker - with or without add-paths - being considered a Denial of Service
>> seems to be unnecessary scare words.
>> 
>> While the add-paths case does permit a much larger number of paths to be
>> propagated, the same issue may apply to simply sending along a much larger
>> amount of some routing table than expected.  This could include sending a
>> full Internet routing table to a router scaled for a few thousands of
>> routes.
>> 
>> I recommend against this change.
> 
> This is just a comment, so it's up to the shepherd and AD, but adding
> this would be in line with the guidance from RFC3552.
> 
> https://tools.ietf.org/html/rfc3552

Looking at RFC 3552 S. 2.3.3 ("Denial of Service") it does suggest that DoS be considered and identified when relevant. I think Jeff's point (which I agree with) is that add-path doesn't change the fundamentals of BGP with respect to DoS -- the peer can send me a bazillion routes, differentiating them by prefix, or by path-id, or both. It just comes down to which bits in the NLRI are used to make the routes unique.

Anyway, point taken that we should think about this more before making any definite conclusion, and if add-path does create any new DoS vulnerability we should identify it.

Regards,

--John
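Added example, not part of the thread or of the draft's own text: John's point is that with ADD-PATH the peer can make routes unique by prefix, by path identifier, or both, so a defender's per-peer route limit has to count the (path-id, prefix) entries that actually occupy RIB memory, not just distinct prefixes. The code below assumes the IPv4 unicast NLRI encoding of draft-ietf-idr-add-paths (a 4-octet Path Identifier in front of the usual length/prefix field); the sample NLRI it builds is constructed for the demonstration and the function and variable names are the author's own.

```python
"""Parse ADD-PATH NLRI and apply a per-peer route budget.

Assumed encoding (draft-ietf-idr-add-paths, IPv4 unicast):
    path_id (4 octets) | prefix length (1 octet) | prefix (ceil(len/8) octets)
All sample data in this file is constructed for illustration.
"""
import ipaddress
import struct
from typing import List, Tuple

Route = Tuple[int, str]  # (path identifier, "prefix/len")


def encode_addpath_nlri(routes: List[Route]) -> bytes:
    """Serialize (path_id, prefix) tuples into an ADD-PATH NLRI field."""
    out = bytearray()
    for path_id, prefix in routes:
        net = ipaddress.IPv4Network(prefix)
        plen = net.prefixlen
        nbytes = (plen + 7) // 8
        out += struct.pack("!IB", path_id, plen) + net.network_address.packed[:nbytes]
    return bytes(out)


def parse_addpath_nlri(data: bytes) -> List[Route]:
    """Decode an ADD-PATH NLRI field, rejecting truncated or malformed entries."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        if i + 5 > len(data):
            raise ValueError("truncated NLRI entry at offset %d" % i)
        path_id = struct.unpack("!I", data[i:i + 4])[0]
        plen = data[i + 4]
        if plen > 32:
            raise ValueError("bad prefix length %d at offset %d" % (plen, i + 4))
        nbytes = (plen + 7) // 8
        i += 5
        if i + nbytes > len(data):
            raise ValueError("truncated prefix at offset %d" % i)
        # Pad to 4 octets and mask off trailing bits beyond the prefix length.
        addr_int = int.from_bytes(data[i:i + nbytes] + b"\x00" * (4 - nbytes), "big")
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        routes.append((path_id, "%s/%d" % (ipaddress.IPv4Address(addr_int & mask), plen)))
        i += nbytes
    return routes


def count_routes(routes: List[Route]) -> Tuple[int, int]:
    """Return (distinct prefixes, distinct (path_id, prefix) entries)."""
    return len({pfx for _, pfx in routes}), len(set(routes))


def exceeds_budget(routes: List[Route], max_entries: int) -> bool:
    """Per-peer limit counted over (path_id, prefix) entries, i.e. over what
    a speaker actually has to store, so path-id differentiation cannot
    slip past a limit that only looks at prefixes."""
    return len(set(routes)) > max_entries


def demo(max_entries: int = 2000) -> Tuple[int, int, bool, bool]:
    """Constructed case: 3 prefixes, each advertised with 1000 path identifiers.
    Returns (prefixes, entries, prefix-only limit tripped, entry limit tripped)."""
    routes = [
        (pid, pfx)
        for pfx in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")
        for pid in range(1, 1001)
    ]
    decoded = parse_addpath_nlri(encode_addpath_nlri(routes))
    prefixes, entries = count_routes(decoded)
    return prefixes, entries, prefixes > max_entries, exceeds_budget(decoded, max_entries)


if __name__ == "__main__":
    print(demo())  # (3, 3000, False, True)
```

The same total of 3000 entries could equally have been reached with 3000 distinct prefixes and a single path identifier each, which is the thread's point: ADD-PATH changes which NLRI bits make a route unique, not the amount of state a peer can push, so the existing mitigation (a per-peer limit on stored entries) carries over unchanged as long as it counts entries rather than prefixes.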