Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action

PVLR Pavana Murthy <pvlrpm@gmail.com> Sat, 28 April 2018 04:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/P3-JqmdJM01xR9qUkB6Cu7feICM>

Hi Dave,
   Thanks for the reply and including respective draft author aliases.

I went through the latest draft-ietf-idr-bgp-flowspec-oid-06. It calls the
first AS the Origin AS. Is it so?
If that's the case, the validation will fail for any 'redirect IP' actions
coming from the AS other than neighbor AS. Is that the intention?
Also, in draft-ietf-idr-flowspec-redirect-ip-00.txt, instead of 'origin
AS', the word 'last AS' is used. It is confusing. Does the validation need
to consider the first AS or last AS?

Regarding my second doubt, I could not get any pointers from
draft-ietf-idr-bgp-flowspec-oid-06. Do we need to consider only BGP routes
always?

Thanks,
Pavana.


On Sat, Apr 28, 2018 at 3:37 AM, David Smith (djsmith) <djsmith@cisco.com>
wrote:

> Hi Pavana,
>
>
>
> Your points are valid. With that said, I’ll defer you to
> draft-ietf-idr-bgp-flowspec-oid-05 (and later) and, specifically, section
> 4 (revised validation procedure) which addresses your points below.
>
>
>
> Co-incidentally, a WG last call was issued for
> draft-ietf-idr-bgp-flowspec-oid-06 yesterday.
>
>
>
> Regards,
>
>
>
> /dave
>
>
>
>
>
> *From:* PVLR Pavana Murthy <pvlrpm@gmail.com>
> *Sent:* Friday, April 13, 2018 1:51 AM
> *To:* idr wg <idr@ietf.org>; pmohapat@cumulusnetworks.com; David Smith
> (djsmith) <djsmith@cisco.com>
> *Subject:* Validation for BGP Flow-Spec Redirect to IP Action
>
>
>
> Hello,
>
>   In the draft draft-ietf-idr-flowspec-redirect-ip-02.txt, the following
> procedure is mentioned to validate the extended community of 'Flowspec
> redirect to IP'.
>
>    BGP speakers that support the extended communities defined in this
>    draft MUST also, by default, enforce the following check when
>    receiving a flow-spec route from an EBGP peer: if the received
>    flow-spec route has a 'redirect to IP' extended community with a 'target
>    address' X (in the global administrator field) and the best matching
>    route to X is not a BGP route with *origin AS* matching the peer AS
>    then the extended community should be discarded and not propagated
>    along with the flow-spec route to other peers.
>
>
>
> *I have 2 doubts related to this statement.*
>
>
>
> *What is 'origin AS' here? Is it the AS no. that is first added to the AS_PATH?*
> *In the previous version of the draft it's mentioned as the last AS in the AS_PATH.*
> *Is it the last AS no. that has been added to the AS_PATH or the last AS no. from left in AS_PATH?*
>
> *What if the redirect target X is directly connected or reachable by a static route and it's not advertised by EBGP?*
> *Do we need to consider that action invalid in that case?*
>
>
>
>
>
> Thanks,
>
> Pavana.
>
>
>
>
>
>
>
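
Added example, not part of the original thread or of either draft: a minimal Python model of the 'redirect to IP' check quoted above, showing how the two readings of 'origin AS' raised in the thread give different results, and what happens when the best match for X is a static route. The RIB entries, AS numbers and the `reading` parameter are constructed for illustration; the code assumes the flow-spec route was already received from an EBGP peer, ignores AS_SETs, and does not settle which reading the drafts intend.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str          # constructed sample prefix (documentation ranges)
    protocol: str        # "bgp", "static" or "connected"
    as_path: tuple = ()  # leftmost = most recently prepended AS


def best_match(rib, target):
    """Longest-prefix match for target over a list of Route objects."""
    addr = ipaddress.ip_address(target)
    hits = [r for r in rib if addr in ipaddress.ip_network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen,
               default=None)


def keep_redirect_ip(rib, target, peer_as, reading):
    """True: keep the 'redirect to IP' community. False: discard it.

    reading is a hypothetical switch between the two interpretations:
      "first-added" compares the AS first added to AS_PATH (rightmost),
      "last-added"  compares the AS most recently added (leftmost).
    """
    route = best_match(rib, target)
    # Quoted text: the best matching route to X must be a BGP route.
    if route is None or route.protocol != "bgp" or not route.as_path:
        return False
    asn = route.as_path[-1] if reading == "first-added" else route.as_path[0]
    return asn == peer_as


# Constructed RIB: peer AS 65001 relays a prefix originated by AS 65002.
RIB = [
    Route("192.0.2.0/24", "bgp", (65001, 65002)),
    Route("203.0.113.0/24", "bgp", (65001,)),
    Route("203.0.113.128/25", "static"),   # more specific than the BGP /24
    Route("198.51.100.0/24", "connected"),
]

if __name__ == "__main__":
    for x in ("192.0.2.1", "203.0.113.10", "203.0.113.200", "198.51.100.7"):
        print(x, {r: keep_redirect_ip(RIB, x, 65001, r)
                  for r in ("first-added", "last-added")})
```

Under the literal wording of the quoted check, a target whose best match is static or connected always has its community discarded, which is the second case the original question asks about.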