Re: [Idr] ttRE: FW: New Version Notification for draft-ietf-idr-bgp-open-policy-22.txt

[bruno.decraene@orange.com]

Alexander,

Please see inline [Bruno]



Orange Restricted
From: Alexander Azimov <a.e.azimov@gmail.com>
Sent: Wednesday, February 16, 2022 5:24 PM
To: DECRAENE Bruno INNOV/NET <bruno.decraene@orange.com>
Cc: Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov>; idr@ietf.org; Alvaro Retana (aretana) <aretana@cisco.com>; idr-chairs@ietf.org; Susan Hares <shares@ndzh.com>; Jeffrey Haas <jhaas@pfrc.org>
Subject: Re: ttRE: [Idr] FW: New Version Notification for draft-ietf-idr-bgp-open-policy-22.txt

Bruno,

Please see the quote from 7.8 of RFC7606 which I see as good example:


   The error handling of [RFC1997<https://datatracker.ietf.org/doc/html/rfc1997>] is revised as follows:



   o  The Community attribute SHALL be considered malformed if its

      length is not a non-zero multiple of 4.



   o  An UPDATE message with a malformed Community attribute SHALL be

      handled using the approach of "treat-as-withdraw".



As you can see, there is no difference between processing communities with malformed length whether they are received thorugh eBGP or iBGP.



[Bruno] Please see https://datatracker.ietf.org/doc/html/rfc7606#section-7.10 where there is a difference between eBGP and iBGP, both in term of error condition and action taken:


The error handling of [RFC4456<https://datatracker.ietf.org/doc/html/rfc4456>] is revised as follows:


   o  if the CLUSTER_LIST attribute is received from an external
      neighbor, it SHALL be discarded using the approach of "attribute
      discard"; or

   o  if received from an internal neighbor, it SHALL be considered
      malformed if its length is not a non-zero multiple of 4.  If
      malformed, the UPDATE message SHALL be handled using the approach
      of "treat-as-withdraw".





And in the context of OTC inside AS one can say that OTC use case and community use case that are marking routes to prevent leaking is very much the same, do you agree?
[Bruno] Not sure what your point is. I don't agree in the general case:
- community allows for very flexible usage, including having an effect on route selection or installation
- OTC is defined to not be used inside iBGP hence is guaranteed to have no effect on route selection or installation within the AS


And btw, getting back to your original example, how your proposal will help to prevent loops if for some reason the internal sessions are configured as eBGP with private ASNs?
[Bruno] Not sure what you mean by "internal session configured as eBGP". A priori, if you configure eBGP you have an AS boundary and you may filter/change preference of routes on this boundary. (without creating loops)

Your last suggestion that restricts route advertisement in all directions including Customers may improve the situation but in the partial deploy scenario still may lead to hard to debug issues when routes with malformed attribute will travel beyond single administrative domain.
[Bruno] I'm not sure to see your case:
- if the ASBR supports OTC, the proposal would be to filter the route on all eBGP sessions hence the malformed attribute will not travel beyond single administrative domain
- if the ASBR does not support OTC, by definition of optional transitive, it will propagate the route and the malformed attributes regardless of the error handling specified for OTC.

--Bruno

ср, 16 февр. 2022 г. в 17:18, <bruno.decraene@orange.com<mailto:bruno.decraene@orange.com>>:
Hi Sriram,

Please see inline [Bruno2]



Orange Restricted
From: Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov<mailto:kotikalapudi.sriram@nist.gov>>
Sent: Tuesday, February 15, 2022 11:52 PM
To: DECRAENE Bruno INNOV/NET <bruno.decraene@orange.com<mailto:bruno.decraene@orange.com>>; Alexander Azimov <a.e.azimov@gmail.com<mailto:a.e.azimov@gmail.com>>; Jeffrey Haas <jhaas@pfrc.org<mailto:jhaas@pfrc.org>>
Cc: idr@ietf.org<mailto:idr@ietf.org>; Alvaro Retana (aretana) <aretana@cisco.com<mailto:aretana@cisco.com>>; idr-chairs@ietf.org<mailto:idr-chairs@ietf.org>; Susan Hares <shares@ndzh.com<mailto:shares@ndzh.com>>
Subject: RE: [Idr] FW: New Version Notification for draft-ietf-idr-bgp-open-policy-22.txt

Hi Bruno,

Comments inline marked with [Sriram].

>[Bruno] - RFC7606 provides a guidance https://datatracker.ietf.org/doc/html/rfc7606#section-8<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc7606%23section-8&data=04%7C01%7Ckotikalapudi.sriram%40nist.gov%7Cb7a059d3cee145ca531c08d9f0a3c35f%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637805408436586543%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=Fsbz%2B8gTR8c0r94m4SoaamR4O%2BmHiMYH5tY9uRCXTHk%3D&reserved=0> . It's only half a page so anyone interested could read. I don't think it can be summarized as per you above sentence.

[Sriram] Section 8 of RFC 7606 that you cite, says:

   A document that specifies a new BGP attribute MUST provide specifics
   regarding what constitutes an error for that attribute and how that
   error is to be handled.  Allowable error-handling approaches are
   detailed in Section 2.

[Sriram] From the list of error-handling approaches detailed in Section 2, only treat-as-withdraw and attribute discard are relevant for us. Since the RFC says, "Allowable error-handling approaches are detailed in Section 2",  it does not allow for applying none of the approaches as an option.

[Bruno2] First step that RFC7606 does is to define (i.e. choose) what constitute an error. We could define that length is not checked for IBGP because we don't care about the content (or even the attribute). Alternatively, I'm also fine with attribute discard if we consider that the attribute is in error and hence could not be trusted.

>[Bruno] In particular there is not such "SHALL be handled using the approach of "treat-as-withdraw".

[Sriram] Regarding attribute discard, RFC 7606 says: "This approach MUST NOT be used except in the case of an attribute that has no effect on route selection or installation." This implies: This approach MUST NOT be used in the case of an attribute that has an effect on route selection or installation. Do you agree? The route does propagate from iBGP (ingress) to eBGP (in the ASBR), where the attribute plays a role in route selection for propagation.

[Bruno2] 1) For IBGP, OTC attribute has no effect on route selection and installation. 2) Since you seem to be calling for "treat-as-withdraw", I would argue that "treat-as-withdraw" has also an effect on route selection or installation, and a bigger one. So it's not really safer in term of side effect.

>[Bruno] It also specifically calls for attention to optional transitive attributes (such as OTC) for which "the damage inflicted may be multiplied  manyfold >

[Sriram] The "damage inflicted may be multiplied manyfold" is about session reset. That is why the RFC urges the use of treas-as-withdraw or attribute discard instead.
[Bruno2] It's discussed in the context as session reset, but the cause is the optional transitive attribute. Cf following text which only refers to the type of attribute and not the action taken
   although the problematic attributes may have
   originated with a single update transmitted by a single BGP speaker,
   by the time they encounter a router that checks them they may have
   been replicated many times and thus may cause the reset of many
   peering sessions.  Thus, the damage inflicted may be multiplied
   manyfold.



>[Bruno] Without double checking, I don't recall that OTC is acted upon within IBGP. So in this case it does not affect routing selection. Let's just specify to not even look at it (it's optional) and problem is solved.

[Sriram] iBGP and eBGP within an ASBR are not isolated operations. Please see my comment above.
Not to look at OTC is not an option.
[Bruno2] If this were true, we could not define the OTC as an optional transitive attribute, because essentially some routers will not look at OTC. Pick your option.


A compliant router checks syntax errors in iBGP (just as in eBGP) based on its expectations of the OTC Attribute. If the length value does not match, the Attribute is malformed.

[Sriram] If the OTC attribute is malformed for any reason, we cannot be sure that even the Attribute type value is correct (or as intended).
[Bruno2] 1) That's not the path chosen by RFC 7606 in case of a length error. 2) I would find debatable to assume an error on a field (type) when you don't see an error on this field. TLV construct provides hierarchy: I agree that what is inside the TLV (i.e. after/below the error) can't be trusted; but for what is before the error, there is little to no reason to assume an error (and if we do, we could imagine anything and in particular an attribute for which the error handling is "session reset".)

[Sriram] Then must it be propagated from iBGP to eBGP (in the ASBR) and then to eBGP neighbors?
[Bruno2] Current text proposes to _not_ propagate to eBGP neighbors except for Customer. If length is wrong, I would be fine to also not propagate to Customerif you find this better.

Thanks for the discussion
--Bruno

Thanks.

Sriram



_________________________________________________________________________________________________________________________



Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.



This message and its attachments may contain confidential or privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.


--
Best regards,
Alexander Azimov

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.