[Idr] BGP Auto-Discovery Protocol State Requirements

Jeffrey Haas <jhaas@pfrc.org> Tue, 16 March 2021 20:40 UTC

Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A60E93A0905 for <idr@ietfa.amsl.com>; Tue, 16 Mar 2021 13:40:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RrFHTdzNZxhb for <idr@ietfa.amsl.com>; Tue, 16 Mar 2021 13:40:40 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 5A4503A08F9 for <idr@ietf.org>; Tue, 16 Mar 2021 13:40:40 -0700 (PDT)
Received: by slice.pfrc.org (Postfix, from userid 1001) id F29841E446; Tue, 16 Mar 2021 17:02:03 -0400 (EDT)
Date: Tue, 16 Mar 2021 17:02:03 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: idr@ietf.org
Message-ID: <20210316210203.GC29692@pfrc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/VGFkpYrKOu1HMDhxHiMHAhrKyLU>
Subject: [Idr] BGP Auto-Discovery Protocol State Requirements
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Mar 2021 20:40:43 -0000

https://tools.ietf.org/html/draft-ietf-idr-bgp-autoconf-considerations-00

To avoid cluttering the adoption call thread, this is sent separately.

Section 2.3 lists the following requirements.  This thread is to discuss
them.

: BGP Session Transport State:
: o  IP addresses
: o  Transport security parameters
: o  GTSM [RFC5082] configuration, if any
: o  BFD [RFC5880] configuration, if any
: 
: BGP Session Protocol State:
: o  AS Numbers
: o  BGP Identifier
: o  Supported AFI/SAFIs
: o  Device Role

A valid criticism I'll take as editor of the document is the session
protocol state section should have had additional material noting that it
may be procedurally optional.  Whether it's optional depends on the desired
behavior of the protocol.  The proposals to date in most cases cover one or
more of these items and tend to universally lack justification as to why
they're in a given document - or not.  

The following attempts to discuss the motivations from design team
discussion during 2021.

-----

To get to a stage where BGP can even send an OPEN message, you have to 
be able to get TCP to connect.  This state is covered by the BGP Session
Transport State.

IP address: MANDATORY
BGP can't come up without knowing what the IP address is.

This state may be carried explicitly in the protocol, or potentially derived
from the protocol transport.  For example, the source address of the
discovery protocol, if it uses IP.  

Even if it uses IP, there are design choices:
- Do you require a discovery protocol message in the address family of the
  peer?  For example, IPv4 discovery message to carry only IPv4?

  + This doubles messages if you support v4 and v6.

- What do you do about mixed-mode peering, e.g. RFC 5549?

---

Transport security parameters: MANDATORY
That parameter may be "NONE" and thus plain TCP.  

If you're requiring TCP-MD5, TCP-AO, or something a bit more exotic like
IPsec, the TCP state machine may not even advance unless you're using the
correct parameters.  

Keychain hints may be needed if you want to use one of these.  

---

GTSM: MANDATORY
If you're using GTSM for your sessions, TCP may not even establish unless
it's on.

Robert points out existing security considerations about using GTSM.
They apply here as well.

---

BFD Configuration: OPTIONAL?

Some BGP implementations don't let their sessions come up or stay up if
there's a mis-match in BFD between the systems.

See draft-ietf-idr-bgp-bfd-strict-mode.  Making support for this draft
mandatory would let this state requirement be dropped.

======================================================================

Once you have the capability of bringing up a BGP session, you have to
decide if you even want to.  There are at least two design choices, each
with specific consequences:

1. The implementation is willing to determine if a peer is acceptable or not
   based on the information exchanged in the BGP OPEN message.  Call this
   "discover at OPEN".  A further implication of this mode is the
   implementation must be willing to service incoming sessions that may drop
   just so they can figure out if they find each other mutually agreeable.
   This becomes a scaling discussion.

2. The implementation wants to know the properties of its potential peer to
   decide if it wants even try to bring up a session.  This enables "peer
   selection".

   The good property is that the peer sending such messages doesn't have to
   service sessions only to immediately drop them.

   The bad property is that this increases disclosure of some BGP
   information to parties that may not eventually be permitted to peer.
   (Security consideration.)

---

A concomitant consideration for implementations using either strategy is the
retry mechanism.  Presume that upon discovering a BGP speaker using the
auto-configuration mechanism that either participant decides that it doesn't
want to continue peering.  Simple examples may be wrong AS number (relevant
for data center fabrics), existing peering session on a different link
(resolved by BGP Identifier), or mis-match in capabilities.

When things aren't acceptable, how should you retry?

1. If you use "discover at OPEN", you have to figure out how often to try to
   bring up a session to see if things have changed.  Perhaps you require a
   manual reset after some interval.  Either way, you're repeatedly trying to
   establish a session and thus it's a scaling consideration.

2. If the peer selection criteria is present in the auto-discovery
   mechanism, the discovering peer can simply wait until it discovers sessions
   with acceptable properties.

   Such a mechanism does introduce the edge case where the discovered
   session's propeties may not match those in the BGP OPEN message.

Auto-discovery protocols need to document how retry will be expected to
work.  The security and transport ADs will want the considerations dealt
with prior to moving to RFC.

-----

The typical state for session selection are the AS Number(s), BGP
Identifier, and supported AFI/SAFIs.  Multiple of the proposed protocols
carry this state.

Device role should not have been in the MUST state, but discussion on how to
auto-configuration is deployed specifically for BGP datacenter fabrics has
raised questions that point to some form of this repeatedly.  This items is
understood to be a contentious point and was going to require IDR list
discussion.


-- Jeff