Re: [Idr] John Scudder's No Objection on draft-ietf-idr-bgp-flowspec-oid-13: (with COMMENT)
"Juan Alcaide (jalcaide)" <jalcaide@cisco.com> Thu, 13 May 2021 23:08 UTC
Return-Path: <jalcaide@cisco.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A65CF3A180D; Thu, 13 May 2021 16:08:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.896
X-Spam-Level:
X-Spam-Status: No, score=-11.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=fQhOoEts; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=LTrOhp5g
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FdqfVJvZ0wg7; Thu, 13 May 2021 16:08:02 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 018BB3A180C; Thu, 13 May 2021 16:08:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=17304; q=dns/txt; s=iport; t=1620947282; x=1622156882; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=un008DN99zuj0pergZqao8PeiOolLpU6sQclvbixIBk=; b=fQhOoEtsl0sIBucX79sIVUcPfXb4OfDZNS0eZPHZOz4Dxo+AQubqVEYt 6xxdfjhsB0TTbR/arcLbUkOrr6Jgp4u39m6WOc8/b3Z6+6lfhlnScIn94 wBaXv8kvW8Hs5n3vfJwGKD52jasrMyZWgp8Eh++TxdhUtZ4l7QZRLirLG M=;
IronPort-PHdr: A9a23:jKA5xRSAyW3Ex4+7LahF+Q5DhNpso13LVj580XJvo7BTdKW78o6kOkHDtr1hj17MCIPc7f8My+/bqLvpVmFI55Gd+GsDf5pBW15g640WkgUsDdTDBRj9K/jnPC4nGsVaWUUj+XynYgBZHc/kbAjUpXu/pTcZBhT4M19zIeL4Uo7fhsi6zaa84ZrWNg5JnzG6J7h1KUbekA==
IronPort-HdrOrdr: A9a23:eXXKoKzDcw+1u9KhuVB8KrPx+eskLtp133Aq2lEZdPULSK2lfpGV8sjziyWatN9IYgBepTiBUJPwJk80hqQFn7X5Wo3SHTUO2VHYYr2KiLGD/9SOIVyEygcw79YET0E6MqyNMbEYt7e73ODbKadb/DDvysnB7o2yowYPPGNXguNbnnpE422gYytLrXx9dOIE/e2nl7N6TlSbCBAqR/X+IkNAc/nIptXNmp6jSwUBHQQb5A6Hii7twKLmEjCDty1uEA9n8PMHyyzoggb57qKsv7WQ0RnHzVLe6JxQhZ/I1sZDPsqRkcIYQw+cyDpAJb4RHoFqjgpF591H22xa1uUkZC1QZvib3kmhOl1dZyGdgzUIngxesEMKgmXo8EcL6faJNA7STfAx376wtnDimhYdVBYW6tMX44vRjeslMTrQ2Cv6/NTGTBdsiw69pmcji/caizhFXZIZc6I5l/1SwKp5KuZLIMvB0vFrLACuNrCU2B9cSyLUU5kYhBgl/DWIZAVEIv6reDl3hiWl6UkfoJki9Tps+CU2pAZ2yHsSceg329j5
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AoAQDUr51g/5tdJa1aGQEBAQEBAQEBAQEBAQEBAQEBARIBAQEBAQEBAQEBAQFAgVeBU1EHd1o2MQuEPINIA4U5iH8DgQyJLo8mgUKBEQNUCwEBAQ0BATUKAgQBAYRPAheBXQIlOBMCBAEBARIBAQUBAQECAQYEcROFUA2GRAEBAQQjBA0MAQE3AQsEAgEIDgMEAQEDAiYCAgIfERUICAIEAQ0FCIJqglUDLwEDC50pAoofen8zgQGCBgEBBgQEgUhBgz8NC4ITAwaBECoBgnqEDoJjg3cnHIFJRIEVQ4FfSjY+gh9CAgECgSgBEgEJGoMVNoItgVkCAQ5aBgIsLQkEFA4ZFgIUQwYWDAYTGBIIHhQFCwYMDQYIAxGRGoJ3AUKlcTpbCoMWigGNfASFWhGDWYsShh+QLJU0ghaJcIMij22EagIEAgQFAg4BAQaBayNpWBEHcBU7gmlQFwIOjh8HBRYVgzmFFIVJcwI2AgYBCQEBAwl8iU8tgQcBMl4BAQ
X-IronPort-AV: E=Sophos;i="5.82,296,1613433600"; d="scan'208";a="895813186"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 13 May 2021 23:08:00 +0000
Received: from mail.cisco.com (xbe-aln-007.cisco.com [173.36.7.22]) by rcdn-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 14DN80D4014972 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Thu, 13 May 2021 23:08:00 GMT
Received: from xfe-rcd-004.cisco.com (173.37.227.252) by xbe-aln-007.cisco.com (173.36.7.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3; Thu, 13 May 2021 18:08:00 -0500
Received: from xfe-aln-001.cisco.com (173.37.135.121) by xfe-rcd-004.cisco.com (173.37.227.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3; Thu, 13 May 2021 18:07:59 -0500
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (173.37.151.57) by xfe-aln-001.cisco.com (173.37.135.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3 via Frontend Transport; Thu, 13 May 2021 18:07:59 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fHBhJXFZxZ2q08j5ZrawdcLA4xQIZGbu9ntI7aCsQTft7tHYhoyDkqY2N43dpoTzDKSgouQ0WUiM7TGVRZPnV0cw/FEieNR5bF84zwJ4QskXMIPu7ugLvNtpnl3E+qsVLwWSfHIJ/IP3Ad2dNBULdpgRjl8YcZUrRVA3qSlYUDJpoXDpcmY19HXdZ1V/NpeoeAmJI3BDObu0pNU47dmpVdT1d0tkiHJv44KIuAqDy1BMze1PdNhUa2nSF5+crrXUkl8kb0aTB8nRjQtcQJqJ+slXhK0N64YznnqpHit7kU1Lp6oLyB+CIyQKigHHXw98dM/EL20xRqdxR1GxQ10dhg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=un008DN99zuj0pergZqao8PeiOolLpU6sQclvbixIBk=; b=Yvr9TR56Y31+tRmNd4a4l5NM+D+OAyFv5vlcKwuiEOF56nmmL8vcQoqPNHaZy4T6kbc/CBCy7UeNz0PbILsLyt3z38OUIXMxXtowmdNgVk3gypA9+c556qlkyJB40MfQYsyFNrdzE0lceud/o9aHKDh7wG4z2+DTQlYfgMcHrMesEhqcbwvf2fY6eyWCUt8nLbUoPTKC0EJwwZ7C/+JzomU+kwrmsr763sToth6Qa4GNxoSoeXc5zOY2Tx9Ptdr18op29e7KCiaeb/nUY+gqO/x0UBdhwaVdcvZSxLBs/A2THutS5uf7ko8Q7ZexFTHot/hmHSypzTEllGeMlFtzNQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=un008DN99zuj0pergZqao8PeiOolLpU6sQclvbixIBk=; b=LTrOhp5gVQpKrd2mIv97DdM2Zg+zF/mdvyWR7/QNITwwKdQvtt5KDR6HpOyap/pG9mOi6V1cqMmuT2Af1QTvNJqRPLOrvZFN7l3Nh7jBgRtUblNnWF1TAjJmjGYc2krl7otEv8fn0IYz+2Ihy3TNV6qboxQuw85cxUJhMNFclJc=
Received: from DM6PR11MB3194.namprd11.prod.outlook.com (2603:10b6:5:5c::25) by DM6PR11MB4642.namprd11.prod.outlook.com (2603:10b6:5:2a2::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4129.26; Thu, 13 May 2021 23:07:58 +0000
Received: from DM6PR11MB3194.namprd11.prod.outlook.com ([fe80::e4e0:cf18:7be1:8019]) by DM6PR11MB3194.namprd11.prod.outlook.com ([fe80::e4e0:cf18:7be1:8019%7]) with mapi id 15.20.4129.026; Thu, 13 May 2021 23:07:58 +0000
From: "Juan Alcaide (jalcaide)" <jalcaide@cisco.com>
To: John Scudder <jgs@juniper.net>, The IESG <iesg@ietf.org>
CC: "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>, "idr-chairs@ietf.org" <idr-chairs@ietf.org>, "idr@ietf.org" <idr@ietf.org>, Susan Hares <shares@ndzh.com>, "aretana.ietf@gmail.com" <aretana.ietf@gmail.com>, Lars Eggert <lars@eggert.org>, "David Smith (djsmith)" <djsmith@cisco.com>, Magnus Nyström <magnusn@gmail.com>
Thread-Topic: John Scudder's No Objection on draft-ietf-idr-bgp-flowspec-oid-13: (with COMMENT)
Thread-Index: AQHXQ3tJiP7jAt0U4UqyoDg/3TXRCKriDsNQ
Date: Thu, 13 May 2021 23:07:57 +0000
Message-ID: <DM6PR11MB3194EAEC2799AD9213E2B527CD519@DM6PR11MB3194.namprd11.prod.outlook.com>
References: <162041746726.16037.6421894058933171338@ietfa.amsl.com>
In-Reply-To: <162041746726.16037.6421894058933171338@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: juniper.net; dkim=none (message not signed) header.d=none;juniper.net; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [83.38.90.229]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e06ceb11-4cbf-4d64-d683-08d91663f2c7
x-ms-traffictypediagnostic: DM6PR11MB4642:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <DM6PR11MB4642B05798318AF3BD3DEAD9CD519@DM6PR11MB4642.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: NnASe0pz7SURs2otUXzLf+Nege4Ey/iN7sENbrxO1VCr5afmE9Wzv9TE2mu8KnXdV1CmP9qX8QolOj9P97i9OYS7fapPVxiYZz4cIhPBQnWA2hi6rpV4zxCeYEN6uGp+3J8ZsBjCnfZDJLefOKW/XYLAzlM2+ml6hmFoSlqn5NLovOuqAm8NxVp9qi/6mRSTPThac5xXdMkgrTzmuYHfA6591+ijLxkp+H5JA+SAiaGe2QlHZOWxbZvLo6VkEXRWRkWPVhljo9MuqfC0RHofmQnYq98mXMAMNPcEgoxR3yimCrw5hjsLbUe3t42OluQkfGXH4pRpImRK524zycxtcZ3+E5bMZw5lRKkMMpmifzNYSy/zVCIcsLy1+Xq+9IfI/Bdyyco6WHGejwqwBQogsKOzwS5Ao1VauhHfqIpLmwzMnLvs5Y0tzk41Kj27CxVICKW4j4J5vhqcBYgh1krElVrHfyi4NHmSl44ZAq6Wz1fG/08bjKXcz44mqfymt+M3FttKqstZsbf9QzzyOYh+wkHGYnAqARzpSAh3Cg9bH9N7QwjtM7L87xB8Ya5eduX0w7J+zcQX3OI0AeMQhTUByrAy0WxxlKlPnG7PqjZlTz80yErCYUpNyAZgleddlSOOcXQ9YJZUB3IkpOsbdC2cj46xPYY4vsRL9dQHqQ7WmJgEoJivro+qeXG6xxV/PnWMbs6KJGYf75N5pjw1GLjVciArY3GypGZcWQcOhqj66lA=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR11MB3194.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(376002)(366004)(39860400002)(346002)(396003)(71200400001)(86362001)(7696005)(8936002)(8676002)(66574015)(6506007)(53546011)(26005)(966005)(122000001)(54906003)(83380400001)(33656002)(38100700002)(66476007)(66946007)(478600001)(55016002)(52536014)(5660300002)(66446008)(64756008)(2906002)(4326008)(30864003)(110136005)(316002)(186003)(66556008)(76116006)(9686003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: +ruLM09gSPEIaTS1a4IMrOqHUR2OLye3DxtXFAAH8WOVfqsRqQWBpU3lk7Rs7u5kcS7IRtedwcVPCxm2GK2yh3hDED+ArajiED+0/B63+5uQe5zf5BzfIq/x8eJbl0d6Vzbq0fSGkqQ8hPqwty7tVgZevbeHoV+mhp02emoriVPM8v6dt9T+Iv3/PazLGL7fxG8sl3ghnpwprLNuNg+mmjxy76RmKuA+6rTN+iD82zooJdcF05ng67iBofZq48CGo53OWoDTOJfNEcsrWbR1Jk9WFrRtX/RFnRMBm2lYlZogqJCejp+Rk3fnGYk4sPUOKdGb81QAHhZs2/ja33GkU57Uu1IN+5w8b9pECdH4dvnbec9rNfP+tcQzURsaGXmNpms6Isr//ScRZfmg9DETK1JcidXYp5lVl60l/jioYYCUViGzrVftfWXNkyOo6lswNw3JbIDf4nuABhtKlzwW9es/kS0/dYCrGlAdxCunR3I3gH0VYIdhHuMjNzPw7fradhEViRVDGXwwiBilC+2m4oVKznVafNsDDEPmaHceGjR84j3a/x23sK/YoFLnHCARiY59g5cR25+VV4s+co4LTbclzC4UJhjj96RsTL7aLr0PLTDhJVDmYXauLXRVC/a6MjqlLBRPA6bg0Zp6tK5o+jxYlpHOf82LYkDn9sBHF0s53TzalDkpDYg89a2X895F3dIdpToxAtHRTuCbhwn9pX62FgkQ+FNteVxfPNLtjWxtxGCcr1fyKo6WnGUKP4HLwHHwt2vbVzHF66Wmyo6xLHL80jQXNmfOWy06Ol+z7nm4YxOJYKzIK6mRjJrGHW0Vbn7DgbNsLxNkV0dbrKkO2Hd4CY7kQKsyW4cmUJm1bQIoVTrdNSXhT0c540U1DmlTA27PBLWTOf9uQozhZLGkxXrFNh8YAkP48CqIyk43Pv4VTwF5o4iVNRhg33qTYU9/DRLIuUYE15c5JvXQcnv8pckX3wymzr0UaMpv7EJ8eFjCXzP7br/NbPklWzgNS9XPeLwBqeCnUA1jYOuzEjkrdrIEgjZ0veNLDADRV1X8KZYrOIM/YVenT1SfEKzFAha28f4truAAq0VnG+nB5k5+71/xSt64V8zDXLE1y/CNzzI+3eZA3FpGR7eM48KOUZz9Nej2orfrblaI2WjDMO1efyc9qyGxDv40bGbnXbNZX1lj9cpV7IaPfNOIax+xxBYDf2eSdYOvn+9TMkxlUjKHjRZ2WMNxpaYFuC5SdwQz2o4DeIN8oacNVJhf80Ox/gvKNHYahCmj+F6Umlit6Yf/fSZOG648KVwT4ePM0InRs0k=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR11MB3194.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e06ceb11-4cbf-4d64-d683-08d91663f2c7
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 May 2021 23:07:57.9312 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: RG9jgSEGWspULlVZnD9amWfjXEPaSlQRsJwBYFGLnjKD0S6YM3IRo6Z/NhSaCrA+xldhP9A2tZbO0lMvXDMnVQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB4642
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.22, xbe-aln-007.cisco.com
X-Outbound-Node: rcdn-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/VmS03vOmycqI-XEM_t1SW4V6F1k>
X-Mailman-Approved-At: Fri, 14 May 2021 08:23:14 -0700
Subject: Re: [Idr] John Scudder's No Objection on draft-ietf-idr-bgp-flowspec-oid-13: (with COMMENT)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 May 2021 23:08:07 -0000
Hi John,
Thanks a lot for your detailed comments. Sorry, also I missed them before publishing -14. Some of the changes on -14 already address your concerns.
I'll incorporate your comments. But some of them I'd like to discuss are:
#4
Your suggestion
For clarity, the AS in the left-most position of the AS_PATH means
the AS that was most recently added to the AS_PATH.
I used AS_SEQUENCE on purpose. You are not receiving the route from the same confederation. And it would not apply to AS_SET.
But rfc4271 uses directly AS_PATH. So it's fine to use AS_PATH even if it's not that specific?
#6
You didn't like:
Using the new rule to validate a Flow Specification route received
from an External Border Gateway Protocol (eBGP) peer belonging to
the same local domain (in the case of a confederation) is out of
the scope of this document. Note that although it's possible, its
utility is dubious. Although it is conceivable that a router in
the same local domain (both iBGP and eBGP within the same local
domain) could send a rogue update, only eBGP (outside the local
domain) risk is considered within this document (in the same
spirit of the mentioned beforehand AS_PATH validation in
[RFC4271]).
What about this rewrite:
"
Using that same original AS_PATH validation rule for a route learned from a confed-ebgp peer (i.e. a peer in another sub-AS within the same local domain)
is outside of the scope of this document. Note that although it's possible, its utility is dubious, since that confed-ebgp peer may be considered
trusted. Although it is conceivable that a router in the same local domain (both iBGP and eBGP within the same local domain) could send a rogue update,
only eBGP (outside the local domain) risk is considered within this document. Note also that [RFC5065] does not mandate to enforce this AS_PATH validation
rule for a route learned from a confed-ebgp peer.
"
This paragraph was built as a part of trying to include and mix toguether several review comments. But honestly I don't think it adds that much value. So
I wouldn't mind to remove it.
I keep using 'local domain' just to specify that I am refering to either 1) a standalone AS or 2 ) to a confederation of ASes. If you have a better way, I'll be happy to use it.
#10.
Section 7 was rewritten in draft -14 using some of the points you also raised. Does it look Ok now?
Trying to make it clear the enforcement paragraph for both you, Lars, and Magnus, I would rewrite it like this, if nobody objects.
"
If configuration (or other means beyond the scope of this document) indicates that the peer is not a route server,
that optional rule SHOULD be enforced. If the indication is that the peer is not a route server or there is no conclusive
indication, that optional rule SHOULD NOT be enforced.
"
#OTHER
Nobody complained, so not sure if I'm over thinking it. But this doesn't seem 100% correct
"
This document updates the route feasibility validation procedures for
Flow Specifications learned from iBGP peers and through route
servers. This change is in line with the procedures described in
[RFC8955] and, thus, the security characteristics equivalent to the
existing security properties of BGP unicast routing are maintained.
"
Aren't we introducing a bit more of a risk than unicast routing, because of the AS_PATH validation rule? (as stated in " If that original rule is not enforced for Flow
Specification it may introduce some new security risks")
When rfc8955 says " As long as Flow Specifications are restricted to match the corresponding unicast routing paths for the relevant prefixes
(Section 6)," it's not making reference to AS_PATH validation rule. Shouldn't it?
-J
-----Original Message-----
From: John Scudder via Datatracker <noreply@ietf.org>
Sent: Friday, May 7, 2021 9:58 PM
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-idr-bgp-flowspec-oid@ietf.org; idr-chairs@ietf.org; idr@ietf.org; Susan Hares <shares@ndzh.com>; aretana.ietf@gmail.com; shares@ndzh.com
Subject: John Scudder's No Objection on draft-ietf-idr-bgp-flowspec-oid-13: (with COMMENT)
John Scudder has entered the following ballot position for
draft-ietf-idr-bgp-flowspec-oid-13: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)
Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about DISCUSS and COMMENT positions.
The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-idr-bgp-flowspec-oid/
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------
Thanks for this document, I'm glad to see it finally close to publication. I have a few comments I hope will help improve it, below.
1. Section 2
[RFC8955] defines a BGP NLRI [RFC4271] that can be used to distribute
RFC 4271 is the right citation for “BGP” but for “BGP NLRI” other than IPv4 unicast you want RFC 4760.
the Flow Specification. The aim is making sure that only speakers on
making -> to make
originated in any location within the same autonomous system than the
than -> as
Flow Specification received from an iBGP peer, it could be possible
to disseminate such Flow Specification NLRIs directly from the
“It could be possible”? Or “it would be necessary”?
validated when received by RR and R1. Sometimes the Flow
Specification needs to be originated on AS1. ASBR1 could originate
on -> within
2. Section 4.1
1. This condition SHOULD be enabled by default (it may be
disabled by explicit configuration as described on the
next list item (b.2.1)).. an empty AS_PATH.
Looks as though “an empty AS_PATH” is a cut-n-paste error that should be deleted?
3. As an extension to this rule, a given non-empty AS_PATHs
AS_PATHs -> AS_PATH (agreement in number)
AS_CONFED_SET segments), MAY be validated by policy. A
I think “permitted” would be clearer than “validated”.
Also, policy may be useful to validate a specific set of non-empty
AS_PATHs (b.2.3). For example, it could validate a Flow
Specification whose AS_PATH contains only an AS_SEQUENCE with ASes
that are all known to belong to the same administrative domain.
Same point, I suggest “permit”.
3. Section 4.2
This rule prevents the exchange of BGP Flow Specification NLRIs at
Internet exchanges with BGP route servers [RFC7947].
Since it may not be common knowledge that route servers don’t insert their own AS number, I suggest a change something like this, for clarity:
This rule prevents the exchange of BGP Flow Specification NLRIs at
Internet exchanges with BGP route servers, which by design don’t insert
their own AS number into the AS_PATH ([RFC7947] Section 2.2.2.1).
4. Section 4.2
For clarity, the AS in the left-most position of the AS_PATH means
the AS that was last added to the AS_SEQUENCE.
I suggest changing “last” to “most recently”. This is just personal preference, though. I also suggest changing “AS_SEQUENCE” somehow, probably to “AS_PATH”.
The reason for this is there could be more than one AS_SEQUENCE in the AS_PATH so the definite article isn’t quite correct. There is however only one AS_PATH, and you can make the change without loss of generality or correctness. So, the full suggested rewrite is:
For clarity, the AS in the left-most position of the AS_PATH means
the AS that was most recently added to the AS_PATH.
5. Section 4.2
Specifications. This is a security BGP threat, but out of the
“Security BGP threat” -> “security threat” (or “BGP security threat” if you
prefer)
6. Section 4.2
Using the new rule to validate a Flow Specification route received
from an External Border Gateway Protocol (eBGP) peer belonging to
the same local domain (in the case of a confederation) is out of
the scope of this document. Note that although it's possible, its
utility is dubious. Although it is conceivable that an router in
the same local domain (both iBGP and eBGP within the same local
domain) could send a rogue update, only eBGP (outside the local
domain) risk is considered within this document (in the same
spirit of the mentioned beforehand AS_PATH validation in
[RFC4271]).
I’m having a hard time understanding this paragraph. This is at least partly due to the use of “local domain“, which isn’t a well-defined term of art. You could try something like “under the same administration“? But, even if I make that change in my head as I read the paragraph, I still don’t get your point.
:-(
Is the whole paragraph strictly about confederations, and what you’re talking about is a BGP session between a router in one member-AS and a router in another member-AS of the confederation? If that’s it, I can probably propose some new text.
Also, “an router” -> “a router”.
Also, you should cite RFC 5065 when you mention confederations.
7. Section 5
its best-match unicast route) are learned from the same peer accross
accross-> across
8. Section 5
Consider the validation procedure preceding this document. The
I think what you mean here is “consider the validation procedure defined in RFC 8955“. If that’s correct, I suggest saying it that way. (If that’s not correct, what did you mean?)
9. Section 7
thus maintain security characteristics equivalent to the existing
Maintain -> maintains
10. Section 7
The original AS_PATH validation rule ([RFC4271] section 6.3) becomes
hereby optional (section 4.2).
I don’t think you’re actually updating RFC 4271, are you? The way you’ve written this makes it sound as though you are. You’re relaxing the rule in RFC 8955, but as you point out in section 4.2, RFC 4271 makes AS_PATH neighbor AS insertion enforcement optional to begin with:
If the UPDATE message is received from an external peer, the local
system MAY check whether the leftmost (with respect to the position
of octets in the protocol message) AS in the AS_PATH attribute is
equal to the autonomous system number of the peer that sent the
message. If the check determines this is not the case, the Error
Subcode MUST be set to Malformed AS_PATH.
Maybe you could rewrite something like this: “As per section 4.2, it is becomes optional to enforce that the AS_PATH attribute of a route received via the External Border Gateway Protocol (eBGP) contains the neighboring AS in the leftmost position of the AS_PATH attribute. Then we continue:
If that original rule is actually not
enforced it may introduce some security risks. A peer (or a client
of a route server peer) in AS X could advertise a rogue Flow
Specification route whose first AS in AS_PATH was Y (assume Y is the
first AS in the AS_PATH of the best-match unicast route). This risk
is impossible to prevent if the Flow Specification route is received
from a route server peer.
I think you’ve missed out on the opportunity to point out that the risk can also be mitigated if the route server itself enforces the optional rule of RFC
4271 section 6.3.. I think it’s fair to say that at an exchange point, the administrator of the route server enjoys more trust then the administrators of other routers at the exchange point.
If that peer is known for a fact not to be
a route server, that optional rule SHOULD be enforced for Flow
Specification routes.
It may be necessary to say a little more about how you would get this knowledge about the peer not being a route server. Possibly a rewrite could be something
like: "Unless configuration (or other means beyond the scope of this document) indicates that the peer is a route server, that optional rule SHOULD be enforced for Flow Specification routes from EBGP peers."
11. Section 7
absolute and the new possibility than an iBGP speaker could send a
Than -> that
- [Idr] John Scudder's No Objection on draft-ietf-i… John Scudder via Datatracker
- Re: [Idr] John Scudder's No Objection on draft-ie… Juan Alcaide (jalcaide)
- Re: [Idr] John Scudder's No Objection on draft-ie… John Scudder
- Re: [Idr] John Scudder's No Objection on draft-ie… Juan Alcaide (jalcaide)
- Re: [Idr] John Scudder's No Objection on draft-ie… John Scudder
- Re: [Idr] John Scudder's No Objection on draft-ie… Juan Alcaide (jalcaide)