Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard

Jared Mauch <jared@puck.nether.net> Thu, 20 April 2017 13:40 UTC

Return-Path: <jared@puck.nether.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ACD913145A for <idr@ietfa.amsl.com>; Thu, 20 Apr 2017 06:40:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.203
X-Spam-Level:
X-Spam-Status: No, score=-4.203 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0r5IjVNIg6EC for <idr@ietfa.amsl.com>; Thu, 20 Apr 2017 06:40:35 -0700 (PDT)
Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by ietfa.amsl.com (Postfix) with ESMTP id F1164124BE8 for <idr@ietf.org>; Thu, 20 Apr 2017 06:40:34 -0700 (PDT)
Received: from [IPv6:2603:3015:3603:8e00:25c2:4c02:5849:c73d] (unknown [IPv6:2603:3015:3603:8e00:25c2:4c02:5849:c73d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by puck.nether.net (Postfix) with ESMTPSA id D6AE8540901; Thu, 20 Apr 2017 09:40:30 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CA+b+ER=hq0=JNRfF8VA76_aqeRMBCeyQm5aTbapysXGTgaGS_g@mail.gmail.com>
Date: Thu, 20 Apr 2017 09:40:13 -0400
Cc: Keyur Patel <keyur@arrcus.com>, "Acee Lindem (acee)" <acee@cisco.com>, Hares Susan <shares@ndzh.com>, "idr@ietf.org" <idr@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <50353B76-1323-4828-88D6-25954DA1E344@puck.nether.net>
References: <D4E812E8-AA7B-4EA2-A0AC-034AA8922306@juniper.net> <9047A5A0-ED12-43C2-B2C5-D2A71CBB4373@arrcus.com> <D51D46A7.A9732%acee@cisco.com> <0A49219D-E721-4DA8-B9BF-A55C2FA36FBE@puck.nether.net> <D95C67A4-AEBF-400B-A360-61C342FD6E4A@arrcus.com> <CA+b+ER=hq0=JNRfF8VA76_aqeRMBCeyQm5aTbapysXGTgaGS_g@mail.gmail.com>
To: Robert Raszuk <robert@raszuk.net>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/Y-YKXgMVCfhnHvSFVjYSiuQac3I>
Subject: Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Apr 2017 13:40:37 -0000

> On Apr 19, 2017, at 6:26 PM, Robert Raszuk <robert@raszuk.net>; wrote:
> 
> Keyur,
> 
> You can not set "insecure mode" before you reload the OS as current OS does not have such knob. Unless you delay the deployment across N releases and enforce sequenced upgrade.

Infact, this is the recommendation that I’ve provided to vendors that have expressed concerns.  There are many defaults that have not always been displayed, but things like IOS have “show run all” so you can see these.  

Something like the ‘bgp unsafe-ebgp-policy’ could be generated on their respective implementations.  I didn’t think that GROW/IDR needed to tell implementors this level of how to manage their release, so this does seem somewhat out of scope, but a concern I can see needs to be thought about.

> The only way to prevent massive reachability failure upon reload due to complete silent bgp prefix drop is to configure inbound policy for all EBGP sessions before the reload and run with new image. 

Since we’re talking about how to operate a network:
- People who are taking advantage of an undefined behavior will always be surprised
- Vendors can take the N+1.x and N+2.x release strategy, where in N and N+1 they generate their equivalent of IOS-XR and the "bgp unsafe-ebgp-policy” policy to prevent their customers from breaking
- In a release N+2(or more) that would become the “default”.

> Of course this is all assuming that someone will read carefully the release notes :) 

Most people don’t, and I’ve always suggested to vendors they implement some sort of incremental approach to resolving this.

What worries me is that there is a major incumbent provider who doesn’t see this as the serious (and well-documented) security issue that it is for those operating large networks.

> If they do not the troubleshooting of this will be really painful ! CE will see EBGP session as UP, will get all the routes and will send his routes. CE will have no clue if PE dropped or accepted his routes. Likewise on the other end .. Only imagine a network which has 10s of thousands of VPN CEs as Bruno mentioned and their provider not following all releases CEs are running. 


If they don’t know how to troubleshoot BGP, that isn’t the vendors fault.

> At least doing it as part of OPEN msg will be immediately indicated to both ends. 

This is you promoting a different draft, I recommend another thread for that draft.

- Jared

> 
> //R
> 
> 
> On Thu, Apr 20, 2017 at 12:16 AM, Keyur Patel <keyur@arrcus.com>; wrote:
> And that would be good enough if that would allow exemptions of DC networks and any other networks that may need exemption.
> 
> In that case I support the publication.
> 
> Regards,
> Keyur
> 
> On 4/19/17, 2:08 PM, "Jared Mauch" <jared@puck.nether.net>; wrote:
> 
>     If someone sets insecure mode they can  e as promiscuous as they want.
> 
>     That mode can have a very low bar IMO.
> 
>     Jared Mauch
> 
>     > On Apr 19, 2017, at 4:58 PM, Acee Lindem (acee) <acee@cisco.com>; wrote:
>     >
>     > I would agree with Keyur, For better or worse, our Cisco NX-OS BGP
>     > implementation does not require configuration of a peer policy.
>     >
>     > In fact, this requirement is contrary to some of the auto-discovery
>     > mechanisms we are exploring where only knowledge of the mutual address
>     > families is required.
>     >
>     > Thanks,
>     > Acee
>     >
>     > On 4/19/17, 4:43 PM, "Idr on behalf of Keyur Patel" <idr-bounces@ietf.org
>     > on behalf of keyur@arrcus.com>; wrote:
>     >
>     >> Thank you John for bringing it on IDR.
>     >>
>     >> As an update to RFC4271, I am not sure if I agree with the EBGP policy
>     >> configuration. There are lot of DC networks (for example) that use EBGP
>     >> within their CLOS. This extension may not be applicable in such networks.
>     >>
>     >> I would request authors to consider refining text to include appropriate
>     >> EBGP use cases and not make it generic for EBGP sessions (defined in
>     >> 4271).
>     >>
>     >> Regards,
>     >> Keyur
>     >>
>     >>
>     >> On 4/19/17, 9:49 AM, "Idr on behalf of John G. Scudder"
>     >> <idr-bounces@ietf.org on behalf of jgs@juniper.net>; wrote:
>     >>
>     >>   IDR folks,
>     >>
>     >>   As many of you have already noticed, draft-ietf-grow-bgp-reject-05
>     >> has completed GROW WGLC and is now in IETF LC.
>     >>
>     >>   As nobody other than Alvaro noticed (thank you for noticing, Alvaro!)
>     >> draft-ietf-grow-bgp-reject-05 represents an update to RFC 4271, in that
>     >> it mandates what a BGP implementation MUST do. See section 2 of the draft
>     >> for the details. It's short and easy to read.
>     >>
>     >>   If we had noticed this earlier, we would have either chosen to home
>     >> the document in IDR, or explicitly made an exception to have GROW do the
>     >> work. Given that we didn't, though, the plan is to continue progressing
>     >> the draft as a GROW document. However:
>     >>
>     >>   - As I understand it, the authors will add the Updates: 4271 header
>     >> in addition to potentially taking in other comments from AD review.
>     >>   - If anyone has a strong objection to the unusual procedure, please
>     >> say so (either on-list, or to the chairs + AD).
>     >>   - Please send any last call comments to the IETF LC (see below)
>     >> although it's also OK to discuss here on the IDR list of course.
>     >>
>     >>   Many IDR participants are also active in GROW and have had their say,
>     >> but if you haven't, now's your chance.
>     >>
>     >>   Thanks,
>     >>
>     >>   --John
>     >>
>     >>> Begin forwarded message:
>     >>>
>     >>> From: The IESG <iesg-secretary@ietf.org>;
>     >>> Subject: Last Call: <draft-ietf-grow-bgp-reject-05.txt> (Default
>     >> EBGP Route Propagation Behavior Without Policies) to Proposed Standard
>     >>> Date: April 18, 2017 at 5:16:05 PM EDT
>     >>> To: "IETF-Announce" <ietf-announce@ietf.org>;
>     >>> Cc: grow-chairs@ietf.org, grow@ietf.org,
>     >> draft-ietf-grow-bgp-reject@ietf.org, christopher.morrow@gmail.com
>     >>> Reply-To: ietf@ietf.org
>     >>>
>     >>>
>     >>> The IESG has received a request from the Global Routing Operations
>     >> WG
>     >>> (grow) to consider the following document:
>     >>> - 'Default EBGP Route Propagation Behavior Without Policies'
>     >>> <draft-ietf-grow-bgp-reject-05.txt> as Proposed Standard
>     >>>
>     >>> The IESG plans to make a decision in the next few weeks, and
>     >> solicits
>     >>> final comments on this action. Please send substantive comments to
>     >> the
>     >>> ietf@ietf.org mailing lists by 2017-05-02. Exceptionally, comments
>     >> may be
>     >>> sent to iesg@ietf.org instead. In either case, please retain the
>     >>> beginning of the Subject line to allow automated sorting.
>     >>>
>     >>> Abstract
>     >>>
>     >>> This document defines the default behavior of a BGP speaker when
>     >>> there is no import or export policy associated with an External BGP
>     >>> session.
>     >>>
>     >>>
>     >>> The file can be obtained via
>     >>> https://datatracker.ietf.org/doc/draft-ietf-grow-bgp-reject/
>     >>>
>     >>> IESG discussion can be tracked via
>     >>> https://datatracker.ietf.org/doc/draft-ietf-grow-bgp-reject/ballot/
>     >>>
>     >>> This IETF LC, which originally concluded on 2017-04-18, is being
>     >>> extended to allow for additional input to be provided. Ops AD (for
>     >> GROW)
>     >>> and Routing AD (for IDR) wish to ensure that cross WG discussions
>     >> have
>     >>> had a chance to occur.
>     >>>
>     >>> No IPR declarations have been submitted directly on this I-D.
>     >>
>     >>   _______________________________________________
>     >>   Idr mailing list
>     >>   Idr@ietf.org
>     >>   https://www.ietf.org/mailman/listinfo/idr
>     >>
>     >>
>     >> _______________________________________________
>     >> Idr mailing list
>     >> Idr@ietf.org
>     >> https://www.ietf.org/mailman/listinfo/idr
>     >
>     > _______________________________________________
>     > Idr mailing list
>     > Idr@ietf.org
>     > https://www.ietf.org/mailman/listinfo/idr
> 
> 
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>