Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action

"David Smith (djsmith)" <djsmith@cisco.com> Fri, 27 April 2018 22:07 UTC

From: "David Smith (djsmith)" <djsmith@cisco.com>
To: PVLR Pavana Murthy <pvlrpm@gmail.com>
CC: idr wg <idr@ietf.org>, Pradosh Mohapatra <mpradosh@yahoo.com>, "draft-ietf-idr-flowspec-redirect-ip@ietf.org" <draft-ietf-idr-flowspec-redirect-ip@ietf.org>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>
Thread-Topic: Validation for BGP Flow-Spec Redirect to IP Action
Thread-Index: AQHT0uuAIyyPj6TSKkC7hpPOOBsfrqQVHkWA
Date: Fri, 27 Apr 2018 22:07:13 +0000
Message-ID: <aaa4916758a34ed99cb7432cff257f25@XCH-RCD-012.cisco.com>
References: <CAN-MQG6bDyzcyuVs1vmka-JZFrD9Ya1uOuU_AFxfu0GnYgdmbA@mail.gmail.com>
In-Reply-To: <CAN-MQG6bDyzcyuVs1vmka-JZFrD9Ya1uOuU_AFxfu0GnYgdmbA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/YyeUT6wb_NGfJcPJqeDmFAYhkjA>

Hi Pavana,

Your points are valid. With that said, I'll defer you to draft-ietf-idr-bgp-flowspec-oid-05 (and later) and, specifically, section 4 (revised validation procedure), which addresses your points below.

Coincidentally, a WG last call was issued for draft-ietf-idr-bgp-flowspec-oid-06 yesterday.

Regards,

/dave


From: PVLR Pavana Murthy <pvlrpm@gmail.com>
Sent: Friday, April 13, 2018 1:51 AM
To: idr wg <idr@ietf.org>; pmohapat@cumulusnetworks.com; David Smith (djsmith) <djsmith@cisco.com>
Subject: Validation for BGP Flow-Spec Redirect to IP Action

Hello,
In the draft draft-ietf-idr-flowspec-redirect-ip-02.txt, the following procedure is mentioned to validate the extended community of 'Flowspec redirect to IP'.

   BGP speakers that support the extended communities defined in this
   draft MUST also, by default, enforce the following check when
   receiving a flow-spec route from an EBGP peer: if the received flow-
   spec route has a 'redirect to IP' extended community with a 'target
   address' X (in the global administrator field) and the best matching
   route to X is not a BGP route with origin AS matching the peer AS
   then the extended community should be discarded and not propagated
   along with the flow-spec route to other peers.

I have 2 doubts related to this statement.

What is 'origin AS' here? Is it the AS no. that is first added to the AS_PATH?
In the previous version of the draft it's mentioned as the last AS in the AS_PATH.
Is it the last AS no. that has been added to the AS_PATH or the last AS no. from left in AS_PATH?

What if the redirect target X is directly connected or reachable by a static route and it's not advertised by EBGP?

Do we need to consider that action invalid in that case?

Thanks,

Pavana.
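The check quoted from draft-ietf-idr-flowspec-redirect-ip-02 above, written out as an added example so the two questions in the thread can be exercised against a constructed RIB. This is not code from the thread, the draft, or any vendor implementation. It assumes a longest-prefix-match lookup, a hypothetical `Route` record with a protocol tag and an AS_PATH list, and it makes the "origin AS" reading a parameter: the default takes the originating AS (rightmost AS_PATH entry), and `leftmost=True` takes the nearest AS instead, so the difference the first question asks about is visible in the result. Non-BGP best matches (connected or static) fail the check exactly as the quoted text is worded, which is the situation the second question raises; neither reading is presented here as the draft's answer.

```python
"""Added example: 'redirect to IP' extended-community validation as quoted
from draft-ietf-idr-flowspec-redirect-ip-02 (not the draft's or any
vendor's code).  RIB contents, AS numbers and addresses are constructed
sample data from documentation ranges."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Route:
    """Hypothetical RIB entry (assumption, not a real router data model)."""
    prefix: str                 # e.g. "192.0.2.0/24"
    protocol: str               # "bgp", "static" or "connected"
    as_path: List[int] = field(default_factory=list)  # wire order: leftmost first


def origin_as(route: Route, leftmost: bool = False) -> Optional[int]:
    """Which AS counts as 'origin AS' is exactly what the thread asks.
    Default: the AS that originated the route (rightmost AS_PATH entry).
    leftmost=True: the AS that most recently prepended itself."""
    if route.protocol != "bgp" or not route.as_path:
        return None
    return route.as_path[0] if leftmost else route.as_path[-1]


def best_match(rib: List[Route], target: str) -> Optional[Route]:
    """Longest-prefix match for the redirect target address X."""
    addr = ipaddress.ip_address(target)
    covering = [r for r in rib if addr in ipaddress.ip_network(r.prefix)]
    if not covering:
        return None
    return max(covering, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


def redirect_ip_allowed(rib: List[Route], target: str, peer_as: int,
                        leftmost: bool = False) -> Tuple[bool, str]:
    """Apply the quoted check for a flow-spec route received from an EBGP peer.

    Returns (keep_community, reason).  False means the 'redirect to IP'
    extended community is discarded and not propagated with the route."""
    route = best_match(rib, target)
    if route is None:
        return False, "no route to target"
    if route.protocol != "bgp":
        # The quoted text requires a BGP route; connected/static fail here.
        return False, f"best match is a {route.protocol} route, not BGP"
    o = origin_as(route, leftmost)
    if o != peer_as:
        return False, f"origin AS {o} does not match peer AS {peer_as}"
    return True, f"origin AS {o} matches peer AS {peer_as}"


# Constructed sample RIB (documentation prefixes and private-use ASNs).
EXAMPLE_RIB = [
    Route("192.0.2.0/24", "bgp", [64496, 64500]),   # learned from 64496, originated by 64500
    Route("192.0.2.0/25", "bgp", [64496]),          # more specific, originated by 64496
    Route("198.51.100.0/24", "connected"),
    Route("203.0.113.0/24", "static"),
]
PEER_AS = 64496


def evaluate_cases(leftmost: bool = False) -> dict:
    """Run the check over the targets the thread's questions are about."""
    targets = ["192.0.2.10", "192.0.2.200", "198.51.100.1", "203.0.113.1", "10.0.0.1"]
    return {t: redirect_ip_allowed(EXAMPLE_RIB, t, PEER_AS, leftmost) for t in targets}


if __name__ == "__main__":
    for reading in (False, True):
        print(f"--- origin AS = {'leftmost' if reading else 'rightmost'} AS_PATH entry ---")
        for target, (keep, why) in evaluate_cases(reading).items():
            print(f"{target:>14}: {'keep' if keep else 'discard':7} ({why})")
```

Running it shows why the first question matters: for 192.0.2.200 the /24 has AS_PATH [64496 64500], so the community is discarded under the originating-AS reading but kept under the leftmost-AS reading. It also shows the second question's consequence under the text as quoted: connected and static best matches are always discarded, which is the behaviour an operator would want to confirm against the revised procedure Dave points to.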