Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard

Jared Mauch <jared@puck.Nether.net> Thu, 20 April 2017 15:59 UTC

Return-Path: <jared@puck.nether.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60C5A129513 for <idr@ietfa.amsl.com>; Thu, 20 Apr 2017 08:59:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.203
X-Spam-Level:
X-Spam-Status: No, score=-4.203 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1j7UUc-4Wrzb for <idr@ietfa.amsl.com>; Thu, 20 Apr 2017 08:59:01 -0700 (PDT)
Received: from puck.nether.net (puck.nether.net [IPv6:2001:418:3f4::5]) by ietfa.amsl.com (Postfix) with ESMTP id 7D82E129AF6 for <idr@ietf.org>; Thu, 20 Apr 2017 08:58:58 -0700 (PDT)
Received: by puck.nether.net (Postfix, from userid 162) id 30C27540DFC; Thu, 20 Apr 2017 11:58:58 -0400 (EDT)
Date: Thu, 20 Apr 2017 11:58:58 -0400
From: Jared Mauch <jared@puck.Nether.net>
To: Enke Chen <enkechen@cisco.com>
Cc: Jared Mauch <jared@puck.nether.net>, John G Scudder <jgs@juniper.net>, idr@ietf.org, Hares Susan <shares@ndzh.com>
Message-ID: <20170420155858.GA15676@puck.nether.net>
References: <D4E812E8-AA7B-4EA2-A0AC-034AA8922306@juniper.net> <abe393d3-d1e4-7841-4620-38dab751765b@cisco.com> <68B29403-9AD9-4F06-9FE4-3F077E793D9F@puck.nether.net> <275cf744-1f64-bcbc-dabe-a47479921230@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <275cf744-1f64-bcbc-dabe-a47479921230@cisco.com>
User-Agent: Mutt/1.8.0 (2017-02-23)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/ZI0ZsUouOMoL8RqB__ZRnVD-Blc>
Subject: Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Apr 2017 15:59:03 -0000

On Thu, Apr 20, 2017 at 08:36:17AM -0700, Enke Chen wrote:
> Hi, Jared:
> 
> If it is not obvious, let me state the I participate in IDR WG as an individual
> contributor, just like you do I suppose.

	Of course.

	:-)

> Let me rephrase what I said, for a code base with a large and diverse customer base
> I do not foresee any possibility for the default behavior change in this case. Again
> please treat it as my personal opinion.
> 
> I am certainly aware of other cases where the default behavior has been changed. But
> this one is different.  This case seems similar to the default behavior ("permit" or
> "deny") for an empty ACL.  Once the "permit" or "deny" is set in the code and is
> widely deployed for a long time, it is just not possible to make the switch between
> "permit" and "deny".

	I think there is a very distinct issue here, I would of course love
for existing vendors to come in compliance with a "secure-by-default" strategy.
Many othr people with far more devices than BGP speakers have seen this
necessity and made the change, claiming that BGP is somehow unique or that
operators do not deserve this safety is inconsiderate.

	My intent isn't to update 4271, it's Alvaro that has raised that
spectre.

	Cisco (as an example) has many cases where defaults have changed,
the same is true of many pieces of software, either in development or after
deployment.  Sometimes thse are called bugs, sometimes a feature.

	I've outlind my recommendation of how I would like to see 
nvgen function work in Ciscos case, that these devices can simply
expose these defaults, just as config bits often are massively reordered
betwen even minor interims or rebuilds.

	If you take the line-by-line interpreted vs atomic model of
driving configuration, it is not possible to apply policy to a session before
the FSM starts running.  This is unsafe.

	I'm seeing the GROW WG advise what an operational safe default
practice is as there is no codified standard of the behavior.  Operators
value consistent behavior, and it's clear with much of the ongoing work
in IETF around standards based models that the vendors see value as well.

	I suspect many people in IDR have not seen a bank be MITM'ed
for months due to routing leakage.  They would say this must be the
intended policy of 'pass all'.

	With further BGP speakers coming online, we need to address
this technical debt that many of us bear the burden of.

	Re: the draft under discussion, did you look at any of the prior
versions of the text?  I suspect that many people have not.

The pre-GROW-WG text said:

https://tools.ietf.org/html/draft-mauch-bgp-reject-00

-- snip --
3.  Solution Requirements

   The following requirements apply to the solution described in this
   document:

   o  Software MUST NOT accept routes from an eBGP peer without an
      operator configuring a policy

   o  Software MUST NOT require a configuration directive to operate in
      this mode.

   o  Software MUST NOT send routes to an eBGP peer without an operator
      configuring a policy

   o  Software MUST provide protection from internal failures preventing
      the advertisement and acceptance of routes

   o  Software MAY provide a configuration option to disable this
      security capability.
-- snip --


After advisement of BGP implementors, and post-adoption it seemed
an implementor may require a pointer to actually when and how to
reject the routes, as this guidance was seen as unclear.

This is when section 3 was updated:

https://tools.ietf.org/html/draft-ietf-grow-bgp-reject-00

-- snip --
   o  Software MUST mark any routes from an eBGP peer as 'invalid' in
      the Adj-RIB-In, if no explicit policy was configured.
-- snip --

And eventually morphed into something that cited a Informative Reference
and gave detailed guidance:

https://tools.ietf.org/html/draft-ietf-grow-bgp-reject-05

-- snip --

   o  A BGP speaker MUST consider any routes advertised by an EBGP peer
      ineligible for route selection (section 9.1.1 [RFC4271]), if no
      import policy was configured for the peer.

-- snip --

Is one of these previous iterations of the text more acceptable to you
or the IDR WG?

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.