Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard

Job Snijders <job@ntt.net> Thu, 20 April 2017 08:58 UTC

Return-Path: <job@instituut.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0464A12EB8C for <idr@ietfa.amsl.com>; Thu, 20 Apr 2017 01:58:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xp_bt_P90XWT for <idr@ietfa.amsl.com>; Thu, 20 Apr 2017 01:57:59 -0700 (PDT)
Received: from mail-wm0-f46.google.com (mail-wm0-f46.google.com [74.125.82.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74C4812EB9F for <idr@ietf.org>; Thu, 20 Apr 2017 01:57:59 -0700 (PDT)
Received: by mail-wm0-f46.google.com with SMTP id y18so1425542wmh.0 for <idr@ietf.org>; Thu, 20 Apr 2017 01:57:59 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=2bpz0WLPazyMSkimDkjJNRIU1cAAJz9KKDt3JcbMh/A=; b=C3S0RIfdveHC9NmQ2SPGhNs3t18erjSp+DiWmexZWbKbMDbRyPX6FxjOUpqfa8svLB yUf4uMQfM36tFFiv7mn5EMiWWXpn4XJ7eXz3pEdk9GON3f+eUXRM+0nUhyz8KePcRZYU 2J0jCGFlPsYhbFJG+WUQQR36A57KQsALVTv1lvZ/aGiICFtHDBV9r+aY6r2Mjrt7kmva BuCbn14GpHmdSgPnzv+L0sSr2DaVacLpy6fkR8BbTalxheOA4xfC/67GAQDUEMpEGICh YIdqeYErqugY4ZrDi+OmkTSdRyncMzW5LCRNLigrj42/Q3Hv2Fz8AGZLQoqkb+yrwqSV lwCA==
X-Gm-Message-State: AN3rC/4vxrWvqOY+KKRIqMct3UyKgiNhBsi2/OAfqgu4ZY7+VWQUj7DR +Co+moZbBW/wbg==
X-Received: by 10.28.218.67 with SMTP id r64mr2037362wmg.36.1492678677878; Thu, 20 Apr 2017 01:57:57 -0700 (PDT)
Received: from localhost ([2001:67c:208c:10:4cc4:bdef:de0c:32e0]) by smtp.gmail.com with ESMTPSA id v23sm6188245wra.65.2017.04.20.01.57.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 20 Apr 2017 01:57:56 -0700 (PDT)
Date: Thu, 20 Apr 2017 10:57:55 +0200
From: Job Snijders <job@ntt.net>
To: bruno.decraene@orange.com
Cc: "John G. Scudder" <jgs@juniper.net>, "idr@ietf.org" <idr@ietf.org>, Hares Susan <shares@ndzh.com>
Message-ID: <20170420085755.sbzdtcjhirdoi3b3@hanna.meerval.net>
References: <D4E812E8-AA7B-4EA2-A0AC-034AA8922306@juniper.net> <19878_1492639968_58F7E0E0_19878_13298_1_53C29892C857584299CBF5D05346208A31CBE742@OPEXCLILM21.corporate.adroot.infra.ftgroup>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <19878_1492639968_58F7E0E0_19878_13298_1_53C29892C857584299CBF5D05346208A31CBE742@OPEXCLILM21.corporate.adroot.infra.ftgroup>
X-Clacks-Overhead: GNU Terry Pratchett
User-Agent: NeoMutt/20170306 (1.8.0)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/a01c09lhllWvfNYf_cAUjSuJ0fg>
Subject: Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Apr 2017 08:58:01 -0000

On Wed, Apr 19, 2017 at 10:12:48PM +0000, bruno.decraene@orange.com wrote:
> Thanks John for bringing this in IDR.
> 
> I admit that I was not following this subject so my comments might be redundant or even stupid.
> 
> 1) Am I missing something or would this break all existing EBGP
> sessions deployed with no policy?

Yes, you are missing the fact that a wild variety of defaults has been
deployed in the wild:

    o some reject on ingress, promiscuous on egress
    o some reject on both ingress and egress
    o some accept and announce everything

This documents aims to align those on a singular safe default: on EBGP
you'll need to configure a policy for something to happen.

> If so this would definitely not be deployment friendly. Especially for
> BGP/MPLS VPN networks using EBGP for PE-CE routing and which have
> little use of filtering policies.

This is what release notes are for.

> 2) BTW, what is exactly eligible as an "import policy"? e.g.
> - is an explicit policy capping the number of received routes eligible as an "import policy"? 
> - is Route Target filtering (either automatic or manual) a routing policy?
> 
> Same question of "export policy". e.g.
> Is an expert policy tagging community eligible?

i do not understand what you mean. Can you elaborate or phrase
differently?

> 3) From the introduction
> "   There are BGP routing security issues that need to be addressed to
>    make the Internet more stable. [...]  This document provides guidance to BGP [RFC4271]
>    implementers to improve the default level of Internet routing
>    security."
> 
> Does this mean that this proposition should be restricted to Internet
> routing? (while BGP is used for many others applications)

It is restricted to EBGP.

> 4) Alternatively, there could be a (capability) signaling during the
> OPEN of the EBGP session. With one end requesting this behavior to its
> peer. (or alternatively it's peer advertising the presence of a policy
> and the receiver taking its own decision).
> 
> Possibly, some of the requirements may already be addressed by
> configuring a policy limiting the number of routes acceptable from a
> peer/customers, and closing the EBGP sessions when this limit is
> reached. This seems this would catch customers/peers advertising the
> full routing by mistake/misconfiguration.

no.

Kind regards,

Job