Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard

Job Snijders <> Thu, 20 April 2017 08:58 UTC


On Wed, Apr 19, 2017 at 10:12:48PM +0000, wrote:
> Thanks John for bringing this in IDR.
> I admit that I was not following this subject so my comments might be redundant or even stupid.
> 1) Am I missing something or would this break all existing EBGP
> sessions deployed with no policy?

Yes, you are missing the fact that a wild variety of defaults has been
deployed in the wild:

    o some reject on ingress, promiscuous on egress
    o some reject on both ingress and egress
    o some accept and announce everything

This document aims to align those on a singular safe default: on EBGP
you'll need to configure a policy for something to happen.

> If so this would definitely not be deployment friendly. Especially for
> BGP/MPLS VPN networks using EBGP for PE-CE routing and which have
> little use of filtering policies.

This is what release notes are for.

> 2) BTW, what is exactly eligible as an "import policy"? e.g.
> - is an explicit policy capping the number of received routes eligible as an "import policy"? 
> - is Route Target filtering (either automatic or manual) a routing policy?
> Same question of "export policy". e.g.
> Is an export policy tagging community eligible?

I do not understand what you mean. Can you elaborate or phrase

> 3) From the introduction
> "   There are BGP routing security issues that need to be addressed to
>    make the Internet more stable. [...]  This document provides guidance to BGP [RFC4271]
>    implementers to improve the default level of Internet routing
>    security."
> Does this mean that this proposition should be restricted to Internet
> routing? (while BGP is used for many others applications)

It is restricted to EBGP.

> 4) Alternatively, there could be a (capability) signaling during the
> OPEN of the EBGP session. With one end requesting this behavior to its
> peer. (or alternatively its peer advertising the presence of a policy
> and the receiver taking its own decision).
> Possibly, some of the requirements may already be addressed by
> configuring a policy limiting the number of routes acceptable from a
> peer/customers, and closing the EBGP sessions when this limit is
> reached. This seems this would catch customers/peers advertising the
> full routing by mistake/misconfiguration.


Kind regards,
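
Added example, not part of the original message or of the draft: a pre-upgrade audit that lists which EBGP sessions would stop exchanging routes when a platform moves from one of the three legacy defaults named above to the draft's default. The inventory format, field names, policy names and legacy-default labels are assumptions made for this sketch, and "different AS number" is used as a simplified test for EBGP.

```python
from dataclasses import dataclass
from typing import Optional

# Pre-draft defaults listed in the message, as (accept, announce) for an
# EBGP session that has no policy configured. Key names are made up here.
LEGACY_DEFAULTS = {
    "reject-in/promiscuous-out": (False, True),
    "reject-both": (False, False),
    "accept-and-announce-all": (True, True),
}

@dataclass
class Neighbor:
    # Constructed inventory record; the field names are assumptions.
    peer: str
    local_as: int
    remote_as: int
    import_policy: Optional[str] = None
    export_policy: Optional[str] = None

def audit(neighbors, legacy):
    """Return (peer, [directions]) for sessions that stop passing routes
    once 'no policy' means 'nothing happens' on EBGP."""
    legacy_in, legacy_out = LEGACY_DEFAULTS[legacy]
    findings = []
    for n in neighbors:
        if n.local_as == n.remote_as:
            continue  # IBGP: out of scope, the draft is restricted to EBGP
        lost = []
        if n.import_policy is None and legacy_in:
            lost.append("import")
        if n.export_policy is None and legacy_out:
            lost.append("export")
        if lost:
            findings.append((n.peer, lost))
    return findings

# Constructed sample: documentation addresses and documentation ASNs.
INVENTORY = [
    Neighbor("192.0.2.1", 64496, 64497),                        # PE-CE, no policy
    Neighbor("192.0.2.5", 64496, 64498, import_policy="CUST-IN"),
    Neighbor("192.0.2.9", 64496, 64499, "PEER-IN", "PEER-OUT"),
    Neighbor("192.0.2.13", 64496, 64496),                       # IBGP
]

if __name__ == "__main__":
    for legacy in LEGACY_DEFAULTS:
        print(legacy, audit(INVENTORY, legacy))
```

A session that already has a policy in a given direction is never flagged for it, since the policy continues to decide what is accepted or announced.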