Re: [Idr] [GROW] Choice of Large vs. Extended Community for Route Leaks Solution

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 01 April 2021 20:55 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E17EB3A2320; Thu, 1 Apr 2021 13:55:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6eWh4CvuQ_0j; Thu, 1 Apr 2021 13:55:34 -0700 (PDT)
Received: from mail-vk1-xa2d.google.com (mail-vk1-xa2d.google.com [IPv6:2607:f8b0:4864:20::a2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 742C63A231E; Thu, 1 Apr 2021 13:55:34 -0700 (PDT)
Received: by mail-vk1-xa2d.google.com with SMTP id d82so746481vkd.3; Thu, 01 Apr 2021 13:55:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LtKyz1ZenkDDWHrgfPcu+CN+kfkY6E2I9alS/EGciVE=; b=JUg+v9P4IOGgGvAEDFcjPvv5pAh6xAKOKdTmuIC42v4llG5ivBjtWexIv8roMCJt47 ZAbXc5W/HeSvwqbuiM8XLKsDNFQyM3exgxhRANsJYug7pQxWAT6HqJxcMlBpoOPt5x21 0NjZ3oE7YpN7G8ntqRPzhP+vIYieSWgySjcJGR0eqKpQ+N56jtXjPnFUb4gsxynoJk/a MR2ki00DCsFmk7fUFrBjAnW8spthaSzRZjAPl8/SzqRCVI/iICjC4HRKbhlCkdvDY3tI 2k9/wr2gGHTwmPJAhPvUHDLyLlYjv9vldpRLmUUUqdOkjgq0jMJ3uKsXl1cx/J6qvpKD Cq+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LtKyz1ZenkDDWHrgfPcu+CN+kfkY6E2I9alS/EGciVE=; b=TeMfbOZe+oZsiwRCz4bIp+hjAH0Aa6FzDDHS232FttGHf2qDSQj+PXVeZq3jQDv36z z3jtaHTlfZiiZ409MkzTl0gp37PCnkuvRsA5wKU57os15lQaG80k8Ic2TvgyPfr3XFiZ 7Q34bEnljLVvYVRKW0PNvestWVb0HbAwGTdrHUmSZZmoO52j5KvvLfEEo9LSmqQlMzYk 2nX4lkFLzqCxZksIh6aseqJDa3HoMRlKDx4YvmgXc4kuR8QG4Rj6L3Ys3IrF/pOeg7Ar /xlsHYHNEENgf5B/1gidcIlJCuoPIFqIcJ/bJ5ljvrH54GGFqMSRH1l6scoAVZJ2n+to K57A==
X-Gm-Message-State: AOAM533wVHii/AS+W/dDA6DkFXszA6QtOW+2JFF96btYeEqRP2r1l4FT oVZ03F5xy2gkW2eFTZmxygVY91SW46MXCLWlbjA=
X-Google-Smtp-Source: ABdhPJz3XyaLKVv2fPpVSgv+R9M8JGDSO9bJ0VF6Dxi7kNjqi2E+JxPcS7wZD650meznkoJ31QWf5IP5i4A+OEAbTGo=
X-Received: by 2002:a1f:978e:: with SMTP id z136mr7425855vkd.17.1617310532883; Thu, 01 Apr 2021 13:55:32 -0700 (PDT)
MIME-Version: 1.0
References: <SA1PR09MB814269138AEE1567CEED703B847C9@SA1PR09MB8142.namprd09.prod.outlook.com> <CAH1iCip6WaQFaBM2DAjf++vW3WTm_NHmXvLTgOhpTdpRdFKigg@mail.gmail.com> <20210401133309.GN24667@pfrc.org>
In-Reply-To: <20210401133309.GN24667@pfrc.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Thu, 1 Apr 2021 13:55:21 -0700
Message-ID: <CAH1iCir_85XCjn_nJ9LOe9wf6s3u8uKqfB1OEJXL5FdxYquH9g@mail.gmail.com>
To: Jeffrey Haas <jhaas@pfrc.org>
Cc: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, "idr@ietf.org" <idr@ietf.org>, "grow@ietf.org" <grow@ietf.org>, "draft-heitz-idr-wklc@ietf.org" <draft-heitz-idr-wklc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cdd79a05beef7381"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/an5BtEdXsBQ9Py6I4SE-O6GEbb8>
Subject: Re: [Idr] [GROW] Choice of Large vs. Extended Community for Route Leaks Solution
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 20:55:40 -0000

On Thu, Apr 1, 2021 at 6:11 AM Jeffrey Haas <jhaas@pfrc.org> wrote:

> [Note, commenting as an individual contributor...]
>
> On Wed, Mar 31, 2021 at 03:10:08PM -0700, Brian Dickson wrote:
> > On Wed, Mar 31, 2021 at 7:57 AM Sriram, Kotikalapudi (Fed) <
> > kotikalapudi.sriram@nist.gov> wrote:
> > > We (authors of the WKLC draft) can continue working on creating an IANA
> > > WKLC registry for the future but I think the route leaks solution
> draft can
> > > switch to using Transitive Extended Community. Especially, if that
> could
> > > help expedite the route leaks draft and its deployment? I would like to
> > > seek advice regarding that (I'm cc'ing GROW also here).
> >
> >
> > Sorry to argue in public, but I disagree very strongly on the second part
> > here.
> >
> > We would like to continue proceeding with use of a LC range for
> > implementation, using a single (or small number) of Global Administrator
> > values.
> >
> > I think we should request that a small block of GAs surrounding the
> initial
> > assignments be tentatively marked something like Reserved for IANA
> > assignment.
> > That is different from actually establishing a registry or assigning them
> > specifically for WKLCs, but would be compatible with subsequent WKLC
> work.
>
> The issue being faced here for WKLC is a few related items:
> - There needs to be some number of global admin (AS) reserved for generic
> use.
> - Since this was not done at the time the feature was shipped, there is no
>   support in anyone's code to treat subsequently allocated ranges as
>   "special".
>


This is correct. However, I am making the claim that lack of special
handling in anyone's code is NOT a blocker to use by operators.
Specifically, the proposed route-leak-detection-mitigation LC range
(assuming a very small number of fixed GA values) would be able
to be used by operators for arbitrary LC matching, which would be
sufficient to implement the detection/mitigation mechanisms.

While code would facilitate automatically doing the mitigation stuff, it is
not the only way mitigation can be achieved.

Having GA values assigned for this is necessary. Having code is not
necessary, but would be desirable (and should be a long-term goal).

The code side of things is true regardless of mechanism used, BTW -- it
could be LC, EC, WC, new attribute, or anything like that.


>
> The two larger criticisms of the WKLC draft to date is that it wanted a LOT
> of the AS space to be used, and that its transitivity functionality would
> not fit well into an incremental deployment of the feature.  If the
> transitivity requirements are removed and the space is narrowed, that at
> least moves it closer to existing community operational practices.  E.g. a
> single AS allocated for the purpose that leaves two unstructured fields, or
> a small number of ASes.
>
> This then would require implementations that want to treat the new
> well-known fields as "special" to have code to do so.  So, we're already
> looking at some level of new code.
>

It is not necessary that this be done in code.

In fact, that is the precise motivation for using LC: no code is strictly
required.

Existing code for matching LC values is sufficient for operators to both
mark prefixes, and match LC values for implementing policy.

E.g. In vendor-agnostic pseudo-code:
IF(PEER_GROUP == MY_CUSTOMER && LC.GA == TBD1 && LC.VALUE1 == TBD2) THEN
DROP # Customer is sending us a marked prefix -- marked prefixes can only
be sent provider->customer
IF(PEER_GROUP == MY_PEER || PEER_GROUP == MY_TRANSIT) THEN ADD LC{LC.GA =
TBD1, LC.VALUE1 = TBD2, LC.VALUE2 = MY_ASN}


>
> Absent that new code, what we have is generic policy, along with the
> implementation's normal propagation behavior - which is behind a knob for
> some implementations.
>

This is correct.

>
> > The move to using LC values was precipitated by the observation that the
> > path for getting attributes deployed would be very long, and that
> operators
> > (actual network operators) are looking for a solution which can be
> deployed
> > *now*.
>
> If the state can fit into an extended community, that similarly can be done
> NOW.  A significant portion of the extended community space is available on
> first-come, first-serve basis.
>
>
> https://www.iana.org/assignments/bgp-extended-communities/bgp-extended-communities.xhtml
>
> But it doesn't change the above issues.
>
> > Nothing has changed in this regard; the WKLC draft is IMHO still the
> right
> > path, and only the size of the initial allocation is problematic.
> >
> > Having 1-4 GA values (from the 32-bit range of potential values) is not
> > burdensome IMNSHO, and is a lot less of a concern than the 1/64 (or 1/16)
> > of the range of 32-bit ASNs originally requested/suggested.
> >
> > If we can all agree that 1-4 GA values assigned for this is acceptable, I
> > suggest a revised version of the draft and assessment of consensus on the
> > revised draft for adoption and last call.
> >
> > LC is the ONLY viable path, given the nebulous state of implementation
> and
> > use for EC/WC or attributes. LC is already deployed, and assigning a few
> > GAs by IDR is the only roadblock to the draft in GROW getting approved.
>
> I question your conclusion.
>
> The desire is to have an attribute that is used for route leak mitigation
> purposes.
>
> This thread illustrates that it's very easy for such a control community in
> any flavor (regular, extended, large) to be stripped because the service
> provider hasn't proactively acted to permit it.
>
> Does this really solve the problem?


It solves the problem on an expedited basis.

It is not the exclusive solution, which would be to augment this initial
solution with additional mechanisms (e.g. codify WKLCs generally and this
WKLC specifically; codify the behavior using a new optional transitive
attribute or possibly mandatory transitive attribute).

What is also true about this (proposed mechanism + WKLC) is that there is
an incentive for providers (i.e. ISPs) to ask or tell their customers to
turn the knob on.

Having customers turn the knob on provides a convenient way to detect and
block route leaks.
Observe that any route leak from a customer, if not blocked by other means
or any means (e.g. if the ISP does not filter based on prefix or as_path),
harms the ISP directly.
Turning the knob on is comparatively easy, as it is a session configuration
element, rather than a policy mechanism.
ISPs who want to confirm that their customers have enabled the knob, can
provide further instructions to set an ISP-specific LC on routes the
customer sends, which can be used to validate that LCs are being sent.
(Ideally that should be a "test and remove" step, or a "confirm and apply
LC-stripping on the specific LC" so as to avoid causing more garbage being
sent to the DFZ.

Additionally, this range of WKLCs should never be seen within the DFZ. They
are only set when sending prefixes to customers. Any observed instances of
the GA can and should be addressed via non-technical (out of band, human to
human) processes, to get the leak stopped.

This is one of the rare cases where the problem and (however suboptimal)
solution are not asymmetric. The benefit is seen by the party doing the
thing rather than having to have someone else do the thing to get the
benefit.

Brian