IETF Logo Mail Archive

Re: [Idr] draft-uttaro-idr-bgp-persistence-00: Security Considerations

Jakob Heitz <jakob.heitz@ericsson.com> Thu, 03 November 2011 03:51 UTC

Return-Path: <jakob.heitz@ericsson.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99DC511E8098 for <idr@ietfa.amsl.com>; Wed, 2 Nov 2011 20:51:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.16
X-Spam-Level:
X-Spam-Status: No, score=-5.16 tagged_above=-999 required=5 tests=[AWL=0.839, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t5RPr-GxbY0d for <idr@ietfa.amsl.com>; Wed, 2 Nov 2011 20:51:57 -0700 (PDT)
Received: from imr3.ericy.com (imr3.ericy.com [198.24.6.13]) by ietfa.amsl.com (Postfix) with ESMTP id 11E7811E8080 for <idr@ietf.org>; Wed, 2 Nov 2011 20:51:57 -0700 (PDT)
Received: from eusaamw0707.eamcs.ericsson.se ([147.117.20.32]) by imr3.ericy.com (8.13.8/8.13.8) with ESMTP id pA33pMmI030372 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 2 Nov 2011 22:51:22 -0500
Received: from EUSAACMS0701.eamcs.ericsson.se ([169.254.1.52]) by eusaamw0707.eamcs.ericsson.se ([147.117.20.32]) with mapi; Wed, 2 Nov 2011 23:51:21 -0400
From: Jakob Heitz <jakob.heitz@ericsson.com>
To: "erosen@cisco.com" <erosen@cisco.com>, "robert@raszuk.net" <robert@raszuk.net>
Date: Wed, 02 Nov 2011 23:51:19 -0400
Thread-Topic: [Idr] draft-uttaro-idr-bgp-persistence-00: Security Considerations
Thread-Index: AcyZ0z95EN6aLCCQQUunxZ2ZpCErUQABBXlg
Message-ID: <7309FCBCAE981B43ABBE69B31C8D21391A447FB512@EUSAACMS0701.eamcs.ericsson.se>
References: Your message of Wed, 02 Nov 2011 23:35:02 +0100. <4EB1C596.5030306@raszuk.net> <14153.1320288579@erosen-linux>
In-Reply-To: <14153.1320288579@erosen-linux>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "idr@ietf.org List" <idr@ietf.org>, "UTTARO, JAMES" <ju1738@att.com>
Subject: Re: [Idr] draft-uttaro-idr-bgp-persistence-00: Security Considerations
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 03:51:57 -0000

On Wednesday, November 02, 2011 7:50 PM, Eric Rosen <mailto:erosen@cisco.com> wrote:

>> If we have a below scenario:
>> 
>>           / PE2
>> PE1 -- RR
>>           \ PE3
> 
>> When PE2 disappears RR will re-advertise his routes as persistent to
>> PE1 with some labels - for simplicity let's assume those are L3VPN
>> labels. 
> 
> In the case being discussed (I think), the RR is down at the time PE2
> disappears, but PE1 is still using the routes previously distributed
> to it 
> by the RR.
> 
>> There are two options ...
> 
>> * PE2 went down for good - RR by advertising persistent routes may at
>> most cause to blackhole the traffic - that is why I started by
>> recommending a MUST for next hop reachability
> 
>> * PE2 restarted - here I assume RR would withdraw previous STALE
>> routes by both implicit withdraw and explicit withdraw
> 
> The RR can't withdraw any routes because it is down.
> 
> If PE1 happens to have noticed that PE2 blinked out, it may be wise
> for PE1 
> to invalidate the routes for which PE2 is the next hop.  If PE1 did
> not 
> notice that PE2 blinked out, it will continue to make use PE2's old
> VPN-IP 
> routes.  Unfortunately, all these routes will now have incorrect
> labels, and 
> packets from one VPN may get forwarded by PE2 to another VPN.
> 
> As far as I can tell, until the RR comes back up, there is no
> assurance that 
> PE1 will notice PE2's restart, so random cross-connection of VPNs is
> certainly possible.
> 
> But it's not obvious that random cross-connections of this sort are
> any 
> worse than a complete loss of service.  While datagrams from one VPN
> might 
> get sprayed into the other, it is hard to see how a TCP connection
> between 
> the two VPNs could be set up or maintained, since there is not going
> to be a 
> working reverse path.

I didn't think a stray packet could set up a TCP connection
either. I was wondering if stray packets could cause
disruptions of other kinds. Also, as a customer of a VPN
service, I would not like the possibility of my packets being
sprayed into other VPNs.

-- 
Jakob Heitz.

v2.23.0 | Report a Bug | By Email