IETF Logo Mail Archive

Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action

PVLR Pavana Murthy <pvlrpm@gmail.com> Mon, 30 April 2018 06:24 UTC

Return-Path: <pvlrpm@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 250071252BA; Sun, 29 Apr 2018 23:24:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.998
X-Spam-Level:
X-Spam-Status: No, score=-0.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pShplBiyE44F; Sun, 29 Apr 2018 23:24:22 -0700 (PDT)
Received: from mail-oi0-x243.google.com (mail-oi0-x243.google.com [IPv6:2607:f8b0:4003:c06::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5FA71242F5; Sun, 29 Apr 2018 23:24:21 -0700 (PDT)
Received: by mail-oi0-x243.google.com with SMTP id b130-v6so6555866oif.12; Sun, 29 Apr 2018 23:24:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=WDqaxI30Zp0q0xb0DkKC1ZWcg3BTscQGiw5tNayoGQM=; b=ih9zscf7y9LPqIOQYI2fckbHZFqBa3SF3qEma8KHIVza8ug2L3CJkocnw9gWsl3frg cB+cp3pjkKKZ9QObMyxRG5aRiYGGAom/GRLmqT8HbydQRpaJ81qd3ALWHLhi/jzOgdap Ik+mYtKG+qvPEA0kP69mcXI+Dr9M9fpaY8rBLChbItezFcZTXdSMhX2CjQx8cyJ1MUT0 6p+VXsy2t2CuOizQPfKbxyzclsvnVFo5NJr2mNFAB9w0jCJpqrcZuyILIenRmeCmIwAn 8epEXcqGxlSAykcA3cwOcsC4m40oskqrjTQ/006mVqP5XM0H/BDd+vKo31Q92yMQUcsU CYHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=WDqaxI30Zp0q0xb0DkKC1ZWcg3BTscQGiw5tNayoGQM=; b=XX3sbShyMVClm/d8d81HFF6kAHzI1tR8fUkdbd0vHLUcm01J+R4ce8WXOt4t2CXDrA ifwii2XuMeirUjQClwbl9oSMVKWaEH1GFmwVIjgsS3XEAcMAhWNeQk83zMUs54JZ349J Aw6KVwICxwJoDOxR7/fw3ZjXyLZKSkxr2k7uowPTRlft2ESIHyMi/HlO2cmYdDIH6izW v0SQCAaNP1rQy+brJrlSgKY8aDnwWrO01cWHNcj6OcGGWri7QOsC/5N7RBauND6UkZp+ tsdbg60y2bilMnuzYmNHTSX3XFPS6pTDsQB9vlNJD7bCa6Qpk7AMuJ9FAmu/Ckf7ef7K zf5g==
X-Gm-Message-State: ALQs6tAmmWtgIXm9XwUX9j7KTrMhAlw8F4zFuNT7nuUQ6heK+QisD3fo eg6x7zjVP+9O6yUMLhR93I3Q3dGqgQkSNKyAJ/g=
X-Google-Smtp-Source: AB8JxZrqRyYKnxkHcKxOTYzoPueB/P0CqLRiRSgDglNLRN/fP+g2g2g1lnC+KmaqAfurpsfy/v2EUR/E8vL1etkwlSY=
X-Received: by 2002:aca:d593:: with SMTP id m141-v6mr115508oig.346.1525069461221; Sun, 29 Apr 2018 23:24:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.88.154 with HTTP; Sun, 29 Apr 2018 23:24:20 -0700 (PDT)
In-Reply-To: <3A1793BA-DB42-49E2-AC8C-FBAD1C433DEA@nokia.com>
References: <CAN-MQG6bDyzcyuVs1vmka-JZFrD9Ya1uOuU_AFxfu0GnYgdmbA@mail.gmail.com> <aaa4916758a34ed99cb7432cff257f25@XCH-RCD-012.cisco.com> <CAN-MQG6R_LCLAM5xgaak3W_oRkuQFQsgZtEodacpeiLCQV8p-g@mail.gmail.com> <CAN-MQG4oyycFhFzWGrKcQUG_B5eatan9y3PJJG1O-2vSLmhttg@mail.gmail.com> <3A1793BA-DB42-49E2-AC8C-FBAD1C433DEA@nokia.com>
From: PVLR Pavana Murthy <pvlrpm@gmail.com>
Date: Mon, 30 Apr 2018 11:54:20 +0530
Message-ID: <CAN-MQG5ZrrDKx5f2XypLACM8soEM7jW8YdMA0WGLnJ6SeDDG_g@mail.gmail.com>
To: "Simpson, Adam 1. (Nokia - CA/Ottawa)" <adam.1.simpson@nokia.com>
Cc: "David Smith (djsmith)" <djsmith@cisco.com>, idr wg <idr@ietf.org>, Pradosh Mohapatra <mpradosh@yahoo.com>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>, "ju1738@att.com" <ju1738@att.com>, "jhaas@juniper.net" <jhaas@juniper.net>, "akarch@cisco.com" <akarch@cisco.com>, "sairay@cisco.com" <sairay@cisco.com>, "pmohapat@cumulusnetworks.com" <pmohapat@cumulusnetworks.com>, "wim.henderickx@alcatel-lucent.be" <wim.henderickx@alcatel-lucent.be>, "mtexier@arbor.net" <mtexier@arbor.net>
Content-Type: multipart/alternative; boundary="0000000000007e73ae056b0ae7a9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/f3pqIs8LWKZbvkoJM_zYuzyA_Aw>
X-Mailman-Approved-At: Mon, 30 Apr 2018 05:43:07 -0700
Subject: Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Apr 2018 06:24:25 -0000

Hi Adam,
  Thanks for the reply. If its the first AS that is added to the AS_PATH,
then "the redirect IP" action received from the AS's that are not directly
connected may be invalid always.

eg:
    A---B----C

A, B and C are 3 routers in different AS's  1, 2 and 3 respectively.
A advertises a route for target X and also a Flowspec route with "redirect
IP(target X)". C receives these routes via B.
Now the the origin AS or first AS in the AS_PATH of the route to target X
is 1 but the peer-AS is 2 since the route is received from B.
Since the peer-AS does not match the first AS of the best route target X,
this redirect IP action is considered invalid.


Please let me know if that's expected.

--Pavana.

On Mon, Apr 30, 2018 at 1:12 AM, Simpson, Adam 1. (Nokia - CA/Ottawa) <
adam.1.simpson@nokia.com> wrote:

> Hi Pavana,
>
>
>
> The purpose of this text in the draft was to close the door on the ability
> for an accidental/malicious originator of a flow-spec route in AS=x from
> redirecting flows towards a target IP address in some other AS=y.
>
>
>
> So, in this context we are interested in looking at the first AS in
> AS_PATH of the flow-spec route, not the most recently added AS in the
> AS_PATH (which would be the ‘neighbor AS’).
>
>
>
> The route that resolves the target redirect IP address could be a BGP
> route or it could be a non-BGP route, despite the wording in the draft. If
> it is a BGP route the origin AS is determined as described above. If is a
> non-BGP route it would probably be appropriate to consider the route as
> locally originated (i.e. the same as a BGP route with null/empty AS_PATH or
> having only confed related elements).
>
>
>
> I hope this helps.
>
>
>
> -Adam
>
>
>
>
>
> *From: *PVLR Pavana Murthy <pvlrpm@gmail.com>
> *Date: *Saturday, April 28, 2018 at 12:45 AM
> *To: *"David Smith (djsmith)" <djsmith@cisco.com>
> *Cc: *idr wg <idr@ietf.org>, Pradosh Mohapatra <mpradosh@yahoo.com>, "
> draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-
> oid@ietf.org>, "ju1738@att.com" <ju1738@att.com>, "jhaas@juniper.net" <
> jhaas@juniper.net>, "akarch@cisco.com" <akarch@cisco.com>, "
> sairay@cisco.com" <sairay@cisco.com>, "pmohapat@cumulusnetworks.com" <
> pmohapat@cumulusnetworks.com>, "wim.henderickx@alcatel-lucent.be" <
> wim.henderickx@alcatel-lucent.be>, "Simpson, Adam 1. (Nokia - CA/Ottawa)"
> <adam.1.simpson@nokia.com>, "mtexier@arbor.net" <mtexier@arbor.net>
> *Subject: *Re: Validation for BGP Flow-Spec Redirect to IP Action
>
>
>
> Hello,
>
>   Including all the authors mentioned in draft-ietf-idr-flowspec-redirect-ip-02,
> as the alias did not work. Also pasting doubts again here.
>
>
>
> In the draft  draft-ietf-idr-flowspec-redirect-ip-02.txt, the following
> procedure is mentioned to validate the extended community of 'Flowspec
>
> redirect to IP'.
>
>
>
>    BGP speakers that support the extended communities defined in this
>
>    draft MUST also, by default, enforce the following check when
>
>    receiving a flow-spec route from an EBGP peer: if the received flow-
>
>    spec route has a 'redirect to IP' extended community with a 'target
>
>    address' X (in the global administrator field) and the best matching
>
>    route to X is not a BGP route with *origin AS* matching the peer AS
>
>    then the extended community should be discarded and not propagated
>
>    along with the flow-spec route to other peers.
>
>
>
> *I have 2 doubts related to this statement.*
>
>
>
> *What is 'origin AS' here? Is it the AS no. that is first added to the AS_PATH? *
> *In the previous version of the draft its mentioned as the last AS in the AS_PATH.*
> *Is it the last AS no. that has been added to the AS_PATH or the last AS no. from left in AS_PATH? *
>
>
>
> *What if the redirect target X is directly connected or reachable by a static route and its not advertised by EBGP?*
>
> *Do we need to consider that action invalid in that case?*
>
>
>
> Thanks,
>
> Pavana.
>
>
>
>
>
> On Sat, Apr 28, 2018 at 10:10 AM, PVLR Pavana Murthy <pvlrpm@gmail.com>
> wrote:
>
> Hi Dave,
>
>    Thanks for the reply and including respective draft author aliases.
>
>
>
> I went through the latest draft-ietf-idr-bgp-flowspec-oid-06. It calls
> the first AS the Origin AS. Is it so?
>
> If that's the case, the validation will fail for any 'redirect IP' actions
> coming from the AS other than neighbor AS. Is that the intention?
>
> Also In  draft-ietf-idr-flowspec-redirect-ip-00.txt, instead of 'origin
> AS', the word 'last AS' is used.It is confusing.   Does the validation need
> to consider the first AS or last AS?
>
>
>
> Regarding my second doubt, I could not get any pointers from
> draft-ietf-idr-bgp-flowspec-oid-06 .  Do we need to consider only BGP
> routes always?
>
>
>
> Thanks,
>
> Pavana.
>
>
>
>
> On Sat, Apr 28, 2018 at 3:37 AM, David Smith (djsmith) <djsmith@cisco.com>
> wrote:
>
> Hi Pavana,
>
>
>
> Your points are valid. With that said, I’ll defer you to
> draft-ietf-idr-bgp-flowspec-oid-05 (and later) and, specifically, section
> 4 (revised validation procedure) which addresses your points below.
>
>
>
> Co-incidentally, a WG last call was issued for draft-ietf-idr-bgp-flowspec-oid-06
> yesterday.
>
>
>
> Regards,
>
>
>
> /dave
>
>
>
>
>
> *From:* PVLR Pavana Murthy <pvlrpm@gmail.com>
> *Sent:* Friday, April 13, 2018 1:51 AM
> *To:* idr wg <idr@ietf.org>; pmohapat@cumulusnetworks.com; David Smith
> (djsmith) <djsmith@cisco.com>
> *Subject:* Validation for BGP Flow-Spec Redirect to IP Action
>
>
>
> Hello,
>
>   In the draft  draft-ietf-idr-flowspec-redirect-ip-02.txt, the following
> procedure is mentioned to validate the extended community of 'Flowspec
>
> redirect to IP'.
>
>
>
>
>
>    BGP speakers that support the extended communities defined in this
>
>    draft MUST also, by default, enforce the following check when
>
>    receiving a flow-spec route from an EBGP peer: if the received flow-
>
>    spec route has a 'redirect to IP' extended community with a 'target
>
>    address' X (in the global administrator field) and the best matching
>
>    route to X is not a BGP route with *origin AS* matching the peer AS
>
>    then the extended community should be discarded and not propagated
>
>    along with the flow-spec route to other peers.
>
>
>
> *I have 2 doubts related to this statement.*
>
>
>
> *What is 'origin AS' here? Is it the AS no. that is first added to the AS_PATH? *
> *In the previous version of the draft its mentioned as the last AS in the AS_PATH.*
> *Is it the last AS no. that has been added to the AS_PATH or the last AS no. from left in AS_PATH? *
>
>
>
> *What if the redirect target X is directly connected or reachable by a static route and its not advertised by EBGP?*
>
> *Do we need to consider that action invalid in that case?*
>
>
>
>
>
> Thanks,
>
> Pavana.
>
>
>
>
>
>
>
>
>
>
>

v2.23.0 | Report a Bug | By Email