Re: [Idr] John Scudder's No Objection on draft-ietf-idr-bgp-flowspec-oid-13: (with COMMENT)

John Scudder <jgs@juniper.net> Fri, 14 May 2021 19:10 UTC

Return-Path: <jgs@juniper.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E3213A3CF1; Fri, 14 May 2021 12:10:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.796
X-Spam-Level:
X-Spam-Status: No, score=-2.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b=uHdEWJuY; dkim=pass (1024-bit key) header.d=juniper.net header.b=gEYzo4/a
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id woEGvFp_R7E6; Fri, 14 May 2021 12:10:10 -0700 (PDT)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CA503A3CEE; Fri, 14 May 2021 12:10:10 -0700 (PDT)
Received: from pps.filterd (m0108158.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 14EJ9OQU016342; Fri, 14 May 2021 12:10:02 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=ioOrs7w1j/cHSr4q9EUhSXmd9kv3c895MFf2LOW4RNg=; b=uHdEWJuYOez9Rxl0k+eR/r2LtwBwoqmQQuGX616RvezkKk3xP1Ueq4fbePTn3AhtUN+G qqtrS1egxfX6s5P5V+o+vhFfAH/p+KnDkdc/EPoaCFbpYyoA93Q85uGSdOYl/eVPMepG LcOq2b0wmjmJPNvnS5yPCSH+DX5ZJNsG/+rdtDRLUHjjEFaWR4PM+1UvLX99hOb5fhou q/JKbsufEjOUivJ1CIn+Ka4OCQBNFQEh6UZOsd/S7QcojCRUGyIlSdaHGN3OsxsO1T9m fJ1sANAry7XFuVUH6nQpClNNcaNlxFLLfNHEwoT4y857087tz8EdeFocSTr6Fpyu5yK7 IA==
Received: from nam10-bn7-obe.outbound.protection.outlook.com (mail-bn7nam10lp2105.outbound.protection.outlook.com [104.47.70.105]) by mx0a-00273201.pphosted.com with ESMTP id 38h97st0su-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 14 May 2021 12:10:02 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HphJDuq/d4eUUE7JVuVFLLlqsUP3S5hLKqdsWNKOF+j5qFt28gKJHNJbwm+SH33wgieVaMifbCHOKKA1gU8Nvy0I4qEt38dPDJ4mRpHowhbcdA6FUQNV0fSBbt+40o4bIqo1s0AK2c3z2jmkxWSil2B+lGKDc9IaDLYlNqzfM1CvQ0jMgt6Twd1skp77BcnxdqEp6drHJa/uHzNYYmO1zkMRj6xhi8zSx0n3NDGgPn0/9Qp37xubq3jcodPfzovCKvXpjf8Ydmq8HXfHdjrXMRQ1IyOi92UWj0d3JHI7wGfFwP09uiCuLPqSTg+sgFYurB1b1+XF2ZC7mmUZOgwMfw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ioOrs7w1j/cHSr4q9EUhSXmd9kv3c895MFf2LOW4RNg=; b=La5hV19Xp3S3ihZMWBe/D7i8HUPMJX8uobgU/hSve9uD6lMhIERKZ1XZLHo2Hd5WTy5mhMG/1HEtLlSzvtsF/qfzwPNfXR9P4W4+HwgJisDQX2Rv6ghDxXzA58kiLJey1nX9+dY8H5tZnBgwtjTSn6PII1C/TUwi0abRb98usC7QkBoFvDew4BYMaFUDJpoMBmjD1nElVvPvFjIsTGvN6OC4VU4jnj/11/b3rfGf7BGWrl+qr3BnsM/yLf/DNt390HIy44QvHOcxxUx2tJa2NCDn0CJT54LHOzpsz0wAJIMsTSrXbY+4tJ9BWvz75FpFd+JQTNfopoBLpOuHl3dZDA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ioOrs7w1j/cHSr4q9EUhSXmd9kv3c895MFf2LOW4RNg=; b=gEYzo4/aofQ/+PSYnSdqkGvr5GG4z5pz4qXvLtHVm0lBneLG6O91vVKe1Ef5a3mWEODKmNODYQItZpb2EQYN/8gKBMWLwpEfe/X9OI0xje2ZAfPIALWMVYcNNWf8r/Km+VOHiO6XIcoN2P2EGJJM2E4lrrDPk9tVN4um69qRO9A=
Received: from MN2PR05MB6109.namprd05.prod.outlook.com (2603:10b6:208:c4::20) by MN2PR05MB6495.namprd05.prod.outlook.com (2603:10b6:208:dd::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4129.23; Fri, 14 May 2021 19:09:55 +0000
Received: from MN2PR05MB6109.namprd05.prod.outlook.com ([fe80::3020:ac3:590d:83f1]) by MN2PR05MB6109.namprd05.prod.outlook.com ([fe80::3020:ac3:590d:83f1%5]) with mapi id 15.20.4129.026; Fri, 14 May 2021 19:09:54 +0000
From: John Scudder <jgs@juniper.net>
To: "Juan Alcaide (jalcaide)" <jalcaide@cisco.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>, "idr-chairs@ietf.org" <idr-chairs@ietf.org>, "idr@ietf.org" <idr@ietf.org>, Hares Susan <shares@ndzh.com>, "aretana.ietf@gmail.com" <aretana.ietf@gmail.com>, Lars Eggert <lars@eggert.org>, "David Smith (djsmith)" <djsmith@cisco.com>, Magnus Nyström <magnusn@gmail.com>
Thread-Topic: John Scudder's No Objection on draft-ietf-idr-bgp-flowspec-oid-13: (with COMMENT)
Thread-Index: AQHXQ3tGhk+zQAZH7EKlGeJnkvwDVKriEqiAgAFP0wA=
Date: Fri, 14 May 2021 19:09:54 +0000
Message-ID: <3A5161A8-6187-4CB9-A796-7381EC598388@juniper.net>
References: <162041746726.16037.6421894058933171338@ietfa.amsl.com> <DM6PR11MB3194EAEC2799AD9213E2B527CD519@DM6PR11MB3194.namprd11.prod.outlook.com>
In-Reply-To: <DM6PR11MB3194EAEC2799AD9213E2B527CD519@DM6PR11MB3194.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.6)
authentication-results: cisco.com; dkim=none (message not signed) header.d=none;cisco.com; dmarc=none action=none header.from=juniper.net;
x-originating-ip: [162.225.191.192]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3376ff72-ae5f-4efc-af74-08d9170bdbce
x-ms-traffictypediagnostic: MN2PR05MB6495:
x-microsoft-antispam-prvs: <MN2PR05MB6495CA12D5B3C3F5AC9C2E03AA509@MN2PR05MB6495.namprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 0+xUX1T0tNtXYErqJYUUfOImZNetziH7hudv8CZRvMqib01d/5nceKyDxv46bwatpitaJlFXu/oCGFAYxFjtcluZoPRa4VkTsPhYjtPH8wS8f6VM353Sg9RtBoiEXgAdAHeUeng8vNJ1hmkyTtclOjecyKzBSs3VTiIY0s4wQYJKYXjAVkVcwcZbzZhbTxGT9qwPwBAbhegajQ1KFNPC11XGqv8thOM0QPF4W3CXPsCwt6Zs1Z5saKjzc3tsKm1h4Uomo7LVCmShK4EPF00J4EmPYt6RIxJbyweZTGYA2NSsf/P1EuP/82zBpXelNKgOEZ2Ie4B16Yyu9I1qH0YH1gdc3ZPeg5sCrNJrhbd8WnyUqR2fC43cZgL2axKOjxw8xL6iysYqYRoMDQinDmWe9RA2sXzNWceH4/uqzs31bAWMuaJdE1fkGvrMVZ4PBuf6Uso9BaPR2jGHjAx4i2HnfxFFvLGPb8LQ9QH8DJy98a9mAGzLp4Fc6WTaax+cC79BrcLNLbvNd/1yQq9x/pyRXJxtsVmXbniiGzLkGji18A+9wsga0rAWb78WxjsNr98l5YwI6AoqEwqeEMNm9xDAHCbRzcK2xivz8KAQBN2yc+Fx+J0rQo7E/TP7JpmhiBhg6t8PukGd8aKQE881dw14zQ7gFX/JHsLNu846l5oD86jSLNvEqzyAWZnD2qBiakHT1NAGS8o6pJAXVzacXErtiLACGyDouvbIogC2U9UtLJZFbmFq0UScWq5kyKavHwgOQGGL/tazIDMgu1Xk82S74A==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR05MB6109.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(376002)(366004)(136003)(396003)(346002)(66574015)(6506007)(966005)(4326008)(83380400001)(316002)(478600001)(54906003)(7416002)(36756003)(8676002)(6486002)(2906002)(6916009)(38100700002)(26005)(66476007)(71200400001)(66446008)(91956017)(66556008)(64756008)(186003)(86362001)(76116006)(8936002)(33656002)(30864003)(2616005)(122000001)(5660300002)(66946007)(6512007)(18074004)(53546011)(45980500001)(579004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: hKN2nWAZ4uKRphjh4UMCSRRjKd7FuxgIHCliPaozvLvj1czZQ9Y1TpL3JvxVkjeHfzvMmQ7YUY/tmjoddCH5mNtNjqFJoOFITnNDma1Xue/T1tICQZx1PCOItKmN5zrjLT+gBAFcxmWhfQ23sHxcQpyWPxrGxsW9fMTMhm7CXJPVu+4a1rj9MWfeRidzmfAxEJrSUFE7mGaXaqtNxLA9VNV0bBTo8r+xQQnQS0OgXXQ9ktyxmox9L0X4LOfh3olmtD76WBgRTNyPHqEbq3kdK/Xxui6om3OpRobBvurRX7sW3G3JZoNTSoJxRljlp3duJY+QaHgHwayJiIJsMi6FTeRMdAGtSuYMUpTV3P69j7W7W2EEsIis6fJZlfWxomSTwJ0FdCJu8y8SEDb05OwWkj86p3+zm8AGZFd07FyDPmPpLEmh3TinyyqFdrElAS2faMe05sqHQ0ww9dH/wFUJlpXYZUm+QlxlIXSdUmrsal16Q6Sc4fwy6AtyUqUVYlhZpkoLvwE9qINms4yNrKX+1imLCPUBxf5hgqsR7T4SphEkuZOwr0mmgIKNYVpMloc9ks3lghkOngleswO00Zm1rPZ+pRvibGgUB4ODYRf/lMHrQ+jhta0GdY2oXCOG4+IQyuKaMa+1gjtTUeuSBSwYPVrh6ofBti5ZvbwzDfQVZ3smMiy16W0uMBPv4WWgZ3COu6DBhJNjdDo674hoq//AanNbOyd8PTC9FB5Ql174Aws9flUYb2muwqWVkvPB29rEZplmuAtrRPBB8X0MX4kiTkB3D4/rsXKQihzLPFtcYfzJ3Hl4jOi8yOhCy92dSoq7nz/3M2htySWd1TfDkwq4QY3x9wh4btk6dBNRaRs64F6Rcm+7iD6PQW5lVy0oDxSsL10Utp4mAB+djRyg/WvNy/mwCEcnF/29MT6/WNwYoSn+nDLKd1EghpWyP3h8GupsXyae9nc2PTu4koO9/xKS7LDPJkTSyYGE334xNIwkVp7OWhLivab5rfbcmTgmscnQ0nUhjcZSuq0Jb6YVqjg7JLJQLrIw3Omz8vCiurvYCdUi82ppMvBtSyuLS7uf8SrAzxCXu7rlOhnOBm+IGR/L/tnBkXIqjqZCt4pOeCTn0YrJj5Ov0gml4NRl93hgoEI2bqayynCy2oudMwlqKWVbsKZLhx47NGTDUFQ/unzy8kJLBqSn0hG63eeVgzjmOqxj92IiNhJaVUJUPAfPiilu6rBG0QXELCcca5NPDdIoZbnPHJM9RM6Ob7Fx7udFcCzeYvuUGqAKcP9oreTZrwViUSnOjoCdCaWP0xBR8FtVk0UnHwEKWaLPfne4ZRk5GQmPFts8bWbiUErIXdHH+eelkw==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <864F6C681DABB44B8A5A704CC8A8CF3B@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR05MB6109.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3376ff72-ae5f-4efc-af74-08d9170bdbce
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 May 2021 19:09:54.7541 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Lt88xRqtaA48uP42SGU60DuFKHRgi0hLhDBnc7A95J7NbUudvTqf8yFK4lWi158V
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR05MB6495
X-Proofpoint-GUID: KzXbBGX8MOCom6E3PZYQsKflPMa4v8ry
X-Proofpoint-ORIG-GUID: KzXbBGX8MOCom6E3PZYQsKflPMa4v8ry
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.761 definitions=2021-05-14_08:2021-05-12, 2021-05-14 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 spamscore=0 suspectscore=0 clxscore=1011 phishscore=0 bulkscore=0 mlxscore=0 lowpriorityscore=0 malwarescore=0 mlxlogscore=999 adultscore=0 impostorscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2105140150
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/f8FIvmYtK7m8N15a7mNzkwWveR4>
X-Mailman-Approved-At: Fri, 14 May 2021 12:10:59 -0700
Subject: Re: [Idr] John Scudder's No Objection on draft-ietf-idr-bgp-flowspec-oid-13: (with COMMENT)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 May 2021 19:10:17 -0000

Hi Juan,

Thanks for your reply.

> On May 13, 2021, at 7:07 PM, Juan Alcaide (jalcaide) <jalcaide@cisco.com> wrote:
> 
> Hi John,
> 
> Thanks a lot for your detailed comments. Sorry, also I missed them before publishing -14. Some of the changes on -14 already address your concerns.

Great, thanks.

> I'll incorporate your comments. But some of them I'd like to discuss are:
> 
> #4
> 
> Your suggestion
> 
>      For clarity, the AS in the left-most position of the AS_PATH means
>      the AS that was most recently added to the AS_PATH.
> 
> I used AS_SEQUENCE on purpose. You are not receiving the route from the same confederation. And it would not apply to AS_SET.
> But rfc4271 uses directly AS_PATH. So it's fine to use AS_PATH even if it's not that specific?

It would be a protocol violation to receive an EBGP route with an AS_SET in the leftmost position, since the neighbor is required to add its own AS to an AS_SEQUENCE before sending you the update. However, it’s a good point regarding confederations. If we are being excruciatingly correct we have to account for at least two annoying details:

- In a confederation, the leftmost element could be an AS_CONFED_SEQUENCE
- An AS_PATH can, and occasionally does, contain more than a single AS_SEQUENCE

The second observation was what led to my earlier suggestion. Now that you’ve made your observation, I think maybe a simpler rewrite would cover both:

     For clarity, the AS in the left-most position of the AS_PATH means
     the AS that was last added to an AS_SEQUENCE.

(Changed “the AS_SEQUENCE” to “an AS_SEQUENCE”. You could also say “the left-most AS_SEQUENCE” but then it just moves the problem.) 

I’m not sure how helpful this is to an implementor standing alone, since it relies on the idea of recency which also isn’t defined, but it’s correct and I think there’s a wealth of other information that would help the implementor get it right. I don’t think lack of perfection here will, realistically, hurt implementability. IRL, as far as I know “leftmost” is well-understood by BGP implementors.

> #6
> 
> You didn't like:
> 
>      Using the new rule to validate a Flow Specification route received
>      from an External Border Gateway Protocol (eBGP) peer belonging to
>      the same local domain (in the case of a confederation) is out of
>      the scope of this document.  Note that although it's possible, its
>      utility is dubious.  Although it is conceivable that a router in
>      the same local domain (both iBGP and eBGP within the same local
>      domain) could send a rogue update, only eBGP (outside the local
>      domain) risk is considered within this document (in the same
>      spirit of the mentioned beforehand AS_PATH validation in
>      [RFC4271]).
> 
> 
> What about this rewrite:
> 
> "
> Using that same original AS_PATH validation rule for a route learned from a confed-ebgp peer (i.e. a peer in another sub-AS within the same local domain)
> is outside of the scope of this document. Note that although it's possible, its utility is dubious, since that confed-ebgp peer may be considered
> trusted.  Although it is conceivable that a router in the same local domain (both iBGP and eBGP within the same local domain) could send a rogue update,
> only eBGP (outside the local domain) risk is considered within this document. Note also that [RFC5065] does not mandate to enforce this AS_PATH validation
> rule for a route learned from a confed-ebgp peer.
> "
> 
> This paragraph was built as a part of trying to include and mix toguether several review comments. But honestly I don't think it adds that much value. So
> I wouldn't mind to remove it.

That would be a simple fix! I wouldn’t object, although I don’t insist.

> I keep using 'local domain' just to specify that I am refering to either 1) a standalone AS  or 2 ) to a confederation of ASes. If you have a better way, I'll be happy to use it.

In looking back over the spec I do see you’ve supplied a definition of “local domain” in §4.1:

      In this context, a local domain includes the local AS or the local
      confederation [RFC5065]. 

That actually helps a lot, my bad for not noticing it the first time, sorry. But I think it should be made more obvious to the reader. How about adding a “terminology” or “definitions” section up front (some people place the RFC 2119 language in such a section as well, but I don’t have an opinion about that), and putting a few definitions there:

- "Local Domain” (so capitalized): defined as quoted above. Then whenever referring to local domain, use the capitalized form to make it clear you’re using your defined term.
- “EBGP” (or “eBGP” if you prefer): “BGP peering to a router not within the Local Domain” (or something like that) to make it clear that whenever you mention EBGP you mean real EBGP?
- “IBGP”: means both classic IBGP and any form of BGP peering with a router within the same confederation. 

With those definitions, I think I would be almost happy with the original paragraph. Here’s a suggested minor rewrite:

“Using the new rule to validate a Flow Specification route received from a peer belonging to the same Local Domain is out of the scope of this document. Note that although it’s possible, its utility is dubious. Although it is conceivable that a router in the same Local Domain could send a rogue update, only EBGP risk is considered within this document (in the same spirit as the aforementioned AS_PATH validation in [RFC4271]).”

If you decide you like this approach, I think you can also replace “local autonomous system” with “Local Domain” in §2.

Oh by the way, while I was writing this reply, I noticed this nit in §4.2:

      Comparing only the last ASes added is sufficient for eBGP learned

Shouldn’t that be “last AS added”, singular?
 
> #10.
> 
> Section 7 was rewritten in draft -14  using some of the points you also raised. Does it look Ok now?

Yes it does. Below I’ve included some editorial nits, but the content seems fine.

> Trying to make it clear the enforcement paragraph for both you, Lars, and Magnus, I would rewrite it like this, if nobody objects.
> 
> "
> If configuration (or other means beyond the scope of this document) indicates that the peer is not a route server,
> that optional rule SHOULD be enforced. If the indication is that the peer is not a route server or there is no conclusive
> indication, that optional rule SHOULD NOT be enforced.
> "

I think that option is fine. (I am also OK with what’s in -14.)

   This document updates the route feasibility validation procedures for
   Flow Specifications learned from iBGP peers and through route
   servers.  This change is in line with the procedures described in
   [RFC8955] and, thus, the security characteristics equivalent to the

Delete “the”, so “thus, security characteristics”.

   existing security properties of BGP unicast routing are maintained.

   The security considerations discussed in [RFC8955] apply to this
   specification as well.

   This document makes the original AS_PATH validation rule ([RFC4271]
   section 6.3) again optional (section 4.2) for Flow Specification
   Address Family (the rule is no longer mandatory as it was specified

Suggest “as had been specified”.

   by [RFC8955]).  If that original rule is not enforced for Flow
   Specification it may introduce some new security risks.  A peer (or a
   client of a route server peer) in AS X could advertise a rogue Flow
   Specification route whose first AS in AS_PATH was Y (assume Y is the
   first AS in the AS_PATH of the best-match unicast route).  This risk
   is impossible to prevent if the Flow Specification route is received
   from a route server peer.  If that peer is known for a fact not to be
   a route server, that optional rule SHOULD be enforced for Flow
   Specification routes.  Note that identifying those peers that are
   route servers may suppose an operational challenge.  If the condition

“Suppose” -> “pose”

   of the peer is unknown, the rule SHOULD not be enforced.

   A route server itself may be in a good position to enforce the
   AS_PATH validation rule described in the previous paragraph.  If a
   route server knowns it's not peering with any other route server, it
   can enforce the AS_PATH validation rule across all its peers.  If, in
   addition to that, the route server is trusted, the security threat
   described above disappears.

   BGP updates learned from iBGP peers are considered trusted, so the
   Traffic Flow Specifications contained in BGP updates are also
   considered trusted.  Therefore, it is not required to validate that
   the originator of an intra-domain Traffic Flow Specification matches
   the originator of the best-match unicast route for the destination
   prefix embedded in that Flow Specification.  Note that this
   trustworthy consideration is not absolute and the new possibility

“Trustworthy” -> “trustworthiness”

   than an iBGP speaker could send a rogue Flow Specification is
   introduced.

   The changes in Section 4.1 don't affect the validation procedures for
   eBGP-learned routes.

> #OTHER
> 
> Nobody complained, so not sure if I'm over thinking it. But this doesn't seem 100% correct
> 
> "
>   This document updates the route feasibility validation procedures for
>   Flow Specifications learned from iBGP peers and through route
>   servers.  This change is in line with the procedures described in
>   [RFC8955] and, thus, the security characteristics equivalent to the
>   existing security properties of BGP unicast routing are maintained.
> "
> 
> Aren't we introducing a bit more of a risk than unicast routing, because of the AS_PATH validation rule? (as stated in " If that original rule is not enforced for Flow
>   Specification it may introduce some new security risks")

I guess you’re right. You could probably make the paragraph even more correct by adding “, except as detailed below” to the end of the sentence? I do think you cover that topic pretty well in the third paragraph, and in particular this:

                 If that peer is known for a fact not to be
   a route server, that optional rule SHOULD be enforced for Flow
   Specification routes. 

> When rfc8955 says "   As long as Flow Specifications are restricted to match the corresponding unicast routing paths for the relevant prefixes
>   (Section 6)," it's not making reference to AS_PATH validation rule. Shouldn't it?

Well RFC 8955 is already published :-) but since that text refers to Section 6, and since §6 says

   BGP implementations MUST also enforce that the AS_PATH attribute of a
   route received via the External Border Gateway Protocol (eBGP)
   contains the neighboring AS in the left-most position of the AS_PATH
   attribute.  While this rule is optional in the BGP specification, it
   becomes necessary to enforce it here for security reasons.

it seems to me as though it has, indeed, made reference to the AS_PATH validation rule. No?

Regards,

—John


> 
> -J
> 
> 
> 
> 
> 
> -----Original Message-----
> From: John Scudder via Datatracker <noreply@ietf.org>
> Sent: Friday, May 7, 2021 9:58 PM
> To: The IESG <iesg@ietf.org>
> Cc: draft-ietf-idr-bgp-flowspec-oid@ietf.org; idr-chairs@ietf.org; idr@ietf.org; Susan Hares <shares@ndzh.com>; aretana.ietf@gmail.com; shares@ndzh.com
> Subject: John Scudder's No Objection on draft-ietf-idr-bgp-flowspec-oid-13: (with COMMENT)
> 
> John Scudder has entered the following ballot position for
> draft-ietf-idr-bgp-flowspec-oid-13: No Objection
> 
> When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)
> 
> 
> Please refer to https://urldefense.com/v3/__https://www.ietf.org/iesg/statement/discuss-criteria.html__;!!NEt6yMaO-gk!QLCeaGKX3jpp4rLrE_k8iSduOkCXEr6Pdyj6AXwU8zsm-hg6xFZnm-1skqoj2w$
> for more information about DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-idr-bgp-flowspec-oid/__;!!NEt6yMaO-gk!QLCeaGKX3jpp4rLrE_k8iSduOkCXEr6Pdyj6AXwU8zsm-hg6xFZnm-1uegg6yg$
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thanks for this document, I'm glad to see it finally close to publication. I have a few comments I hope will help improve it, below.
> 
> 1. Section 2
> 
>   [RFC8955] defines a BGP NLRI [RFC4271] that can be used to distribute
> 
> RFC 4271 is the right citation for “BGP” but for “BGP NLRI” other than IPv4 unicast you want RFC 4760.
> 
>   the Flow Specification.  The aim is making sure that only speakers on
> 
> making -> to make
> 
>   originated in any location within the same autonomous system than the
> 
> than -> as
> 
>   Flow Specification received from an iBGP peer, it could be possible
>   to disseminate such Flow Specification NLRIs directly from the
> 
> “It could be possible”? Or “it would be necessary”?
> 
>   validated when received by RR and R1.  Sometimes the Flow
>   Specification needs to be originated on AS1.  ASBR1 could originate
> 
> on -> within
> 
> 2. Section 4.1
> 
>          1.  This condition SHOULD be enabled by default (it may be
>              disabled by explicit configuration as described on the
>              next list item (b.2.1))..  an empty AS_PATH.
> 
> Looks as though “an empty AS_PATH” is a cut-n-paste error that should be deleted?
> 
>          3.  As an extension to this rule, a given non-empty AS_PATHs
> 
> AS_PATHs -> AS_PATH (agreement in number)
> 
>              AS_CONFED_SET segments), MAY be validated by policy.  A
> 
> I think “permitted” would be clearer than “validated”.
> 
>      Also, policy may be useful to validate a specific set of non-empty
>      AS_PATHs (b.2.3).  For example, it could validate a Flow
>      Specification whose AS_PATH contains only an AS_SEQUENCE with ASes
>      that are all known to belong to the same administrative domain.
> 
> Same point, I suggest “permit”.
> 
> 3. Section 4.2
> 
>   This rule prevents the exchange of BGP Flow Specification NLRIs at
>   Internet exchanges with BGP route servers [RFC7947].
> 
> Since it may not be common knowledge that route servers don’t insert their own AS number, I suggest a change something like this, for clarity:
> 
>   This rule prevents the exchange of BGP Flow Specification NLRIs at
>   Internet exchanges with BGP route servers, which by design don’t insert
>   their own AS number into the AS_PATH  ([RFC7947] Section 2.2.2.1).
> 
> 4. Section 4.2
> 
>      For clarity, the AS in the left-most position of the AS_PATH means
>      the AS that was last added to the AS_SEQUENCE.
> 
> I suggest changing “last” to “most recently”. This is just personal preference, though. I also suggest changing “AS_SEQUENCE” somehow, probably to “AS_PATH”.
> The reason for this is there could be more than one AS_SEQUENCE in the AS_PATH so the definite article isn’t quite correct. There is however only one AS_PATH, and you can make the change without loss of generality or correctness. So, the full suggested rewrite is:
> 
>      For clarity, the AS in the left-most position of the AS_PATH means
>      the AS that was most recently added to the AS_PATH.
> 
> 5. Section 4.2
> 
>      Specifications.  This is a security BGP threat, but out of the
> 
> “Security BGP threat” -> “security threat” (or “BGP security threat” if you
> prefer)
> 
> 6. Section 4.2
> 
>      Using the new rule to validate a Flow Specification route received
>      from an External Border Gateway Protocol (eBGP) peer belonging to
>      the same local domain (in the case of a confederation) is out of
>      the scope of this document.  Note that although it's possible, its
>      utility is dubious.  Although it is conceivable that an router in
>      the same local domain (both iBGP and eBGP within the same local
>      domain) could send a rogue update, only eBGP (outside the local
>      domain) risk is considered within this document (in the same
>      spirit of the mentioned beforehand AS_PATH validation in
>      [RFC4271]).
> 
> I’m having a hard time understanding this paragraph. This is at least partly due to the use of “local domain“, which isn’t a well-defined term of art. You could try something like “under the same administration“? But, even if I make that change in my head as I read the paragraph, I still don’t get your point.
> :-(
> 
> Is the whole paragraph strictly about confederations, and what you’re talking about is a BGP session between a router in one member-AS and a router in another member-AS of the confederation? If that’s it, I can probably propose some new text.
> 
> Also, “an router” -> “a router”.
> 
> Also, you should cite RFC 5065 when you mention confederations.
> 
> 7. Section 5
> 
>   its best-match unicast route) are learned from the same peer accross
> 
> accross-> across
> 
> 8. Section 5
> 
>      Consider the validation procedure preceding this document.  The
> 
> I think what you mean here is “consider the validation procedure defined in RFC 8955“. If that’s correct, I suggest saying it that way. (If that’s not correct, what did you mean?)
> 
> 9. Section 7
> 
>   thus maintain security characteristics equivalent to the existing
> 
> Maintain -> maintains
> 
> 10. Section 7
> 
>   The original AS_PATH validation rule ([RFC4271] section 6.3) becomes
>   hereby optional (section 4.2).
> 
> I don’t think you’re actually updating RFC 4271, are you? The way you’ve written this makes it sound as though you are. You’re relaxing the rule in RFC 8955, but as you point out in section 4.2, RFC 4271 makes AS_PATH neighbor AS insertion enforcement optional to begin with:
> 
>   If the UPDATE message is received from an external peer, the local
>   system MAY check whether the leftmost (with respect to the position
>   of octets in the protocol message) AS in the AS_PATH attribute is
>   equal to the autonomous system number of the peer that sent the
>   message.  If the check determines this is not the case, the Error
>   Subcode MUST be set to Malformed AS_PATH.
> 
> Maybe you could rewrite something like this: “As per section 4.2, it is becomes optional to enforce that the AS_PATH attribute of a route received via the External Border Gateway Protocol (eBGP) contains the neighboring AS in the leftmost position of the AS_PATH attribute. Then we continue:
> 
>             If that original rule is actually not
>   enforced it may introduce some security risks.  A peer (or a client
>   of a route server peer) in AS X could advertise a rogue Flow
>   Specification route whose first AS in AS_PATH was Y (assume Y is the
>   first AS in the AS_PATH of the best-match unicast route).  This risk
>   is impossible to prevent if the Flow Specification route is received
>   from a route server peer.
> 
> I think you’ve missed out on the opportunity to point out that the risk can also be mitigated if the route server itself enforces the optional rule of RFC
> 4271 section 6.3.. I think it’s fair to say that at an exchange point, the administrator of the route server enjoys more trust then the administrators of other routers at the exchange point.
> 
>               If that peer is known for a fact not to be
>   a route server, that optional rule SHOULD be enforced for Flow
>   Specification routes.
> 
> It may be necessary to say a little more about how you would get this knowledge about the peer not being a route server. Possibly a rewrite could be something
> like: "Unless configuration (or other means beyond the scope of this document) indicates that the peer is a route server, that optional rule SHOULD be enforced for Flow Specification routes from EBGP peers."
> 
> 11. Section 7
> 
>   absolute and the new possibility than an iBGP speaker could send a
> 
> Than -> that
> 
> 
>