Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard

Gert Doering <gert@space.net> Thu, 20 April 2017 17:29 UTC

Date: Thu, 20 Apr 2017 19:29:04 +0200
From: Gert Doering <gert@space.net>
To: Robert Raszuk <robert@raszuk.net>
Cc: Job Snijders <job@ntt.net>, idr wg <idr@ietf.org>, Hares Susan <shares@ndzh.com>
Message-ID: <20170420172904.GD25069@Space.Net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/fwsAi3jfOrFQw8UFPuX4DWoUsJE>

Hi,

On Thu, Apr 20, 2017 at 07:15:07PM +0200, Robert Raszuk wrote:
> *A* Must it be per neighbor? Can it be per VRF/table/bRIB?

per neighbour, or per peer-group/neighbour-group

> *B* Should enabling BGP Origin Validation be considered as such policy
> or not?

certainly not for egress.

for ingress, it *is* a policy, so I'd see it as "good enough"

> *C* Should received routes still reside in Adj_RIB_In? Should BMP still
> send all routes to collector even if those would be considered not
> compliant with RFC?

I see this as an issue of minor importance.  Both approaches serve the
goal of avoiding sending or accepting prefixes unless said activity is
enabled by policy.

> *D* If we do eBGP auto discovery in IX env of peers would that overwrite
> such RFC?
> 
> *E* If someone does LLDP based eBGP peer discovery on p2p would that also
> be exempt from such enforcement?

Both would be something that the box wouldn't do out of the box, so 
I would expect some sort of parent/inheritance config for IX/p2p 
magic config, which would be able to specify policy.

As such, *of course* eBGP sessions at IXPs or p2p to customers/peers/
upstreams, MUST follow the same rules: no policy = no prefixes.

Which is the whole point: do not leak full tables to any random peer, 
unless you *want* to do so - and if so, it must be turned ON.

Gert Doering
        -- Operator, having received his share of full-table leaks over time
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
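
The rule argued for in this message, "no policy = no prefixes", modelled as a small session audit. This is an added example, not part of the original message or of the draft. The inventory format, policy names, addresses and AS numbers are constructed; counting origin validation as a policy for ingress only follows the answer to *B* above, and group inheritance follows the answers to *A*, *D* and *E*.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Group:  # peer-group / neighbour-group, or a template used by IX / p2p discovery
    import_policy: Optional[str] = None
    export_policy: Optional[str] = None

@dataclass
class Neighbor:
    addr: str
    local_as: int
    remote_as: int
    group: Optional[str] = None
    import_policy: Optional[str] = None
    export_policy: Optional[str] = None

def effective(n, groups, direction):
    """Policy set on the neighbour wins; otherwise inherit from its group."""
    parent = groups.get(n.group)
    inherited = getattr(parent, direction + "_policy") if parent else None
    return getattr(n, direction + "_policy") or inherited

def permitted(n, groups, direction):
    """On eBGP, a direction carries prefixes only if a policy is configured for it."""
    if n.local_as == n.remote_as:  # iBGP: the draft's title scopes the rule to EBGP
        return True
    return effective(n, groups, direction) is not None

def audit(neighbors, groups):
    """Map each neighbour to the directions that would carry no prefixes."""
    report = {n.addr: [d for d in ("import", "export") if not permitted(n, groups, d)]
              for n in neighbors}
    return {addr: dirs for addr, dirs in report.items() if dirs}

# Constructed inventory: documentation addresses and AS numbers, made-up policy names.
GROUPS = {"ix-peers": Group("IX-IN", "CUSTOMERS-ONLY"),
          "rov-only": Group(import_policy="ORIGIN-VALIDATION")}  # ingress policy only
NEIGHBORS = [
    Neighbor("192.0.2.1", 64500, 64501, None, "UPSTREAM-IN", "OWN-ROUTES"),
    Neighbor("192.0.2.2", 64500, 64502, "ix-peers"),   # e.g. an auto-discovered IX peer
    Neighbor("192.0.2.3", 64500, 64503, "rov-only"),   # nothing configured for egress
    Neighbor("192.0.2.4", 64500, 64504),               # no policy at all
    Neighbor("192.0.2.5", 64500, 64500),               # iBGP
]

if __name__ == "__main__":
    print(audit(NEIGHBORS, GROUPS))
```

Running the audit against an existing inventory before a software upgrade shows which eBGP sessions would go silent once the default changes.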