Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-oid-01 as IDR WG document

Keyur Patel <keyupate@cisco.com> Wed, 16 May 2012 21:43 UTC

Date: Wed, 16 May 2012 14:46:20 -0700
From: Keyur Patel <keyupate@cisco.com>
To: robert@raszuk.net
Message-ID: <CBD96E3C.253EA%keyupate@cisco.com>
Thread-Topic: [Idr] Adoption of draft-djsmith-bgp-flowspec-oid-01 as IDR WG document
In-Reply-To: <4FB41B06.5050709@raszuk.net>
Cc: "idr@ietf.org List" <idr@ietf.org>
Subject: Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-oid-01 as IDR WG document
List-Id: Inter-Domain Routing <idr.ietf.org>

Yep. In that case, the enforce-first-as text [RFC5575] could be relaxed and
modified as well (we would need a uniform enforce-first-as policy between
the flowspec and unicast AFI/SAFIs, and that would work when comparing
AS_PATHs).

Regards,
Keyur


On 5/16/12 2:24 PM, "Robert Raszuk" <robert@raszuk.net> wrote:

> Hi Keyur,
> 
> Actually you bring a good point. Going by section 6 would preclude
> reception of flow-spec routes across IX route servers, as in those cases
> enforce-first-as must be disabled on the IX client.
> 
> Perhaps, as you suggest, we should replace section 6 of the current 5575 with
> the full AS_PATH check, regardless of whether enforce-first-as is in effect
> there or not.
> 
> Comments ?
> 
> Thx,
> R.
> 
>> One comment and one question on the draft.
>> 
>> 1) I believe the rule should cover checks for AS4_PATH as well.
>> 
>> 2) Section 6 from RFC5575
>> 
>> <snip>
>> BGP implementations MUST also enforce that the AS_PATH attribute of a
>> route received via the External Border Gateway Protocol (eBGP)
>> contains the neighboring AS in the left-most position of the AS_PATH
>> attribute.  While this rule is optional in the BGP specification, it
>> becomes necessary to enforce it for security reasons.
>> <snip>
>> 
>> Do we need to do a complete AS_PATH check instead? Otherwise, a neighboring
>> AS can inject a bogus flowspec route.
>> 
>> Regards,
>> Keyur
>> 
>> 
>> On 5/16/12 1:19 PM, "Robert Raszuk" <robert@raszuk.net> wrote:
>> 
>>> Hi,
>>> 
>>> I support the adoption of this draft as WG document.
>>> 
>>> However the new text authors added between -00 and -01 seems too
>>> restrictive to the original theme/direction.
>>> 
>>> It says:
>>> 
>>> ".. or the AS_PATH attribute of the flow specification is empty."
>>> 
>>> That precludes injecting and honoring the flow routes even within the
>>> same administrative domain in the presence of confederations.
>>> 
>>> I recommend that this limitation should be removed in next version.
>>> 
>>> Regards,
>>> R.
> 
> 
>
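The checks this thread argues about, written out as an added example that is not code from the draft, from RFC 5575, or from any vendor implementation: the RFC 5575 section 6 enforce-first-as test, the "complete AS_PATH check" Keyur proposes (with AS4_PATH merged in per the RFC 6793 rule for plain sequences), the IX route-server case where enforce-first-as has to be off, and the -01 "AS_PATH is empty" wording applied to a confederation-internal route. The `Route` record, the ASNs, prefixes and sample routes are constructed for illustration; AS_SET semantics are ignored (segments are simply flattened in order), which is a simplification and not the RFC's procedure.

```python
"""AS_PATH checks for flow-spec routes, as discussed in the IDR thread.

Added example; not code from RFC 5575, draft-djsmith-bgp-flowspec-oid, or any
implementation.  Routes are plain records, AS_PATHs are lists of
(segment_type, [asn, ...]) tuples, and AS_SET semantics are ignored
(simplification: every segment is flattened in order).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
AS_TRANS = 23456   # RFC 6793 placeholder for a 4-octet ASN inside AS_PATH
IBGP = 0           # peer_as value used here for routes learned via iBGP

Segment = Tuple[int, List[int]]


@dataclass
class Route:
    prefix: str                 # unicast prefix / flow-spec destination prefix
    peer_as: int                # AS of the eBGP neighbour it came from, or IBGP
    as_path: List[Segment]
    as4_path: Optional[List[Segment]] = None


def _flatten(segments: List[Segment]) -> List[int]:
    return [asn for _kind, asns in segments for asn in asns]


def effective_as_path(r: Route) -> List[int]:
    """AS_PATH with AS4_PATH merged in (RFC 6793 sec. 4.2.3, sequences only).

    The trailing part of AS_PATH is replaced by AS4_PATH unless AS4_PATH is
    longer, in which case AS4_PATH is ignored.  Without this step a "complete
    AS_PATH check" would see AS_TRANS where the real 4-octet ASN belongs.
    """
    path = _flatten(r.as_path)
    if not r.as4_path:
        return path
    path4 = _flatten(r.as4_path)
    if len(path4) > len(path):
        return path
    return path[: len(path) - len(path4)] + path4


def first_as_ok(r: Route) -> bool:
    """RFC 5575 sec. 6 / enforce-first-as: eBGP routes carry the neighbour AS
    in the left-most position.  iBGP-learned routes are not subject to it."""
    if r.peer_as == IBGP:
        return True
    path = effective_as_path(r)
    return bool(path) and path[0] == r.peer_as


def full_as_path_ok(flowspec: Route, best_unicast: Route) -> bool:
    """The proposal in the thread: the flow-spec AS_PATH must equal the
    AS_PATH of the best-match unicast route for the same prefix."""
    return effective_as_path(flowspec) == effective_as_path(best_unicast)


def draft01_intra_domain(flowspec: Route) -> bool:
    """The -01 wording: a flow-spec is intra-domain only if its AS_PATH is
    empty.  A confederation-internal route carries AS_CONFED_SEQUENCE
    segments, so this says False for it (Robert's objection)."""
    return len(flowspec.as_path) == 0


def validate(flowspec: Route, best_unicast: Route,
             enforce_first_as: bool) -> Tuple[bool, str]:
    """first-AS is a policy knob (it must be off on IX route-server clients);
    the full AS_PATH comparison applies regardless."""
    if enforce_first_as and not first_as_ok(flowspec):
        return False, "enforce-first-as failed"
    if not full_as_path_ok(flowspec, best_unicast):
        return False, "AS_PATH differs from best-match unicast route"
    return True, "ok"


# Constructed sample routes (not from the thread; documentation ASNs/prefixes).
SEQ = AS_SEQUENCE
# 1. Neighbour AS 64500 forges the tail of the path: the left-most AS is
#    correct, so enforce-first-as alone does not catch it.
UC_DIRECT = Route("192.0.2.0/24", 64500, [(SEQ, [64500, 64510, 64520])])
FS_FORGED = Route("192.0.2.0/24", 64500, [(SEQ, [64500, 64520])])
# 2. Transparent IX route server in AS 64999: the left-most AS is the member
#    AS 64510, never 64999.
UC_RS = Route("198.51.100.0/24", 64999, [(SEQ, [64510])])
FS_RS = Route("198.51.100.0/24", 64999, [(SEQ, [64510])])
# 3. Flow-spec from a 2-octet-only eBGP speaker (AS_TRANS + AS4_PATH); the
#    unicast best path came via iBGP with the 4-octet ASN already inline.
UC_AS4 = Route("203.0.113.0/24", IBGP, [(SEQ, [64500, 4200000001])])
FS_AS4 = Route("203.0.113.0/24", 64500, [(SEQ, [64500, AS_TRANS])],
               [(SEQ, [64500, 4200000001])])
# 4. Confederation member AS 65001: the path never left the admin domain but
#    is not empty.
UC_CONFED = Route("192.0.2.0/24", IBGP, [(AS_CONFED_SEQUENCE, [65001])])
FS_CONFED = Route("192.0.2.0/24", IBGP, [(AS_CONFED_SEQUENCE, [65001])])


def main() -> None:
    cases = [
        ("forged tail via AS 64500", FS_FORGED, UC_DIRECT, True),
        ("IX route server, enforce-first-as on", FS_RS, UC_RS, True),
        ("IX route server, enforce-first-as off", FS_RS, UC_RS, False),
        ("AS4_PATH merged before compare", FS_AS4, UC_AS4, True),
        ("confederation member", FS_CONFED, UC_CONFED, True),
    ]
    for name, fs, uc, efa in cases:
        print(f"{name:40s} -> {validate(fs, uc, efa)}")
    print("-01 'empty AS_PATH' rule on confed route:",
          draft01_intra_domain(FS_CONFED))


if __name__ == "__main__":
    main()
```

The forged-tail case is the one Keyur raises: the neighbour satisfies enforce-first-as trivially, and only the comparison against the best-match unicast path rejects it. The route-server case shows why that comparison has to stand on its own, since enforce-first-as must be off there.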