Re: [Idr] Feedback on 5575-bis
Christoph Loibl <c@tix.at> Tue, 09 October 2018 13:38 UTC
Return-Path: <c@tix.at>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7EF9131320 for <idr@ietfa.amsl.com>; Tue, 9 Oct 2018 06:38:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pye0CynOIKCq for <idr@ietfa.amsl.com>; Tue, 9 Oct 2018 06:38:38 -0700 (PDT)
Received: from mail.hated.at (mail.hated.at [IPv6:2001:858:2:8::235]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F97213131B for <idr@ietf.org>; Tue, 9 Oct 2018 06:38:37 -0700 (PDT)
Received: from [2a01:190:1702:0:21f9:79eb:f8e3:f19] by mail.hated.at with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <c@tix.at>) id 1g9rpi-0003qF-3h; Tue, 09 Oct 2018 15:13:54 +0200
From: Christoph Loibl <c@tix.at>
Message-Id: <30E23B18-092D-4C21-A2D4-363C69B73D0F@tix.at>
Content-Type: multipart/alternative; boundary="Apple-Mail=_76DC2A51-D241-485B-A3B7-049CE79F52DF"
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
Date: Tue, 09 Oct 2018 15:38:33 +0200
In-Reply-To: <20181004162737.GD17157@pfrc.org>
Cc: idr@ietf.org
To: Jeffrey Haas <jhaas@pfrc.org>
References: <20180712185855.GQ12853@pfrc.org> <46D2DE8D-F552-444B-82C8-46DF301B1D10@tix.at> <20181004162737.GD17157@pfrc.org>
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/gJo5wtLPzphr91lusWEVEF-bBvA>
Subject: Re: [Idr] Feedback on 5575-bis
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Oct 2018 13:38:42 -0000
Hi Jeff, IDR, I am trying to write a summary on FS propagation in a non-opaque way (=BGP fully understanding of the NLRI + regenerating the byte-string) - Jeff: as you pointed out this is already the case with some of the implementations. I just want to better understand what we need to think of in case we want to go into that direction. (Questions at the end) In one of my last emails I wrote that I think re-encoding of the FS NLRI may be dangerous because it may result in a different NLRIs getting created and propagated (see below). For example a simple tcp-port filter (port 137,138) can be encoded as: port == 137 || port == 138 port == 138 || port == 137 port >= 137 && port <= 138 … The NLRI itself can express the same filter in multiple ways (I doubt, that we can change the specification to have a 1:1 mapping filter to NLRI without throwing the hole thing away - which I think is not at all desirable). > On 04.10.2018, at 18:27, Jeffrey Haas <jhaas@pfrc.org> wrote: > >> CL: NLRI re-en-coding is not acceptable since it introduces a hole lot of problems. Opaqueness of the NLRI to BGP is somehow vital to avoid such situations altogether. See also the comment above [1]. > > See again prior comments. Many implementations build data structurres from > received NLRI. If you understand it, you may regenerate it in canonical > order. I agree. Actually, I think that some of the behaviour that we observed in the lab years ago can be explained very well by this. My questions here: ------------------------ *) If the NLRI itself can express the same filter in multiple ways (see above). May regenerating the NLRI from a data structure produce a different NLRI byte-string (“ghost”)? (I would say yes? - potentially) *) What are the implications if “ghost” NLRIs get propagated? The propagation of the NLRI follows a tree from neighbor to neighbor (loops getting resolved by As-path, cluster-lists, … = independently from the NLRI itself) … withdraw follows the same mechanisms. However BGP-speakers may receive different byte-string versions of the same NLRI and maybe even treat both as two different routes (maybe propagating 2 NLRIs instead of one)? Is this something, that can also happen with other NLRIs? Is this dangerous? Cheers Christoph -- Christoph Loibl c@tix.at | CL8-RIPE | PGP-Key-ID: 0x4B2C0055 | http://www.nextlayer.at
- [Idr] Feedback on 5575-bis Jeffrey Haas
- Re: [Idr] Feedback on 5575-bis Christoph Loibl
- Re: [Idr] Feedback on 5575-bis Christoph Loibl
- Re: [Idr] Feedback on 5575-bis Jeffrey Haas
- Re: [Idr] Feedback on 5575-bis Christoph Loibl
- Re: [Idr] Feedback on 5575-bis Jeffrey Haas
- Re: [Idr] Feedback on 5575-bis Christoph Loibl
- Re: [Idr] Feedback on 5575-bis Jeffrey Haas
- Re: [Idr] Feedback on 5575-bis Christoph Loibl
- Re: [Idr] Feedback on 5575-bis Dongjie (Jimmy)
- Re: [Idr] Feedback on 5575-bis Christoph Loibl
- Re: [Idr] Feedback on 5575-bis Jeffrey Haas