[Idr] draft-djsmith-bgp-flowspec-oid-01.txt

Randy Bush <randy@psg.com> Wed, 16 May 2012 22:25 UTC

Date: Wed, 16 May 2012 12:25:23 -1000
Message-ID: <m2bolnbw6k.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Keyur Patel <keyupate@cisco.com>
In-Reply-To: <CBD9681C.253D5%keyupate@cisco.com>
References: <4FB40BC1.1070604@raszuk.net> <CBD9681C.253D5%keyupate@cisco.com>
Cc: "idr@ietf.org List" <idr@ietf.org>, robert@raszuk.net
Subject: [Idr] draft-djsmith-bgp-flowspec-oid-01.txt

first, we are now discussing the draft, not whether it should be a wg
item.  so i have changed $subject

> Do we need to do a complete aspath check instead? Otherwise, a
> neighboring AS can inject a bogus flowspec route?

this draft has wonderful text in the security section

   No new security issues are introduced by relaxing the validation
   procedure for IBGP learned flow specifications. With this proposal,
   the security characteristics of BGP flow specifications remain
   equivalent to the existing security properties of BGP unicast
   routing.  Traffic flow specifications learned from IBGP peers are
   trusted, hence, it's not required to validate that the originator of
   an intra-domain traffic flow specification matches the originator of
   the best-match unicast route for the flow destination prefix.
   Conversely, this proposal continues to enforce the validation
   procedure for EBGP learned traffic flow specifications. In this way,
   the security properties of RFC 5575 are maintained such that an EBGP
   peer cannot cause a denial-of-service attack by advertising an
   inter-domain flow specification for a destination prefix that it does
   not provide reachability information for.

you gotta love the ref to 5575 which essentially says you have no
protection, abandon all hope ye who enter

randy
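The validation procedure the quoted security section refers to is the one in RFC 5575 section 6: a flow specification is feasible only if (a) its originator matches the originator of the best-match unicast route for the embedded destination prefix and (b) no more-specific unicast route for that destination was received from a different neighboring AS than the best-match route. The draft relaxes this for IBGP-learned flow specifications and keeps it for EBGP-learned ones. The following is an added Python example of that check, written for this page; it is not code from the draft, from the thread, or from any router implementation. The unicast routes and flow specifications are constructed sample data, the originator is simplified to a string (origin AS for EBGP, originating router for IBGP), and the prefixes are assumed to be IPv4.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UnicastRoute:
    prefix: str          # IPv4 prefix, e.g. "10.1.0.0/16"
    originator: str      # origin AS (EBGP) or originating router (IBGP); simplified
    neighbor_as: Optional[int]  # neighboring AS it was received from; None for IBGP


@dataclass(frozen=True)
class FlowSpec:
    dest_prefix: str     # destination prefix component of the flow spec NLRI
    originator: str      # same notion of originator as above
    learned_via: str     # "ebgp" or "ibgp"


def best_match(rib, dest_prefix):
    """Longest-prefix match of dest_prefix against the unicast RIB (None if uncovered)."""
    dest = ipaddress.ip_network(dest_prefix)
    covering = [r for r in rib if dest.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return None
    return max(covering, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


def validate(flow, rib, relax_ibgp=True):
    """RFC 5575 section 6 feasibility check, with the draft's IBGP relaxation.

    Returns (feasible, reason). With relax_ibgp=True an IBGP-learned flow spec is
    accepted without the originator check, as the draft proposes; with
    relax_ibgp=False the original RFC 5575 rule applies to every flow spec.
    """
    if flow.learned_via == "ibgp" and relax_ibgp:
        return True, "ibgp-learned: trusted under the draft's relaxation"

    best = best_match(rib, flow.dest_prefix)
    if best is None:
        return False, "no unicast route covers the destination prefix"

    # Rule (a): flow spec originator must match the best-match unicast originator.
    if best.originator != flow.originator:
        return False, (f"originator mismatch: flow spec from {flow.originator}, "
                       f"best-match unicast route {best.prefix} from {best.originator}")

    # Rule (b): no more-specific unicast route from a different neighboring AS.
    dest = ipaddress.ip_network(flow.dest_prefix)
    for r in rib:
        rn = ipaddress.ip_network(r.prefix)
        if rn != dest and rn.subnet_of(dest) and r.neighbor_as != best.neighbor_as:
            return False, (f"more-specific unicast route {r.prefix} received from "
                           f"neighbor AS {r.neighbor_as}, not {best.neighbor_as}")
    return True, "feasible"


# Constructed sample unicast RIB (private-use AS numbers).
RIB = [
    UnicastRoute("10.0.0.0/8", "AS64500", 64500),
    UnicastRoute("10.1.0.0/16", "AS64501", 64501),
    UnicastRoute("10.2.0.0/16", "AS64500", 64500),
]

# Constructed flow specifications.
FLOW_OK = FlowSpec("10.2.0.0/24", "AS64500", "ebgp")          # matches best-match originator
FLOW_FOREIGN = FlowSpec("10.1.0.0/16", "AS64500", "ebgp")     # AS64500 does not originate 10.1/16
FLOW_COVERING = FlowSpec("10.0.0.0/8", "AS64500", "ebgp")     # 10.1/16 comes from another AS
FLOW_IBGP = FlowSpec("10.1.0.0/16", "rtr-1", "ibgp")          # internal, originator unrelated


def demo():
    """Run every sample flow spec through the check and return the verdicts."""
    return {
        "ok": validate(FLOW_OK, RIB),
        "foreign": validate(FLOW_FOREIGN, RIB),
        "covering": validate(FLOW_COVERING, RIB),
        "ibgp_relaxed": validate(FLOW_IBGP, RIB),
        "ibgp_strict": validate(FLOW_IBGP, RIB, relax_ibgp=False),
    }


if __name__ == "__main__":
    for name, (feasible, reason) in demo().items():
        print(f"{name:13} {'ACCEPT' if feasible else 'REJECT'}: {reason}")
```

FLOW_FOREIGN is the case the quoted security section describes: an EBGP peer advertising a flow specification for a destination prefix it does not provide reachability for is rejected by rule (a). FLOW_COVERING shows rule (b) rejecting a flow spec on a covering prefix when a more specific route is held from a different neighboring AS. FLOW_IBGP shows the behavioural change the draft makes: the same flow spec that rule (a) would reject is accepted once learned over IBGP and the relaxation is on.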