Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action
PVLR Pavana Murthy <pvlrpm@gmail.com> Mon, 30 April 2018 17:14 UTC
Return-Path: <pvlrpm@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A68612D893 for <idr@ietfa.amsl.com>; Mon, 30 Apr 2018 10:14:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.998
X-Spam-Level:
X-Spam-Status: No, score=-0.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fANhrXUuxTQp for <idr@ietfa.amsl.com>; Mon, 30 Apr 2018 10:14:10 -0700 (PDT)
Received: from mail-ot0-x22b.google.com (mail-ot0-x22b.google.com [IPv6:2607:f8b0:4003:c0f::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D8CB1201F8 for <idr@ietf.org>; Mon, 30 Apr 2018 10:14:10 -0700 (PDT)
Received: by mail-ot0-x22b.google.com with SMTP id m11-v6so4113347otf.3 for <idr@ietf.org>; Mon, 30 Apr 2018 10:14:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3YEMGA+Te9+vQGISV2aUuYIb/XyZWyQNRf9U9YsPZ9I=; b=TUPltqbfmmRvXamqyXbkQq4qff+YmP48HQNAbja7O/htxja3k3/iLJWel0C0TbJpMa AxHbotIIXaVMumsYgCelZzT31nnBwI6fo8/zontfV4HCyqKRY7siUWPbmtU9R1CF/Tdv 5yFYd30sl9YKKJ2Z7oB7kphb1STVCCax4oMKjPOUFQXu+h2sYI7IXPneUqgH787Jriq9 CTQ0zjznSKS3FIFG1baj+xvYIAL5SidYxCIIzraeIIXUroMU91RN5h5TMP6RvtlvlZTF Sjtnrp2p8XfoXksuiE22CvZnGkQEMrkO/4QxuBazmGzgkZANxLeIT1rCMR2TVh818EvP pKEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3YEMGA+Te9+vQGISV2aUuYIb/XyZWyQNRf9U9YsPZ9I=; b=OUMjbvjazJFx2MJ7jXekSpMw2dxOTed9KqkvhYfWZGkkXXSBuwNq3vQyiOAibmLeND 10k+JJrZS4wKWSHrzp32E/rojrscaNGK2Oi5epaWcYXM8sdTvrp6RsErIionl/HXGXEH vpnfTUSJSBZt28YkL54+6+mmJWZWJdDrERpv518tWCjZNSkHxysNh59F5fbPz0Rx2uWv A5r1nZqolNqbdu8wVZknjyH9Q6za50sg1HnSVaKQ84ZzgeIKVQrJp0L+ORVWxkgwFSwE wzawOJC2R5/0lt+Zrffo1q43N/iBuGU9NwBLxnY77IxEOGpp2kYbfnyNpyxeqhC9FEXK hdmw==
X-Gm-Message-State: ALQs6tAxU1DL86pZw2zEs11xNPKEGJZ+zhwAbNdtxKu162/C962d0YI/ qXf/aCYl/++Gel3IfRptZ+MuLduoMQkEmSI0q70=
X-Google-Smtp-Source: AB8JxZrWugHqh3mH4xN/yrVMOIJMRSRmeyEjtkwQ4VZXYHn4Ft9it3clpO8PUby/aix2/+GDiy4xPxodiOa06ftleaI=
X-Received: by 2002:a9d:2b72:: with SMTP id f47-v6mr8378421otd.69.1525108449736; Mon, 30 Apr 2018 10:14:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.88.154 with HTTP; Mon, 30 Apr 2018 10:14:08 -0700 (PDT)
In-Reply-To: <717912C0-D4C4-4656-A4A7-5ADCBBE93CE6@nokia.com>
References: <CAN-MQG6bDyzcyuVs1vmka-JZFrD9Ya1uOuU_AFxfu0GnYgdmbA@mail.gmail.com> <aaa4916758a34ed99cb7432cff257f25@XCH-RCD-012.cisco.com> <CAN-MQG6R_LCLAM5xgaak3W_oRkuQFQsgZtEodacpeiLCQV8p-g@mail.gmail.com> <CAN-MQG4oyycFhFzWGrKcQUG_B5eatan9y3PJJG1O-2vSLmhttg@mail.gmail.com> <3A1793BA-DB42-49E2-AC8C-FBAD1C433DEA@nokia.com> <CAN-MQG5ZrrDKx5f2XypLACM8soEM7jW8YdMA0WGLnJ6SeDDG_g@mail.gmail.com> <717912C0-D4C4-4656-A4A7-5ADCBBE93CE6@nokia.com>
From: PVLR Pavana Murthy <pvlrpm@gmail.com>
Date: Mon, 30 Apr 2018 22:44:08 +0530
Message-ID: <CAN-MQG7g9UX0OSY=WeLUfErpmdRYKnwxAySu1h4-sjwDdviHcg@mail.gmail.com>
To: "Simpson, Adam 1. (Nokia - CA/Ottawa)" <adam.1.simpson@nokia.com>
Cc: idr wg <idr@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000063fc7d056b13fbc1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/gmkwaOZneFrq7cY2hpT64ovjhWE>
Subject: Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Apr 2018 17:14:13 -0000
Hi Adam, In draft-ietf-idr-bgp-flowspec-oid-06(Revised Validation Procedure for BGP Flow Specifications), the following is mentioned. Probably this could be the reason to use the peer-as. "Note, comparing only the last ASes is sufficient for EBGP learned flow specification NLRIs. Requiring a full AS_PATH match would limit origination of inter-domain flow specifications to the origin (or first) AS of the best-match unicast route for the destination prefix embedded in the flow specification only. As such, a full AS_PATH validity check may prevent transit ASes from originating inter-domain flow specifications which is not desirable." Also in draft-ietf-idr-flowspec-redirect-ip-00.txt, the term 'las AS' is used instead of 'Origin As'. Even the CISCO document ( https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-2/routing/configuration/guide/b_routing_cg52xasr9k/b_routing_cg52xasr9k_chapter_011.html ) uses the term 'last AS'. Anyways, thanks for explaining the philosophy behind the validation. -Pavana. On Mon, Apr 30, 2018 at 9:00 PM, Simpson, Adam 1. (Nokia - CA/Ottawa) < adam.1.simpson@nokia.com> wrote: > Hi Pavana, > > > > Peer-AS is not a consideration in draft -02. I don’t recall why it was > mentioned in an earlier version of the draft. > > > > If the routers inside B and C enable the extra validation check (it is > optional as explained in the draft) then they would only install a flowspec > route originated by a router inside A ,with a redirect-to-IP action, if the > redirect IP address itself was observed to originate inside A as well. > > > > So flow-spec routes originated by one AS can be valid in another AS, but > only under restrictive circumstances. > > > > -Adam > > > > *From: *PVLR Pavana Murthy <pvlrpm@gmail.com> > *Date: *Monday, April 30, 2018 at 2:24 AM > *To: *"Simpson, Adam 1. (Nokia - CA/Ottawa)" <adam.1.simpson@nokia.com> > *Cc: *"David Smith (djsmith)" <djsmith@cisco.com>, idr wg <idr@ietf.org>, > Pradosh Mohapatra <mpradosh@yahoo.com>, "draft-ietf-idr-bgp-flowspec- > oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>, "ju1738@att.com" > <ju1738@att.com>, "jhaas@juniper.net" <jhaas@juniper.net>, " > akarch@cisco.com" <akarch@cisco.com>, "sairay@cisco.com" <sairay@cisco.com>, > "pmohapat@cumulusnetworks.com" <pmohapat@cumulusnetworks.com>, " > wim.henderickx@alcatel-lucent.be" <wim.henderickx@alcatel-lucent.be>, " > mtexier@arbor.net" <mtexier@arbor.net> > > *Subject: *Re: Validation for BGP Flow-Spec Redirect to IP Action > > > > Hi Adam, > > Thanks for the reply. If its the first AS that is added to the AS_PATH, > then "the redirect IP" action received from the AS's that are not directly > connected may be invalid always. > > > > eg: > > A---B----C > > > > A, B and C are 3 routers in different AS's 1, 2 and 3 respectively. > > A advertises a route for target X and also a Flowspec route with > "redirect IP(target X)". C receives these routes via B. > > Now the the origin AS or first AS in the AS_PATH of the route to target X > is 1 but the peer-AS is 2 since the route is received from B. > > Since the peer-AS does not match the first AS of the best route target X, > this redirect IP action is considered invalid. > > > > > > Please let me know if that's expected. > > > > --Pavana. > > > > On Mon, Apr 30, 2018 at 1:12 AM, Simpson, Adam 1. (Nokia - CA/Ottawa) < > adam.1.simpson@nokia.com> wrote: > > Hi Pavana, > > > > The purpose of this text in the draft was to close the door on the ability > for an accidental/malicious originator of a flow-spec route in AS=x from > redirecting flows towards a target IP address in some other AS=y. > > > > So, in this context we are interested in looking at the first AS in > AS_PATH of the flow-spec route, not the most recently added AS in the > AS_PATH (which would be the ‘neighbor AS’). > > > > The route that resolves the target redirect IP address could be a BGP > route or it could be a non-BGP route, despite the wording in the draft. If > it is a BGP route the origin AS is determined as described above. If is a > non-BGP route it would probably be appropriate to consider the route as > locally originated (i.e. the same as a BGP route with null/empty AS_PATH or > having only confed related elements). > > > > I hope this helps. > > > > -Adam > > > > > > *From: *PVLR Pavana Murthy <pvlrpm@gmail.com> > *Date: *Saturday, April 28, 2018 at 12:45 AM > *To: *"David Smith (djsmith)" <djsmith@cisco.com> > *Cc: *idr wg <idr@ietf.org>, Pradosh Mohapatra <mpradosh@yahoo.com>, " > draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec- > oid@ietf.org>, "ju1738@att.com" <ju1738@att.com>, "jhaas@juniper.net" < > jhaas@juniper.net>, "akarch@cisco.com" <akarch@cisco.com>, " > sairay@cisco.com" <sairay@cisco.com>, "pmohapat@cumulusnetworks.com" < > pmohapat@cumulusnetworks.com>, "wim.henderickx@alcatel-lucent.be" < > wim.henderickx@alcatel-lucent.be>, "Simpson, Adam 1. (Nokia - CA/Ottawa)" > <adam.1.simpson@nokia.com>, "mtexier@arbor.net" <mtexier@arbor.net> > *Subject: *Re: Validation for BGP Flow-Spec Redirect to IP Action > > > > Hello, > > Including all the authors mentioned in draft-ietf-idr-flowspec-redirect-ip-02, > as the alias did not work. Also pasting doubts again here. > > > > In the draft draft-ietf-idr-flowspec-redirect-ip-02.txt, the following > procedure is mentioned to validate the extended community of 'Flowspec > > redirect to IP'. > > > > BGP speakers that support the extended communities defined in this > > draft MUST also, by default, enforce the following check when > > receiving a flow-spec route from an EBGP peer: if the received flow- > > spec route has a 'redirect to IP' extended community with a 'target > > address' X (in the global administrator field) and the best matching > > route to X is not a BGP route with *origin AS* matching the peer AS > > then the extended community should be discarded and not propagated > > along with the flow-spec route to other peers. > > > > *I have 2 doubts related to this statement.* > > > > *What is 'origin AS' here? Is it the AS no. that is first added to the AS_PATH? * > *In the previous version of the draft its mentioned as the last AS in the AS_PATH.* > *Is it the last AS no. that has been added to the AS_PATH or the last AS no. from left in AS_PATH? * > > > > *What if the redirect target X is directly connected or reachable by a static route and its not advertised by EBGP?* > > *Do we need to consider that action invalid in that case?* > > > > Thanks, > > Pavana. > > > > > > On Sat, Apr 28, 2018 at 10:10 AM, PVLR Pavana Murthy <pvlrpm@gmail.com> > wrote: > > Hi Dave, > > Thanks for the reply and including respective draft author aliases. > > > > I went through the latest draft-ietf-idr-bgp-flowspec-oid-06. It calls > the first AS the Origin AS. Is it so? > > If that's the case, the validation will fail for any 'redirect IP' actions > coming from the AS other than neighbor AS. Is that the intention? > > Also In draft-ietf-idr-flowspec-redirect-ip-00.txt, instead of 'origin > AS', the word 'last AS' is used.It is confusing. Does the validation need > to consider the first AS or last AS? > > > > Regarding my second doubt, I could not get any pointers from > draft-ietf-idr-bgp-flowspec-oid-06 . Do we need to consider only BGP > routes always? > > > > Thanks, > > Pavana. > > > > > On Sat, Apr 28, 2018 at 3:37 AM, David Smith (djsmith) <djsmith@cisco.com> > wrote: > > Hi Pavana, > > > > Your points are valid. With that said, I’ll defer you to > draft-ietf-idr-bgp-flowspec-oid-05 (and later) and, specifically, section > 4 (revised validation procedure) which addresses your points below. > > > > Co-incidentally, a WG last call was issued for draft-ietf-idr-bgp-flowspec-oid-06 > yesterday. > > > > Regards, > > > > /dave > > > > > > *From:* PVLR Pavana Murthy <pvlrpm@gmail.com> > *Sent:* Friday, April 13, 2018 1:51 AM > *To:* idr wg <idr@ietf.org>; pmohapat@cumulusnetworks.com; David Smith > (djsmith) <djsmith@cisco.com> > *Subject:* Validation for BGP Flow-Spec Redirect to IP Action > > > > Hello, > > In the draft draft-ietf-idr-flowspec-redirect-ip-02.txt, the following > procedure is mentioned to validate the extended community of 'Flowspec > > redirect to IP'. > > > > > > BGP speakers that support the extended communities defined in this > > draft MUST also, by default, enforce the following check when > > receiving a flow-spec route from an EBGP peer: if the received flow- > > spec route has a 'redirect to IP' extended community with a 'target > > address' X (in the global administrator field) and the best matching > > route to X is not a BGP route with *origin AS* matching the peer AS > > then the extended community should be discarded and not propagated > > along with the flow-spec route to other peers. > > > > *I have 2 doubts related to this statement.* > > > > *What is 'origin AS' here? Is it the AS no. that is first added to the AS_PATH? * > *In the previous version of the draft its mentioned as the last AS in the AS_PATH.* > *Is it the last AS no. that has been added to the AS_PATH or the last AS no. from left in AS_PATH? * > > > > *What if the redirect target X is directly connected or reachable by a static route and its not advertised by EBGP?* > > *Do we need to consider that action invalid in that case?* > > > > > > Thanks, > > Pavana. > > > > > > > > > > > > >
- [Idr] Validation for BGP Flow-Spec Redirect to IP… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… David Smith (djsmith)
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… Simpson, Adam 1. (Nokia - CA/Ottawa)
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… Simpson, Adam 1. (Nokia - CA/Ottawa)
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… Simpson, Adam 1. (Nokia - CA/Ottawa)
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… David Smith (djsmith)
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… David Smith (djsmith)
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… David Smith (djsmith)
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… David Smith (djsmith)