Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard

Job Snijders <job@instituut.net> Fri, 21 April 2017 09:01 UTC

Return-Path: <job@instituut.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92379129A9F for <idr@ietfa.amsl.com>; Fri, 21 Apr 2017 02:01:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=instituut-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YQ5AvI0hmwnV for <idr@ietfa.amsl.com>; Fri, 21 Apr 2017 02:01:52 -0700 (PDT)
Received: from mail-wm0-x229.google.com (mail-wm0-x229.google.com [IPv6:2a00:1450:400c:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50CF8129B1A for <idr@ietf.org>; Fri, 21 Apr 2017 02:01:49 -0700 (PDT)
Received: by mail-wm0-x229.google.com with SMTP id y18so6273124wmh.0 for <idr@ietf.org>; Fri, 21 Apr 2017 02:01:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=instituut-net.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=qjxLGrivmj01hHKA523/Nk76iX+BgwgDtuI2yzfgWOQ=; b=RtjxaUu+mzNYhEoqsHXdLyeooO5/0hdfOikW3RyrVomwp1VjlKBrKM9z+n2SO1FCkC Jyx4rwx1B9YWHy3XqnXR1DFzaAktxhGzWcWcl21ycQP9O8dT1eix1497alRz6r5eGNRx LDeVdGImRhfcQXE1whgZrge1YjxNTnDjHS3tkdf4Ik9hEt4VGDa4F9gxSBtBQZRIlAlE xyHRJcPLSqmES6PfwIK9AeY0Mhur0KmbJNOVf334/zoGdhiZU23azcbTCcCFqRD+R28J 5osmanE7GglPceC3gSGMj/H3wLg/+rP3gFdyHzYDf/NQlWQWsjKl/3cah7Fa4s3MA1J2 Mqww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=qjxLGrivmj01hHKA523/Nk76iX+BgwgDtuI2yzfgWOQ=; b=h7mfoMeasMUZU+Vq8swfwgy9BebVM4+CABWY3zaQAu4s0nKlkHe9Kt0TU8eaodNdXL iM1NM2HHUjJOSvhquc/qEuqQZuBznQl5Q4BeQ/+VmRYPbbU90trMwzForFzv3YKNg5/u i+bL8yFqf+x/ZABx7n6H1X8NarlsXt5HD8UyK1Tud6tTMFE8Z1jF8peyXL/Do+grH9AB GLfl51mprJZGfNnoGULQ5CnkYxKMxSriikHhqRox7cDByNVQwikl95h5U2+jULBJ/jxN NNfyXO+OebNNhK3yB+Gthn2F899dGeSHn94K+RBGMZ55aXWLZq7kHZ1LtYZZXHQzhvpq FjvA==
X-Gm-Message-State: AN3rC/4ridXlRpFfZPKQ6/AFp0czCrOZ3eKbC5f3nWYmdMzDUFtmoaVw tnQtIETvxCjNjQ==
X-Received: by 10.80.174.230 with SMTP id f35mr48927edd.157.1492765307730; Fri, 21 Apr 2017 02:01:47 -0700 (PDT)
Received: from localhost ([2001:67c:208c:10:154d:67d1:53a6:3be]) by smtp.gmail.com with ESMTPSA id o14sm267514edc.53.2017.04.21.02.01.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 21 Apr 2017 02:01:46 -0700 (PDT)
Date: Fri, 21 Apr 2017 11:01:45 +0200
From: Job Snijders <job@instituut.net>
To: bruno.decraene@orange.com
Cc: Eric C Rosen <erosen@juniper.net>, Tony Przygienda <tonysietf@gmail.com>, Brian Dickson <brian.peter.dickson@gmail.com>, "idr@ietf.org" <idr@ietf.org>
Message-ID: <20170421090145.f5yuhimb4qg7knrf@Vurt.local>
References: <68B29403-9AD9-4F06-9FE4-3F077E793D9F@puck.nether.net> <275cf744-1f64-bcbc-dabe-a47479921230@cisco.com> <20170420154142.lacvtplusepy3qcf@hanna.meerval.net> <b57162ec-f806-6e86-7713-58608f72c468@cisco.com> <20170420160736.GB15676@puck.nether.net> <75AC1A50-3DF8-4852-8FC6-BC302B121946@cisco.com> <CAH1iCirf=ha1mrw8EUzPp34R-DF=4J+=aFyMwVn2udi1UKNifw@mail.gmail.com> <CA+wi2hMPYcwbNhHtuWKWUXb4Lg3x81p786yLqeNEHFV1okGRvg@mail.gmail.com> <dc04fe80-f844-29b1-2676-8f2bbda0ecbe@juniper.net> <28014_1492762849_58F9C0E0_28014_6541_1_53C29892C857584299CBF5D05346208A31CC3773@OPEXCLILM21.corporate.adroot.infra.ftgroup>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <28014_1492762849_58F9C0E0_28014_6541_1_53C29892C857584299CBF5D05346208A31CC3773@OPEXCLILM21.corporate.adroot.infra.ftgroup>
X-Clacks-Overhead: GNU Terry Pratchett
User-Agent: NeoMutt/20170306 (1.8.0)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/hlBXb8jKeJ_L-3NSRxYnikmgFhM>
Subject: Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Apr 2017 09:02:00 -0000

Hi Bruno,

You create a false dilemma stating that it is not clear to you whether
this is a "requirement draft or a solution draft", and that those need
to be separate. 

Did you review Alvaro's suggested changes which prompted the third IDR
consultation on this topic? They are viewable here:

    http://htmlpreview.github.io/?https://github.com/jaredmauch/draft-mauch-bgp-reject/blob/alvaro/draft-ietf-grow-bgp-reject-06-from-5.diff.html

I'm disappointed that you've taken a CLI example I've provided as the
sole driver behind this effort. I did not mean to offer the CLI example
as an exhaustive list of reasons.

Kind regards,

Job

ps. For additional advise on how to derail this effort, let us please
take the ideas offered in
http://www.businessinsider.com/oss-manual-sabotage-productivity-2015-11?international=true&r=US&IR=T
also in consideration.

On Fri, Apr 21, 2017 at 08:20:47AM +0000, bruno.decraene@orange.com wrote:
> > From: Eric C Rosen  > Sent: Thursday, April 20, 2017 10:01 PM
> > 
>  > On 4/20/2017 2:24 PM, Tony Przygienda wrote:
>  > > Can't miss that food fight ;-)
>  > 
>  > It did seem to degenerate rapidly into "if you don't agree with my
>  > proposal, you don't care about security".  ;-(
>  > 
>  > I agree with Enke that surprising your customers with a change in
>  > behavior due to altered defaults is generally considered to be a big no-no.
>  > 
>  > When the customers complain about a change in behavior, it is not
>  > considered appropriate to respond with "it's not my fault, you should
>  > have read the release notes", or "it's not my fault that you don't know
>  > how to troubleshoot BGP", or "it's not my fault that you didn't do your
>  > due diligence".
>  > 
>  > Phasing in a change of behavior over several releases is not a practical
>  > solution, because:
>  > 
>  > a) Customers will still be surprised when the default behavior finally
>  > changes, and
>  > b) Many customers won't deploy all the releases anyway.
>  > 
>  > >
>  > > Having said that, I think this is BCP material at best and if this is
>  > > a BCP then
>  > >
>  > > i) a "backward compatibility a.k.a which end of the stick is sharp"
>  > > section is very advisable
>  > 
>  > I would agree that something more than "figure out how to configure the
>  > new release to behave like the old release" would be helpful.
>  > 
>  > > ii) the BCP should describe which customer segment is best served with
>  > > which default
>  > >
>  > 
>  > But then operators from different segments would have to get together to
>  > understand each others' requirements, and they'd have to respect each
>  > others' opinions as well.   I can't wait to see what happens when the
>  > "trust nobody" folks get together with the "zeroconfig plug and play"
>  > folks ;-)
>  > 
>  > The dilemma is that there is a real security problem in certain
>  > environments, but the proposed solution seems to have unintended
>  > side-effects that are problematic.  Then the question becomes whether
>  > the benefits are worth the cost, and this is not really a question that
>  > can be resolved by IETF consensus.
> 
> Good summary, thanks.
> 
> 1) As already asked, could the draft states what the problem it aims at solving?
> In particular,
> - it does not solve the general route leak problem, nor the 3 problems indicated in the first section of the introduction.
> - on the list, one author expressed a different, more focused/pragmatic, goal
> " The problem is that there are some platforms which _immediately_
> activate a line of configuration after you press enter, and a BGP
> session may already come up before you get to the configuration line
> which restricts what should be announced or accepted."
> 
> 2) Can the draft document the side-effects, e.g. in a manageability section.
> 
> 
> Without those 2 points, IMHO the draft is misleading for the reader/reviewer/voter/user. This trade-off analysis is currently absent in the document up to the point that those drawbacks have not been raised during RTG-DIR and RTG-OPS review. So it's probably fair to assume that this may also have missed by some other IETF contributors.
> 
> 3) Once the problem that we want to solve has been clarified (cf 1) , then we can start reviewing the solution.
> In particular, if the problem is indeed:
> " The problem is that there are some platforms which _immediately_
> activate a line of configuration after you press enter, and a BGP
> session may already come up before you get to the configuration line
> which restricts what should be announced or accepted."
> 
> Then, there might be other solutions. e.g.
> - fixing this CLI issue on those plateforms. In particular, no need to also impact the netconf provisioning which has not this issue, or the implementations which do not have such CLI issue.
> - use a 2 step provisioning on both EBGP peers:
>    - on the sending side, use a trick for avoid the session to come up until the BGP configuration is complete enough . e.g. interface shut, use the wrong authentication key/TTL hack
>    - on the receiving side, use a trick to avoid the session to successfully come up or to accept the routes. Then after allowing for a reasonable time to let the sender finish its config, restore the correct configuration. Obviously this can be automated by a "controller", a local feature, a local event script.
> This 2 step provisioning has the benefit of limiting the cost of the solution to the space where the problem is. (vs asking everyone to bear the cost, for a benefit of a few, whatever important is this use case)
> - I sure others may find more creative solutions.
> 
> 4) Regarding the specific solution proposed in the draft,
> -  why has it been prefer to silently drop the route, with will surprise people and definitely the EBGP peer, rather than bringing done the BGP session with a reasonable error (sub)code / text to help diagnose the problem.
> 
> - the 3rd bullet is debatable to me
> "   o  A BGP speaker SHOULD fall back to an "import nothing" and "export nothing" mode following failure of internal components, such as a policy engine."
> This is an error handling situation. IMHO https://tools.ietf.org/html/draft-ietf-grow-ops-reqs-for-bgp-error-handling-07 had a better analysis on this point. e.g. at the minimum, rather than calling for silently dropping the route, I would call for closing the BGP session, possibly trying to restart it. Plus if this BGP internal failure also impact IBGP session, we have a bigger problem.
> 
> - it's not clear whether this draft is a requirement draft or a solution draft. As per the first sentence of section 2 and its further text, it looks like a requirement draft. But in this case, the requirements should be solution agnostic. Which is definitely not the case. (e.g. above comments are solutions specific)
> 
> Thanks,
> Regards,
> -- Bruno