Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis, worth fixing?
Robert Raszuk <robert@raszuk.net> Tue, 29 September 2020 15:24 UTC
Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 849353A0EB4 for <idr@ietfa.amsl.com>; Tue, 29 Sep 2020 08:24:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AvO_t-U8gDGf for <idr@ietfa.amsl.com>; Tue, 29 Sep 2020 08:24:13 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8BA53A0EAD for <idr@ietf.org>; Tue, 29 Sep 2020 08:24:12 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id l17so6763688edq.12 for <idr@ietf.org>; Tue, 29 Sep 2020 08:24:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DNlw7t1f3xNl06EVfOdI9ZsPSjuJtl1ruJ/WLVGFRtQ=; b=VYvXZMGkLYH443M4yyv/9RQ9eouf9Khj4kEvlBxuu6PuCkPBq/VoEa3i9hCCM9T1Bm Ue/xxSTHc1cz7co+JYzO6E7Q0YbSQNlz8OSQ0w8Z9rY5Y8OOBeIs5p2vnowtxVnyr19p nGG/HZUVwedePtSj0ONiOuGxCSXyybc3n7ZkbdBKw8bvF6Uwo+/WZpQ1EH5nGTuAPRea kN3QdWX9yZC+ArhX+LLtEraChR3vJlGF2XkJm1yHFNDb/1+9+uF8PxLI/8xeNETbp8QC lKAtsSsPUMt9TDae0zUlBSQ0k8/f5zKnvCcXeR5bIctHqTX8vys5pRZyFik8WN+7Q0hc ixyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DNlw7t1f3xNl06EVfOdI9ZsPSjuJtl1ruJ/WLVGFRtQ=; b=DAftfyXYY5gAEECeDT0yrGMDh5VrRbGQ3QdLsv+JXcH0isiIroKrmbfxJKT0avyRV1 D88QLjuYahiiQK+55jCddUfDJgRSKJ+I3h/iTj7B0hnWjm8nBRv/2ixOc1nKGdhHQ69V 1eN74yt77SHiGa3MVwRIw0OS4W3NUVEn9Pyse+WLmSgoVlvP38gd4uLRJVsUR91L2HGH dr+4BVdvxpCKE+StYri3joo//+8/pNPVWm5cxk8K0qBeOXL3nLhNdt/9Opt4DNi6RKId wRbY8mxN4w6/8miJQySyLDIhuIn5F6pBIgifHsu0gtNw7EkbhQ/XwPSkfjEXOHml8lkp KVSA==
X-Gm-Message-State: AOAM530bp4QZYPHFB9F6DfL6AZONli135StKnmuJhsDnyVefTVzUc+dA mG11cqgQDfySlVdgug5ni329/wi+AsLfqc9mohnMxg==
X-Google-Smtp-Source: ABdhPJy7jBO+0N0XPmhLyaw+uozTUV6Ei3yG0HVUtd44eBJp0DIIegLYiZCwhEX8eEhHhD1IX9kRdrc543gz/JRJ1So=
X-Received: by 2002:a05:6402:3c8:: with SMTP id t8mr3747199edw.266.1601393051117; Tue, 29 Sep 2020 08:24:11 -0700 (PDT)
MIME-Version: 1.0
References: <303E54F6-833A-4458-B3E6-DE90E7CA121B@juniper.net> <22341_1601052988_5F6E213C_22341_268_1_53C29892C857584299CBF5D05346208A48F82C17@OPEXCAUBM43.corporate.adroot.infra.ftgroup> <DEE76A95-339B-433C-BD46-AD0243F72FBE@juniper.net> <3366_1601300732_5F71E8FC_3366_6_3_53C29892C857584299CBF5D05346208A48F86028@OPEXCAUBM43.corporate.adroot.infra.ftgroup> <21B4E52C-38F4-4C94-985C-8C1DF88F4A92@juniper.net> <CAMMESsxG+ASdax1USizop-1bzYELcSdvND-f3RNEJ78zDUPrng@mail.gmail.com> <A9128F3D-948E-4F22-B000-7B470AFAC219@tix.at> <CAOj+MMESP=1EtTcuptE9xdyb+g36kDiD4sH6wSLezeZX74v2vw@mail.gmail.com> <BYAPR11MB32079E5730B9B170C1ADF7E1C0350@BYAPR11MB3207.namprd11.prod.outlook.com> <CAOj+MMFrFhwF1D=j1KS5wJXzc-ULEA6Ne-n296LYvit5fKUB+w@mail.gmail.com> <57A5696C-4AD1-46E3-85C8-21867D821A3D@juniper.net>
In-Reply-To: <57A5696C-4AD1-46E3-85C8-21867D821A3D@juniper.net>
From: Robert Raszuk <robert@raszuk.net>
Date: Tue, 29 Sep 2020 17:24:00 +0200
Message-ID: <CAOj+MMENOtZ2tEJYRUq8EXizJNZ75+r3YWFDp7yOBka_hgj-UA@mail.gmail.com>
To: John Scudder <jgs@juniper.net>
Cc: "Jakob Heitz (jheitz)" <jheitz@cisco.com>, Christoph Loibl <c@tix.at>, "idr@ietf. org" <idr@ietf.org>, "draft-ietf-idr-rfc5575bis@ietf.org" <draft-ietf-idr-rfc5575bis@ietf.org>, "bruno.decraene@orange.com" <bruno.decraene@orange.com>, Hares Susan <shares@ndzh.com>
Content-Type: multipart/alternative; boundary="000000000000f53e3a05b0755f4f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/kkX8RnMox8L-J5GYUSlyYi5emnQ>
Subject: Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis, worth fixing?
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Sep 2020 15:24:16 -0000
Hi John, I admit I have missed that change or even if I noticed it apparently I did not realize the magnitude and consequences this change brings. IMHO it would be a fine change for FSv2 however I am quite sceptical for rolling it into 5575bis. Many thx, R. On Tue, Sep 29, 2020 at 5:20 PM John Scudder <jgs@juniper.net> wrote: > Hi Robert, > > You are right that RFC 5575 is very clear about that decision: > > We define a "Flow Specification" NLRI type that may include several > components such as destination prefix, source prefix, protocol, > ports, etc. This NLRI is treated as an opaque bit string prefix by > BGP. Each bit string identifies a key to a database entry with which > a set of attributes can be associated. > > > It’s also true that rfc5575bis retracts it. Appendix B makes it clear this > wasn’t an accident: > > Section 1 <https://tools.ietf.org/html/draft-ietf-idr-rfc5575bis-26#section-1> introduces the Flow Specification NLRI. In [RFC5575 <https://tools.ietf.org/html/rfc5575>] > this NLRI was defined as an opaque-key in BGPs database. This > specification has removed all references to an opaque-key > property. BGP implementations are able to understand the NLRI > encoding. > > > I haven’t gone back to check, but given that this was made so explicit in > the draft, I’m going to suppose that it was discussed in the WG before the > WGLC concluded, so I’m not very excited to re-litigate it. > > I do think that it would be good to commence work on FSv2 soon, while we > still have this experience fresh in our minds. > > —John > > On Sep 29, 2020, at 2:57 AM, Robert Raszuk <robert@raszuk.net> wrote: > > > > Hi Jakob, > > > Flowspec does not AFAIK have any such NLRI... yet. > > I am not quite sure what are you trying to say above. > > Today in RFC5575 NLRI is clearly defined as a numeric value with a given > length. It was by design not parsable by BGP. The entire NLRI is a key. > > So updates and withdraws processing happens on the key as defined. > > Now if we start to parse that value (except maybe for validation which I > am also now pretty sceptical about) and dissecting part of that calling > some types to be a key and some not - at min IMHO we should use different > SAFI not to create complete deployment issues. > > Many thx, > R. > > > On Tue, Sep 29, 2020 at 1:23 AM Jakob Heitz (jheitz) <jheitz@cisco.com> > wrote: > >> Also to consider that in BGP, there are several examples of NLRI >> >> where the NLRI key is not the whole NLRI, starting with RFC 3107, >> >> where the label is not part of the key. >> >> >> >> A speaker that receives an update with an unknown NLRI does not >> >> know if that unknown NLRI servers to withdraw a (seemingly) >> >> different unknown NLRI, if the parts that are different are not >> >> key material. >> >> >> >> Therefore, a BGP speaker must always be able to completely >> >> parse and understand received NLRI. >> >> >> >> Flowspec does not AFAIK have any such NLRI... yet. >> >> >> >> Regards, >> >> Jakob. >> >> >> >> *From:* Idr <idr-bounces@ietf.org> *On Behalf Of *Robert Raszuk >> *Sent:* Monday, September 28, 2020 1:44 PM >> *To:* Christoph Loibl <c@tix.at> >> *Cc:* idr@ietf. org <idr@ietf.org>; draft-ietf-idr-rfc5575bis@ietf.org; >> John Scudder <jgs=40juniper.net@dmarc.ietf.org>; >> bruno.decraene@orange.com; Hares Susan <shares@ndzh.com> >> *Subject:* Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis, worth >> fixing? >> >> >> >> All, >> >> >> >> To me the real question is if we really should validate the content of >> NLRI or just make sure that NLRI boundaries meet BGP MP_REACH >> definition and treat NLRI values completely opaque to BGP (as per original >> RFC5575). >> >> >> >> If NLRI is really malformed resulting in MP_REACH attribute being >> malformed I do not see that much harm in session reset. >> >> >> >> But if we dive into each atomic type parsing of the NLRI value itself at >> each BGP speaker talking SAFI 133/134 I think this is going to be a mess. >> >> >> >> Best, >> >> R. >> >> >> >> >> >> >> >> On Mon, Sep 28, 2020 at 9:41 PM Christoph Loibl <c@tix.at> wrote: >> >> Hi, >> >> >> >> I do not really want to repeat the whole discussion here (seems that we >> are going in circles) if not needed. I think that we agreed that if the >> NLRI is malformed the only option is to reset (+send notification) the >> session (even if we consider rfc7606). And from draft-rfc5575bis it is >> clear that we are talking about a malformed NLRI: >> >> >> >> A NLRI value not encoded as specified specified here is considered >> >> malformed and error handling according to Section 10 is performed. >> >> >> >> -> I think that adding the small term that John suggested is sufficient. >> >> >> >> Cheers Christoph >> >> >> >> -- >> Christoph Loibl >> c@tix.at | CL8-RIPE | PGP-Key-ID: 0x4B2C0055 | http://www.nextlayer.at >> <https://urldefense.com/v3/__http://www.nextlayer.at__;!!NEt6yMaO-gk!X4eMxV72EsYddrA45y5RcVvdurOK06WI3jav90JT_G28wjdKzOfMHr3s65ZeQA$> >> >> >> >> >> >> >> >> On 28.09.2020, at 21:16, Alvaro Retana <aretana.ietf@gmail.com> wrote: >> >> >> >> [Explicitly adding Jeff to the To list.] >> >> >> >> Hi! >> >> >> >> During my AD review there was a discussion on the list about this point, >> and whether we could avoid resetting the session. Jeff presented some >> examples and, I think, made a very convincing case of why we really can’t: >> even if we can look at the length, we would still be guessing. >> >> >> >> I think this is one of the messages: >> https://mailarchive.ietf.org/arch/msg/idr/FHC-Vz26LZfam-o5Y-9-WSrEm2g/ >> <https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/idr/FHC-Vz26LZfam-o5Y-9-WSrEm2g/__;!!NEt6yMaO-gk!X4eMxV72EsYddrA45y5RcVvdurOK06WI3jav90JT_G28wjdKzOfMHr29g9EyWw$> >> >> >> >> >> Jeff: if you get a chance, please chime in. >> >> >> >> Thanks! >> >> >> >> Alvaro. >> >> >> >> On September 28, 2020 at 2:16:38 PM, John Scudder ( >> jgs=40juniper.net@dmarc.ietf.org) wrote: >> >> >> >> I think that is the right thing, too: FS uses T,V and not T,L,V for its >> component types, the lengths are implicit. So, if my parser encounters an >> unknown type code it is impossible for me to know how to skip over that >> type code. At that point, parsing breaks down. >> >> [Bruno] I had in mind the higher level of hierarchy: >> >> >> >> The NLRI field of the MP_REACH_NLRI and MP_UNREACH_NLRI is encoded as >> >> one or more 2-tuples of the form <length, NLRI value>. It consists >> >> of a 1- or 2-octet length field followed by a variable-length NLRI >> >> value. The length is expressed in octets. >> >> >> >> +-------------------------------+ >> >> | length (0xnn or 0xfnnn) | >> >> +-------------------------------+ >> >> | NLRI value (variable) | >> >> +-------------------------------+ >> >> >> >> Figure 1: Flow Specification NLRI for IPv4 >> >> >> >> At this level, assuming that the NLRI value is found semantically >> incorrect, it seems to me that one could: >> >> - Skip this NLRI (thanks to the ‘length’ field) and continue >> with the next NLRI >> >> - Read the ‘NLRI value’ as an opaque data, and treat this NLRI >> as withdraw. (In the context of the discussion, this NLRI would never had >> been accepted, so ‘treat-as-withdraw’ could even be replaced with >> ‘ignore’. But I’m _*not*_ calling for this). >> >> Hence it seems to me that treat-as-withdraw is technically possible. >> >> >> >> Fair enough. It’s a little unfortunate that the draft contains this >> ambiguity; in retrospect it would have been better to be explicit about the >> error-handling strategy chosen rather than simply referencing RFC 7606. >> Whether or not we want to respin the draft in order to clarify it, is a >> question for the WG. If we were to make a change, it could potentially be >> the addition of this sentence, in Section 10: >> >> >> >> Error handling according to [RFC7606 <https://urldefense.com/v3/__https://tools.ietf.org/html/rfc7606__;!!NEt6yMaO-gk!X4eMxV72EsYddrA45y5RcVvdurOK06WI3jav90JT_G28wjdKzOfMHr00REP3-Q$>] and [RFC4760 <https://urldefense.com/v3/__https://tools.ietf.org/html/rfc4760__;!!NEt6yMaO-gk!X4eMxV72EsYddrA45y5RcVvdurOK06WI3jav90JT_G28wjdKzOfMHr324tDOCw$>] applies to this >> >> specification. *Notably, an NLRI that is found to be semantically* >> >> *incorrect (for example due to an unknown component type) MUST be* >> >> *handled using the “treat-as-withdraw” strategy (which in this case,* >> >> *it** must be noted, works out to be the same as skipping over the NLRI).* >> >> >> >> >
- [Idr] Bug in draft-ietf-idr-rfc5575bis, worth fix… John Scudder
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… Alvaro Retana
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… Robert Raszuk
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… Robert Raszuk
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… John Scudder
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… John Scudder
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… Christoph Loibl
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… McPherson, Danny
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… Susan Hares
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… bruno.decraene
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… John Scudder
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… John Scudder
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… John Scudder
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… Robert Raszuk
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… Christoph Loibl
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… Susan Hares
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… Dongjie (Jimmy)
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… bruno.decraene
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… John Scudder
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… Alvaro Retana
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… Christoph Loibl
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… Robert Raszuk
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… Jakob Heitz (jheitz)
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… Robert Raszuk
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… bruno.decraene
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… bruno.decraene
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… John Scudder
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… Robert Raszuk
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… John Scudder
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… Jakob Heitz (jheitz)
- Re: [Idr] [BULK] [BULK] Bug in draft-ietf-idr-rfc… Christoph Loibl
- Re: [Idr] [BULK] [BULK] Bug in draft-ietf-idr-rfc… John Scudder
- Re: [Idr] [BULK] [BULK] Bug in draft-ietf-idr-rfc… Christoph Loibl
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… Dongjie (Jimmy)
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… Jakob Heitz (jheitz)
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… Robert Raszuk
- Re: [Idr] [BULK] [BULK] Bug in draft-ietf-idr-rfc… Susan Hares
- Re: [Idr] [BULK] [BULK] Bug in draft-ietf-idr-rfc… John Scudder
- Re: [Idr] [BULK] [BULK] Bug in draft-ietf-idr-rfc… Susan Hares
- Re: [Idr] [BULK] [BULK] [BULK] Bug in draft-ietf-… Christoph Loibl
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… Alvaro Retana
- Re: [Idr] Bug in draft-ietf-idr-rfc5575bis, worth… John Scudder
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… Jeffrey Haas
- Re: [Idr] [BULK] Bug in draft-ietf-idr-rfc5575bis… Jeffrey Haas