Re: [Idr] draft-djsmith-bgp-flowspec-oid-01.txt
Robert Raszuk <robert@raszuk.net> Wed, 16 May 2012 22:36 UTC
Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB8A411E8073 for <idr@ietfa.amsl.com>; Wed, 16 May 2012 15:36:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.517
X-Spam-Level:
X-Spam-Status: No, score=-2.517 tagged_above=-999 required=5 tests=[AWL=0.082, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wKJQbjCNzeCN for <idr@ietfa.amsl.com>; Wed, 16 May 2012 15:36:33 -0700 (PDT)
Received: from mail1310.opentransfer.com (mail1310.opentransfer.com [76.162.254.103]) by ietfa.amsl.com (Postfix) with ESMTP id 072B011E8081 for <idr@ietf.org>; Wed, 16 May 2012 15:36:33 -0700 (PDT)
Received: (qmail 15496 invoked by uid 399); 16 May 2012 22:36:32 -0000
Received: from unknown (HELO ?192.168.1.58?) (pbs:robert@raszuk.net@83.31.240.29) by mail1310.opentransfer.com with ESMTPM; 16 May 2012 22:36:32 -0000
X-Originating-IP: 83.31.240.29
Message-ID: <4FB42BF2.7030108@raszuk.net>
Date: Thu, 17 May 2012 00:36:34 +0200
From: Robert Raszuk <robert@raszuk.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: Randy Bush <randy@psg.com>
References: <4FB40BC1.1070604@raszuk.net> <CBD9681C.253D5%keyupate@cisco.com> <m2bolnbw6k.wl%randy@psg.com>
In-Reply-To: <m2bolnbw6k.wl%randy@psg.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Keyur Patel <keyupate@cisco.com>, "idr@ietf.org List" <idr@ietf.org>
Subject: Re: [Idr] draft-djsmith-bgp-flowspec-oid-01.txt
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: robert@raszuk.net
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 May 2012 22:36:33 -0000
> you gotta love the ref to 5575 which essentially says you have no > protection, abandon all hope ye who enter For the record .. this is not what below quote says. No new security issues are introduced by relaxing the validation procedure for IBGP learned flow specifications. With this proposal, the security characteristics of BGP flow specifications remain equivalent to the existing security properties of BGP unicast routing. Traffic flow specifications learned from IBGP peers are trusted, hence, its not required to validate that the originator of an intra-domain traffic flow specification matches the originator of the best-match unicast route for the flow destination prefix. Conversely, this proposal continues to enforce the validation procedure for EBGP learned traffic flow specifications. In this way, the security properties of RFC 5575 are maintained such that an EBGP peer cannot cause a denial-of-service attack by advertising an inter-domain flow specification for a destination prefix that it does not provide reachability information for. Explanation: The RFC says that for IBGP even with relaxed validation you get what you have today .. provided that you know how to protect your AS in the first place. For EBGP the validation is in place and matching last AS as unicast route injector with flow spec is sufficient. The DDoS attack to a particular destination may have been detected just by your peer and it is WRONG to mandate full AS_PATH match. That would mean that flow-spec filter would need to be injected by the target and would consume bandwith of all transit ASes in the AS_PATH. This is wrong. I admit we did not consider RS @ IX when writing section 6. R.
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Keyur Patel
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Robert Raszuk
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Keyur Patel
- [Idr] draft-djsmith-bgp-flowspec-oid-01.txt Randy Bush
- Re: [Idr] draft-djsmith-bgp-flowspec-oid-01.txt Robert Raszuk
- [Idr] Adoption of draft-djsmith-bgp-flowspec-oid-… John G. Scudder
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Keyur Patel
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Robert Raszuk
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Randy Bush
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… John G. Scudder
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Henderickx, Wim (Wim)
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Jeffrey Haas
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Jeff Tantsura
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Warren Kumari
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Shyam Sethuram (shsethur)
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… bruno.decraene
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… UTTARO, JAMES
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… John G. Scudder
- Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… David Smith (djsmith)