Re: [Idr] draft-djsmith-bgp-flowspec-oid-01.txt

Robert Raszuk <robert@raszuk.net> Wed, 16 May 2012 22:36 UTC

Message-ID: <4FB42BF2.7030108@raszuk.net>
Date: Thu, 17 May 2012 00:36:34 +0200
From: Robert Raszuk <robert@raszuk.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: Randy Bush <randy@psg.com>
References: <4FB40BC1.1070604@raszuk.net> <CBD9681C.253D5%keyupate@cisco.com> <m2bolnbw6k.wl%randy@psg.com>
In-Reply-To: <m2bolnbw6k.wl%randy@psg.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Keyur Patel <keyupate@cisco.com>, "idr@ietf.org List" <idr@ietf.org>
Subject: Re: [Idr] draft-djsmith-bgp-flowspec-oid-01.txt
Precedence: list
Reply-To: robert@raszuk.net

> you gotta love the ref to 5575 which essentially says you have no
> protection, abandon all hope ye who enter

For the record .. this is not what below quote says.

    No new security issues are introduced by relaxing the validation
    procedure for IBGP learned flow specifications. With this proposal,
    the security characteristics of BGP flow specifications remain
    equivalent to the existing security properties of BGP unicast
    routing.  Traffic flow specifications learned from IBGP peers are
    trusted, hence, its not required to validate that the originator of
    an intra-domain traffic flow specification matches the originator of
    the best-match unicast route for the flow destination prefix.
    Conversely, this proposal continues to enforce the validation
    procedure for EBGP learned traffic flow specifications. In this way,
    the security properties of RFC 5575 are maintained such that an EBGP
    peer cannot cause a denial-of-service attack by advertising an
    inter-domain flow specification for a destination prefix that it does
    not provide reachability information for.

Explanation:

The RFC says that for IBGP even with relaxed validation you get what you 
have today .. provided that you know how to protect your AS in the first 
place.

For EBGP the validation is in place and matching last AS as unicast 
route injector with flow spec is sufficient. The DDoS attack to a 
particular destination may have been detected just by your peer and it 
is WRONG to mandate full AS_PATH match.

That would mean that flow-spec filter would need to be injected by the 
target and would consume bandwith of all transit ASes in the AS_PATH. 
This is wrong.

I admit we did not consider RS @ IX when writing section 6.

R.

Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Keyur Patel
Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Robert Raszuk
Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Keyur Patel
[Idr] draft-djsmith-bgp-flowspec-oid-01.txt Randy Bush
Re: [Idr] draft-djsmith-bgp-flowspec-oid-01.txt Robert Raszuk
[Idr] Adoption of draft-djsmith-bgp-flowspec-oid-… John G. Scudder
Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Keyur Patel
Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Robert Raszuk
Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Randy Bush
Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… John G. Scudder
Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Henderickx, Wim (Wim)
Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Jeffrey Haas
Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Jeff Tantsura
Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Warren Kumari
Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… Shyam Sethuram (shsethur)
Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… bruno.decraene
Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… UTTARO, JAMES
Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… John G. Scudder
Re: [Idr] Adoption of draft-djsmith-bgp-flowspec-… David Smith (djsmith)