Re: [Idr] [Responses for the comments during the IETF108] New Version Notification for draft-wang-idr-rd-orf-01.txt

Robert Raszuk <> Wed, 12 August 2020 09:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 603713A0F06 for <>; Wed, 12 Aug 2020 02:59:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ngWSbpCOC6_g for <>; Wed, 12 Aug 2020 02:59:49 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::632]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6A90A3A11C3 for <>; Wed, 12 Aug 2020 02:59:48 -0700 (PDT)
Received: by with SMTP id o23so1604606ejr.1 for <>; Wed, 12 Aug 2020 02:59:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EqEGJBuxro+FwzqyXeN7b66lI4kr3EmoUbntVdVIK/M=; b=OhUiwfAD4elgGFTE6PVLtoOGsHPpOR+dKajOqvp4Z9yrCWfCBw4HvcYJ+zVBBXSeQC sqWmtZuXJa9PXsxLUogCYKxfrJwZg4xbtQ3Xc973BxLCk98RgUqCWD27SzipVMaWPJTC X59RzfkyoJwsyWJKmTKJ4dukrL1W+yFts4zgq5oW7oWJtEMkJRDM3gHG1gGmLwF8isDB jr0x153AV86hhx7BjRvttFxFB29idjINIp+np8XDw8BvTxXPICbNxS8COd34xiExNfu2 JuTBtazOKd9E3y69WQxhXK6gHE22zgv1Kt2M64sPgDU12JlgSHEE7xg5ZXgZ2WLhHqMt D/uw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EqEGJBuxro+FwzqyXeN7b66lI4kr3EmoUbntVdVIK/M=; b=QEI5cQ2r5mCg9ZxF2lrwroNW9VdZ2FDuD0o1yaap03r3ADZ32+ZFXogzo/uMRL/pyB fOUYKchEuLS3pBxhe2wE1r578i/YlrXjYXpjpalF8/JiFbfrZDlwDTZY4lhWJ3roWS+O bTtTD7qChPEnrA4KEwg9SY2ORZdHle/dRbC5Pq2tlewZVc0nIITxruo6x/sxrh2Oo2jd MkY00tQBtef3m+sjKVQNb9thusBbThQNmNiKDjf3NXuhim0gfG7kjDzAbOIqQdK9aReB Ay8tPNjTyPzfQv4djLQH9J6a4AOLQQCIgTwWA8nvnHgppyZVTyg7skXsAfCPP3TEas/q nlww==
X-Gm-Message-State: AOAM530UN9ScRLI/VIHmsffbBLkdQmOWqTCmmE/Gw3wQSvA5NePhdv2n /qgI0mioQYthGUHXvHhcQKgaGFxdz3OBb4vgziqAiw==
X-Google-Smtp-Source: ABdhPJwgzhb0nqXr3r+USLf/whSdfevbuBdXq9fUHqC9LxpgmEjt83Xu/BjKo1gnUzBOeNAFZwkzOwhNkA7AvyTAuJI=
X-Received: by 2002:a17:906:2490:: with SMTP id e16mr29965090ejb.386.1597226386716; Wed, 12 Aug 2020 02:59:46 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <00ae01d66c58$de4da280$9ae8e780$> <> <> <> <> <> <009201d66eb9$cad23ff0$6076bfd0$> <> <003701d66ef7$6d79bac0$486d3040$> <> <00a501d67049$c455f720$4d01e560$>
In-Reply-To: <00a501d67049$c455f720$4d01e560$>
From: Robert Raszuk <>
Date: Wed, 12 Aug 2020 11:59:36 +0200
Message-ID: <>
To: Aijun Wang <>
Cc: Gyan Mishra <>, John E Drake <>, Keyur Patel <>, "UTTARO, JAMES" <>, idr <>,
Content-Type: multipart/alternative; boundary="0000000000006810a405acab3ffa"
Archived-At: <>
Subject: Re: [Idr] [Responses for the comments during the IETF108] New Version Notification for draft-wang-idr-rd-orf-01.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 12 Aug 2020 09:59:52 -0000


But, don’t’ you worry that if only one of the edge points being
> comprised/error-configured/attacked, then all of PEs within your domain are
> under risk?

First if one PE is compromised new RD can be created or routes injected
into global table completely destroying your entire network. No matter how
much protocol extensions we will define here if your network infrastructure
is attacked and the attack is successful you are over.

Now we keep telling you that any decent L3VPN or L2VPN implementation has
two completely different protections - shipping and successfully protecting
production networks:

Protection 1 - BGP prefix limit

Protection 2 - VRF limit

If you enable correctly those two checks you are pretty safe.

If not I recommend you offer CSC model and do not take any external routes
into your core infrastructure. Of course you can still carry routes for
your customers except that they will be distributed with no risk to your
core or PEs "over the top". PEs in this case *only* handle directly
connected next hops which I hops is pretty trivial to protect.

Many thx,