Re: [Idr] [Responses for the comments during the IETF108] New Version Notification for draft-wang-idr-rd-orf-01.txt

Robert Raszuk <robert@raszuk.net> Wed, 12 August 2020 09:59 UTC

References: <CABNhwV0upBRPwMmjV86ZOb1HObtugY5TQ5AdTt=tzv6mS=EzJg@mail.gmail.com> <2FFFEB16-DAAC-4E8A-AD24-7880A091F46E@tsinghua.org.cn> <CABNhwV0C9tmPre4KeRe+p5F2Wokjdb46M5UnC0LjRxwXue6ccw@mail.gmail.com> <CAOj+MME=-sC30LSEi9sdMZAwN-iWi-ATR7oT0n_4KeG5-o98ZQ@mail.gmail.com> <00ae01d66c58$de4da280$9ae8e780$@tsinghua.org.cn> <CAOj+MMH47cvi4YZCrgb_tDt6ttaL7M9_TS6fdFAX6GvFxs6LGA@mail.gmail.com> <DM5PR05MB3388C9D4EC80F129F67D6934C7490@DM5PR05MB3388.namprd05.prod.outlook.com> <CABNhwV0x2Nscniw0=pdUBinWmstv8MyyqKVy9evKnSNG2zeL6Q@mail.gmail.com> <67ef32c7d3aa43419382f9398ce1dc69@att.com> <CABNhwV2iTr6P7OwDYk5oLVfrA7Zt-j3WtHSdLF4T6gHoZJ3V1g@mail.gmail.com> <009201d66eb9$cad23ff0$6076bfd0$@tsinghua.org.cn> <CAOj+MMEufX1fjFk_R19=t2P7+49oJtYQH2rVB95U70KqxLwgqg@mail.gmail.com> <003701d66ef7$6d79bac0$486d3040$@tsinghua.org.cn> <CABNhwV1m-nZScygo11m7AG6P45X6r42TY28X4yv6wr_Cc-ruqw@mail.gmail.com> <00a501d67049$c455f720$4d01e560$@tsinghua.org.cn>
In-Reply-To: <00a501d67049$c455f720$4d01e560$@tsinghua.org.cn>
From: Robert Raszuk <robert@raszuk.net>
Date: Wed, 12 Aug 2020 11:59:36 +0200
Message-ID: <CAOj+MMHOQr_w7B3V5ZHdAs4zCnGtF48UULa1qaOV-jPxHAUvxg@mail.gmail.com>
To: Aijun Wang <wangaijun@tsinghua.org.cn>
Cc: Gyan Mishra <hayabusagsm@gmail.com>, John E Drake <jdrake=40juniper.net@dmarc.ietf.org>, Keyur Patel <keyur@arrcus.com>, "UTTARO, JAMES" <ju1738@att.com>, idr <idr@ietf.org>, wangw36@chinatelecom.cn
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/mGzthb6IoXTo7RBDMULyXnKCiC4>

Aijun,

> But, don't you worry that if only one of the edge points is
> compromised/misconfigured/attacked, then all of the PEs within your domain are
> under risk?

First, if one PE is compromised, new RDs can be created or routes injected
into the global table, completely destroying your entire network. No matter how
many protocol extensions we define here, if your network infrastructure
is attacked and the attack is successful, it is over.

Now, as we keep telling you, any decent L3VPN or L2VPN implementation has
two completely different protections, both shipping and successfully protecting
production networks:

Protection 1 - BGP prefix limit

Protection 2 - VRF limit

If you enable those two checks correctly, you are pretty safe.

If not, I recommend you offer the CSC model and do not take any external routes
into your core infrastructure. Of course you can still carry routes for
your customers, except that they will be distributed "over the top" with no
risk to your core or PEs. PEs in this case *only* handle directly
connected next hops, which I hope is pretty trivial to protect.

Many thx,
R.
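The two safeguards named in the reply above, per-neighbour BGP prefix limit and per-VRF route limit, are easy to conflate, so here is an added toy model of how they interact. It is not router code, not Robert's, and not part of the original thread; the PE/VRF/peer names (`PE`, `CUST-A`, `ce1`..`ce3`) and the outcome strings are hypothetical, and the sample announcements are constructed. Real implementations add warning thresholds, restart timers and per-address-family knobs that are deliberately left out here so the two mechanisms stay visible.

```python
"""Added example: toy model of the two PE-side safeguards from the reply above
(Protection 1: per-neighbour BGP prefix limit; Protection 2: per-VRF route limit).
Not router code and not from the original thread; names are hypothetical."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    vrf: str
    max_prefix: int                      # Protection 1: per-neighbour prefix limit
    accepted: set = field(default_factory=set)
    up: bool = True


@dataclass
class Vrf:
    name: str
    max_routes: int                      # Protection 2: per-VRF route limit
    rib: dict = field(default_factory=dict)   # prefix -> contributing peer


class PE:
    """Minimal PE that only tracks route counts, not best-path selection."""

    def __init__(self):
        self.peers = {}
        self.vrfs = {}

    def add_vrf(self, name, max_routes):
        self.vrfs[name] = Vrf(name, max_routes)

    def add_peer(self, name, vrf, max_prefix):
        self.peers[name] = Peer(name, vrf, max_prefix)

    def receive(self, peer_name, prefix):
        """Process one announced prefix from a CE peer and report the outcome."""
        peer = self.peers[peer_name]
        if not peer.up:
            return "dropped:session-down"
        vrf = self.vrfs[peer.vrf]

        # Protection 1: a single peer exceeding its limit loses its session,
        # and every route it contributed is withdrawn from the VRF.
        if prefix not in peer.accepted and len(peer.accepted) >= peer.max_prefix:
            for p in peer.accepted:
                vrf.rib.pop(p, None)
            peer.accepted.clear()
            peer.up = False
            return "teardown:max-prefix"

        # Protection 2: the VRF as a whole has a budget, so several peers that
        # each stay under their own limit still cannot exhaust PE memory.
        if prefix not in vrf.rib and len(vrf.rib) >= vrf.max_routes:
            return "rejected:vrf-limit"

        peer.accepted.add(prefix)
        vrf.rib[prefix] = peer_name
        return "accepted"


def build_pe():
    """Constructed topology: one VRF with three CE peers (hypothetical names)."""
    pe = PE()
    pe.add_vrf("CUST-A", max_routes=1000)
    for ce in ("ce1", "ce2", "ce3"):
        pe.add_peer(ce, vrf="CUST-A", max_prefix=500)
    return pe


def flood(pe, peer_name, count, base):
    """Announce `count` constructed /32s from one peer; return outcome tallies."""
    outcomes = Counter()
    for i in range(count):
        prefix = f"10.{base}.{i >> 8}.{i & 255}/32"
        outcomes[pe.receive(peer_name, prefix)] += 1
    return outcomes


if __name__ == "__main__":
    # A misbehaving or compromised CE floods 600 routes: session torn down at 500.
    pe = build_pe()
    print("ce1 flood:", dict(flood(pe, "ce1", 600, base=1)))
    # Three CEs each under their own limit: the VRF cap stops the third.
    pe = build_pe()
    for n, ce in enumerate(("ce1", "ce2", "ce3"), start=1):
        print(f"{ce}:", dict(flood(pe, ce, 400, base=n)))
```

The two scenarios show why both knobs are needed: the per-neighbour limit alone does nothing against several peers that each stay just under it, and the VRF limit alone lets one noisy peer fill the VRF and starve the others. In the model a peer that trips its prefix limit also has its routes withdrawn, which is the usual effect of a session reset.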