Re: [Idr] Can one Destination Address appear in both Tunnel Encap Attribute and in MP_REACH_NLRI ?

Keyur Patel <keyur@arrcus.com> Fri, 18 October 2019 00:30 UTC

Return-Path: <keyur@arrcus.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3091012003F; Thu, 17 Oct 2019 17:30:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=netorgft1331857.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MFmYz32FW1iJ; Thu, 17 Oct 2019 17:30:37 -0700 (PDT)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-eopbgr800042.outbound.protection.outlook.com [40.107.80.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D1C412085B; Thu, 17 Oct 2019 17:30:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RXa223Qiok5lePXq/9MWqgaCf2BJqd4Ha/GISssiTYHAkcj33+4vpvGm6W9SfsDtXhvuMVALd8wklhl8tMdVSexMKGRTNjs37ZuRwUC34bUcVMP/fGCjY8V7zRbda7HZohaFMQgcSU6u3WGiSoxNkAS8IWDfCwgi95n/YDh3xN7Z64HyXmNKvmxe+Ii//lbDhpwEjcD8QuzL/DQls+SLVBth15S3KkPkTsrjxa4GPGu9a1JPMsa0j4VMkDG13u9PxIAjvhECKnkW/xzZzs09r/sdRniMTuSxmz/kwKH1vcawF4wI+5B9wbzg26kOBAbzHB3UzpzuhZB6OpE2rM/cCQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Z13az3P5U6PRsud4y8TJwn7+NQNnwB/M9IeOmLRh3D4=; b=DaXmabgI3vs8KNgPGtIWzglp6D67DpRlWuCqBi9RM8/gf094ByDYJBHZGxIK9kfWUt0cqz1vdYDML4xSuE9DkWxoGy0fSgag/+HJKKlhBNWmCvzYBVCGNWhmIDfK7QYW3hL3Mxt2zYu47/Yxas6jAdzzriv+/JaHUG2YGXCKyW+MJARIPG2/784NMzrwXg1p4XMfUrgiLITjCRyynkcSyXXrAHdFPrtU3xJ6Wj7h1ywHX6Rc0TKAORwyFb81eJ4oNKHQiplAqAJYi+kjV4aqJ+tZynMKIdOjyepW1Qg52CAGQU3md25aLnhmw2JquLRoxBVyiNMivnx6lM7XhCsfrQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arrcus.com; dmarc=pass action=none header.from=arrcus.com; dkim=pass header.d=arrcus.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=NETORGFT1331857.onmicrosoft.com; s=selector2-NETORGFT1331857-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Z13az3P5U6PRsud4y8TJwn7+NQNnwB/M9IeOmLRh3D4=; b=Spx7n78G4XHaVb3e4/EOObvGfGv8xNU5AymwaULK05EIuu7LJwBFjikhKi1SWu3aM98p7q0An38lA/bEr3fYLjOlVR0rooH+TmY11H0/9nMz1dKWBKNsGBvKtKe/PFUAvSLf6sibxkL6gvR8QEktXSwf+Wnc6ovqIgbgBhYfcTc=
Received: from BYAPR18MB2856.namprd18.prod.outlook.com (20.179.59.30) by BYAPR18MB2646.namprd18.prod.outlook.com (20.179.94.158) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2347.22; Fri, 18 Oct 2019 00:30:28 +0000
Received: from BYAPR18MB2856.namprd18.prod.outlook.com ([fe80::6182:28f2:3566:d173]) by BYAPR18MB2856.namprd18.prod.outlook.com ([fe80::6182:28f2:3566:d173%3]) with mapi id 15.20.2347.024; Fri, 18 Oct 2019 00:30:27 +0000
From: Keyur Patel <keyur@arrcus.com>
To: "Rajiv Asati (rajiva)" <rajiva@cisco.com>, Robert Raszuk <robert@raszuk.net>, Ondrej Zajicek <santiago@crfreenet.org>
CC: "idr@ietf.org" <idr@ietf.org>, Linda Dunbar <linda.dunbar@futurewei.com>, Srihari Sangli <ssangli=40juniper.net@dmarc.ietf.org>, "draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@ietf.org>
Thread-Topic: [Idr] Can one Destination Address appear in both Tunnel Encap Attribute and in MP_REACH_NLRI ?
Thread-Index: AQHVhL8lFDuHxnzddkaD1lVXXD4SAKdeeoqAgAAEwoCAABL6AIAAECQAgADTL4D//6IMgA==
Date: Fri, 18 Oct 2019 00:30:27 +0000
Message-ID: <3FD4F2A8-F3F0-45ED-B6CB-B80B0FB4C4AB@arrcus.com>
References: <MN2PR13MB3582A1E1FE3441CDD54A101985950@MN2PR13MB3582.namprd13.prod.outlook.com> <78F7A474-6F86-4EA3-93A3-001B4E2C2116@juniper.net> <CAOj+MMGqKj=zKbws92ni1fL2O-So=dbcW-mb02uRnQ+G55xm_w@mail.gmail.com> <0B48E5E7-3A1F-45C0-ACF9-B9A0FA323ED4@juniper.net> <CAOj+MMHs91BoMpgrN2-qtMAgVtiUE_e2bm=BG=+xVnfU9-6Aaw@mail.gmail.com> <20191017093308.GB2427@feanor.crfreenet.org> <CAOj+MMFs=StpLvK1dZO+ChBUN5i2AYq+CrhHMfMxifpxqegwiw@mail.gmail.com> <2A6A8F0A-82B2-4016-9148-10B4FC75FC03@cisco.com>
In-Reply-To: <2A6A8F0A-82B2-4016-9148-10B4FC75FC03@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=keyur@arrcus.com;
x-originating-ip: [70.234.233.187]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4d5c2d20-6760-463a-4e89-08d753626013
x-ms-traffictypediagnostic: BYAPR18MB2646:
x-microsoft-antispam-prvs: <BYAPR18MB2646673F6C02A77D0F11A4E5C16C0@BYAPR18MB2646.namprd18.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 01949FE337
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(346002)(366004)(396003)(376002)(39830400003)(199004)(189003)(7736002)(316002)(110136005)(71200400001)(71190400001)(2906002)(6306002)(26005)(53546011)(102836004)(486006)(54906003)(6506007)(36756003)(33656002)(3846002)(6116002)(81156014)(66946007)(99286004)(256004)(229853002)(4326008)(8676002)(81166006)(66446008)(76116006)(64756008)(66556008)(66476007)(6512007)(6246003)(6486002)(6436002)(54896002)(236005)(9326002)(8936002)(14454004)(25786009)(66066001)(86362001)(476003)(446003)(11346002)(2616005)(186003)(76176011)(508600001)(5660300002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR18MB2646; H:BYAPR18MB2856.namprd18.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arrcus.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 5vnzWiOpFfan3wVedtmM4OmRiWKzuBOHDZyNpaAvfUQETb1h5/tSaa96mJ+Q0GwkQ3buQCXpvrdtH8uGa6imB1zkwxwGTVJSWOK0YnNGqsfnk4zwSjetF6DFvMQ4/oFFkbetm0E+XwPtVWjap+W8JNxzGZzLkCH0v3ya8FQ5hflICrK+BFRVXPU7TO+/TC80AebmejYj1puahlWZhAP/YzU+L7ejn3/NLnmib4RyBTBaedjNEaTsO83oBfsr2jHqXO3SCEvSvMVGFp2CDutu+tzaZuDUm8SCWqJqtjkhxevWyJ8++ye4lKWyk52vxS27uVdmKl+LKNJd4nazpk9AHfMY2Z2F6ZkvKRwJEbBvpD93506arhFvwnqx6T5Z/FcXv6HeFrFFi+n3XqNogDsb9NfTlFE/VYVitWXAwg7vFAw=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_3FD4F2A8F3F045EDB6CBB80B0FB4C4ABarrcuscom_"
MIME-Version: 1.0
X-OriginatorOrg: arrcus.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4d5c2d20-6760-463a-4e89-08d753626013
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Oct 2019 00:30:27.8303 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 697b3529-5c2b-40cf-a019-193eb78f6820
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: fPm+b6zb44JeD1mDBIfS3z/kZaUYICoqFK8tV0rdqSKfnb4c6kDM+cf9CQD43cG4P7+hlSLK4J4SVz+tNqcqLA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR18MB2646
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/oYIbfjfVtjiEWVQyGC8lLwetIM0>
Subject: Re: [Idr] Can one Destination Address appear in both Tunnel Encap Attribute and in MP_REACH_NLRI ?
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Oct 2019 00:30:41 -0000

Hi Rajiv,

Section 13 paragraph 5th states about performing origin validation on IP Address of Tunnel Endpoint to help avoid attack vectors your describing (in an event where the tunnel endpoint address is different than a nexthop across inter-as.

<snip>
Before sending a packet through the tunnel identified in a particular
   TLV of a Tunnel Encapsulation attribute, it may be advisable to use
   BGP Origin Validation to obtain the following additional assurances:

   o  the origin AS of the route carrying the Tunnel Encapsulation
      attribute is correct;

   o  the origin AS of the route to the IP address specified in the
      Tunnel Endpoint sub-TLV is correct, and is the same AS that is
      specified in the Tunnel Endpoint sub-TLV.
</snip>

Regards,
Keyur

From: "Rajiv Asati (rajiva)" <rajiva@cisco.com>
Date: Thursday, October 17, 2019 at 4:07 PM
To: Robert Raszuk <robert@raszuk.net>et>, Ondrej Zajicek <santiago@crfreenet.org>
Cc: "idr@ietf.org" <idr@ietf.org>rg>, Linda Dunbar <linda.dunbar@futurewei.com>om>, Srihari Sangli <ssangli=40juniper.net@dmarc.ietf.org>rg>, "draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@ietf.org>
Subject: Re: [Idr] Can one Destination Address appear in both Tunnel Encap Attribute and in MP_REACH_NLRI ?


One of the things that is strikingly problematic in allowing BGP NH and Tunnel Endpoint to be different is that it could be used as an attack vector (node A advertises a route with NH =A & tunnel endpoint = node B, so node B gets bombarded with unwanted traffic (in fact, node B may not even have any BGP, or not have a particular BGP route, or..).

This would be a big red flag for many of us.

--
Cheers,
Rajiv

PS: Now, what if node A uses two IPv6 addresses – one as the NH, and the other as the tunnel endpoint. That’s a legit case, one could argue.


From: Idr <idr-bounces@ietf.org> on behalf of "robert@raszuk.net" <robert@raszuk.net>
Date: Thursday, October 17, 2019 at 6:32 AM
To: Ondrej Zajicek <santiago@crfreenet.org>
Cc: "idr@ietf.org" <idr@ietf.org>rg>, Linda Dunbar <linda.dunbar@futurewei.com>om>, Srihari Sangli <ssangli=40juniper.net@dmarc.ietf.org>rg>, "draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@ietf.org>
Subject: Re: [Idr] Can one Destination Address appear in both Tunnel Encap Attribute and in MP_REACH_NLRI ?

Well indeed the draft is very underspecified in this space..

The fun starts when next hop from NLRI is unreachable while tunnel end point is. Does it mean that given path is not going to be considered for best path selection ?

And we can go further ... say bgp uses selective next hops and is set to only consider /24 and higher and NH from NLRI does not meet those criteria ... but tunnel endpoint is reachable over default route - what happens then ?

See what strikes me the most is the mandatory nature of endpoint TLV and no good description of various cases when NH in NLRI != Tunnel endpoint address. If there are equal tunnel endpoint may be optional.

Thx,
R.

On Thu, Oct 17, 2019 at 5:33 AM Ondrej Zajicek <santiago@crfreenet.org<mailto:santiago@crfreenet.org>> wrote:
On Thu, Oct 17, 2019 at 10:25:13AM +0200, Robert Raszuk wrote:
> Srihari,
>
> Can you comment on the expected BGP next hop validation behaviour ?
>
> Can you also comment on the next hop BGP is installing the prefixes to RIB
> with ?
>
> Is tunnel endpoint now the NH BGP is asking RIB to track ?

My impression of the draft is that handling of BGP NH and address from
Tunnel Encap attribute is different. BGP NH is tracked in RIB and
recursivery resolved, could be used to daisy-chain encapsulation in RIB
(section 7). In contrast, the address from the Tunnel attribute is just
passed to FIB as encapsulation action argument.

But it is true that this part of the draft is a bit blurry and would
definitely need more clear wording.

--
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org<mailto:santiago@crfreenet.org>)