Re: [Idr] dear diary: well-known community vs new path attribute
Brian Dickson <brian.peter.dickson@gmail.com> Sat, 01 April 2017 20:56 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B9CF129693 for <idr@ietfa.amsl.com>; Sat, 1 Apr 2017 13:56:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S5T4F3cXntOU for <idr@ietfa.amsl.com>; Sat, 1 Apr 2017 13:56:13 -0700 (PDT)
Received: from mail-it0-x22b.google.com (mail-it0-x22b.google.com [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78678127077 for <idr@ietf.org>; Sat, 1 Apr 2017 13:56:11 -0700 (PDT)
Received: by mail-it0-x22b.google.com with SMTP id y18so27225541itc.1 for <idr@ietf.org>; Sat, 01 Apr 2017 13:56:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=S6WmCwNFywkKEPvdbVt/DjU+RKMew+pxey9NeUcxBWo=; b=NcbFXcRQxYB5TO4cziMvLKqoE/JH5F5GFn05o9Wx/W3g/rY2dbUyUtSztSGjpIn9g1 QaXjlueyn2ZbbZQqn/0tH2pYSJDt9AHyXRI4eWXYW2uY1b4Tv6azEIq6FaZLbfmCPT3L u39UkU/lodlvcXEeZnS0A2DYazHz6cTfl0iNUitmE02w57H/n5sa2s6y6S3EIu12Eg/s 2hVih6DIlAgLQomhse9mD+NrSPkNIzgHybFL4elxvgSZjENGNI9TjYXXKJNzf7JwbCq1 8WPvCSS4Paqs/TchDbfhxPGRBHArfN6JhtYzyvTpHVw0hI6bPPT9CTz6qEyGPy17xU7f FE9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=S6WmCwNFywkKEPvdbVt/DjU+RKMew+pxey9NeUcxBWo=; b=I2qHL4c6QXyAANBkSLgSN90CP9YajKfeslDXnyYjVN+pAcFtDgMl8Y4Gqiud6k/05g vEJCu2bm9XnS8AlAeK3FnrUctJHALs1vswlgnG7ULk2545Doq2SmlR53IjfDtBQ6EmFz MY7VtFRnOsImxq8wsnmdu+SdFKbrUpKnSw3flQj3VJjrf7aNVPXDP+FF5Exy3z6Iivbu j2sYePfVK7TAZVPMMM7041MDODOa247VmvlS3fGvFTsitrEQFZk1Vh4rOnZChW9W8hOy IRU5s8rf/PbZzQR7aPmsYkPw5Uedvq3RzEX12w7ZXzmyOyB2UNtgwLXsuCMI8ymZqmDE +GjQ==
X-Gm-Message-State: AFeK/H2hy5kACaBsCsXZdI+Hw4t3BrLe/Ibuh37ylhlRjyXAPJwEjYOs LIMmEeW7wUv8abkmxlYDlu/vwOAraiuI
X-Received: by 10.36.91.76 with SMTP id g73mr4057414itb.75.1491080170478; Sat, 01 Apr 2017 13:56:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.46.151 with HTTP; Sat, 1 Apr 2017 13:56:09 -0700 (PDT)
In-Reply-To: <20170401020136.ftbjliohoaznzqyx@dhcp-86cf.meeting.ietf.org>
References: <20170401020136.ftbjliohoaznzqyx@dhcp-86cf.meeting.ietf.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Sat, 01 Apr 2017 15:56:09 -0500
Message-ID: <CAH1iCioRzKouQuh_DqKQVMB=azFaWzZ-YKZT7Jo4UpNF23=gEQ@mail.gmail.com>
To: Job Snijders <job@ntt.net>
Cc: IETF IDR <idr@ietf.org>
Content-Type: multipart/alternative; boundary="001a1144ca76e4a4bb054c212714"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/omyR7TfntfvNhFPb-EV9dDVs3Hc>
Subject: Re: [Idr] dear diary: well-known community vs new path attribute
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Apr 2017 20:56:25 -0000
Hi, Job, Your message was very well written, well thought-out, and presents a good case for use of communities. I think it makes one or two assumptions that turn out to be incorrect. I will try to address a couple of issues, that I think need to be discussed. (Sorry, it is a long message.) First, a point of clarification - in Sri's presentation, the slide where he is discussing "community vs attribute", the context is ONLY for intra-AS, not inter-AS, usage. This is also in-scope for the "open" draft, which includes a non-transitive attribute (iOTC, internal only to customer), and probably more relevant in that discussion. (For that case, I would point out that they are not mutually exclusive, and for any AS already using communities, the impact of adding the Open and the iOTC attribute, would be classified as "belt and suspenders" - redundant methods of protection against accidental leaks. Second is the propagation characteristics of communities (1997 in particular), vs any new path attribute. It is unfortunately the case, that in at least one major vendor's implementation, propagation of communities is off by default. This means that even if a new well-known community were agreed upon, the usefulness of it would be extremely limited until every AS using firmware that does not propagate-by-default, has changed the configuration on every BGP neighbor to propagate communities. In contrast, the BGP protocol RFCs require optional transitive attributes which are not understood, to be propagated. If the rules for a particular new attribute also require the attribute to be propagated (regardless of the attributes value(s)), a new attribute would have global visibility as soon as it gets deployed by any ASN, and as it gained adoption, the usefulness of the attribute (based on the attribute values) would increase monotonically. The _Feature_X_ value IS in its propagation, NOT on its active use. This distinction is very important, and tips the equation in favor of attributes. Note also, this does NOT preclude the use of communities, even before the attribute is available in shipping code. It does mean that the usefulness is significantly restricted outside of the contiguous zone of bidirectional community usage. E.g. Does every ISP that accepts communities also send them, and if that is not the case, the community implementation would suffer. The presentation and current state of the I-D are not necessarily clear (and possibly not correct) on the intended behavior. I will be working with my co-authors to correct these problems. The correct rules for the attribute are as follows: - Session-level Role is used to control marking and detection rules applicable for that session. - Marking and detection is per-prefix. - Some details on interactions with other BGP mechanisms needs more work (I'll be working with my co-authors on that), such as atomic-aggregate. - Incremental deployment is a fundamental characteristic, and is intended to incrementally improve detection, without causing false positives if deployed consistently with actual neighbor roles - If a given neighbor does not support the Role attribute (during Open), the locally configured Role should still be used: - Since the inbound marking will not exist on the last hop, the locally configured Role should be used to apply an inbound marking as if the Role had been negotiated and the prefix marked by the neighbor accordingly - Inbound detection based on the Role should be done. - Of the four Role types, this unilateral Role setting (if not understood by a peer) will work correctly for three (peer, customer, transit) but not the fourth (complex) - Complex Role, and complex behavior requires successful negotiation with a peer that supports Role, and is also configured for complex - Complex is the one Role where marking is dependent on prefixes having existing markings, or local origination. - Complex - All marking is intended to be automatic, with no operator input other than Role setting towards neighbors - It may be the case that implementations provide a "safety-valve" during early deployments, to disable marking to handle situations where implementation errors are discovered - iBGP peers and confederation peers should probably be implemented to automatically have role Complex - Sensible defaults should be used to avoid creating the problem being solved. - Default Role, if any, should be Peer (or maybe Transit). - The combination of existing marking and outbound Role type must also prevent announcement or propagation of leaks - During ongoing WG discussion and revisions, the consensus on "must" might not be reached, in which case "should" is the minimum, with local policy override possible - Regardless of announcement, the received marking MUST NOT be modified, so that other parties are aware of the prefix's status - As long as a prefix is marked at some point as having been received from a peer or transit neighbor, it will be possible to detect that a leak has occurred by a receiving party whose neighbor is "peer" or "customer". - Two parties benefit in deploying the attribute immediately, by being protected against leaks of their announced routes by any direct or indirect mutual customer. - This happens even without coordination between the two parties. - Until very widely deployed, leaks will still be possible, however: - The scope of leaks will be reduced to the set of unmarked prefixes - Unmarked prefixes can only be heard from ISPs who don't mark, or from their customer cone(s) - At that point, the feedback mechanism provides strong incentive to mark - The bigger an ISP is, the more impact to a leak beneath them there is, and the more incentive there is to mark - The set of ISPs who don't mark could be significantly reduced if/when individual IXPs adopt policies that require marking - ISPs who require peers and customers to mark would also have significant impact on potential sources - Early deployment by large ISPs (preferably Tier-1) would directly benefit themselves, and impact the cone of leak-resistant networks. - There is benefit even to leaf networks, in protecting themselves from leaks heard from transit providers - Suppose a leaf network has providers A and B - Suppose a leak is propagated by B, but not by A - Suppose B only has one path to the leaked prefix(es) and elects to propagate a known leak - By filtering out (automatically) prefixes from B that are leaks: - The leaf network can send traffic to those prefixes via A - The path through A is highly likely to not be adversely affected by traffic following the leak - This is still per-prefix behavior The incremental deployment does require setting the Role without the benefit of negotiation. In the case of correctly applied Roles, the automated per-prefix marking and detection works. The marking controls the internal propagation behavior to prevent leak origination, and depending on existing markings, may prevent leak propagation. Similarly, detection may allow inbound detection of leaks or propagated leaks, making filtering possible. Unilateral Role-setting (and "proxy" marking) allows gap-filling in late-deployment scenarios. Here are the behaviors of unilateral role setting, at different stages of partial deployment: - Suppose only one AS, X, does not participate - All of X's neighbors do participate - Every prefix propagated through X will be marked, including with values that correspond to the receiver's configured Role assignment of X - If all the Role assignments toward X are correct, then: - Leaks propagated and not blocked by X (which would have been blocked, if X implemented) will be blocked by every neighbor of X upon receipt (modulo local policy on the recipient) - Leaks by X will be detected and blocked (modulo local policy) - If a Role assignment toward X is wrong: - X is transit, configured as customer - Sender sends all routes, leak toward X; X may filter (no impact), otherwise everyone is impacted incl. sender's transits and peer s - X sends all routes, recipient leaks all routes - X, X's peers/transits, and recipient are all impacted - X is peer, configured as customer - Sender sends all routes, leaks; impact is sender's upstreams - X sends X's customer's routes, recipient leaks to peers/transits - X and recipient + upstreams affected - X is transit, configured as peer - Sender sends only customer prefixes - correct behavior - X sends all routes, sent only to customers - correct behavior, except X's transit's prefixes are blocked - X is peer, configured as transit - Sender sends only customer prefixes - correct behavior - X sends only customer routes, sent only to customers - correct behavior - X is customer, configured as transit - Sender sends only customer prefixes - subset of expected prefixes - only X is impacted - X sends only customer prefixes - not sent to peers/transit, only X is impacted - X is customer, configured as peer - Sender sends only customer prefixes - subset of expected prefixes - only X is impacted - X sends only customer prefixes - not sent to peers/transit, only X is impacted - Suppose every AS that does not participate, has only neighbors that do participate - The same situation occurs as in the "only one AS does not participate": - A leak has to originate somewhere - If the leak originates on a non-participant, it gets detected and block by all its neighbors, unless the unilateral Role of the non-participant is incorrect on the receiver side - Role error on the sender side, would be an instance of "leak originates on a participant", below - Leaked non-local prefixes which are first correctly marked by a participant, and leaked by the non-participant: - Transit leaked to transit-marked-as-transit: sent only to customers, impact is leaker and its upstreams, and customers - Transit leaked to peer-marked-as-transit: same - Peer leaked to transit-marked-as-transit: same - Peer leaked to peer-marked-as-transit: same - Transit leaked to transit-marked-as-peer: same - Peer leaked to peer-marked-as-transit: same - In all cases, impacts are to non-participant, and to participant making error in manual Role setting - If the leak originates on a participant, it means there was a Role mismatch between that participant, and a non-participant - Marking a customer as a peer or provider fails "safe" - only customer routes are received, and get blocked towards peers or providers - Marking a peer or provider as a customer, results in the following: - Previously unmarked prefixes (local to the Peer or Provider) get marked as "customer"; only the Peer or Provider itself is affected - Prefixes marked by the non-participant's neighbors get marked, then detection rules apply: - non-participant's peer/provider routes are detected as leaks, and are blocked (modulo local policy) - non-participant's customers' routes are not considered leaks; only non-participant is affected - Note that all of the failures (in the singleton contiguous non-implementer topologies) are induced by errors in Role setting, and possibly a combination of Role error and leakage. - This provides incremental incentive to request peers to implement and configure their Role - The recommended method is to keep any existing measures in place to prevent leaking, and identify marking errors seen inbound - One all Roles are set correctly, no further leaks can occur if all neighbors' neighbors either implement or have their Roles set correctly. I realize that a lot of this needs to go in the document(s), but I hope I have at least indicated that this has had some thought given to it, and that I don't yet see situations where this makes anything worse, and in most cases offers benefit even at relatively sparse deployment. Brian On Fri, Mar 31, 2017 at 9:01 PM, Job Snijders <job@ntt.net> wrote: > Dear colleagues, > > In today's IDR session (thank you for the orderly meeting, chairs & > secretary!) the topic of 'well-known BGP community vs BGP Path > attribute' came up, in context of having a marker to signify or signal a > route's audience [Sriram] https://datatracker.ietf.org/ > meeting/98/agenda/idr/ > > I've come to the conclusion that we have no choice other then to use a > well-known communities for boolean functions like the ones currently on > the table. > > There are a number of significant advantages to using communities, that > in my opinion outweigh the perceived benefit of introducing a new path > attribute. This is asserted from a deployment process and adoption rate > perspective. Throughout this email I'll refer to the _function_ of the > path attribute/community as "feature X". Most reasons relate to > "accelerated" deployment rates. With "accelerated" I'm referring to a > 2-3 year timescale rather then 8+ years. I'll share my analysis below. > > We have to assume that there are many networks which might (from this > moment on) _never_ upgrade their software to the required newer software > to support feature X natively. There are a number of reasons why a > network might never receive the necessary software upgrades: the network > choose to continue using devices well after the End-of-Sale/Support/Life > date for economic reasons. Some networks use hardware longer then the > vendor intended, sometimes because the operator disagreed with the > vendor's view on longevity. Like some of you, I've travelled to regions > of the world where a good router, is a router without bullet holes in > it, in such cases you'll have to make things work with whatever was > loaded on there. In other cases, the vendor simply has gone bankrupt, > and the network has to make do with what is available on their sparing > shelves until the hardware is fully amortised. > > With the above in mind, I'd argue that for many BGP features it is > entirely acceptable to state "upgrade your software and receive awesome > feature Y!". But in the instance of routing security, one might need to > salvage as much as one can in existing deployments, for altruistic > reasons. > > I think it is fair to assume that in all cases, the BGP speakers will > support RFC 1997 BGP Communities. We can also assume that the device > supports neighbor-specific routing policy options to (at the very least) > match, and subsequently deny or permit based on the RFC 1997 community. > > Another interesting (perhaps underappreciated) angle is that there are > both open source and commercial ancillary configuration management > systems on the market, which will happily manage devices which were not > upgraded to support Feature X natively. When vendor B doesn't want to > implement native support for Feature X, perhaps the ancillary third > market will support Feature X on vendor B. > > A number considerations apply for well-known BGP communities in context > of route leak prevention: > > - on day 0, there will be no routes tagged with the well-known > community, likewise on day 365, there will be a small number of routes > tagged with the well-known community. > > - throughout the lifetime of feature X, the tagged routs are likely > to be outnumbered by the untagged routes, in all contexts. > > - ideally feature X can be deployed incrementally within an AS, so it > should _add_ an extra layer of protection, rather then replace or > hotswap an existing protection function. > > - RFC 1997 communities are transitive, so Feature X must at the very > least not be significantly hindered by the transivity, and in an ideal > case actually benefit from the transivity property. Enforcing > non-transivity through a RFC 2119-style "When received on EBGP, MUST > delete" is also acceptable. Operators can manually emulate the > non-transivity, and wait for software upgrades to do it for them. > > - the presence of a well-known community on one route, cannot, and > should not be superimposed to other routes received through the same > BGP session. In a more general sense, a well-known community on one > route cannot act as a semaphore for the entire session. I am not aware > of any implementations which allow to match/act on one route and > perform congruent manipulation of properties on a different route. > > - When the well-known community for Feature X is present (aka 'true'), > we can assume feature X for the route was enabled intentionally, > however, in the case where it is absent, we're dealing with either an > 'unknown' or 'false'. The deny/accept logic we expect to be present > either through manual manipulation or through > > We also might be able to assume that networks looking to implement > Feature X, will do so out of their own volition, sufficiently motivated > to do so correctly. (Even though they are implementing the feature > manually!) Likewise, there will be a significant number of networks > which will not hear about Feature X for the foreseeable future, and only > receive the feature through software upgrades. In other words: network > operators whom are ignorant of Feature X until they read Release notes, > could be considered harmless. Furthermore, networks which are well > intended, might be in a position to recitfy erroneous use of the > well-known community for feature X when received across EBGP sessions. > > >From my own deployment perspective, when using a BGP Community, > (disclaimer: merely stating options!) I can start deploying _right_now_, > _network-wide_ (meanwhile waiting for software upgrades to slowly start > catching up and replace my manual implementation). More importantly, I > can deploy in a heterogeneous environment where the timelines for policy > deployment and software deployment are not aligned, or with parts of the > network not even expected to receive the required software upgrade for > native support. > > We haven't seen a standards track well-known community in a while, but > I'd be supportive of a well-known community RFC which demands rigorous > discipline related to the transivity, semantics, and would provide > configuration examples for those who cannot (yet) use Feature X > natively, with an agreed upon upgrade path to native support for > feature X. > > As long as the benefits of using Feature X are 'egocentric' (aka > "deploying this concept helps me, and I don't need others to cooperate > with me"), and misuse of Feature X through the well-known community is > either merely self-inflicted pain, or harmless, we'll be fine. > > Since Feature X is positioned in context of routing security, something > we'd probably like to see broad adoption on, I'd argue that the lowest > common denominator should be used: well-known BGP communities. > > Kind regards, > > Job > > _______________________________________________ > Idr mailing list > Idr@ietf.org > https://www.ietf.org/mailman/listinfo/idr >
- [Idr] dear diary: well-known community vs new pat… Job Snijders
- Re: [Idr] dear diary: well-known community vs new… Robert Raszuk
- Re: [Idr] dear diary: well-known community vs new… Job Snijders
- Re: [Idr] dear diary: well-known community vs new… Brian Dickson