Re: [Idr] AD Review of draft-ietf-idr-bgp-extended-messages-20

"Alvaro Retana (aretana)" <> Tue, 07 March 2017 22:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C5E711295FA; Tue, 7 Mar 2017 14:08:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tejGEnnmcy_R; Tue, 7 Mar 2017 14:08:00 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2BEA2129473; Tue, 7 Mar 2017 14:08:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=7164; q=dns/txt; s=iport; t=1488924480; x=1490134080; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=GDK65SOfzx7dW5cdTuU8XepgbQ5GaEOc+K6p38crkxA=; b=SteacQQoaQ1wKPpHWf8EWHVascCI9gb8BlDTu1MgKcf/ziA+69pfHeNf +fdyRaArP6pbh8tvC+P1g/7K2oWw1GHohaatD3FkIrTCG3dCSsHh/ETux Ja24yYnY3nhEDrvb6JnoBzVl0I1xpq3kpb0rjRxFITZNMoo/gI60+O4w3 U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.36,260,1486425600"; d="scan'208";a="206999108"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-SHA; 07 Mar 2017 22:07:59 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id v27M7xkX023806 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 7 Mar 2017 22:07:59 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 7 Mar 2017 16:07:58 -0600
Received: from ([]) by ([]) with mapi id 15.00.1210.000; Tue, 7 Mar 2017 16:07:58 -0600
From: "Alvaro Retana (aretana)" <>
To: Randy Bush <>
Thread-Topic: AD Review of draft-ietf-idr-bgp-extended-messages-20
Thread-Index: AQHSjglrFbHoeYS2WUyxb/MV1DegzqGGUcQAgAPBewA=
Date: Tue, 07 Mar 2017 22:07:58 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/f.1f.0.170216
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Cc: "" <>, "" <>, Susan Hares <>, "" <>
Subject: Re: [Idr] AD Review of draft-ietf-idr-bgp-extended-messages-20
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Inter-Domain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 07 Mar 2017 22:08:03 -0000

On 3/5/17, 2:46 AM, "Randy Bush" <> wrote:



I have some in-line comments.  Thanks for the updated document.


> > M2.1.  Even with John’s explanation, I find myself thinking that this
> > specification could result in some sloppy implementations: if I need
> > to account for receiving unexpected Extended Messages in my code, then
> > maybe I won’t worry too much about controlling what to send to my
> > peers – specially in cases where it would be easy to just replicate an
> > UPDATE (like in a peer-group) and not worry about possible exceptions.
> > I know that we can’t avoid bad implementations, no matter what text is
> > added – but I think that recognizing the threat (maybe in the Security
> > Considerations section) of someone receiving an Extended Message when
> > they don’t support it would be good.  I know that there’s text in the
> > document already which talks about what to do if the receiver doesn’t
> > support Extended Messages – I’m just worried about potential issues
> > with memory allocation if the receiver was not ready…
> in the absense of an AD with the guts to let me tear that out, i'll put
> a note in sec cons. :)


Personally, I don’t like this path of accepting anything that you didn’t negotiate.  However, I have to assume that, by the time the Chairs request the publication of a document, there is already consensus in the WG – in this case, the Shepherd’s write-up says that there is “strong consensus” [1].  From your answers and the text below, I think you and I would both have been in the rough on this consensus call.


>    Section 5 allowed a receiver to accept an extended message even
>    though they had not advertised the capability.  This slippery slope
>    will surely lead to sloppy implementations sending extended messages
>    when the receiver is not prepared to deal with them, e.g. to peer
>    groups.  At best, this will result in erroes; at worst, buffer
>    overflows.

This text raises the obvious question of: why even do this if it may be so bad?

The text should reflect the WG consensus – not your personal opinion (or mine, for that matter).  Please reword to be more objective.

> 6.  Changes to RFC4271
>    [RFC4271] states "The value of the Length field MUST always be at
>    least > 19 and no greater than 4096."  This document changes the
>    latter number to 65535 for UPDATE messages.
>    [RFC4271] Sec 6.1, specifies raising an error if the length of a
>    message is over 4096 octets.  For UPDATE messages, iff the receiver
>    has advertised the capability to receive extended messages, this
>    document raises that limit to 65535.

This last paragraph is not completely true because of Section 4.

> > M7. What about transition/migration/partial deployment?  What should
> > the behavior be if, for example, an Extended Message UPDATE is
> > received from a peer, but can’t be propagated to others because they
> > don’t support Extended Messages
> if they do not support extended messages, then they can not be bgpsec
> speakers.  so the whole bgpsec path stripping applies and the message
> becomes short.
> > There should be some guidance for the general case (i.e. when the
> > total size is >4k due simply to the total amount of information, and
> > not because a single attribute, for example, is really big)
> how about "do not do this?"
> i believe you have entered a twisty maze in which all rooms do not have
> path(s) to the exit.
> 4.  Operation
>    A BGP announcement will, in the normal case, propagate throughout the
>    BGP speaking Internet; and there will undoubtedly be BGP speakers
>    which do not have the Extended Message capability.  Therefore putting
>    an attribute which can not be decomposed to 4096 octets or less in an
>    Extended Message is a sure path to routing failure.

If this text is in the document, then you’re basically saying that you shouldn’t deploy anything that could need more than 4k because it is a “sure path to routing failure”.  Again, please reflect WG consensus…

What I was really hoping for was something like what you wrote above about BGPSec: if a 4k-neighbor is encountered, then just revert to “normal operation”.  I’m not asking you to put that text in this document, mostly because there might not be “normal operation” for something new in the future (like there is for BGPSec).  So, what am I asking for?  Two things:

- guidance of what to do if the “normal operation” of adding attributes results in >4k.  Maybe “treat as withdraw” would be appropriate…

- some text saying that if a future extension knows it needs more than 4k (like BGPSec does), then it MUST include some text about what to do.  IOW, you can’t solve the future case now, let them solve it later.

BTW, it looks like you may have overlooked these other questions: “What should the default be for this extension?  Should it be enabled by default or not?”