IETF Logo Mail Archive

[Idr] Re: [Core] draft-haas-idr-bgp-attribute-escape-04 - WG Adoption call (6/2 to 6/16/2026).

Robert Raszuk <robert@raszuk.net> Wed, 10 June 2026 18:03 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: idr@mail2.ietf.org
Delivered-To: idr@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 8DDBEFEDC168 for <idr@mail2.ietf.org>; Wed, 10 Jun 2026 11:03:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1781114636; bh=4LMUFqSChiblGr3jnlr6cb+vKC9y+5j7bkADtYy0gh8=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=IK2N27aYvw5ibnHH+T5Q3H1mvi1y+3MGKhCLf9Lh1ocnwX6lbg0mk9gabVmqQT/fW siDuOc2ATrnjgKQXNM7KkthFqeQo4vFo2vWAz79Xij6wgpJBRYFgK6DWJj/K2OPUBX PNgKOg+/ne5TI9NuVdgzNAPrGk8TAH0pduVVZcMM=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TC1vwNaX3jeA for <idr@mail2.ietf.org>; Wed, 10 Jun 2026 11:03:55 -0700 (PDT)
Received: from mail-vk1-xa2a.google.com (mail-vk1-xa2a.google.com [IPv6:2607:f8b0:4864:20::a2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 579E0FEDC144 for <idr@ietf.org>; Wed, 10 Jun 2026 11:03:55 -0700 (PDT)
Received: by mail-vk1-xa2a.google.com with SMTP id 71dfb90a1353d-59f967189e7so2174994e0c.0 for <idr@ietf.org>; Wed, 10 Jun 2026 11:03:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1781114635; cv=none; d=google.com; s=arc-20240605; b=SIMd+HeWGqCpM/viOWo5URiQUD7U5XQCELblLYr5EVaj+s6Uk7mcYS+jd7BvWmBApG X1OUuYNsZK/vRLE90f82oPK/qQr6vcr6JDntX3K3paT/DAu2myRM3TM4/nCTExFJTcc2 ZCfGCmgfL14xECZx18JcdmzHIKqQMCgLssI77Dci15q1ZOE8lIziEfQ9f6wy/BolZNRj YwoNsFAGCmM9wbPn5XDvYQV5zvLU5kJKEVGRorofB6xAqbF46bvdeWv7Tpxz6WFOhYXM GJqWt27D0v5K6jYKqptU8A+31lxoykIqWsdMXGHC5q+Netv5cNa9tJLRbXFc++j514fo D95w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=f/UIO6AypPgKdoaToPaxSJsjbOH1L2kA5h/lKN9AwOI=; fh=xc+3t14yY7ZfuJpmMLxj3dtjEDF9XwW0DAnGiINtxKY=; b=fTkZ/zLht+HXRXBqZe+ZF8Vruhb/iaoecdpReiSQPJodYiJg5+kM2CtnucpZny90ii u9XMTmgkpKqyDR1Q6YmF1RaThSspMkFqCYDVPdNe2e9JhN+o0FOEODbR6OOi2mJ9uSJC 3kEdIV5qhf1dq91ul8aWXmrXrYFcYe+kVIqzW0rRceXg/YKzoB8G4hIG2JAQ0tgyNlEV OxUPISmJ5eR2rjyozTM2tKCVaMktkYKNZsF48tfeYyujebsHT4ppDkPITw9W7UXYJK5f rUCnr91W6D3nbMSR3RyORNCg3wI4yZ3OfWzPzffHQK9y5EReNxbxfjRU6cGXXBh6zAoz TTew==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; t=1781114635; x=1781719435; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=f/UIO6AypPgKdoaToPaxSJsjbOH1L2kA5h/lKN9AwOI=; b=TKXH5P07lshzMY0BW91otZkd3TQ85DqLnyVa0ZY2ezlMf9a4LrZSINOaLMrfYvPmRC ELLdQNLVuz1R0fYNYibSSttik8j+ahv2nmdGQkf/8oeh49ch/GJhepneVqaBsUMRx/n0 igccujJKD0xco3jZp0mK/XmbNMXlLD1bOeMvQo19DN55CaVaUSYMFOer1D/hWzi/xjlt 4XMInDulpq47sedSAQ7wWbNicwuZLR3iz6cKzujFtvKWGrXn9lI6l9W0yLP34lxPRHq6 nVsFORKgK6Q9AW3kDWMP+STe2SV91xmPH+Lir5mVggBqMBWJSejw7qHDl0ZJLdWaTsVI N3KQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781114635; x=1781719435; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=f/UIO6AypPgKdoaToPaxSJsjbOH1L2kA5h/lKN9AwOI=; b=ROy+h8F/L28vZOy22H7aovDcgK0ChVBuwklA044DYkDZFcebkvZtq8W/AkEpqbAtIb hpgEcXt+XLoT+Vwhuo4XWLDmtg52rhpuvdlMzl505OaG3TfMs9ikGA3rkrXBmpe70cHd 6KFbZrZkdsYO11gMGr3X9LRHd0pD62FeIuSJOc52WfvTxXKGCvHwWU3vwoTUwHKafxf0 RFWjJEOcHqfFumrNNupBpr7bLSbTHb1O0XQi6s1tGw0YliBA6xBWzO6knmkIlbzhWgOp Kr5oF5sJnj0q7a7OM8dxeIhoEg5DAWucK13KVEai/LqgUCkIt8RzahZIE80TqMA0+uHX tjcw==
X-Forwarded-Encrypted: i=1; AFNElJ9glVrlqZ9gtgU4yo7zqawMPgDfFz7E+qNjahm7Fc/QbHaQPxVK6cZsYtVPx2Q/vZjK4Y0=@ietf.org
X-Gm-Message-State: AOJu0Yzhf+F4wICHphJZgd7AZ4xI7mASofrUFwUX5MAOwk7Jw9Zh7Z2m GMcPUUJstmrO/g09sJddSAZ7OtbrRycxpL4tGUzcKCq9/DFFGSEKOrvbnxxe7Y1j9gQOCTnx0N4 DjmVxfTB7p0qu71Q9M1O9deNXGj5O05PWfULWe7K/xmQYIgaf4vYt
X-Gm-Gg: Acq92OF371g9ZhS9ZvkQMnM4jOMmaIUlfhF2LhOZScRD7Hc4OgEs4A5PdhJXcaxuuLd /Gg4mEI0W3RP92yZtea5XDajeP+B0NjCD6SQbWJVx+e761rdFgblTLd15zYvBhKotiCY6yrAjhx n0e0XX8zxTSIPVJSSKMMUgeSWcteunMmznRtqTsCcVQ6+Cn+BEwNoMoctLd/ChMmZuvDNiP2LFX Lfrl7Z/Zqe4G534k3Ixsei5LteIPr6yg2PopJ16nBX1tjf5NUIFaDANk8as9bwmEaTI9O9rSJcS Be8m1CBphJdq8Uo4qw==
X-Received: by 2002:a05:6122:e202:b0:56e:f876:5626 with SMTP id 71dfb90a1353d-5ba42f6f711mr187593e0c.5.1781114634660; Wed, 10 Jun 2026 11:03:54 -0700 (PDT)
MIME-Version: 1.0
References: <DM8PR08MB7413ADC1A461AFB182F8D69AB3122@DM8PR08MB7413.namprd08.prod.outlook.com> <CAOj+MMHQQ3xb3YTEZQfF1-r+0Y8=2S-sa9UW70egaQPdvouWsw@mail.gmail.com> <DM8PR08MB74133C97B0A14BC931306CA3B3102@DM8PR08MB7413.namprd08.prod.outlook.com> <CAOj+MMELJLdOdQnr-qbSi3oUf7fjxJ_+BmEdyaCiqB9G=6PPAA@mail.gmail.com> <978477ca-4d03-47a0-91ba-708129b3d389@pfrc.org> <CAOj+MMGGWGH_zLfPtk=3dY9Cn2uaPR=9k4E07f0qjSFFC8zfSw@mail.gmail.com> <44015F02-676C-4FA9-9947-931FACF3BD9D@pfrc.org>
In-Reply-To: <44015F02-676C-4FA9-9947-931FACF3BD9D@pfrc.org>
From: Robert Raszuk <robert@raszuk.net>
Date: Wed, 10 Jun 2026 20:03:43 +0200
X-Gm-Features: AVVi8CccFu-L016KdxO0PiZ6wZkT3WI32Tuvx2ATGhzdfpqZjYyAf2nZz7zZiiI
Message-ID: <CAOj+MMEWzpWkyhc3JhkyjuQJfwdn1=sYotGhRh7KAmdeov=YZA@mail.gmail.com>
To: Jeffrey Haas <jhaas@pfrc.org>
Content-Type: multipart/alternative; boundary="0000000000001a7d3d0653ea11c4"
Message-ID-Hash: 76RT6GFZZEKYLUXANLFGJLTWMIOVAJPW
X-Message-ID-Hash: 76RT6GFZZEKYLUXANLFGJLTWMIOVAJPW
X-MailFrom: robert@raszuk.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-idr.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Susan Hares <shares@ndzh.com>, "idr@ietf. org" <idr@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Idr] Re: [Core] draft-haas-idr-bgp-attribute-escape-04 - WG Adoption call (6/2 to 6/16/2026).
List-Id: Inter-Domain Routing <idr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/qlU3ZaFVdSh5wlwaPfRRCC1w5xE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Owner: <mailto:idr-owner@ietf.org>
List-Post: <mailto:idr@ietf.org>
List-Subscribe: <mailto:idr-join@ietf.org>
List-Unsubscribe: <mailto:idr-leave@ietf.org>

Hi Jeff,

Yes while my first idea was to indeed import such lists to the routers
later I realized that it may be easier said then done due to zoo of
reasons.

So if you ask me today I would consider such list to be published by IETF,
IANA, *NOG as sort of advisory to operators building their BGP policies
within given's vendor configuration file.

And yes I've just build both exclude and scope lists.

You are absolutely correct that deprecated could be a separate list on its
own.

Excluded attributes in AFI/SAFIs that should never show up could be also
separate from Excluded in general over the EBGP boundary.

Otherwise operators may need to compile such a list on their own .. sure
with everywhere present AI these days it is an easy task, but the
thought is that if we publish such a list it will be at least reviewed by a
few humans :)

Cheers,
R.


On Wed, Jun 10, 2026 at 7:24 PM Jeffrey Haas <jhaas@pfrc.org> wrote:

> Robert,
>
>
> On Jun 7, 2026, at 13:32, Robert Raszuk <robert@raszuk.net> wrote:
>
> Hi Jeff,
>
> I think documenting the things we know are currently problematic is a
>> reasonable item for the appendix.
>>
>
> If this is of any help I created an interactive html doc (attached below)
> which lists BGP Attributes which should not be present in a given AFI/SAFI
> (Selectable in top-left corner).
>
> Perhaps you may consider at least recommending that when seen such
> attribute type in specific AFI/SAFIs a syslog warning should be generated.
>
>
> Thanks for the example.  Please note that my comments here are general
> discussion points and not intended to be a specific criticism of the
> example's contents.
>
> One of the useful things for the framing of this example is that many
> types of things we want to protect against end up being exclude lists.
> Working from excludes rather than explicit permits is helpful in not
> encouraging people to firewall all of BGP that they don't want and thus
> harming incremental deployment of new features.
>
> The second useful thing is the attempt to be AFI/SAFI specific.
>
> The other things that are important to discuss before text is written in
> the draft are:
>
> What do we do when the entry in such a registry is wrong?  As an example,
> the IPv6-specific extended community is restrictively scoped and probably
> shouldn't be.  Had we put this into the document and implementations
> deploying it, we've set the stage for issues in incrementally updating who
> knows how much of the Internet.  The real point here is RFC text that is
> utterly safe may be okay, but that we need to figure out how the filters
> should be "agile".
>
> This suggests (as does your javascript example) that machine readable is
> probably the way to go for this sort of thing.
>
> IANA registries from text have a level of ability to be machine read, but
> aren't really meant to be maintained in the same fashion as code.
>
> YANG structures give us a way to document the format for this sort of
> thing. (There is work elsewhere in IETF covering this.)  But the related
> point would be maintaining the file(s)  covering the expected filters.  I'm
> unaware of work having done such a thing, but perhaps there are others
> on-list that may have suggestions.  The general idea is it should be
> trivial to poke a button on your router and fetch the "IETF approved
> general filter list". (The security considerations for that will be
> terrifying!)
>
> Default filtering procedures for deprecated code points will be
> interesting.  I know many providers that filter those by default already.
> We don't care about this today, and likely may not prior to my retirement,
> but at some point we may need to reuse them.  There's also the related
> conversation about us effectively building an Internet-wide kill-switch for
> someone's feature when that someone isn't playing nice with IETF.  That
> will go badly for all concerned.
>
> The remainder would be operational considerations about how to leverage
> the exclude lists.  Roughly:
> - Implementations SHOULD filter path attributes that aren't intended to be
> used for a given AFI/SAFI by default
> - Implementations providing default filtering MUST provide a mechanism to
> locally update the filter list. (I.e., what's built into the software can't
> be immutable.)
> - Implementations MUST include the ability to override the default
> filters. (This is a "moral" MUST rather than a technical one.</bcp14>)
>
>
> -- Jeff
>
>

v2.46.0 | Report a Bug | By Email | System Status