[Idr] Re: WG LC for draft-ietf-idr-deprecate-as-set-confed-set-14 (7/8 to 7/ - call continues from 7/8 to 7/26/2024 - 2nd extensions to 8/6
"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Thu, 22 August 2024 03:46 UTC
To: Claudio Jeker <cjeker@diehard.n-r-g.com>
CC: "idr@ietf.org" <idr@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>, "grow@ietf.org" <grow@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/u52QNsDxOPT4Nl9v_cMMZwuH36I>

[Jeff, Ketan, Sue, Keyur, all ... please share if you have some thoughts about this]

Hi Claudio,

>If a router sends you an AS_PATH without AS_SET and an AS4_PATH with AS_SET ....

You raise a good question. Section 3.1 observations are based on the premise that if RFC6793 is implemented correctly by the sender and preceding ASes in the AS path, then the above will not happen. But you think it could happen due to an intentional attack by the sender or a preceding AS.

All:

OK, let us see if we can address this. Which of the following methods for modifying the recommendations at the top of Section 3 would be preferable (click to see Sec. 3: https://datatracker.ietf.org/doc/html/draft-ietf-idr-deprecate-as-set-confed-set-15#name-recommendations )?

Method A: Modify the second bullet in Sec. 3 as follows:

* Upon reception of BGP UPDATE messages containing AS_SETs or AS_CONFED_SETs in the AS_PATH or AS4_PATH, MUST use the "treat-as-withdraw" error handling behavior as per [RFC7606].

Method B: The second bullet in Sec. 3 remains as is but add a third bullet as follows:

(unchanged second bullet)
* Upon reception of BGP UPDATE messages containing AS_SETs or AS_CONFED_SETs in the AS_PATH, MUST use the "treat-as-withdraw" error handling behavior as per [RFC7606].

(new third bullet)
* Upon reception of BGP UPDATE messages not containing AS_SETs or AS_CONFED_SETs in the AS_PATH but containing AS_SETs in the AS4_PATH, MUST use the "attribute discard" approach for the (malformed) AS4_PATH as per [RFC7606].

Note (with Choice B): The handling of UPDATES with AS_CONFED_SETs in the AS4_PATH is as specified in [RFC6793].

Thanks for your anticipated inputs.

Sriram

-----Original Message-----
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Sent: Tuesday, August 20, 2024 9:29 AM
To: idr@ietf.org
Subject: [Idr] Re: I-D Action: draft-ietf-idr-deprecate-as-set-confed-set-15.txt

On Mon, Aug 19, 2024 at 11:21:37AM -0700, internet-drafts@ietf.org wrote:
> Internet-Draft draft-ietf-idr-deprecate-as-set-confed-set-15.txt is
> now available. It is a work item of the Inter-Domain Routing (IDR) WG of the IETF.
>
>    Title:   Deprecation of AS_SET and AS_CONFED_SET in BGP
>    Authors: Warren Kumari
>             Kotikalapudi Sriram
>             Lilia Hannachi
>             Jeffrey Haas
>    Name:    draft-ietf-idr-deprecate-as-set-confed-set-15.txt
>    Pages:   15
>    Dates:   2024-08-19
>
> Abstract:
>
>    BCP 172 (i.e., RFC 6472) recommends not using AS_SET and
>    AS_CONFED_SET AS_PATH segment types in the Border Gateway Protocol
>    (BGP). This document advances that recommendation to a standards
>    requirement in BGP; it prohibits the use of the AS_SET and
>    AS_CONFED_SET path segment types in the AS_PATH. This is done to
>    simplify the design and implementation of BGP and to make the
>    semantics of the originator of a BGP route clearer. This will also
>    simplify the design, implementation, and deployment of various BGP
>    security mechanisms. This document updates RFC 4271 by deprecating
>    the origination of BGP routes with AS_SET (Type 1 AS_PATH segment)
>    and updates RFC 5065 by deprecating the origination of BGP routes
>    with AS_CONFED_SET (Type 4 AS_PATH segment). Finally, it obsoletes
>    RFC 6472.
>

I had a look at this draft and think Section 3.1 Considerations for AS4_PATH needs to be adjusted.

   3.1. Considerations for AS4_PATH

   [RFC6793] created support for four-octet AS numbers in BGP using the
   optional transitive AS4_PATH attribute. The mandatory AS_PATH
   attribute is always present in a route [RFC4271], while the AS4_PATH
   may or may not be present. If both AS_PATH and AS4_PATH attributes
   are present, an AS_SET present in one would also be necessarily
   present in the other. So, it is sufficient to perform the
   "treat-as-withdraw" error handling as specified above using the
   AS_PATH alone.

I think this is incorrect. You can not assume anything about AS4_PATH. The only thing RFC6793 mandates is that aspath length of AS4_PATH is smaller or equal to the aspath length of AS_PATH.

If a router sends you an AS_PATH without AS_SET and an AS4_PATH with AS_SET then the reconstruction will introduce an AS_SET. This is possible and since AS4_PATH is transitive you can not even assume it was your peer playing games with you.

So instead I would suggest what OpenBGPD does. By default reject AS4_PATH attributes that contain AS_SET and use "attribute discard" for them. If the AS_PATH had an AS_SET as well then the prefix will be withdrawn anyway but if not then there will be no merge of this bad AS4_PATH. If the user explicitly allows AS_SET then skip the above.

I hope that after deprecating AS_SET for good we will be able to deprecate old 2-byte ASnum sessions as well since the hoops introduced by RFC6793 give me the heebie-jeebies.

--
:wq Claudio
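
The case discussed in this message, as an added Python sketch that is not code from the draft, from OpenBGPD, or from either author: it parses AS_PATH and AS4_PATH segment bytes, applies the Method B checks, and shows that skipping the AS4_PATH check lets the RFC 6793 merge introduce an AS_SET. Function names, the `discard_as4_sets` switch, and the sample ASNs are assumptions made for illustration, and the merge is simplified to AS_SEQUENCE-only AS_PATHs.

```python
import struct

AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4

def parse_segments(data, asn_len):
    """Decode AS_PATH (asn_len=2, OLD session) or AS4_PATH (asn_len=4) bytes."""
    segs, off = [], 0
    code = "H" if asn_len == 2 else "I"
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated segment header")
        seg_type, count = data[off], data[off + 1]
        end = off + 2 + count * asn_len
        if not 1 <= seg_type <= 4 or count == 0 or end > len(data):
            raise ValueError("malformed segment")
        segs.append((seg_type, list(struct.unpack(">%d%s" % (count, code), data[off + 2:end]))))
        off = end
    return segs

def has_type(segs, types):
    return any(t in types for t, _ in segs)

def path_len(segs):
    # An AS_SET counts as one hop; confederation segments count as zero.
    return sum(1 if t == AS_SET else len(a) for t, a in segs if t in (AS_SET, AS_SEQUENCE))

def reconstruct(path, path4):
    """Simplified RFC 6793 merge; `path` is assumed to hold only AS_SEQUENCE hops."""
    keep = path_len(path) - path_len(path4)
    if keep < 0:
        return path                      # AS4_PATH longer than AS_PATH: ignore it
    lead = [asn for t, asns in path if t == AS_SEQUENCE for asn in asns][:keep]
    return ([(AS_SEQUENCE, lead)] if lead else []) + path4

def process(as_path, as4_path=None, discard_as4_sets=True):
    """Return (action, effective path); Method B applies when discard_as4_sets is True."""
    path = parse_segments(as_path, 2)
    if has_type(path, (AS_SET, AS_CONFED_SET)):
        return "treat-as-withdraw", None
    if as4_path is None:
        return "accept", path
    path4 = parse_segments(as4_path, 4)
    if discard_as4_sets and has_type(path4, (AS_SET,)):
        return "attribute-discard", path  # AS4_PATH dropped, no merge happens
    return "accept", reconstruct(path, path4)

# Constructed sample: clean 2-octet AS_PATH, AS4_PATH carrying an AS_SET.
AS_PATH = struct.pack(">BB2H", AS_SEQUENCE, 2, 64500, 23456)
AS4_PATH = struct.pack(">BB2I", AS_SET, 2, 4200000001, 4200000002)
```

With `discard_as4_sets=False` the function checks the AS_PATH alone, as the quoted Section 3.1 text does, and the returned path contains the AS_SET taken from the AS4_PATH.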