Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action
PVLR Pavana Murthy <pvlrpm@gmail.com> Thu, 17 May 2018 07:32 UTC
Return-Path: <pvlrpm@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19CF712E8D6; Thu, 17 May 2018 00:32:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HK_RANDOM_ENVFROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yg0_n4gu8we0; Thu, 17 May 2018 00:32:40 -0700 (PDT)
Received: from mail-ot0-x22e.google.com (mail-ot0-x22e.google.com [IPv6:2607:f8b0:4003:c0f::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ED69128954; Thu, 17 May 2018 00:32:40 -0700 (PDT)
Received: by mail-ot0-x22e.google.com with SMTP id y10-v6so3959322otg.10; Thu, 17 May 2018 00:32:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=FBUSVDSqlCt/GjspQLpof9S/n2pHK0oNQc0hiN5m20k=; b=N4guPjsUH+jWFSCrLiMGQQ9G+qZLEfiUZJ0Wl8FfqyPb42ElHrwyTuSqkowVWoVbjp kIL0o1MFOGPW3Z3Cwyq0OIiSFmQrNL/ftFLLANx+oB8nUlMOfNwlJ+kZv3d5b+pmW8ZG COcspp/tQwuj9IGn0v/zhOI7QAdj0KIFpLhwEN5AfOI0Pr5Im1HYIsxoEuox7/BK3l70 Xo98X/KvCH0toBGdfypArj9GDIbDXLEThMlu3Rv3r19FVUiBUKjAO7OEDWlnU134dn/f ZbudMjB1LRfixqYfB6WyQFCUhz1az/vTQxKZdmzmesVOtRNGpb7Icnf4NuqWTlIu3JfK MfWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=FBUSVDSqlCt/GjspQLpof9S/n2pHK0oNQc0hiN5m20k=; b=r2LZNrC8N4Y5DZwi37tdeBSm4hPJ3hLK+dxJrNZM6sdLN/JoP/mfbi0yMb4TrvdZ7G VfGuInHhmo3syjghHhvdU9KJUja4wr61Feg1MraQne/hK7kJq9XmZZei2Ra0nB+SJZQQ phDcTQMnMEUeAVBE09WCaZHF5zVcxV5V1N6OrB/sQhKJNBg94neEJdKr/2IsRwaB0w3Z ssipqMZROjpjTlAk8r2sYkOAlR8+MfHU5e+uJbidat0nnsBaSz0kVx5uLbS4F9rSa35n oIN1dJtH7JW4ASCp7zVJaR8zpLptvPM01TpK+OLfLMExFvLRyAqht5uF3WlThhiXoNfa x15A==
X-Gm-Message-State: ALKqPwdjQ66xzOSOJIW6Sb1vEWnsdXs3DK5UhmT7xF1gZUevI3NECkaq C98vecCJyoM/c0Ue4yZ4ojA8Bw4IIlE0LIpAUEI=
X-Google-Smtp-Source: AB8JxZo3KaV3xNehlaSSo2xbsDLdPo8eJ/N3IGHlFOibRsbR553O+g1Lk1yUt9EGOAhUgrKQUbO3+CLjjixpI/rIJzU=
X-Received: by 2002:a9d:2b72:: with SMTP id f47-v6mr2806252otd.69.1526542359530; Thu, 17 May 2018 00:32:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.88.154 with HTTP; Thu, 17 May 2018 00:32:38 -0700 (PDT)
In-Reply-To: <2efbf3be8d7c4833ac82d17a6b3ff249@XCH-RCD-012.cisco.com>
References: <CAN-MQG6bDyzcyuVs1vmka-JZFrD9Ya1uOuU_AFxfu0GnYgdmbA@mail.gmail.com> <aaa4916758a34ed99cb7432cff257f25@XCH-RCD-012.cisco.com> <CAN-MQG6R_LCLAM5xgaak3W_oRkuQFQsgZtEodacpeiLCQV8p-g@mail.gmail.com> <bd31302086e4453daa60d19aff45133b@XCH-RCD-012.cisco.com> <CAN-MQG7o41bnMebez1iovpRqpr=2gy9FB8xXOFDTzRRN=kUeug@mail.gmail.com> <25145a9f2db04e23b211c1caf3b86d74@XCH-RCD-012.cisco.com> <CAN-MQG61cg7JJHF4Co_LeCbur-7mYz4kbptampme4LgBXQtAyw@mail.gmail.com> <2efbf3be8d7c4833ac82d17a6b3ff249@XCH-RCD-012.cisco.com>
From: PVLR Pavana Murthy <pvlrpm@gmail.com>
Date: Thu, 17 May 2018 13:02:39 +0530
Message-ID: <CAN-MQG6TP9Z3dPEjjneAB+WLDtaALMKMoXG32EKdJPfttL-QDw@mail.gmail.com>
To: "David Smith (djsmith)" <djsmith@cisco.com>
Cc: idr wg <idr@ietf.org>, Pradosh Mohapatra <mpradosh@yahoo.com>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>, "Simpson, Adam 1. (Nokia - CA/Ottawa)" <adam.1.simpson@nokia.com>
Content-Type: multipart/alternative; boundary="0000000000001311c3056c61d7c0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/xktDevtU0pG8USI1Asb2v6QqKG8>
Subject: Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 May 2018 07:32:44 -0000
Hi Dave, Did you get comments or reply from any author? Thanks, Pavana. On Wed, May 9, 2018 at 3:40 AM, David Smith (djsmith) <djsmith@cisco.com> wrote: > Hi Pavana, > > > > This is a good question and not currently described in the redirect-ip > draft so I’ll defer to the authors for additional comments. In the > meantime, I’ll also mention the following: > > · “IF” transit ASes are able to modify a redirect-ip flowspec > “target address”, then it would make sense to compare with the peer AS of > the redirect-ip flowspec. However, this isn’t covered in the current draft. > > · Otherwise, it would make sense to compare the origin ASes or the > whole AS-PATHs for a redirect-ip flowspec. > > > > Regards, > > > > /dave > > > > > > *From:* PVLR Pavana Murthy <pvlrpm@gmail.com> > *Sent:* Sunday, May 06, 2018 9:32 AM > > *To:* David Smith (djsmith) <djsmith@cisco.com> > *Cc:* idr wg <idr@ietf.org>; Pradosh Mohapatra <mpradosh@yahoo.com>; > draft-ietf-idr-bgp-flowspec-oid@ietf.org; Simpson, Adam 1. (Nokia - > CA/Ottawa) <adam.1.simpson@nokia.com> > *Subject:* Re: Validation for BGP Flow-Spec Redirect to IP Action > > > > Hi Dave, > > What is the possible reason or explanation for comparing the origin AS > of best match route of target X with the peer-as of the flowspec route > instead of comparing origin AS of both the routes? > > > > Thanks, > > Pavana. > > > > On Fri, May 4, 2018 at 11:23 PM, David Smith (djsmith) <djsmith@cisco.com> > wrote: > > Hi Pavana, > > > > The redirect-ip draft specifies this additional validation step as the > default behavior, however, it also allows it to be disabled via > configuration. > > > > Regards, > > > > /dave > > > > > > *From:* PVLR Pavana Murthy <pvlrpm@gmail.com> > *Sent:* Friday, May 04, 2018 11:42 AM > *To:* David Smith (djsmith) <djsmith@cisco.com> > *Cc:* idr wg <idr@ietf.org>; Pradosh Mohapatra <mpradosh@yahoo.com>; > draft-ietf-idr-bgp-flowspec-oid@ietf.org; Simpson, Adam 1. (Nokia - > CA/Ottawa) <adam.1.simpson@nokia.com> > > > *Subject:* Re: Validation for BGP Flow-Spec Redirect to IP Action > > > > Hi Dave and Adam, > > Thanks for the reply. > > > > Lets take the example as I gave earlier. > > > > A----B----C > > > > A, B and C are 3 routers in different AS's 1, 2 and 3 respectively. > > A advertises a route for target X and also a Flowspec route with > "redirect IP(target X)". C receives these routes via B. > > Now the the origin AS or first AS in the AS_PATH of the route to target X > is 1 but the peer-AS of Flowspec route is 2 > > > > According to Dave,since the peer-AS 2 does not match the origin AS 1 of > the best route for target X, this redirect IP action will be considered > invalid for the flowspec route received at C. > > This is a typical scenario. Like this, we can't propagate the Flowspec > routes with "redirect IP" action, more than one AS. I think, that's not > expected. > > > > I feel, we should compare origin AS or neighbor-as for both Flowspec route > and the best match route of target X. We should not be using peer-AS for > flowspec route and nbr-as for best match route of target x. Otherwise the > above typical scenarios never work. > > Probably, we need to edit the draft for "redirect-ip" action. > > > > Thanks, > > Pavana. > > > > On Thu, May 3, 2018 at 11:08 PM, David Smith (djsmith) <djsmith@cisco.com> > wrote: > > Hi Pavana, > > > > >I went through the latest draft-ietf-idr-bgp-flowspec-oid-06. It calls > the first AS the Origin AS. Is it so? > > > > Correct, first AS = first AS added = last AS in AS_PATH_SEQ hex-string = > origin AS. > > last AS = last AS added = first AS in AS_PATH_SEQ hex-string = neighboring > AS. > neighbor AS = peering AS: if update is coming from EBGP and > enforce-first-AS used -as mandated by RFC 5575. > > Note that draft-ietf-idr-bgp-flowspec-oid-06 uses 'last AS *added*' in > most cases, and when it does just use 'last AS', it can be inferred. > > > > >If that’s the case, the validation will fail for any 'redirect IP' > actions coming from the AS other than neighbor AS. Is that the intention? > > > > The RFC 5575 validation procedure required that for EBGP learned flowspecs > the ‘neighboring AS’ be in the left-most (or last) position of the AS_PATH > attribute. Since this is not valid for all topologies, > draft-ietf-idr-bgp-flowspec-oid-06 redefines the BGP flowspec validation > procedures including AS_PATH attribute. Further, the redirect-ip draft > imposes an additional AS_PATH validation check (specific for redirect-ip > flowspecs only) to validate that the best matching route to the redirect-ip > 'target address' is a BGP route with origin AS matching the last AS added > within the AS_PATH attribute of the redirect-ip flowspec. As > > > > >Also In draft-ietf-idr-flowspec-redirect-ip-00.txt, instead of 'origin > AS', the word 'last AS' is used. It is confusing. Does the validation > need to consider the first AS or last AS? > > > > See feedback above. Draft-ietf-idr-bgp-flowspec-oid-06 only needs to > consider last AS while redirect-ip draft needs to consider both per above. > > > > >Regarding my second doubt, I could not get any pointers from > draft-ietf-idr-bgp-flowspec-oid-06 . Do we need to consider only BGP > routes always (for redirect-ip target address)? > > > > The redirect-ip draft allows for its added validation check to be disabled > via configuration. This allows for a non-BGP route to the redirect-ip > target address. > > > > Regards, > > > > /dave > > > > > > *From:* PVLR Pavana Murthy <pvlrpm@gmail.com> > *Sent:* Saturday, April 28, 2018 12:40 AM > *To:* David Smith (djsmith) <djsmith@cisco.com> > *Cc:* idr wg <idr@ietf.org>; Pradosh Mohapatra <mpradosh@yahoo.com>; > draft-ietf-idr-flowspec-redirect-ip@ietf.org; draft-ietf-idr-bgp-flowspec- > oid@ietf.org > *Subject:* Re: Validation for BGP Flow-Spec Redirect to IP Action > > > > Hi Dave, > > Thanks for the reply and including respective draft author aliases. > > > > I went through the latest draft-ietf-idr-bgp-flowspec-oid-06. It calls > the first AS the Origin AS. Is it so? > > If that's the case, the validation will fail for any 'redirect IP' actions > coming from the AS other than neighbor AS. Is that the intention? > > Also In draft-ietf-idr-flowspec-redirect-ip-00.txt, instead of 'origin > AS', the word 'last AS' is used.It is confusing. Does the validation need > to consider the first AS or last AS? > > > > Regarding my second doubt, I could not get any pointers from > draft-ietf-idr-bgp-flowspec-oid-06 . Do we need to consider only BGP > routes always? > > > > Thanks, > > Pavana. > > > > > On Sat, Apr 28, 2018 at 3:37 AM, David Smith (djsmith) <djsmith@cisco.com> > wrote: > > Hi Pavana, > > > > Your points are valid. With that said, I’ll defer you to > draft-ietf-idr-bgp-flowspec-oid-05 (and later) and, specifically, section > 4 (revised validation procedure) which addresses your points below. > > > > Co-incidentally, a WG last call was issued for draft-ietf-idr-bgp-flowspec-oid-06 > yesterday. > > > > Regards, > > > > /dave > > > > > > *From:* PVLR Pavana Murthy <pvlrpm@gmail.com> > *Sent:* Friday, April 13, 2018 1:51 AM > *To:* idr wg <idr@ietf.org>; pmohapat@cumulusnetworks.com; David Smith > (djsmith) <djsmith@cisco.com> > *Subject:* Validation for BGP Flow-Spec Redirect to IP Action > > > > Hello, > > In the draft draft-ietf-idr-flowspec-redirect-ip-02.txt, the following > procedure is mentioned to validate the extended community of 'Flowspec > > redirect to IP'. > > > > > > BGP speakers that support the extended communities defined in this > > draft MUST also, by default, enforce the following check when > > receiving a flow-spec route from an EBGP peer: if the received flow- > > spec route has a 'redirect to IP' extended community with a 'target > > address' X (in the global administrator field) and the best matching > > route to X is not a BGP route with *origin AS* matching the peer AS > > then the extended community should be discarded and not propagated > > along with the flow-spec route to other peers. > > > > *I have 2 doubts related to this statement.* > > > > *What is 'origin AS' here? Is it the AS no. that is first added to the AS_PATH? * > *In the previous version of the draft its mentioned as the last AS in the AS_PATH.* > *Is it the last AS no. that has been added to the AS_PATH or the last AS no. from left in AS_PATH? * > > > > *What if the redirect target X is directly connected or reachable by a static route and its not advertised by EBGP?* > > *Do we need to consider that action invalid in that case?* > > > > > > Thanks, > > Pavana. > > > > > > > > > > > > >
- [Idr] Validation for BGP Flow-Spec Redirect to IP… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… David Smith (djsmith)
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… Simpson, Adam 1. (Nokia - CA/Ottawa)
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… Simpson, Adam 1. (Nokia - CA/Ottawa)
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… Simpson, Adam 1. (Nokia - CA/Ottawa)
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… David Smith (djsmith)
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… David Smith (djsmith)
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… David Smith (djsmith)
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… PVLR Pavana Murthy
- Re: [Idr] Validation for BGP Flow-Spec Redirect t… David Smith (djsmith)