Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard

Alexander Azimov <aa@qrator.net> Wed, 26 April 2017 21:52 UTC

Return-Path: <aa@highloadlab.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D091128B92 for <idr@ietfa.amsl.com>; Wed, 26 Apr 2017 14:52:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=highloadlab-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KgCjHhniGc85 for <idr@ietfa.amsl.com>; Wed, 26 Apr 2017 14:52:15 -0700 (PDT)
Received: from mail-lf0-x22b.google.com (mail-lf0-x22b.google.com [IPv6:2a00:1450:4010:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5847D128B8F for <idr@ietf.org>; Wed, 26 Apr 2017 14:52:15 -0700 (PDT)
Received: by mail-lf0-x22b.google.com with SMTP id t144so7713512lff.1 for <idr@ietf.org>; Wed, 26 Apr 2017 14:52:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=highloadlab-com.20150623.gappssmtp.com; s=20150623; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=zwivG++bQgngqV2LP5ZbOyzgbb0hMe5odBHjfsTWYhM=; b=ss9sV9XK5UsHkQvTe1xApPe9+TCaYg+6UWEQ0c/sLWLMvXO6NyzvHklsW7i1bGuHPt TDyWBunfOQ+JbjEPMT2SxIdXvvr+bg22Zat7yz4Gk+iP2waeS//NMFw305G/tBqXa4eS b5+PPVGPPCUSqv4JeY18LyV/EvqOUM/z/hAJPFgrZmppyJJKSCLAZH8+3oI1b+B0STZt krxynrN6EP42ik+Z9G0wb+ChofVithpUxGKmPzw7gB8PeWN1N+KjoqRC5TM82vUj2LQn r+FB+4feuxrflDURs48BDiOd+yvhLR0xnN0xP5c67xD6lvFG19EdRjJ1kCO4LtAu8NEy Bz9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=zwivG++bQgngqV2LP5ZbOyzgbb0hMe5odBHjfsTWYhM=; b=RdAttwtAWo5SrwnrzPWoWzJ1x/2UrqxIxMPtL68de4ik533dg+aN7d4jZIaoKVmi+J YWFY1lBhOFsqt0CMXdirSOQgf+cdFgxYuGhYODs53OgmoNKIx/AJOTzHncIz1Y7OGZYH J4thxs3+6Aapdp2BdPLzWoq6igjoFC5RQemGrrA+dd2rHGhpeKr9lUTjV0+ecp0qGZAd RfniA+fqbfCyQ3kjS5TN7C4Jd0ecm0h5W5jSeRRcb1Q6JPJvxo47MV8KUcBqtUIN1jU8 w6wLq6J54NHOmGDA9+DsTFeY6MqKI+Qu2kQ+aH6XhOITGTuNkbhCrZpvzC8G/6d53SjX BZBQ==
X-Gm-Message-State: AN3rC/7dxf5aXMFASvy3U9YzCkSjx232EjRXjZ0jqYCQZ8MyZnUWDrEj I9xzJk8V9jsDcO4x5qdg55MqfLglkw==
X-Received: by 10.46.5.143 with SMTP id 137mr881654ljf.49.1493243533498; Wed, 26 Apr 2017 14:52:13 -0700 (PDT)
MIME-Version: 1.0
Sender: aa@highloadlab.com
Received: by 10.46.82.85 with HTTP; Wed, 26 Apr 2017 14:52:12 -0700 (PDT)
X-Originating-IP: [46.188.120.33]
In-Reply-To: <CAHw9_iKhRQpEGigqvqYoF0ca9D=-2VmESO8Fp4P_p1tZqpJgXQ@mail.gmail.com>
References: <0A49219D-E721-4DA8-B9BF-A55C2FA36FBE@puck.nether.net> <D95C67A4-AEBF-400B-A360-61C342FD6E4A@arrcus.com> <CA+b+ER=hq0=JNRfF8VA76_aqeRMBCeyQm5aTbapysXGTgaGS_g@mail.gmail.com> <50353B76-1323-4828-88D6-25954DA1E344@puck.nether.net> <20170425221104.GS30063@pfrc.org> <023e01d2be72$031ac180$4001a8c0@gateway.2wire.net> <20170426095547.GP25069@Space.Net> <CA+b+ERk4FxB4KQ3N0xtjV6uaQptd=EGKdpbKcpoL2TH41fVSYg@mail.gmail.com> <20170426113954.GA18318@puck.nether.net> <CA+b+ER=Ej7G1EEOQ7uBU-z7LeBAGNSfPkE5yGmo+z52ncKhVdg@mail.gmail.com> <20170426125417.GU25069@Space.Net> <CA+b+ERm1iDv3+GNk+N_gqjDWsd+E4QjmfhmwDN4vQVQVZ1EMpw@mail.gmail.com> <CAL9jLaabkYUO+7jsRbfZg1fXXLHXaWr88AxGyNF+AVTLquyxTQ@mail.gmail.com> <CAHw9_iKhRQpEGigqvqYoF0ca9D=-2VmESO8Fp4P_p1tZqpJgXQ@mail.gmail.com>
From: Alexander Azimov <aa@qrator.net>
Date: Thu, 27 Apr 2017 00:52:12 +0300
X-Google-Sender-Auth: JBTvm1i3e-du90SEBTbXk_Wiavc
Message-ID: <CAHgCvCNRYyH9wyT=vtVk34_Wc_rqrX0z1D9FCx+cZzLBOXmFLw@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Cc: Christopher Morrow <morrowc.lists@gmail.com>, idr wg <idr@ietf.org>, Robert Raszuk <robert@raszuk.net>
Content-Type: multipart/alternative; boundary=001a114a6f9a60b331054e18da9d
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/y6vRkxsius0lEPnI7Ca5U2BgUJs>
Subject: Re: [Idr] IETF LC for IDR-ish document <draft-ietf-grow-bgp-reject-05.txt> (Default EBGP Route Propagation Behavior Without Policies) to Proposed Standard
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 21:52:18 -0000

Hi all,


While I do like idea of making simple fix to avoid leaks of full table
(this how I understand the goal of this document) I'm afraid that this will
only result in change from absence of policy to empty policy. This
requirement of policy existence will not automatically result in
requirement of understanding of its purpose.



Additionally, I would like to argue that full table leaks are still common
now. They do exist, but they are rare, thanks to policies at upstream
providers, or, at least prefix limit.

2017-04-26 22:17 GMT+03:00 Warren Kumari <warren@kumari.net>;:

> On Wed, Apr 26, 2017 at 10:08 AM, Christopher Morrow
> <morrowc.lists@gmail.com>; wrote:
> >
> >
> > On Wed, Apr 26, 2017 at 9:56 AM, Robert Raszuk <robert@raszuk.net>;
> wrote:
> >>>
> >>> > And if you are customer and have 4 prefixes in BGP table thing are
> >>> > fine. If
> >>> > you by accident become transit and advertise fulm table around I
> think
> >>> > we
> >>> > can do better in BGP to protect from it then mandate policy.
> >>>
> >>> Evidence shows that, as of today, we can not.
> >>
> >>
> >> Have anyone actually tried ?
> >>
> >> The BGP origin validation was at least one attempt.
> >>
> >
> > origin validation doesn't protect against 'accidentally i became transit,
> > whoops!' mistakes.
>
> ... and I suspect that basically everyone who actually run networks
> have done this (and probably more than once.)
>
> My first time was in around 1997 or so - I managed to become transit
> (on my Cisco AGS+!) between Global Naps and (IIRC) PSI.
>
> I was turning up Global Naps as a peer, so I log on and type:
> router bgp 8120
> neighbor 192.0.2.1 peer-as 1784
>
> ... and, as I press enter, one of the sysadmin folk turns around and
> asks me to hand him a sharpie. While doing so I bump my coffee mug,
> spilling 3 week old coffee (and a very cool mold colony I was
> culturing) all over my desk. What with the cursing and running to find
> paper towels and similar I don't come back to the router for a minute
> or two... by which time I can mysteriously no longer reach it. Turns
> out that becoming transit between 2 (at the time) large providers over
> a T1 makes your router unavailable. Eventually BGP falls down (because
> keepalives get starved), and then, before you are able to login again,
> it comes up.
>
>
> Stuff like this happens all the time - bringing peers up without
> policy is a: really easy to accidentally do and b: hurts both the
> person doing it, and everyone caught in the collateral damage.
>
> >
> > bgpsec also doesn't protect against this scenario.
> >
> > There have been a few years worth of papers/analysis out of academia
> (and at
> > least 2 drafts in the ietf) talking about the above.
> >
> >>
> >> The other one could be as simple as "ebgp policy auto" where based in
> the
> >> IRRDB and your peer's AS router can build a policy automagically using
> say
> >> BGPQ3.
> >>
> >
> > are you suggesting that the router build it's filtering directly (on it's
> > own) from an IRRdb? that seems interesting, but also fraught with
> peril...
> >
> > I also see problems in setting up the configuration parts for this, for a
> > single network it probably isn't rough, but for a more generic solution
> it's
> > going to involve more configuration toggling than just enabling a policy
> on
> > the peerings. At least you'd need to account for:
> >   1) which irrdb to pull content from
> >   2) which protocol to use to do that pulling
> >   3) authentication?
> >   4) results qualifications (larger than X, smaller than Y, general
> content
> > sanity)
> >   5) how to match/query the irrdb for the particular peerings on this
> device
> >   6) timeouts for operations
> >   7) scheduling of operations
> >   8) security bits around the new 'service' enabled on this device
> >
> > there are other things to account for as well...
>
>    9) making sure that you have announced just enough (and received)
> just enough that you can actually reach the irrdb
>
> I'm saddened that something which is basically a trigger safety to
> make it harder to shoot myself in the foot is this hard....
>
> W
>
> >
> >>
> >> http://snar.spb.ru/prog/bgpq3/
> >>
> >
> > that's very vendor specific :(
> >
> >>
> >> Otherwise while Jared, you and perhaps most folks on this list already
> >> have automated ways to build nice and accurate policies I suspect they
> are
> >> those which do not. And those would either put "allow all" or will now
> start
> >> looking for hints "what do I put in".
> >>
> >
> > vendors who sold gear could probably offer solutions in this space.
> >
> >>
> >> And if the end result is what you are doing twice a day why router's
> can't
> >> do it themselves assuming IRRDB or any other src of truth is accurate ?
> >>
> >
> > 'how often does this data change?'
> > 'how often do I want to refresh peering data on devices (from neighbors)'
> > 'what is the sla for this part of the service'
> >
> > Some folk do it more 'dynamically' (some providers update 4 or 6 times
> day),
> > some folk do it 'less dynamically' (email nacr-list@uu.net .. data
> updated
> > in 24hrs)
> >
> > 'why not do it more!' has lots of reasons in both directions, but really
> > that's not the point of this draft anyway.
> >
> > _______________________________________________
> > Idr mailing list
> > Idr@ietf.org
> > https://www.ietf.org/mailman/listinfo/idr
> >
>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>    ---maf
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>



-- 
| Alexander Azimov  | HLL l QRATOR
| tel.: +7 499 241 81 92
| mob.: +7 915 360 08 86
| skype: mitradir
| mailto: aa@qrator.net
| visit: www.qrator.net