IETF Logo Mail Archive

Re: [Idr] RFC-4893 handling malformed AS4_PATH attributes

Danny McPherson <danny@tcb.net> Mon, 15 December 2008 19:38 UTC

Return-Path: <idr-bounces@ietf.org>
X-Original-To: idr-archive@megatron.ietf.org
Delivered-To: ietfarch-idr-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 44D423A680C; Mon, 15 Dec 2008 11:38:26 -0800 (PST)
X-Original-To: idr@core3.amsl.com
Delivered-To: idr@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AA68A28C0F2 for <idr@core3.amsl.com>; Mon, 15 Dec 2008 11:38:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.056
X-Spam-Level:
X-Spam-Status: No, score=-1.056 tagged_above=-999 required=5 tests=[AWL=0.061, BAYES_00=-2.599, DNS_FROM_RFC_BOGUSMX=1.482]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8TNPQNgDhj+i for <idr@core3.amsl.com>; Mon, 15 Dec 2008 11:38:25 -0800 (PST)
Received: from dog.tcb.net (dog.tcb.net [64.78.150.133]) by core3.amsl.com (Postfix) with ESMTP id 0A5F33A680C for <idr@ietf.org>; Mon, 15 Dec 2008 11:38:25 -0800 (PST)
Received: by dog.tcb.net (Postfix, from userid 0) id 687ED2684EA; Mon, 15 Dec 2008 12:38:18 -0700 (MST)
Received: from [192.168.0.100] (97-122-99-176.hlrn.qwest.net [97.122.99.176]) (authenticated-user danny) (TLSv1/SSLv3 AES128-SHA 128/128) by dog.tcb.net with SMTP; Mon, 15 Dec 2008 12:38:18 -0700 (MST) (envelope-from danny@tcb.net)
X-Avenger: version=0.7.8; receiver=dog.tcb.net; client-ip=97.122.99.176; client-port=62999; syn-fingerprint=65535:55:1:64:M1316,N,W3,N,N,T,S; data-bytes=0
Message-Id: <5340D990-F446-4C37-8307-1DB31ADF2273@tcb.net>
From: Danny McPherson <danny@tcb.net>
To: Enke Chen <enkechen@cisco.com>
In-Reply-To: <4946AC94.2080605@cisco.com>
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Mon, 15 Dec 2008 12:38:17 -0700
References: <CD705FABA8532448AA1FB7A96C88FF140898F8A4@emailbng1.jnpr.net> <4D86C4C6-F7CD-46B9-ABBE-04530F4D1278@juniper.net> <164BE5B4-1A18-42D7-A11B-DE2056890C78@tcb.net> <4946AC94.2080605@cisco.com>
X-Mailer: Apple Mail (2.929.2)
Cc: Inter-Domain Routing List <idr@ietf.org>, quaizar.vohra@gmail.com
Subject: Re: [Idr] RFC-4893 handling malformed AS4_PATH attributes
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/idr>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: idr-bounces@ietf.org
Errors-To: idr-bounces@ietf.org

On Dec 15, 2008, at 12:14 PM, Enke Chen wrote:
>
> The issue of receiving unexpected AS_CONFED_xxx segment was actually  
> considered when we were working on the 4byte AS document before. The  
> thinking was that it's a generic issue with the confederation that  
> has been addressed by the confederation document.

But it's not, because you're now tunneling these attributes
in AS4_PATH and can result in *remote* non-adjacent session
tear downs or even craft targeted attacks with such a behavior,
not just adjacent eBGP speakers.

> While the confederation document (RFC 5056) treats it as an error  
> condition to maintain the protocol correctness, the implementations  
> commonly just ignore the segments.  "be conservative in what you  
> send, and be liberal in what you accept".

I'm not sure what that means, are you saying that you propagate
those segments and ignore the spec?  or that you discard them
and ignore the spec?  If the latter, you're saying that's what you
currently do, but the spec need not be updated to reflect this?

And what if those segments were there because a broken generating
implementation put them, rather than a confederation identifier,
in the AS4_PATH attribute?  Could this not result in routing
information loops?  Should the operator not be notified of this?

Either way, I get the "people do stupid things, don't let them
hurt you bit", but the fact that RFC 4893 enables this is a
problem.

-danny
_______________________________________________
Idr mailing list
Idr@ietf.org
https://www.ietf.org/mailman/listinfo/idr

v2.23.0 | Report a Bug | By Email