Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspec-oid-12

"Juan Alcaide (jalcaide)" <jalcaide@cisco.com> Tue, 16 March 2021 19:36 UTC

IronPort-PHdr: A9a23:MxQVRh1qGquYh3RFsmDPW1BlVkAck7zpIg4Y7IYmgLtSc6Oluo7vJ 1Hb+e4FpFDMVITfrflDjrmev6PhXDkG5pCM+DAHfYdXXhAIwcMRg0Q7AcGDBEG6SZyibyEzE MlYElMw+Xa9PBtaHc//YxvZpXjhpTIXEw/0YAxyIOm9E4XOjsOxgua1/ZCbYwhBiDenJ71oK xDjpgTKvc5Qioxnec4M
IronPort-HdrOrdr: A9a23:mm12RaEcR5t5K1WupLqEeseALOonbusQ8zAX/mp2TgFYddHdqt unm+4V2QSxpDEaXnwhnt7oAtjjfVr385lp7Y4NeYqzRQWOghrKEKhOz6vHhwfhFSr36/JH2c 5bGMJDIfD5EFQSt6rHySa1H9sqyNOEtICE7N2uq0tFYhptb8hbgTtRLia+PglISBJdBZw/fa D92uNiqyC7cXoaKuSXb0NpY8H5q9fGlI3rbHc9bnYawTOThjCl4qOSKXel9yoZOgkv/Z4StV LoqUje+ristfG9xHbnpgru06g=
From: "Juan Alcaide (jalcaide)" <jalcaide@cisco.com>
To: Alvaro Retana <aretana.ietf@gmail.com>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>
CC: Susan Hares <shares@ndzh.com>, "idr-chairs@ietf.org" <idr-chairs@ietf.org>, IDR List <idr@ietf.org>
Thread-Topic: AD Review of draft-ietf-idr-bgp-flowspec-oid-12
Thread-Index: AQHW9QDI2xQHpdk2Z0uhqDf2mVgKOap9sTZAgAA2NYCACB0UUIABM80AgAAKxJA=
Date: Tue, 16 Mar 2021 19:36:05 +0000
Message-ID: <DM6PR11MB3194D8C6B94EAD8E1CB2B4C5CD6B9@DM6PR11MB3194.namprd11.prod.outlook.com>
References: <CAMMESsxqRWK2vDPyj-0_ruYoW7pkautFc09MoFBUTKxG23=tyA@mail.gmail.com> <DM6PR11MB3194B28B0BD8A3AF913ECB0ECD919@DM6PR11MB3194.namprd11.prod.outlook.com> <CAMMESsyUtogXkjiQGfP=SDXzNdOu-FJ-e1-NbppD_mZcq+yGkQ@mail.gmail.com> <DM6PR11MB3194D2E820E675E9C1D65639CD6B9@DM6PR11MB3194.namprd11.prod.outlook.com> <CAMMESswZE+2SD_pFnzXC50cVvJf6XuoWf+uGhkvk7hGsrP0G2w@mail.gmail.com>
In-Reply-To: <CAMMESswZE+2SD_pFnzXC50cVvJf6XuoWf+uGhkvk7hGsrP0G2w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 87476634-4570-4947-0fb1-08d8e8b2bd94
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Mar 2021 19:36:05.3546 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 0hyCjQsfCsSl9jOApBrlJuRCwzFOyfuKkAyLqd5IEPu6sDdrckIw2GSSQXYFIviJIwng1NfS101hAQJVBCpECA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1676
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.21, xbe-aln-006.cisco.com
X-Outbound-Node: rcdn-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/y_Wn8cp2GT3-EIrs1S9eKzi4KVU>
Subject: Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspec-oid-12
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Mar 2021 19:36:13 -0000

Inline



The "normal" iBGP case is different than the confederation case where we do find an eBGP relationship.


[JUAN]:

Consider 
R1(AS-65001)--R2(AS-65001)--- R3(AS-65002)--R4(AS65002) ==== R5 (AS 701)
R1, R2, R3, R4 belong to the same confederation (AS 100)
R2-R3 have an ebgp-confed peering session

R5 advertises the FS route and the unicast route
R4 does the AS_PATH check (i.e. making sure the AS_PATH of the unicast route and the FS route received from R5 are both AS_PATH ='701 XXX')
R3 does not do the AS_PATH check (from the route received from R4)
Why R2 should do the AS_PATH check from a router received from R3? (i.e. making sure the AS_PATH of the unicast route and the FS route are both AS_PATH = '(XXX) 701 XXX')




In short, yes.  rfc6793 formally Updated rfc4271, so any interpretation of the AS_PATH has to consider what rfc6793 says.
[JUAN]: I'll be happy to remove it. It adds too much detail. But it seems to me that all new rfcs are assuming rfc6793 is already implemented. Trying to implement rfc8955 without rfc6793 would be undefined.



As you mention, rfc8955 considers eBGP.  The fact that it doesn't say anything about iBGP shouldn't be interpreted as trusting those peers.
Even if that was the intent in rfc8955, this document deals directly with iBGP so it makes it the best place to call the risk out.

[JUAN]: I think that's a bit open for interpretation. Quoting rfc8955:

<snip>
The Flow Specification received from an internal BGP
   peer within the same autonomous system [RFC4271] is assumed to have
   been validated prior to transmission within the internal BGP (iBGP)
   mesh of an autonomous system.
</snip>

You can read that iBGP validation is not needed because eBGP validation was successful, what implies iBGP is trusted.
Rfc8955 should have mentioned if that assumption was not true 100% of the time. There are different 'levels' of what it means to be 'trusted'.

Regardless, it doesn't hurt to mention it here. 


-J

[Idr] AD Review of draft-ietf-idr-bgp-flowspec-oi… Alvaro Retana
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Susan Hares
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… David Smith (djsmith)
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Susan Hares
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Alvaro Retana
Re: [Idr] AD Review of draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)