IETF Logo Mail Archive

Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action

PVLR Pavana Murthy <pvlrpm@gmail.com> Sat, 28 April 2018 04:45 UTC

Return-Path: <pvlrpm@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6172D1252BA; Fri, 27 Apr 2018 21:45:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.997
X-Spam-Level:
X-Spam-Status: No, score=-0.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CzTCcGkGe21c; Fri, 27 Apr 2018 21:45:46 -0700 (PDT)
Received: from mail-ot0-x244.google.com (mail-ot0-x244.google.com [IPv6:2607:f8b0:4003:c0f::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A9B7120047; Fri, 27 Apr 2018 21:45:46 -0700 (PDT)
Received: by mail-ot0-x244.google.com with SMTP id j27-v6so4275540ota.5; Fri, 27 Apr 2018 21:45:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=w/IY5/CkotP//9Afb+Bq4Gxu/lJU/NhW9JKuVD0y/iM=; b=o/jlU4EkDA/tk2WYwIhbg8kMb0SzQAslXDMJty0jze01cQndYW66yLS3/7ZD5a/XzP Xh+KyYnc/lCfuEexl/lQ4qgISCEhvTSVPku2p1+hXctVC6TPauupMGOMh3dkXTTpCC3u 6oarl+9qyxQqHNPQx83e5nsgZ//jw/pjBRtD3Zuwf56kq08c/UjyWFXAcsa4ywRSvndl A5W8ZhQ+FoMP3wVtKjPAMohHZZrvjEOANeShxR6aruNUC+hevQbDKK1G/JFP3Nasw4XR l1VQa5paExmECFPMgZHg3kjkDUKr2CnRxDKE+fGUIT20Nr/OJMbJYzKJMJoj6lawjA/9 /jYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=w/IY5/CkotP//9Afb+Bq4Gxu/lJU/NhW9JKuVD0y/iM=; b=SSboldMJKVMMBvXJ+HbfK16SSdtF+SOHNONXT8gi+7rv3zkoXIVsmH8IEjyEgF/uNX bvia1lJPUIdMFwCsi5kpDIWGPEGKoQJjHBRXYwr8jBQ/9EfMOb8J6gR7crX8CjGbpuoU 3T97YnGK5m0t97KHy75SA0ZTDa1wXzfI3Q6Ftmsuvv2OhN95HYJSfT88/sU8XQed/z3B TnJLIjwReGPGIK/k0f+BfLqF9xQ4iDciOrYeizSQK0hfJSFSwu3elMRY4u2NM7kTAfe9 kS9RXfZ1DL4Nx1TGbhoGp59R85ErNpN4/I8KVzrt8ugE8i1JworYPtsuDDRgy1al7bvi fGoA==
X-Gm-Message-State: ALQs6tCaCLpDQ2ukTn63aeSlvRSwGCx/f1H+R2yOWAzAxCeDY9HNgob6 Oama96MgGHt3m9lL+uxRoXvKrWYGeQtqN+VPhRI=
X-Google-Smtp-Source: AB8JxZqW6xWwWHztTfP3uBLLQhaJwKJRvSF1MSgx3KBOLAY9Wkn13UaAf0AyIJ/PwUIm3/Nk5KiK4xddu1I+4+rNpik=
X-Received: by 2002:a9d:310b:: with SMTP id e11-v6mr3391259otc.84.1524890745574; Fri, 27 Apr 2018 21:45:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.47.9 with HTTP; Fri, 27 Apr 2018 21:45:45 -0700 (PDT)
In-Reply-To: <CAN-MQG6R_LCLAM5xgaak3W_oRkuQFQsgZtEodacpeiLCQV8p-g@mail.gmail.com>
References: <CAN-MQG6bDyzcyuVs1vmka-JZFrD9Ya1uOuU_AFxfu0GnYgdmbA@mail.gmail.com> <aaa4916758a34ed99cb7432cff257f25@XCH-RCD-012.cisco.com> <CAN-MQG6R_LCLAM5xgaak3W_oRkuQFQsgZtEodacpeiLCQV8p-g@mail.gmail.com>
From: PVLR Pavana Murthy <pvlrpm@gmail.com>
Date: Sat, 28 Apr 2018 10:15:45 +0530
Message-ID: <CAN-MQG4oyycFhFzWGrKcQUG_B5eatan9y3PJJG1O-2vSLmhttg@mail.gmail.com>
To: "David Smith (djsmith)" <djsmith@cisco.com>
Cc: idr wg <idr@ietf.org>, Pradosh Mohapatra <mpradosh@yahoo.com>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>, ju1738@att.com, jhaas@juniper.net, akarch@cisco.com, sairay@cisco.com, pmohapat@cumulusnetworks.com, wim.henderickx@alcatel-lucent.be, adam.simpson@alcatel-lucent.com, mtexier@arbor.net
Content-Type: multipart/alternative; boundary="000000000000361956056ae14be7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/zhHhQmza2VkaddVV2AChI4Um4kM>
X-Mailman-Approved-At: Sat, 28 Apr 2018 13:06:20 -0700
Subject: Re: [Idr] Validation for BGP Flow-Spec Redirect to IP Action
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Apr 2018 04:45:48 -0000

Hello,
  Including all the authors mentioned
in draft-ietf-idr-flowspec-redirect-ip-02, as the alias did not work. Also
pasting doubts again here.

In the draft  draft-ietf-idr-flowspec-redirect-ip-02.txt, the following
procedure is mentioned to validate the extended community of 'Flowspec
redirect to IP'.

   BGP speakers that support the extended communities defined in this
   draft MUST also, by default, enforce the following check when
   receiving a flow-spec route from an EBGP peer: if the received flow-

   spec route has a 'redirect to IP' extended community with a 'target
   address' X (in the global administrator field) and the best matching
   route to X is not a BGP route with *origin AS* matching the peer AS
   then the extended community should be discarded and not propagated
   along with the flow-spec route to other peers.


*I have 2 doubts related to this statement.*


*What is 'origin AS' here? Is it the AS no. that is first added to the
AS_PATH? *
*In the previous version of the draft its mentioned as the last AS in
the AS_PATH.*
*Is it the last AS no. that has been added to the AS_PATH or the last
AS no. from left in AS_PATH? *


*What if the redirect target X is directly connected or reachable by a
static route and its not advertised by EBGP?*

*Do we need to consider that action invalid in that case?*


Thanks,
Pavana.


On Sat, Apr 28, 2018 at 10:10 AM, PVLR Pavana Murthy <pvlrpm@gmail.com>
wrote:

> Hi Dave,
>    Thanks for the reply and including respective draft author aliases.
>
> I went through the latest draft-ietf-idr-bgp-flowspec-oid-06. It calls
> the first AS the Origin AS. Is it so?
> If that's the case, the validation will fail for any 'redirect IP' actions
> coming from the AS other than neighbor AS. Is that the intention?
> Also In  draft-ietf-idr-flowspec-redirect-ip-00.txt, instead of 'origin
> AS', the word 'last AS' is used.It is confusing.   Does the validation need
> to consider the first AS or last AS?
>
> Regarding my second doubt, I could not get any pointers from  d
> raft-ietf-idr-bgp-flowspec-oid-06 .  Do we need to consider only BGP
> routes always?
>
> Thanks,
> Pavana.
>
>
> On Sat, Apr 28, 2018 at 3:37 AM, David Smith (djsmith) <djsmith@cisco.com>
> wrote:
>
>> Hi Pavana,
>>
>>
>>
>> Your points are valid. With that said, I’ll defer you to d
>> raft-ietf-idr-bgp-flowspec-oid-05 (and later) and, specifically, section
>> 4 (revised validation procedure) which addresses your points below.
>>
>>
>>
>> Co-incidentally, a WG last call was issued for d
>> raft-ietf-idr-bgp-flowspec-oid-06 yesterday.
>>
>>
>>
>> Regards,
>>
>>
>>
>> /dave
>>
>>
>>
>>
>>
>> *From:* PVLR Pavana Murthy <pvlrpm@gmail.com>
>> *Sent:* Friday, April 13, 2018 1:51 AM
>> *To:* idr wg <idr@ietf.org>; pmohapat@cumulusnetworks.com; David Smith
>> (djsmith) <djsmith@cisco.com>
>> *Subject:* Validation for BGP Flow-Spec Redirect to IP Action
>>
>>
>>
>> Hello,
>>
>>   In the draft  draft-ietf-idr-flowspec-redirect-ip-02.txt, the
>> following procedure is mentioned to validate the extended community of
>> 'Flowspec
>>
>> redirect to IP'.
>>
>>
>>
>>
>>
>>    BGP speakers that support the extended communities defined in this
>>
>>    draft MUST also, by default, enforce the following check when
>>
>>    receiving a flow-spec route from an EBGP peer: if the received flow-
>>
>>    spec route has a 'redirect to IP' extended community with a 'target
>>
>>    address' X (in the global administrator field) and the best matching
>>
>>    route to X is not a BGP route with *origin AS* matching the peer AS
>>
>>    then the extended community should be discarded and not propagated
>>
>>    along with the flow-spec route to other peers.
>>
>>
>>
>> *I have 2 doubts related to this statement.*
>>
>>
>>
>> *What is 'origin AS' here? Is it the AS no. that is first added to the AS_PATH? *
>> *In the previous version of the draft its mentioned as the last AS in the AS_PATH.*
>> *Is it the last AS no. that has been added to the AS_PATH or the last AS no. from left in AS_PATH? *
>>
>>
>>
>> *What if the redirect target X is directly connected or reachable by a static route and its not advertised by EBGP?*
>>
>> *Do we need to consider that action invalid in that case?*
>>
>>
>>
>>
>>
>> Thanks,
>>
>> Pavana.
>>
>>
>>
>>
>>
>>
>>
>
>

v2.23.0 | Report a Bug | By Email