IETF Logo Mail Archive

Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-11.txt

Alvaro Retana <aretana.ietf@gmail.com> Thu, 09 February 2023 13:00 UTC

Return-Path: <aretana.ietf@gmail.com>
X-Original-To: lsvr@ietfa.amsl.com
Delivered-To: lsvr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60638C14F6EC; Thu, 9 Feb 2023 05:00:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IFZe_hLzqiwg; Thu, 9 Feb 2023 05:00:05 -0800 (PST)
Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com [IPv6:2607:f8b0:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78C23C14EB1E; Thu, 9 Feb 2023 05:00:05 -0800 (PST)
Received: by mail-pl1-x62f.google.com with SMTP id u9so2683334plr.9; Thu, 09 Feb 2023 05:00:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date :mime-version:references:in-reply-to:from:from:to:cc:subject:date :message-id:reply-to; bh=miroFgNfAqLL3o7af6+tcuUkioGepTbJejafk1cU8no=; b=DGIORS2k2o5cc1NOjSHvGx7VBWvUzb3PsRMvJ3//Dxd4shNtwujpuK2f1OKTfqmLj+ cNReY1JwqtFa4HvxUw+/7t8Pp60+EhxVEm+BXPQlksV8U+jZGdR6hj0foQCo2CClqqxw WaKD3YFIXWrY4OBqZNVk2d7W2zvo9w+7fvIX/t78adZwviEEJWnEgnwbfM4N/1DtFT0V 6+dIKTfK20919X3FlTvZoavAMdKZczXD+pXgfChc+8eMWCwk6B0KtA8GQU+rnAtBtps8 hr43rPVQz808Duh4q7Aem0XJ4b0cSUSyA16Sn1KjXye6/FtNrLxEZ77Ipft/ftMkSK0R 15HQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date :mime-version:references:in-reply-to:from:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=miroFgNfAqLL3o7af6+tcuUkioGepTbJejafk1cU8no=; b=EGGvRLT0iqRQHerYhIMry/bqIv4yILsPOoH97b8/Zcxn3IUX7f6kE1RLIuFyg6cEyp is97sqhbW6v7EXBIKn5+VfABvw2VMKM3fLg2omIMQbs4S6JDdxKj+eKll9z/OpIbvtzq cTx6ZzoqHpjNmDgn9CiepNq3DszwTQkAU3ULTFKMCzo+bqFmFitCNsJqz9d7U75+92Ze U8AZiPb9NJxAm8948/dvmV0/d96DG0k4krsPVYhILtJ8dEIANVlfXZmkZnDMlLfYD5Lq uPovICreHCUKP79iKoKM+cWzPFMXhEa0+brMp9/KA64oc1/gOQ/PoifRiB8xelOxhqnd szNA==
X-Gm-Message-State: AO0yUKW+XwvbYCHt1VwS6pwgpRMu8f7YdpX7toK1MeF+xlPoxMIrD1Ko 2MxGXhXK8PANGMQJuZ6xVvrCkFJiftWzRGUgdujG6/fZ
X-Google-Smtp-Source: AK7set+0GYg3+YvU/JkF22DTFUrzCJdwz82wqCpJC3xd4XSXHokJ0BGiAcK+CesumqADxkzknSA3CH0aqSyazGF/Gu0=
X-Received: by 2002:a17:90a:9293:b0:231:2812:e916 with SMTP id n19-20020a17090a929300b002312812e916mr802902pjo.47.1675947604873; Thu, 09 Feb 2023 05:00:04 -0800 (PST)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Thu, 9 Feb 2023 05:00:03 -0800
From: Alvaro Retana <aretana.ietf@gmail.com>
In-Reply-To: <F1DFEA4B-600C-4989-AA84-F81AAF3BD19B@cisco.com>
References: <F1DFEA4B-600C-4989-AA84-F81AAF3BD19B@cisco.com>
MIME-Version: 1.0
Date: Thu, 09 Feb 2023 05:00:03 -0800
Message-ID: <CAMMESszKAZwwNFWBqitrS_rEsYhN3UuyFAvMBYob1VPPBEgTzQ@mail.gmail.com>
To: Acee Lindem <acee.ietf@gmail.com>
Cc: "draft-ietf-lsvr-bgp-spf@ietf.org" <draft-ietf-lsvr-bgp-spf@ietf.org>, "lsvr@ietf.org" <lsvr@ietf.org>, lsvr-chairs@ietf.org, Victor Kuarsingh <victor@jvknet.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsvr/Iu-mFX3iFBypHbvjszd9-rHqd64>
Subject: Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-11.txt
X-BeenThere: lsvr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Link State Vector Routing <lsvr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lsvr>, <mailto:lsvr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsvr/>
List-Post: <mailto:lsvr@ietf.org>
List-Help: <mailto:lsvr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lsvr>, <mailto:lsvr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2023 13:00:09 -0000

On February 15, 2021 at 10:55:53 AM, Acee Lindem wrote:


Hi!

This message covers the initial set of up-front comments/questions.

Thanks!

Alvaro.



> [**]
>
> > It would be ideal for the document to include a "Summary of Operation"
> > section, similar to ??3/rfc4271. This would also serve as a place to
> > point back at what applies and what doesn't.
>
> We've added a "Document Overview" in section 1.3. This should suffice in
> giving the reader a preview of what is coming.

241	1.3.  Document Overview

243	   The document begins with sections defining the precise relationship
244	   that BGP SPF has with both the base BGP protocol [RFC4271]
245	   (Section 2) and the BGP Link-State (BGP-LS) extensions [RFC7752]
246	   (Section 3).  This is required to dispel the notion that BGP SPF is
247	   an independent protocol.  The BGP peering models, as well as the
248	   their respective trade-offs are then discussed in Section 4.  The
249	   remaining sections, which make up the bulk of the document, define
250	   the protocol enhancements necessary to support BGP SPF.  The BGP-LS
251	   extensions to support BGP SPF are defined in Section 5.  The
252	   replacement of the base BGP decision process with the SPF computation
253	   is specified in Section 6.  Finally, BGP SPF error handling is
254	   defined in Section 7


[major] Before I forget, please update the rfc7752 reference to
draft-ietf-idr-rfc7752bis.  That document is already in front of the
IESG; I expect to approve it by March.


[minor] "This is required to dispel the notion that BGP SPF is an
independent protocol."

Not needed.


[nit] The last couple of sentences are a little repetitive, and
there's a period missing at the end.

Suggestion>
  The document begins with sections defining the precise relationship
  that BGP SPF has with both the base BGP protocol [RFC4271]
  (Section 2) and the BGP Link-State (BGP-LS) extensions [RFC7752bis]
  (Section 3). The BGP peering models, as well as the their respective
  trade-offs are then discussed in Section 4. The remaining sections
  define the protocol enhancements necessary to support BGP SPF
  including BGP-LS extensions (Section 5), the replacement decision
  process with the SPF computation (Section 6), and error handling
  (Section 7).



> > (1) Use of the BGP Base (rfc4271)
> >
> > - The well-known RIB structure from BGP (Adj-RIB-In, Loc-RIB, Adj-RIB-Out)
> > didn't quite make it into BGP SPF. It looks like the LSNDB may correspond
> > to the Adj-RIB-In, and there is a Local RIB. The non-existence of an
> > Adj-RIB-Out implies changes. [Note that it is obviously ok to not follow
> > the same structure -- what needs to be explained are the differences.]
>
> Since we have completely replaced the base BGP decision process, we don't use
> these terms.

[major] You did change the "Local RIB" for "LOC-RIB", but the
definition is not the same as Loc-RIB in rfc4271.  Even if the case is
different, it would be better to change the terminology (maybe back to
"Local RIB") to eliminate any confusion.



...
> > - About the attributes... In ??5.1 you mention that attributes that "would
> > influence the Decision process...are ignored".
> >
> > What about other attributes, the ones that don't influence the Decision
> > Process? If all the information is encoded in the NLRI or carried in the
> > BGP-LS Attribute, does BGP SPF need any other attribute? Maybe requiring
> > that other attributes not to be included (especially the mandatory ones) is
> > too much, but can it be recommended? Given that BGP (and rfc7606) require
> > specific actions if the attributes are malformed, it would be bad if we
> > apply treat-as-withdraw because of an error in an attribute that is not
> > relevant in BGP SPF. [Note: we need to add this risk to the Security
> > Considerations.]
...
> We clarified the usage of the attributes in section 2. Error handling is
> covered in section 7.

§2:

273	   Due to the changes to the decision process, there are mechanisms and
274	   encodings that are no longer applicable.  While not necessarily
275	   required for computation, the ORIGIN, AS_PATH, MULTI_EXIT_DISC,
276	   LOCAL_PREF, and NEXT_HOP path attributes are mandatory and will be
277	   validated.  The ATOMIC_AGGEGATE, and AGGREGATOR are not applicable
278	   within the context of BGP SPF and SHOULD NOT be advertised.  However,
279	   if they are advertised, they will be accepted, validated, and
280	   propagated consistent with the BGP protocol.

[minor] s/are mandatory/are mandatory [RFC4271]

To clarify that they are not mandatory in this specification.


[major] What about other attributes [1]?  I know that most are not
mandatory but they could still be included in an UPDATE.

Is it possible to generalize the statement above?  Here's a suggestion:

s/
   The ATOMIC_AGGEGATE, and AGGREGATOR are not applicable within
   the context of BGP SPF and SHOULD NOT be advertised.  However,
   if they are advertised, they will be accepted, validated, and
   propagated consistent with the BGP protocol.
/
   Unless explicitly specified in the context of BGP SPF, all other
   attributes SHOULD NOT be advertised.  However, if they are
   advertised, they will be accepted, validated, and propagated
   consistent with the BGP protocol.

[1] https://www.iana.org/assignments/bgp-parameters/bgp-parameters.xhtml#bgp-parameters-2


[major] Processing non-applicable attributes represents an increase in
the attack surface.  A rogue node can advertise a non-applicable
attribute and affect the routing decisions; for example a malformed
Community results in "treat-as-withdraw".

This is not a new threat.  The difference is that for other BGP
AFI/SAFIs alll the attributes are "applicable".  In the case of BGP
SPF, this document explicitly says that the nodes will accept,
validate, and propagate information that is not relevant.

One option to reduce the attack surface is to ignore/drop
non-applicable attributes, or even mandate that they must not be
included.  I understand that implementation-wise that is not the best
option.

Please include a couple of sentences in the Security Considerations to
show that the threat was considered -- that it is an existing threat
-- ...


...
> > - Using a Confederation ID is mentioned, which seems ok. I don't see an
> > advantage/reason for having Confederations in a BGP SPF network. Is there
> > one?
>
> Confederations are no longer applicable.

>From §5.2:

   The BGP Confederation Member (TLV 517) [RFC7752] is not appliable
   and SHOULD NOT be included.  If TLV 517 is included, it will be
   ignored.

[nit] s/appliable/applicable

[?] s/will be ignored/MUST be ignored

v2.23.0 | Report a Bug | By Email