Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-11.txt
Acee Lindem <acee.ietf@gmail.com> Wed, 15 February 2023 19:53 UTC
Return-Path: <acee.ietf@gmail.com>
X-Original-To: lsvr@ietfa.amsl.com
Delivered-To: lsvr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FFB8C15257C; Wed, 15 Feb 2023 11:53:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kAmNlbIWn38N; Wed, 15 Feb 2023 11:53:32 -0800 (PST)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67879C14F726; Wed, 15 Feb 2023 11:53:32 -0800 (PST)
Received: by mail-qt1-x82e.google.com with SMTP id c2so23045314qtw.5; Wed, 15 Feb 2023 11:53:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=d+eBBVubTubTHCeugHQLwN/p71Q3hzMUGGjC6VQQdl8=; b=k80QmJ6hwmJwdzOEdtRKoArSIgph9IKQ9+I9rKDgMSWNF35M0OZt9uKEmu3igU+i4E FKmDlA6PQOD4hQ0LhFQCfkv26NfDy/plxnS4Ho0w3tV4rTJ5hZ/ji4kT7P6BdXRwgQPd fUQdR3EQb9KnE7eZLBm8w+BT/duENPUJisd1/kTlJACcSMbajWHRzJD4ujWMYNmDbgEl QaF6Zq/kC1Dow2dtfYpx7oF0PqxNXJQwujyC6/qi+wj/RBnqGESMOLIXSXWneDdC2aju EnD0kMANkT/bWHIFz/0PFPHDgHOU3tcfI9o7QxCTR4JnvKWqtq++kTF6mNVPO2sh24gn Tt3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=d+eBBVubTubTHCeugHQLwN/p71Q3hzMUGGjC6VQQdl8=; b=JzBic4H2cWQG/7V3D0eWO5/GmKoJuCyko4v1djd28oeEf2/HwDRedztJN1vgtVnHSc T7yOnpA2zDzKGoR1b/JMCtes3FsG8iTc9TwBY22e/0mRKNj8n6Ltd7v/hzdO/QHbV5jn MdBjhM8i6eXsimNLks5QaysPjwXxrhEXjPLcdAUWEcRN6TRZB7nsfPiSECj+hcmRNWWX xVvwmeRIKeESKOrqat2RpkzRc/fTayvJllnqOoNnr4It775dZ2fyMSIuEHWPCiaM3Zb3 meVeVLViarwgpr7inm47wyVfhnFDQhkF5PlMclgIMxwLYDMcY58hjcQm2fK7cOIzcQph GZuQ==
X-Gm-Message-State: AO0yUKUWa6gCe1PK6hL4+xTSAufQHqyRR22hM3X8AzUFXcPHef2uxGdh W8bUtGrawnKzH8w1KDwibFM=
X-Google-Smtp-Source: AK7set+5A0b0rs9K5v2DaU8CgJxSJpWCl6BIzV8nDBlbs3sjGjtndwtXkaAffqb1YfKhkqG4XwufwQ==
X-Received: by 2002:a05:622a:60c:b0:3bc:fa79:c20c with SMTP id z12-20020a05622a060c00b003bcfa79c20cmr841000qta.16.1676490811424; Wed, 15 Feb 2023 11:53:31 -0800 (PST)
Received: from smtpclient.apple ([136.56.133.70]) by smtp.gmail.com with ESMTPSA id f63-20020a37d242000000b0073917fae4f8sm10835252qkj.25.2023.02.15.11.53.30 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 15 Feb 2023 11:53:31 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
From: Acee Lindem <acee.ietf@gmail.com>
In-Reply-To: <CAMMESszKAZwwNFWBqitrS_rEsYhN3UuyFAvMBYob1VPPBEgTzQ@mail.gmail.com>
Date: Wed, 15 Feb 2023 14:53:20 -0500
Cc: "draft-ietf-lsvr-bgp-spf@ietf.org" <draft-ietf-lsvr-bgp-spf@ietf.org>, "lsvr@ietf.org" <lsvr@ietf.org>, lsvr-chairs@ietf.org, Victor Kuarsingh <victor@jvknet.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EA6764DA-5CF5-453F-BBDB-BAB3A4D19383@gmail.com>
References: <F1DFEA4B-600C-4989-AA84-F81AAF3BD19B@cisco.com> <CAMMESszKAZwwNFWBqitrS_rEsYhN3UuyFAvMBYob1VPPBEgTzQ@mail.gmail.com>
To: Alvaro Retana <aretana.ietf@gmail.com>
X-Mailer: Apple Mail (2.3731.400.51.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsvr/QXjgGA7SPusZH_A26mwrpFUyzGA>
Subject: Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-11.txt
X-BeenThere: lsvr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Link State Vector Routing <lsvr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lsvr>, <mailto:lsvr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsvr/>
List-Post: <mailto:lsvr@ietf.org>
List-Help: <mailto:lsvr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lsvr>, <mailto:lsvr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Feb 2023 19:53:36 -0000
Hi Alvaro, Keyur and I addressed these comments as well. > On Feb 9, 2023, at 8:00 AM, Alvaro Retana <aretana.ietf@gmail.com> wrote: > > On February 15, 2021 at 10:55:53 AM, Acee Lindem wrote: > > > Hi! > > This message covers the initial set of up-front comments/questions. > > Thanks! > > Alvaro. > > > >> [**] >> >>> It would be ideal for the document to include a "Summary of Operation" >>> section, similar to ??3/rfc4271. This would also serve as a place to >>> point back at what applies and what doesn't. >> >> We've added a "Document Overview" in section 1.3. This should suffice in >> giving the reader a preview of what is coming. > > 241 1.3. Document Overview > > 243 The document begins with sections defining the precise relationship > 244 that BGP SPF has with both the base BGP protocol [RFC4271] > 245 (Section 2) and the BGP Link-State (BGP-LS) extensions [RFC7752] > 246 (Section 3). This is required to dispel the notion that BGP SPF is > 247 an independent protocol. The BGP peering models, as well as the > 248 their respective trade-offs are then discussed in Section 4. The > 249 remaining sections, which make up the bulk of the document, define > 250 the protocol enhancements necessary to support BGP SPF. The BGP-LS > 251 extensions to support BGP SPF are defined in Section 5. The > 252 replacement of the base BGP decision process with the SPF computation > 253 is specified in Section 6. Finally, BGP SPF error handling is > 254 defined in Section 7 > > > [major] Before I forget, please update the rfc7752 reference to > draft-ietf-idr-rfc7752bis. That document is already in front of the > IESG; I expect to approve it by March. Changed - this made the diff bigger. > > > [minor] "This is required to dispel the notion that BGP SPF is an > independent protocol." > > Not needed. Removed. > > > [nit] The last couple of sentences are a little repetitive, and > there's a period missing at the end. > > Suggestion> > The document begins with sections defining the precise relationship > that BGP SPF has with both the base BGP protocol [RFC4271] > (Section 2) and the BGP Link-State (BGP-LS) extensions [RFC7752bis] > (Section 3). The BGP peering models, as well as the their respective > trade-offs are then discussed in Section 4. The remaining sections > define the protocol enhancements necessary to support BGP SPF > including BGP-LS extensions (Section 5), the replacement decision > process with the SPF computation (Section 6), and error handling > (Section 7). Incorporated you suggested text. > > > >>> (1) Use of the BGP Base (rfc4271) >>> >>> - The well-known RIB structure from BGP (Adj-RIB-In, Loc-RIB, Adj-RIB-Out) >>> didn't quite make it into BGP SPF. It looks like the LSNDB may correspond >>> to the Adj-RIB-In, and there is a Local RIB. The non-existence of an >>> Adj-RIB-Out implies changes. [Note that it is obviously ok to not follow >>> the same structure -- what needs to be explained are the differences.] >> >> Since we have completely replaced the base BGP decision process, we don't use >> these terms. > > [major] You did change the "Local RIB" for "LOC-RIB", but the > definition is not the same as Loc-RIB in rfc4271. Even if the case is > different, it would be better to change the terminology (maybe back to > "Local RIB") to eliminate any confusion. Changed to “Local-RIB”. > > > ... >>> - About the attributes... In ??5.1 you mention that attributes that "would >>> influence the Decision process...are ignored". >>> >>> What about other attributes, the ones that don't influence the Decision >>> Process? If all the information is encoded in the NLRI or carried in the >>> BGP-LS Attribute, does BGP SPF need any other attribute? Maybe requiring >>> that other attributes not to be included (especially the mandatory ones) is >>> too much, but can it be recommended? Given that BGP (and rfc7606) require >>> specific actions if the attributes are malformed, it would be bad if we >>> apply treat-as-withdraw because of an error in an attribute that is not >>> relevant in BGP SPF. [Note: we need to add this risk to the Security >>> Considerations.] > ... >> We clarified the usage of the attributes in section 2. Error handling is >> covered in section 7. > > §2: > > 273 Due to the changes to the decision process, there are mechanisms and > 274 encodings that are no longer applicable. While not necessarily > 275 required for computation, the ORIGIN, AS_PATH, MULTI_EXIT_DISC, > 276 LOCAL_PREF, and NEXT_HOP path attributes are mandatory and will be > 277 validated. The ATOMIC_AGGEGATE, and AGGREGATOR are not applicable > 278 within the context of BGP SPF and SHOULD NOT be advertised. However, > 279 if they are advertised, they will be accepted, validated, and > 280 propagated consistent with the BGP protocol. > > [minor] s/are mandatory/are mandatory [RFC4271] Fixed. > > To clarify that they are not mandatory in this specification. > > > [major] What about other attributes [1]? I know that most are not > mandatory but they could still be included in an UPDATE. > > Is it possible to generalize the statement above? Here's a suggestion: > > s/ > The ATOMIC_AGGEGATE, and AGGREGATOR are not applicable within > the context of BGP SPF and SHOULD NOT be advertised. However, > if they are advertised, they will be accepted, validated, and > propagated consistent with the BGP protocol. > / > Unless explicitly specified in the context of BGP SPF, all other > attributes SHOULD NOT be advertised. However, if they are > advertised, they will be accepted, validated, and propagated > consistent with the BGP protocol. > > [1] https://www.iana.org/assignments/bgp-parameters/bgp-parameters.xhtml#bgp-parameters-2 We made the statement generalized as suggested. Unless explicitly specified in the context of BGP SPF, all other attributes SHOULD NOT be advertised. However, if they are advertised, they will be accepted, validated, and propagated consistent with the BGP protocol. > > > [major] Processing non-applicable attributes represents an increase in > the attack surface. A rogue node can advertise a non-applicable > attribute and affect the routing decisions; for example a malformed > Community results in "treat-as-withdraw". > > This is not a new threat. The difference is that for other BGP > AFI/SAFIs alll the attributes are "applicable". In the case of BGP > SPF, this document explicitly says that the nodes will accept, > validate, and propagate information that is not relevant. > > One option to reduce the attack surface is to ignore/drop > non-applicable attributes, or even mandate that they must not be > included. I understand that implementation-wise that is not the best > option. > > Please include a couple of sentences in the Security Considerations to > show that the threat was considered -- that it is an existing threat We tried to capture this in the “Security Considerations”. Additionally, given that the BGP SPF protocol is used to install IPv4 and IPv6 Unicast routes, the BGP SPF protocol is vulnerable to attacks to the routing control plane that aren't applicable to BGP-LS. One notable Denial-of-Service attack, would be to include malformed BGP attributes in a replicated BGP Update, causing the receiving peer to treat the advertised BGP- LS-SPF to a withdrawal [RFC7606]. > -- ... > > > ... >>> - Using a Confederation ID is mentioned, which seems ok. I don't see an >>> advantage/reason for having Confederations in a BGP SPF network. Is there >>> one? >> >> Confederations are no longer applicable. > > From §5.2: > > The BGP Confederation Member (TLV 517) [RFC7752] is not appliable > and SHOULD NOT be included. If TLV 517 is included, it will be > ignored. > > [nit] s/appliable/applicable > > [?] s/will be ignored/MUST be ignored Fixed. Thanks, Acee
- [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-11.txt Acee Lindem (acee)
- Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-1… Alvaro Retana
- Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-1… Alvaro Retana
- Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-1… Alvaro Retana
- Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-1… Alvaro Retana
- Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-1… Acee Lindem
- Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-1… Acee Lindem
- Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-1… Alvaro Retana
- Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-1… Alvaro Retana
- Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-1… Acee Lindem
- Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-1… Acee Lindem