IETF Logo Mail Archive

Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-19

Alvaro Retana <aretana.ietf@gmail.com> Fri, 10 March 2023 12:02 UTC

Return-Path: <aretana.ietf@gmail.com>
X-Original-To: lsvr@ietfa.amsl.com
Delivered-To: lsvr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CF6FC1CAB32; Fri, 10 Mar 2023 04:02:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.852
X-Spam-Level:
X-Spam-Status: No, score=-0.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QSvBEPxncYMH; Fri, 10 Mar 2023 04:02:11 -0800 (PST)
Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9580CC152574; Fri, 10 Mar 2023 04:02:11 -0800 (PST)
Received: by mail-pl1-x62e.google.com with SMTP id h8so5270399plf.10; Fri, 10 Mar 2023 04:02:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1678449730; h=cc:to:subject:message-id:date:mime-version:references:in-reply-to :from:from:to:cc:subject:date:message-id:reply-to; bh=tYcIspCnewr8XCnvZTQTe6fQ9IsJ+qG0GTmrfARhNhc=; b=ML58N6Q8KPRdktl4NKIoNue5x3VWf8QU1zY06UgmkcCDsXsvDuPUMbvS4xI9o6nLtT 2BU1kCRZ0dDufKuxc7BMvppdE9Bor7qngZNfBuvYcSL2+Z74kcUpSqDhgebYF4QzS23T guoGjhqj8GFmwiYYZQkOViXO7N/EqcZ7/g2y2QAEkqnkIElvp74G5dI1+TuKcATK2nA9 EgTB6e0IaoOoHTZFIJeuuT8MBJN4MmHzPas/Zu5Bc5H6cROll7WmTvBtqNeXOBg0aO0W ZKljrrkiUKOe4GOSuvF209hrXBhWo1nxSPXriUBKnBFhoSGfANe4troVOZFcwS2LGfhE R9HQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678449730; h=cc:to:subject:message-id:date:mime-version:references:in-reply-to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=tYcIspCnewr8XCnvZTQTe6fQ9IsJ+qG0GTmrfARhNhc=; b=NPUUeUrpaETrTwX9osoU4A/O3c0r4knel/KIMLS54sxskhD4FE7oyBkDpsu6X0+KTO ff7VDEKuVb+5e310822guBvUgaFWTSda6ooQ8F9uWMxH/XROwfTtfaeIMCjlDeWV3n6R tZGicFxnMHKwEW+gVBIZje4YRiE5H3qvy5crFeNXsWOu6bQCaAuEshMNDjWD3VOI+rUW 8jdB+NsPHpJyoxAYQRJLjtkC0f43j399w4raQZBpt1MW5Dcjej8DPRHGVI2pxP6a0DX3 SvvL990i55QyBoK5qqSJJga1aNOriNhJylluNwa+5wrWr3tUxBL/7ok/s7Fw4Vj/fewd 9ZqQ==
X-Gm-Message-State: AO0yUKVCh/CFZlDRdn7sTK09J95PBoGtCCzwRVgWKGV1eAnZBaneLAgd WxN0J+SbVDMoGBBlYyIjzEvKgRJ3WArqdqvgz9KlbOLu
X-Google-Smtp-Source: AK7set+t7UutRl6GX2CbobSnpo2uoMxRDvCVqMDJUV4D6dW+2w5Q1pj3PwVs+zgkBWU6zuWYRf8eGClfWi8wzh0NBBU=
X-Received: by 2002:a17:90a:c293:b0:237:5c37:d9e7 with SMTP id f19-20020a17090ac29300b002375c37d9e7mr9323339pjt.3.1678449730433; Fri, 10 Mar 2023 04:02:10 -0800 (PST)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Fri, 10 Mar 2023 04:02:09 -0800
From: Alvaro Retana <aretana.ietf@gmail.com>
In-Reply-To: <CAMMESsyp_7VSwE5geAKagQJ5vaJCTDmQgYwTSFr2Kfwr7Njn=A@mail.gmail.com>
References: <CAMMESsyqvrTH70NXGBpB9DLW6VHvpyY8TSm2m_rovXoxZKPyVQ@mail.gmail.com> <7A7004BC-FD6B-4159-85D0-AEA1FB047788@gmail.com> <CAMMESsyp_7VSwE5geAKagQJ5vaJCTDmQgYwTSFr2Kfwr7Njn=A@mail.gmail.com>
MIME-Version: 1.0
Date: Fri, 10 Mar 2023 04:02:09 -0800
Message-ID: <CAMMESswkD0FkcmgsDjp80rcg3k9JyD7v8ZdCcn5r+WtViynHDw@mail.gmail.com>
To: Acee Lindem <acee.ietf@gmail.com>
Cc: draft-ietf-lsvr-bgp-spf@ietf.org, Victor Kuarsingh <victor@jvknet.com>, "lsvr@ietf.org" <lsvr@ietf.org>, lsvr-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f4b99b05f68a8766"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsvr/xafbZjqzXrGW_N5SgdjmAaf_Bl8>
Subject: Re: [Lsvr] AD Review of draft-ietf-lsvr-bgp-spf-19
X-BeenThere: lsvr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Link State Vector Routing <lsvr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lsvr>, <mailto:lsvr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsvr/>
List-Post: <mailto:lsvr@ietf.org>
List-Help: <mailto:lsvr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lsvr>, <mailto:lsvr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Mar 2023 12:02:16 -0000

Hi!

For some reason I woke up thinking about semantic validation...in the
middle of the night. :-(


Semantic validation is something that has always been missing from BGP-LS
-- that's what the authors/WG wanted.  As you can see from the multiple
"IGP to BGP-LS" documents, it is a discussion I've had many times with
Ketan (as lead author) that eventually concluded in being very specific
about the BGP-LS Consumer role in rfc7752bis to clearly leave only
syntactic validation in scope.

I think it is important for BGP-SPF to define semantic validation because
it will use the information to calculate routes.  The contents of the TLVs
cannot be incorrect, out of range, inconsistent, etc.


Short of defining the expected content of every TLV, I wonder if we can do
it through reference.  Many of the TLVs in rfc7752bis are directly derived
from OSPF/IS-IS LSA/LSPs -- can the BGP SPF spec say that the contents of
the TLVs MUST be compliant with the IGP specifications?  For example...

(1) One of the first TLVs listed in rfc7752bis is TLV 258 (Link
Local/Remote
    Identifiers), which is directly mapped to IS-IS's TLV/Sub-TLV 22/5 from
    §1.1/rfc5307 (Link Local/Remote Identifiers):

   =====
   A Link Local Interface Identifier is a sub-TLV of the extended IS
   reachability TLV.  The type of this sub-TLV is 4, and the length is 8
   octets.  The value field of this sub-TLV contains 4 octets of Link
   Local Identifier followed by 4 octets of Link Remote Identifier (see
   Section 2.1, "Support for Unnumbered Links", of [GMPLS-ROUTING]).  If
   the Link Remote Identifier is unknown, it is set to 0.

   The following illustrates encoding of the Value field of the Link
   Local/Remote Identifiers sub-TLV.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                  Link Local Identifier                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                  Link Remote Identifier                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The Link Local/Remote Identifiers sub-TLV MUST NOT occur more than
   once within the extended IS reachability TLV.  If the Link
   Local/Remote Identifiers sub-TLV occurs more than once within the
   extended IS reachability TLV, the receiver SHOULD ignore all these
   sub-TLVs.
   =====

    BGP SPF/§5.2.2: "For unnumbered links, the link local/remote
identifiers
    (TLV 258) will be used."

    Even though this looks straightforward: the GMPLS-ROUTING reference
    basically says that each side makes up a number.  The problem is that
§1.5/
    rfc5307 says this:

   =====
   Link Identifiers are exchanged in the Extended Local Circuit ID field
   of the "Point-to-Point Three-Way Adjacency" IS-IS Option type
[ISIS-3way].
   =====

    IS-IS uses Hellos to figure out the IDs.  But there is no 3-way
handshake,
    or Hellos in BGP SPF.  How are these values learned?

    §4.2/§4.3 (but not §4.1!?) talk about "connection discovery".  Some
text
    can be added to hint at what type of information is expected to be
    discovered, and even use l3dl as an example of how to get it.


    Ok -- this first example wasn't great, and it discovered another issue.



(2) Let's try TLV 259 (IPv4 interface address), which maps to §3.2/rfc5305:

   =====
   This sub-TLV contains a 4-octet IPv4 address for the interface
   described by the (main) TLV.  This sub-TLV can occur multiple times.
   =====

    This one does look straightforward. :-)   Even though rfc5305 doesn't
say
    what to do if the contents are not an IPv4 address (for example
0.0.0.1),
    we can safely assume that it should be considered malformed.

    BGP SPF/§5.2.2: "For IPv4 links, the link's local IPv4 (TLV 259) and
remote
    IPv4 (TLV 260) addresses will be used."

    The remote IP address (TLV 260) has a similar definition in rfc5305 and
is
    also something that seems to fall under "connection discovery".

    BGP SPF already requires that the addresses belong to the same subnet,
    which rfc5305 said nothing about.  Good!



(3) Let's look at TLV 516 (BGP Router-ID), which is specified in
§4.1/rfc9086.
    BTW, please add a normative reference to it.

   =====
   BGP Router Identifier (BGP Router-ID):

    Type: 516

    Length: 4 octets
    Value: 4-octet unsigned non-zero integer representing the
    BGP Identifier as defined in [RFC6286]
   =====

    This one also looks straightforward and answers my question below. :-)
 If
    the value is 0 then it is not in line with rfc9086/rfc6286 and it
should be
    considered malformed.  Right?

    Given that the contents of this TLV (and TLV 512 - more on this below)
    should be the same as the BGP ID in the BGP OPEN message, should there
be
    any check to make sure that NLRIs from connected nodes have the same
    information in their descriptors when running SPF?



(4) Back to TLV 512 (Autonomous System).  At first glance it seems that we
can
    assume that this is the ASN number, the same as the OPEN message,
etc..but
    this is the definition from §5.2.1.4/rfc7752bis:

   =====
   Autonomous System:  Opaque value (32-bit AS Number).  This is an
   optional TLV.  The value SHOULD be set to the AS Number associated
   with the BGP process originating the link-state information.  An
   implementation MAY provide a configuration option on the BGP-LS
   Producer to use a different value; e.g., to avoid collisions when
   using private AS numbers.
   =====

    The text doesn't require it to be the same as what is on the BGP OPEN.
It
    even let's any ASN be used. :-(  I don't remember what the
justification
    was, but I'll send a message to Ketan about it.

    If BGP SPF wants TLV 512 to contain the ASN from the OPEN, and check
(?)
    while running SPF, then it has to be specified because it is different
than
    rfc7752bis.




All this is to say that I think we can address semantic validation by
adding some text like this (suggestions):

   3. BGP Link-State (BGP-LS) Relationship

   Semantic validation of the TLVs defined in rfc7752bis MUST be
   performed against the specifications in the underlying OSPF or
   IS-IS specifications: rfc5305, rfc5307, ...  If the semantic
   validation fails, then the TLV MUST be considered malformed
   (Section 7.1).

   [There should be normative references added.]


   7.1. Processing of BGP-LS-SPF TLVs

   A TLV that is determined to be malformed MUST...  [There might
   be different actions to be taken, but treat-as-withdraw sounds
   relatively safe to me.]


   [Any exceptions or special processing needs to be specified.  For
example.]

   5.2. Extensions to BGP-LS

   The format of TLV 512 is defined in rfc7752bis, when used in a
   BGP-LS-SPF NLRI the content MUST be as follows:

     Autonomous System:  Opaque value (32-bit AS Number).  The
     value MUST be set to the AS Number associated with the BGP
     process originating the link-state information.


   [Generalize the text about "connection discovery" and provide
expectations.]

   4. BGP SPF Peering Models

   For all the peering models, the direct connection discovery and
   liveliness detection for the interconnecting links are independent
   of the BGP protocol and outside the scope of this document. For
   example, liveliness detection could be done using the BFD protocol
   [RFC5880] and connection discovery using [l3dl - Informative
   Reference].

   It is expected that a connection discovery mechanism provides the
   following information: remote link identifiers, ASN, BGP ID, ...


That was a lot shorter in my dream... ;-)

My 2c.

Alvaro.


On March 9, 2023 at 3:45:53 PM, Alvaro Retana (aretana.ietf@gmail.com)
wrote:

On March 9, 2023 at 2:41:17 PM, Acee Lindem wrote:

Acee:

Hi!

It looks like the review was truncated, you replied up to line 372, but the
complete review goes all the way to line 1513. :-(

  https://mailarchive.ietf.org/arch/msg/lsvr/80Awa3weqFJC5G--ep0EZVYFfmc/


...
> > My main concern is still the lack of semantic checking (see my
> > comments in §7.*). BGP-LS (rfc7752bis) only does syntactic validation
> > because any semantic checking is left to the BGP-LS Consumer (and the
> > specifics left out of scope). The way BGP SPF uses the information is
> > different (all the nodes run SPF), so the validity of the contents
> > need to be verified
>
> Keyur and I discussed and we’re not sure you think is missing.

This is an example (comment at line 1513):

=====
  [major] The validation in rfc7752bis is syntactic, checking that the
lengths
  are ok, etc.  What about semantic validation?  For example, if TLV 516
is
  present, but the value of the ID is 0, what should the receiver do?  Is
the
  TLV valid?  Is the Node Descriptor valid?  Is the NLRI valid?

  This is just an example -- we should go through all the TLVs.  Note that
none
  of the BGP-LS documents talk about semantic validation, so there isn't a
  place to point to :-( because the Consumer is expected to take care of
that -
  - and how it operates is out of scope.  IOW, BGP-LS can be a garbage-in-
  garbage-out transport from a semantic point of view, but BGP SPF can't!
=====



Alvaro.

v2.23.0 | Report a Bug | By Email