Re: [OPSEC] Comments on draft-jdurand-bgp-security-02

"Jerome Durand (jerduran)" <jerduran@cisco.com> Mon, 01 October 2012 12:46 UTC

From: "Jerome Durand (jerduran)" <jerduran@cisco.com>
To: Gert Doering <gert@space.net>
Thread-Topic: [OPSEC] Comments on draft-jdurand-bgp-security-02
Thread-Index: AQHNnKu3WrxGACmI90KZhJSLw3Z/15eeeWkAgAZGiAA=
Date: Mon, 01 Oct 2012 12:46:11 +0000
Message-ID: <0145702467942740A26A9633AA8B60FA1F8BE1FE@xmb-rcd-x01.cisco.com>
References: <E2B120470A420C49A1CB4F6D01C013F875A88100@srvgrexmb02.claranet.local> <20120927125610.GC13776@Space.Net>
In-Reply-To: <20120927125610.GC13776@Space.Net>
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] Comments on draft-jdurand-bgp-security-02

Also, are you aware that some networks inject the IXP
LAN into their IGP for the purposes of TE? (I.e. leaving
the IXP LAN next hop present in their iBGP and then
doing MPLS TE on this LAN as opposed to next-hop-self
on the border where all peering networks are collapsed
into a single loopback)

Yeah, I did.  At some point.

Hi all,

I did too for managing my 2 exits to a single IXP. This had great advantages: simple and best for convergence with Cisco BGP PIC.
However I had big problems a few times when the PE redistributed the LAN prefix while there was no connectivity due to a broken switch fabric on the Brocade MLX of the IXP. (Note I was also managing the IXP, so no excuse! :-) ) … So I decided to change this for next-hop-self :-)
SHOULD works for me then :-)


Cheers,

Jerome


Maybe we need to add a bit more language to the point of "if you
need to deviate from these recommendations, understand why you are
doing this, and then feel free to do so" (= "SHOULD" normative
language).

Gert Doering
       -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279


Jérôme Durand
Consulting Systems Engineer
Routing & Switching

jerduran@cisco.com
Mobile :+33 6 35 11 60 50

http://reseauxblog.cisco.fr

http://ipv6blog.cisco.fr


Cisco France
11, rue Camille Desmoulins
92782 Issy les Moulineaux
Cedex 9
France
www.cisco.fr



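The failure mode Jerome describes (the IXP LAN prefix still redistributed into the IGP by a PE whose port is up but whose switch fabric no longer forwards, so traffic is drawn to a dead exit) is easy to see in a small model. The following Python is an added illustration, not code from this thread, from the draft, or from any vendor; the topology (one core router, two PEs on one IXP LAN, one peer), the addresses, the IGP costs and the names PE1/PE2 are all constructed assumptions. It compares the "IXP LAN in the IGP" design with next-hop-self on the border for the same two events: everything healthy, and PE1's fabric broken with its port still up.

```python
"""Toy model of the two peering-exit designs discussed in the thread: keeping the IXP LAN
in the IGP (iBGP next hop stays the peer's IXP address) versus next-hop-self on the border.

Constructed example, not code from the thread or the draft. All addresses, IGP costs and
the topology (one core router, two PEs on one IXP LAN, one peer) are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PEER_IP = "10.0.0.99"       # constructed: the peer's address on the IXP LAN
PREFIX = "203.0.113.0/24"   # constructed: a prefix announced by that peer


@dataclass
class PE:
    name: str
    loopback: str
    igp_cost: int            # IGP cost from the core router to this PE
    port_up: bool = True     # the PE's port towards the IXP switch
    fabric_ok: bool = True   # False models a broken switch fabric behind an up port
    ebgp_up: bool = True     # eBGP session with the peer across the IXP LAN


def ibgp_routes(pes: List[PE], policy: str) -> List[Tuple[PE, str]]:
    """Routes for PREFIX that each PE injects into iBGP: (advertising PE, BGP next hop).
    A PE whose eBGP session is down has nothing to advertise under either policy."""
    routes = []
    for pe in pes:
        if pe.ebgp_up:
            nh = pe.loopback if policy == "next-hop-self" else PEER_IP
            routes.append((pe, nh))
    return routes


def lan_advertisers(pes: List[PE], policy: str) -> List[PE]:
    """PEs that carry the IXP LAN into the IGP. With 'lan-in-igp' every PE whose port is up
    redistributes the connected LAN, whether or not the fabric behind it actually forwards."""
    if policy != "lan-in-igp":
        return []
    return [pe for pe in pes if pe.port_up]


def forward(pes: List[PE], policy: str) -> Tuple[Optional[str], bool]:
    """Core router forwards one packet to PREFIX. Returns (exit PE name, delivered)."""
    candidates = []  # (IGP cost to the next hop, PE the packet actually exits through)
    for pe, nh in ibgp_routes(pes, policy):
        if nh == pe.loopback:
            # next-hop-self: the next hop is the advertising PE itself
            candidates.append((pe.igp_cost, pe))
        else:
            # next hop is on the IXP LAN: the IGP resolves it via the *closest* PE that
            # advertises the LAN, which need not be the PE that learned the route
            exits = lan_advertisers(pes, policy)
            if exits:
                closest = min(exits, key=lambda p: p.igp_cost)
                candidates.append((closest.igp_cost, closest))
    if not candidates:
        return None, False
    _, exit_pe = min(candidates, key=lambda c: c[0])
    return exit_pe.name, exit_pe.fabric_ok


def scenario(policy: str, pe1_fabric_broken: bool) -> Tuple[Optional[str], bool]:
    """Two PEs on the same IXP; PE1 is the cheaper exit. When PE1's fabric breaks, its port
    stays up but its eBGP session eventually drops."""
    pe1 = PE("PE1", "192.0.2.1", igp_cost=10,
             fabric_ok=not pe1_fabric_broken, ebgp_up=not pe1_fabric_broken)
    pe2 = PE("PE2", "192.0.2.2", igp_cost=20)
    return forward([pe1, pe2], policy)


if __name__ == "__main__":
    for policy in ("next-hop-self", "lan-in-igp"):
        for broken in (False, True):
            state = "PE1 fabric broken" if broken else "all good"
            print(policy, state, scenario(policy, broken))
```

With both exits healthy the two designs behave the same and pick the cheaper PE1. Once PE1's fabric breaks, next-hop-self delivers via PE2 because PE1 no longer has a BGP route to offer and PE2's route carries PE2's own loopback as next hop; with the LAN in the IGP, PE2's route still points at the peer's IXP address, the IGP resolves that address through PE1 (port up, connected route still redistributed), and the packet is black-holed. That is the convergence trade-off behind Jerome's move to next-hop-self and behind the SHOULD wording discussed in the thread.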