Re: [OPSEC] Comments on draft-jdurand-bgp-security-02

"Ivan Pepelnjak" <ipepelnjak@gmail.com> Sat, 29 September 2012 14:22 UTC

From: Ivan Pepelnjak <ipepelnjak@gmail.com>
To: 'Gert Doering' <gert@space.net>, 'David Freedman' <david.freedman@uk.clara.net>
References: <E2B120470A420C49A1CB4F6D01C013F875A88100@srvgrexmb02.claranet.local> <20120927125610.GC13776@Space.Net>
In-Reply-To: <20120927125610.GC13776@Space.Net>
Date: Sat, 29 Sep 2012 16:22:04 +0200
Message-ID: <000e01cd9e4d$cdb1e2b0$6915a810$@com>
Cc: opsec@ietf.org
Subject: Re: [OPSEC] Comments on draft-jdurand-bgp-security-02

David,

On the IXP LAN prefix front, there's nothing in the draft saying you shouldn't propagate it (maybe even in deaggregated form) in your IGP. What it says is (or maybe I'm just reading it wrong):

* You MUST NOT accept more specific prefixes (for obvious reasons);
* If you do accept it, take care that the EBGP route doesn't become better than an IGP route (leading to recursive routing problems) or use next-hop-self;
* It MUST only be accepted from ASes authorized to announce it (OK, this one MAY use a rewording).
* Exact IXP LAN prefix (accepted from proper AS) SHOULD be propagated to downstreams for uRPF checks on pMTUd ICMP replies.

On the next-hop filtering (section 9), I agree we MUST mention use of EBGP next hops for RTBH, including a reference to RFC 6666.

Thanks again for the comments,
Ivan

> -----Original Message-----
> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of
> Gert Doering
> Sent: Thursday, September 27, 2012 2:56 PM
> To: David Freedman
> Cc: opsec@ietf.org
> Subject: Re: [OPSEC] Comments on draft-jdurand-bgp-security-02
> 
> Hi,
> 
> On Thu, Sep 27, 2012 at 12:29:21PM +0000, David Freedman wrote:
> > I'm not aware of any implementations which can achieve this in a
> > scalable way, are the authors? at present I would have to statically
> > configure a next hop for each peer, not fun.
> 
> Both Cisco and Juniper can do
> 
> route-map foo permit 10
>   set ip(v6) next-hop peer-address
> 
> (dunno the exact Juniper syntax, but have been told it can be done)
> 
> DFN(680) stated on the DECIX list that they have been doing this on Cisco
> "since ever" and it works.
> 
> > Also, are you aware that some networks inject the IXP LAN into their
> > IGP for the purposes of TE? (I.e. leaving the IXP LAN next hop present
> > in their iBGP and then doing MPLS TE on this LAN as opposed to
> > next-hop-self on the border where all peering networks are collapsed
> > into a single loopback)
> 
> Yeah, I did.  At some point.
> 
> Maybe we need to add a bit more language to the point of "if you need to
> deviate from these recommendations, understand why you are doing this, and
> then feel free to do so" (= "SHOULD" normative language).
> 
> Gert Doering
>         -- NetMaster
> --
> have you enabled IPv6 on something today...?
> 
> SpaceNet AG                        Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
> Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
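As an added example (not part of this thread, the draft, or any vendor's configuration), the rules Ivan lists for the IXP LAN prefix and the next-hop point from section 9 can be written down as an inbound policy check that an operator could run against received EBGP routes. The peering LAN (192.0.2.0/24), the authorised IXP AS (64496), the customer prefixes, and the RTBH next-hop allowlist are constructed for this example; 0100::/64 is the IPv6 discard-only prefix from RFC 6666. Whether a third-party next hop is rewritten (as Gert's `set ip next-hop peer-address` does) or rejected is an operator choice; this checker only flags it.

```python
"""Policy checker for EBGP routes learned over an IXP peering LAN.

Encodes the recommendations discussed on the list:
  * reject more specifics of the IXP LAN prefix;
  * accept the exact IXP LAN prefix only from an authorised AS
    (so it can be propagated to downstreams for uRPF on pMTUd ICMP);
  * the BGP next hop must be the peer's address, except for
    explicitly allowed RTBH next hops (RFC 6666 style).
All addresses, ASNs and names below are constructed for the example.
"""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str      # NLRI as text, e.g. "192.0.2.0/24"
    origin_as: int   # rightmost AS in the AS_PATH
    next_hop: str    # NEXT_HOP attribute as received from the peer


# Constructed environment: RFC 5737/3849 documentation space, private ASNs.
IXP_LAN = ip_network("192.0.2.0/24")   # the peering LAN itself
AUTHORIZED_IXP_ASNS = {64496}          # the IXP operator's AS
# Next hops that may legitimately differ from the peer address: RTBH targets.
# 0100::/64 is the IPv6 discard-only prefix (RFC 6666); the host part is made up.
RTBH_NEXT_HOPS = {ip_address("0100::1")}


def check_ixp_lan_prefix(route, ixp_lan=IXP_LAN, authorized=AUTHORIZED_IXP_ASNS):
    """Return (accept, reason) for the IXP LAN prefix rules."""
    net = ip_network(route.prefix, strict=True)
    if net.version != ixp_lan.version:
        return True, "different address family; IXP LAN rule does not apply"
    if net == ixp_lan:
        if route.origin_as in authorized:
            # Exact prefix from the proper AS: safe to pass to downstreams
            # so their uRPF does not drop ICMP generated from the IXP LAN.
            return True, "exact IXP LAN prefix from authorised AS"
        return False, f"exact IXP LAN prefix from unauthorised AS{route.origin_as}"
    if net.subnet_of(ixp_lan):
        # A more specific would pull traffic for the peering LAN itself
        # (including our own next hops) towards the announcing peer.
        return False, "more specific of the IXP LAN prefix"
    return True, "unrelated to the IXP LAN"


def check_next_hop(route, peer_address, rtbh_next_hops=RTBH_NEXT_HOPS):
    """Return (accept, reason): next hop must be the peer unless it is an RTBH target."""
    nh = ip_address(route.next_hop)
    if nh == ip_address(peer_address):
        return True, "next hop is the peer address"
    if nh in rtbh_next_hops:
        return True, "next hop is an allowed RTBH target"
    # Third-party next hop: either rewrite to the peer address or reject.
    return False, f"next hop {nh} is neither the peer nor an RTBH target"


def evaluate(route, peer_address):
    """Apply every check; the route is accepted only if all of them pass."""
    results = [check_ixp_lan_prefix(route), check_next_hop(route, peer_address)]
    accept = all(ok for ok, _ in results)
    return accept, [reason for _, reason in results]


if __name__ == "__main__":
    peer = "192.0.2.5"  # constructed: the IXP peer we learn these routes from
    samples = [
        Route("192.0.2.128/25", 64496, peer),        # more specific: reject
        Route("192.0.2.0/24", 64496, peer),          # exact, authorised: accept
        Route("192.0.2.0/24", 64511, peer),          # exact, wrong AS: reject
        Route("198.51.100.0/24", 64500, "192.0.2.9"),  # third-party next hop
        Route("203.0.113.0/24", 64500, peer),        # ordinary route: accept
    ]
    for r in samples:
        ok, reasons = evaluate(r, peer)
        print("ACCEPT" if ok else "REJECT", r.prefix, "|", "; ".join(reasons))
```

Running the block prints one decision line per constructed sample route; the IPv6 RTBH case (a route with next hop 0100::1 learned from an IPv6 peer) is accepted by `check_next_hop` only because that address is on the allowlist, which is the explicit exception the draft would need to spell out.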