[OPSEC] Comments on draft-jdurand-bgp-security-02
Tim Kleefass <tim@haitabu.net> Wed, 03 October 2012 15:27 UTC
Return-Path: <tim@haitabu.net>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4810A21F841B for <opsec@ietfa.amsl.com>; Wed, 3 Oct 2012 08:27:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cd1Z8bHh9MGU for <opsec@ietfa.amsl.com>; Wed, 3 Oct 2012 08:27:20 -0700 (PDT)
Received: from samstag.members.selfnet.de (samstag.members.selfnet.de [IPv6:2001:7c0:e701:800::199]) by ietfa.amsl.com (Postfix) with ESMTP id 38C2F21F849D for <opsec@ietf.org>; Wed, 3 Oct 2012 08:27:20 -0700 (PDT)
Received: from [192.168.178.19] (HSI-KBW-046-005-022-247.hsi8.kabel-badenwuerttemberg.de [46.5.22.247]) by samstag.members.selfnet.de (Postfix) with ESMTPSA id 764A721C034 for <opsec@ietf.org>; Wed, 3 Oct 2012 17:27:17 +0200 (CEST)
Message-ID: <506C5954.9050807@haitabu.net>
Date: Wed, 03 Oct 2012 17:27:16 +0200
From: Tim Kleefass <tim@haitabu.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: "opsec@ietf.org" <opsec@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: [OPSEC] Comments on draft-jdurand-bgp-security-02
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Oct 2012 15:27:21 -0000
Hi there, Some comments and thoughts. * next-hop filtering possible (If had sent this only to the authors, but maybe the list is also interested.) Regarding Section 9. Next-Hop Filtering With IOS XR one can match the next-hop in a route-policy (but I have never used it, so no real-life experience): Example on Cisco ASR 9000, IOS XR 4.1.1: route-policy test if not next-hop in (192.0.2.1) then drop endif ... end-policy One can also state a prefix-list instead a single IPv4/IPv6 address. So this could by an alternative to setting the next-hop by hard. This could be interesting if you have on an IXP two peering sessions to the same ISP and want to allow this ISP to play with the next-hop. Or you could apply an prefix-list to the peering with the route-server of an IXP to make sure that through this peerings only valid next-hops are announced. But probably one trusts this route-servers and such a setup would be overkill... * About route flap dampening """ 6. BGP route flap dampening BGP route flap dampening mechanism makes it possible to give penalties to routes each time they change in the BGP routing table. Initially this mechanism was created to protect the entire internet from multiple events impacting a single network. RIPE community now recommends not using BGP route flap dampening [20]. Author of this document proposes to follow the proposal of the RIPE community. """ On that topic there are some "updates" at the RIPE-64: Randy Bush, Route Flap Damping Considered Usable @ RIPE-64 https://ripe64.ripe.net/presentations/136-120418.ripe-rfd.pdf https://ripe64.ripe.net/archives/video/80 [routing-wg] Route flap damping considered usable http://www.ripe.net/ripe/mail/archives/routing-wg/2012-July/002163.html So maybe the recommendation of the RIPE community will change in the future... * stable eBGP announcement Talking about route flap dampening, it could be a good idea to prevent routes from flapping in the first place and I haven't seen that in the draft (the focus is on security, but as route flap dampening is named...). If you are the origin of a prefix you want to announce that prefix in a very stable way. For example, if you are stub, configure on two router a null-route for that prefix and inject it into BGP. There are also situations where an ISP can help stub customers with an stable eBGP announcement. We have several single-homed customers (customers that are only connected to us and no other ISP). These customers have their own IPv4 (legacy) space. In the RIPE region the requirement for IPv6 PI space to be at least dual-homed was canceled. So there could also be single-homed customers with an own IPv6 space. Such customers are connected to us with static routes (then we put their prefix in BGP) or via BGP (and private AS numbers; which we strip before announcing to others). For them we put a "backup null-route" on two of our core routers, so that if the connection to the customer fails we still have a route to the prefix and the prefix is injected into BGP and announced into the Internet. Example on Cisco ASR 9000, IOS XR 4.1.1: router static address-family ipv4 unicast 192.0.2.0/24 Null0 240 ! ^^^ administrative distance of 240 ! higher than OSPF and BGP ! ! router bgp 553 address-family ipv4 unicast ! BelWue network 192.0.2.0/24 route-policy ebgp-null-route ! ^^ the route-policy sets (only) a community ! ! * private AS numbers In Section 8. AS-path filtering """ o Do not advertise private AS numbers. Exception: Customers using BGP without having their own AS number must use private AS numbers to advertise their prefixes to their upstream. The private AS number is usually provided by the upstream. """ An then strip the private AS number before announcing that prefix to others ISPs. Cheers, Tim
- [OPSEC] Comments on draft-jdurand-bgp-security-02 David Freedman
- Re: [OPSEC] Comments on draft-jdurand-bgp-securit… Gert Doering
- Re: [OPSEC] Comments on draft-jdurand-bgp-securit… Ivan Pepelnjak
- Re: [OPSEC] Comments on draft-jdurand-bgp-securit… Jerome Durand (jerduran)
- [OPSEC] Comments on draft-jdurand-bgp-security-02 Tim Kleefass
- Re: [OPSEC] Comments on draft-jdurand-bgp-securit… Tim Kleefass