[OPSEC] RFC7454 Sec. 6.1.5.2 IXP LAN Prefixes in the DFZ
Tobias Fiebig <tobias@reads-this-mailinglist.com> Sun, 07 August 2022 10:55 UTC
Return-Path: <tobias@reads-this-mailinglist.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B7E2C15A73D for <opsec@ietfa.amsl.com>; Sun, 7 Aug 2022 03:55:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=reads-this-mailinglist.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i-O44VB6qJwb for <opsec@ietfa.amsl.com>; Sun, 7 Aug 2022 03:55:40 -0700 (PDT)
Received: from mail.aperture-labs.org (mail.aperture-labs.org [195.191.197.3]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EBE9C1594AD for <opsec@ietf.org>; Sun, 7 Aug 2022 03:55:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=reads-this-mailinglist.com; s=key01; t=1659869731; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=mD4PmwhubZ9fFa6Zq2x6FdT0H2fmDcTcAPwzAvt3a/8=; b=UlNZtXqVu9VYqvIsT6wf6IlJbxsw2whQ6nG4SydIcP0OcnWOwQYN4u01E7ueYlDn/uxgO9 38OuMMdhS39tr9O1lxIo7M3WV8PoxCdWRqKJo3t/2LP+Gh7UR9pYmq+D1dUkqGxXQtShob UxNxaW7sv0/4H38VFeoMRxJo6JYNJvE=
Received: from DESKTOP1J9BJ88 (<unknown> [2a06:d1c0:2342:2342:d0f7:15f4:7842:c716]) by mail.aperture-labs.org (OpenSMTPD) with ESMTPSA id f232f1e9 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <opsec@ietf.org>; Sun, 7 Aug 2022 10:55:31 +0000 (UTC)
From: Tobias Fiebig <tobias@reads-this-mailinglist.com>
To: opsec@ietf.org
Date: Sun, 07 Aug 2022 12:55:30 +0200
Message-ID: <004f01d8aa4c$368f5870$a3ae0950$@reads-this-mailinglist.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdiqSWhA/iTtXClZTc6FfL2kDqKp/g==
Content-Language: en-nl
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/xXi_Ak0i55NI7zIChUWSa86X5Vo>
Subject: [OPSEC] RFC7454 Sec. 6.1.5.2 IXP LAN Prefixes in the DFZ
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Aug 2022 10:59:27 -0000
Heho, After debugging some pmtud issues with a route via an ix due to packets (datagram too big in this case) with ixp peering lan sources being dropped by the network of one of the participants in the connection [0], i stumbled over rfc7454/bcp194 sec. 6.1.5.2. This recommends announcing peering lan prefixes into the dfz to make pmtud work, also suggesting that--to accomplish that--the ix should announce the peering lan with the rs themselves. Iirc, operational practice goes more into the direction of 'keep the peering lan out of the dfz, do not fill it into your igp', and most ixps even push for peering lans to be considered bogon (see, e.g.: [1]). The reasoning usually being that the chances of somebody 'holding it wrong' are just too high when a peering lan is in the dfz. Would it maybe make sense to eratta rfc7454/bcp194 to note that most ixps prefer peering lans not being in the dfz, and operators should follow their ix'es prefrences re: filling it into their igp/announcing it to downstreams? Similar, as i have been bitten by it, too, it might be a good idea to think about known ixp prefixes' relation to uRPF even if they are not in the dfz? Reasoning being here that pmtud will work with an unroutable source as long as the destination is routable. (There is a lot more considerations here, and it may also relate to other transfer links often using unannounced/unroutable addresses/rfc1918 etc.; This is more of an impulsive thought than a well though through idea for now.) With best regards, Tobias [0] https://doing-stupid-things.as59645.net/networking/bgp/nsfp/2022/08/07/making-it-ping-part-6.html [1] https://github.com/peeringdb/peeringdb/issues/352 -- Tobias Fiebig M tobias@fiebig.nl
- [OPSEC] RFC7454 Sec. 6.1.5.2 IXP LAN Prefixes in … Tobias Fiebig