Re: [secdir] [GROW] Secdir last call review of draft-ietf-grow-bgp-session-culling-04

"Will Hargrave" <> Mon, 25 September 2017 16:29 UTC


On 25 Sep 2017, at 16:45, Paul Wouters wrote:

> This document basically states that people doing network maintenance so often make mistakes that leak into the global BGP table, that it would be a good idea to just firewall all the BGP traffic going out of your network edge as a preventive measure. It's a sad state of software/firmware that an external firewalling process is deemed necessary to properly (re)configure BGP.

Hi Paul,

I am afraid you have got the wrong end of the stick here. This technique is intended for IXP and other L2 operators, not those who operate BGP speakers / IP networks. It is a workaround to unwanted blackholing of traffic as a result of the dataplane being broken whilst waiting for BGP holdtimers to expire - nothing to do with actual BGP route policy.

I gave a presentation earlier this year at the UK Network Operators Forum which attempts to explain this
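The blackholing window Will describes (dataplane already broken, BGP session still up because the hold timer has not expired) can be shown with a small timing model. This is an added illustration, not code from the draft or from either correspondent; the timer values, maintenance times and the assumption that BGP keepalives traverse the same L2 fabric as the forwarded traffic are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """Minimal view of one BGP session across an IXP fabric."""
    hold_time: int          # seconds without a keepalive before the peer is declared down
    keepalive: int          # seconds between keepalives (assumed hold_time / 3)
    last_keepalive_rx: int = 0   # assumes a keepalive was seen at t=0
    up: bool = True


def blackholed_seconds(hold_time, keepalive, dataplane_down_at, maintenance_len, cull_at=None):
    """Seconds during which traffic is silently dropped: the L2 dataplane is
    broken but the BGP session is still up, so the router keeps forwarding
    into the IXP.  cull_at is the time the IXP starts dropping BGP control
    traffic (session culling); None means no culling is done."""
    sess = Session(hold_time, keepalive)
    end = dataplane_down_at + maintenance_len
    blackholed = 0
    for t in range(end + 1):
        dataplane_down = dataplane_down_at <= t < end
        culled = cull_at is not None and t >= cull_at
        # keepalives only get through if neither the ACL nor the fabric blocks them
        if sess.up and not (culled or dataplane_down) and t % keepalive == 0:
            sess.last_keepalive_rx = t
        # hold timer expiry tears the session down and traffic reroutes elsewhere
        if sess.up and t - sess.last_keepalive_rx >= sess.hold_time:
            sess.up = False
        if sess.up and dataplane_down:
            blackholed += 1
    return blackholed


if __name__ == "__main__":
    # Constructed scenario: 90s hold time, 30s keepalives, 10-minute maintenance at t=1000.
    print("no culling     :", blackholed_seconds(90, 30, 1000, 600))            # → 80
    print("culled 90s prior:", blackholed_seconds(90, 30, 1000, 600, cull_at=910))  # → 0
    print("culled 50s prior:", blackholed_seconds(90, 30, 1000, 600, cull_at=950))  # → 20
```

Starting the cull at least one hold time before the fabric goes down lets the sessions expire while the dataplane still works, so the peers have rerouted before any traffic can be dropped.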