Re: [secdir] [GROW] Secdir last call review of draft-ietf-grow-bgp-session-culling-04

"Will Hargrave" <will@harg.net> Mon, 25 September 2017 16:29 UTC

From: "Will Hargrave" <will@harg.net>
To: "Paul Wouters" <paul@nohats.ca>
Cc: secdir@ietf.org, grow@ietf.org, draft-ietf-grow-bgp-session-culling.all@ietf.org, ietf@ietf.org
Date: Mon, 25 Sep 2017 17:29:24 +0100
Message-ID: <ABA19C9B-7226-4001-86F9-9BDAAA21942C@harg.net>
In-Reply-To: <150635434992.27366.574012206348474088@ietfa.amsl.com>
References: <150635434992.27366.574012206348474088@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/A0K08b0QfWBFF1RKavxQi0x2nwE>

On 25 Sep 2017, at 16:45, Paul Wouters wrote:

> This document basically states that people doing network maintenance so often
> make mistakes that leak into the global BGP table, that it would be a good idea
> to just firewall all the BGP traffic going out of your network edge as a
> preventive measure. It's a sad state of software/firmware that an external
> firewalling process is deemed necessary to properly (re)configure BGP.

Hi Paul,

I am afraid you have got the wrong end of the stick here. This technique 
is intended for IXP and other L2 operators, not those who operate BGP 
speakers / IP networks. It is a workaround to unwanted blackholing of 
traffic as a result of the dataplane being broken whilst waiting for BGP 
holdtimers to expire - nothing to do with actual BGP route policy.

I gave a presentation earlier this year at the UK Network Operators 
Forum which attempts to explain this: 
https://indico.uknof.org.uk/event/39/contribution/8


Regards,

Will
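The timeline Will describes (the fabric is broken, but the peers' hold timers have not yet expired, so traffic keeps being forwarded into a dead path) is modelled below as an added example; it is not code from the draft, the thread, or the linked talk. The timer defaults are the values RFC 4271 suggests (90 s hold time, keepalives every 30 s); the keepalive alignment, the peer names and the timeline values are assumptions made for the illustration, and the ACL itself (TCP/179, both directions, IPv4 and IPv6) is not modelled.

```python
"""Why an IXP culls BGP sessions before breaking its fabric: a timeline model.

Constructed example, not code from the draft or from the thread. One BGP
session is carried across an IXP's L2 fabric. When the fabric is broken for
maintenance the session stays up until the peer's hold timer expires, and
every route learned over it keeps pulling traffic into a dead path. Culling
blocks TCP/179 on the fabric ahead of time so that the hold timers have
already expired when the break happens.

Timer defaults are the values RFC 4271 suggests (90 s hold time, keepalives
at one third of it); peers can negotiate others, so they are parameters.
A negotiated hold time of 0 means no keepalives and no hold timer
(RFC 4271, section 4.2), which culling cannot bring down.
"""

import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    name: str        # assumed peer name, illustration only
    holdtime: int    # negotiated hold time in seconds; 0 = never expires
    keepalive: int   # keepalive interval in seconds


def last_keepalive_before(t: float, keepalive: int) -> float:
    """Time of the most recent keepalive received at or before t.

    Modelling assumption: keepalives arrive at t = 0, keepalive, 2*keepalive,
    ... and one arriving exactly at t is delivered before a block applied at t.
    """
    if keepalive <= 0:
        raise ValueError("keepalive interval must be positive")
    return math.floor(t / keepalive) * keepalive


def drop_time(sess: Session, blocked_at: float) -> float:
    """Time at which the hold timer expires once BGP traffic stops at blocked_at.

    The hold timer restarts on every received KEEPALIVE or UPDATE, so the
    session lasts until the last keepalive that got through plus the hold time.
    """
    if sess.holdtime == 0:
        return math.inf  # no hold timer: the session never times out
    return last_keepalive_before(blocked_at, sess.keepalive) + sess.holdtime


def blackhole_window(sess: Session, maintenance_at: float,
                     cull_at: Optional[float] = None) -> Optional[Tuple[float, float]]:
    """Interval in which the dataplane is down but the session is still up.

    Without a cull, the maintenance itself is what stops the keepalives.
    With a cull applied earlier, BGP traffic stops at cull_at instead (a cull
    applied after the break starts is no better than none).
    Returns None if the session had already dropped when the break started.
    """
    blocked_at = maintenance_at if cull_at is None else min(cull_at, maintenance_at)
    down = drop_time(sess, blocked_at)
    if down <= maintenance_at:
        return None
    return (maintenance_at, down)


def blackhole_seconds(sess: Session, maintenance_at: float,
                      cull_at: Optional[float] = None) -> float:
    """Seconds during which traffic towards this peer is silently dropped."""
    window = blackhole_window(sess, maintenance_at, cull_at)
    return 0.0 if window is None else window[1] - window[0]


def cull_lead_time(sessions: List[Session]) -> float:
    """How long before the break the ACL must be in place for every session
    with a finite hold time to have expired.

    The last keepalive that gets through is no later than cull_at, so no
    session outlives cull_at + holdtime: the lead time is the largest hold
    time negotiated on the fabric, not just the RFC 4271 default.
    """
    finite = [s.holdtime for s in sessions if s.holdtime > 0]
    return float(max(finite)) if finite else 0.0


if __name__ == "__main__":
    # Constructed peers: default timers, long timers, and a no-keepalive session.
    peers = [Session("peer-a", 90, 30), Session("peer-b", 180, 60), Session("peer-z", 0, 1)]
    break_at = 610.0  # the fabric goes down 610 s into the timeline
    for cull in (None, 590.0, 500.0):
        for p in peers:
            print(f"cull={cull!s:>6} {p.name}: {blackhole_seconds(p, break_at, cull):g} s blackholed")
    print(f"apply the ACL at least {cull_lead_time(peers):g} s before the break")
```

The three runs show the point of the draft: with no cull the default-timer peer blackholes traffic for most of a hold time after the break; a cull applied less than a hold time ahead only shortens the window; a cull applied a full hold time ahead (measured against the largest hold time on the fabric) removes it. A session negotiated with a hold time of 0 is the caveat: no ACL on port 179 will bring it down, so it has to be handled by the participant.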