Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

heasley <heas@shrubbery.net> Wed, 28 March 2012 17:30 UTC

Date: Wed, 28 Mar 2012 17:30:10 +0000
From: heasley <heas@shrubbery.net>
To: "Murphy, Sandra" <Sandra.Murphy@sparta.com>
Message-ID: <20120328173010.GB72348@shrubbery.net>
References: <alpine.LFD.2.02.1203281401410.2692@jamaica.dcs.gla.ac.uk> <7309FCBCAE981B43ABBE69B31C8D21391B3EBFD895@EUSAACMS0701.eamcs.ericsson.se> <FBFDBAE5-9BF8-4708-9240-B775CAF46D56@raszuk.net> <7309FCBCAE981B43ABBE69B31C8D21391B3EBFD924@EUSAACMS0701.eamcs.ericsson.se> <alpine.LFD.2.02.1203281618090.2692@jamaica.dcs.gla.ac.uk> <CAL9jLaYqMwXVNKsHuBf_r8h==CGoee+D9k89Q4AZqT49jOQK1A@mail.gmail.com> <4F733C79.8080600@raszuk.net> <CAL9jLabVcWMtpu8usUS5w_BVPCG8ihvDcVjWbhnj_u6H-cdZkw@mail.gmail.com> <4F733FBE.1020902@raszuk.net> <24B20D14B2CD29478C8D5D6E9CBB29F60F6CB73F@Hermes.columbia.ads.sparta.com>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F60F6CB73F@Hermes.columbia.ads.sparta.com>
Cc: "idr@ietf.org List" <idr@ietf.org>, Paul Jakma <paul@jakma.org>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

Wed, Mar 28, 2012 at 05:00:43PM +0000, Murphy, Sandra:
> Replacing ASs in the AS_PATH sounds like a behavior you would want the security protections to prohibit.  It would enable attacks.
> 
> Can you explain how you would distinguish legitimate uses of this feature?

I've not used this feature, but from cisco's documentation, it doesn't appear
to function as raszuk described.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gtbgpdas.html

if local-as is configured for a peer(-group), i.e. if configured to peer as
a different AS than your own, such as for merging two ASes or changing your
ASN, then:
"The replace-as keyword is used to prepend only the local autonomous-system number (as configured with the ip-address argument) to the AS_PATH attribute. The autonomous-system number from the local BGP routing process is not prepended."

though I think that is unclear, I interpret it to mean that if my ASN is 1
and I peer as ASN 2 with ebgp peer 3, then a route received from AS 3 will
have the path [2 3], but if configured with replace-as, it will be [3].

I do not believe that the feature allows the arbitrary replacement of AS path
elements.

> --Sandy
> 
> ________________________________________
> From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] on behalf of Robert Raszuk [robert@raszuk.net]
> Sent: Wednesday, March 28, 2012 12:43 PM
> To: Christopher Morrow
> Cc: idr@ietf.org List; Paul Jakma; sidr wg list
> Subject: Re: [sidr] [Idr]  AS_SET depreciation (RFC6472) and BGP multipath
> 
> >> Are we going to freeze any AS_PATH modifications by operator's policy too ?
> >> I mentioned replace-as which all major vendors support. There can be more
> >> knobs like this coming in the future.
> >
> > replace as i think is dealt with .... sign again and pcount=0 and move along.
> 
> replace-as allows to replace any arbitrary match of list of ASes in the
> AS_PATH by your own AS. Does not need to be the last one.
> 
> I don't think SIDR has a solution to deal with such policy.
> 
> Best regards,
> R.
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
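The point under discussion is whether `replace-as` only changes what gets prepended to the front of the AS_PATH or whether it can rewrite arbitrary elements inside it. The following Python model is an added example, not part of heasley's message and not Cisco's code; it follows the documentation sentence quoted in the thread (with `replace-as`, only the `local-as` number is prepended and the router's real ASN is not), together with the assumption that without `replace-as` both the `local-as` number and the real ASN are prepended, outermost first. The helper `prepend_only` is a defender-side check that an advertised path still carries the received path intact as its tail, which is the property a prepend-only knob preserves and an arbitrary-rewrite knob would break.

```python
"""Model of AS_PATH handling for a peer configured with local-as, with and
without replace-as. Added example for the sidr/idr thread; simplified model,
not vendor code. AS_PATH is modelled as a plain AS_SEQUENCE (a Python list
with the most recently prepended AS first)."""

from typing import List, Optional


def outbound_as_path(local_bgp_asn: int, local_as: int, replace_as: bool,
                     path: List[int]) -> List[int]:
    """Return the AS_PATH a router would advertise to an eBGP peer for which
    `local-as <local_as>` is configured.

    Without replace-as (assumption): both numbers are prepended, the
    local-as number outermost so the peer sees it as its neighbour.
    With replace-as (quoted documentation): only the local-as number is
    prepended; the ASN of the local BGP process is not.
    """
    if replace_as:
        return [local_as] + list(path)
    return [local_as, local_bgp_asn] + list(path)


def prepended_ases(received: List[int], advertised: List[int]) -> Optional[List[int]]:
    """Return the ASes that were prepended in front of `received` to obtain
    `advertised`, or None if `advertised` does not end with `received`
    unchanged (i.e. some element of the received path was altered)."""
    if len(advertised) < len(received):
        return None
    tail = advertised[len(advertised) - len(received):]
    if tail != list(received):
        return None
    return advertised[:len(advertised) - len(received)]


def prepend_only(received: List[int], advertised: List[int]) -> bool:
    """True when `advertised` was derived from `received` purely by
    prepending, which is what both local-as modes in this model do."""
    return prepended_ases(received, advertised) is not None


if __name__ == "__main__":
    # Constructed scenario from the thread: real ASN 1, peering as ASN 2,
    # route learned from AS 3 with path [3].
    received = [3]
    for replace in (False, True):
        adv = outbound_as_path(1, 2, replace, received)
        print(f"replace-as={replace}: advertised {adv}, "
              f"prepended {prepended_ases(received, adv)}")
    # A path where an interior element was rewritten would fail the check.
    print("rewritten path passes prepend_only:", prepend_only([3, 4], [2, 5, 4]))
```

Running the block prints `[2, 1, 3]` for the plain `local-as` case and `[2, 3]` with `replace-as`; both satisfy `prepend_only`, while a path whose interior element was rewritten does not.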