Re: [sidr] [Idr] AS_SET depreciation (RFC6472) and BGP multipath

Robert Raszuk <robert@raszuk.net> Wed, 28 March 2012 20:23 UTC

To: heasley <heas@shrubbery.net>, "Murphy, Sandra" <Sandra.Murphy@sparta.com>
Cc: "idr@ietf.org List" <idr@ietf.org>, Paul Jakma <paul@jakma.org>, sidr wg list <sidr@ietf.org>

 > it doesn't appear to function as raszuk described.

Let me point out that heasley is looking at a completely different knob
which has nothing to do with replace as path policy extension.

The correct pointer is: http://goo.gl/xVToJ

Rgs,
R.

> Wed, Mar 28, 2012 at 05:00:43PM +0000, Murphy, Sandra:
>> Replacing ASs in the AS_PATH sounds like a behavior you would want the security protections to prohibit.  It would enable attacks.
>>
>> Can you explain how you would distinguish legitimate uses of this feature?
>
> I've not used this feature, but from Cisco's documentation, it doesn't appear
> to function as raszuk described.
>
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gtbgpdas.html
>
> if local-as is configured for a peer(-group), i.e. if configured to peer as
> a different AS than your own, such as for merging two ASes or changing your
> ASN, then:
> "The replace-as keyword is used to prepend only the local autonomous-system number (as configured with the ip-address argument) to the AS_PATH attribute. The autonomous-system number from the local BGP routing process is not prepended."
>
> though I think that is unclear, I interpret it to mean that if my ASN is 1
> and I peer as ASN 2 with eBGP peer 3, then a route received from AS 3 will
> have the path [2 3], but if configured with replace-as, it will be [3].
>
> I do not believe that the feature allows the arbitrary replacement of AS path
> elements.
>
>> --Sandy
>>
>> ________________________________________
>> From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] on behalf of Robert Raszuk [robert@raszuk.net]
>> Sent: Wednesday, March 28, 2012 12:43 PM
>> To: Christopher Morrow
>> Cc: idr@ietf.org List; Paul Jakma; sidr wg list
>> Subject: Re: [sidr] [Idr]  AS_SET depreciation (RFC6472) and BGP multipath
>>
>>>> Are we going to freeze any AS_PATH modifications by operator's policy too ?
>>>> I mentioned replace-as which all major vendors support. There can be more
>>>> knobs like this coming in the future.
>>>
>>> replace as i think is dealt with .... sign again and pcount=0 and move along.
>>
>> replace-as allows replacing any arbitrary match of a list of ASes in the
>> AS_PATH by your own AS. Does not need to be the last one.
>>
>> I don't think SIDR has a solution to deal with such policy.
>>
>> Best regards,
>> R.
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr