IETF Logo Mail Archive

Re: [sidr] draft-ietf-sidr-bgpsec-protocol

Keyur Patel <keyur@arrcus.com> Wed, 11 January 2017 16:54 UTC

Return-Path: <keyur@arrcus.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C460C1295D9; Wed, 11 Jan 2017 08:54:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.756
X-Spam-Level:
X-Spam-Status: No, score=-3.756 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-1.156, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=netorgft1331857.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PTYXwI-xJ2La; Wed, 11 Jan 2017 08:54:11 -0800 (PST)
Received: from dispatch1-us1.ppe-hosted.com (dispatch1-us1.ppe-hosted.com [67.231.154.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC556129416; Wed, 11 Jan 2017 08:54:11 -0800 (PST)
Received: from pure.maildistiller.com (unknown [10.110.50.29]) by dispatch1-us1.ppe-hosted.com (Proofpoint Essentials ESMTP Server) with ESMTP id 1FE166004F; Wed, 11 Jan 2017 16:54:11 +0000 (UTC)
X-Virus-Scanned: Proofpoint Essentials engine
Received: from mx4-us3.ppe-hosted.com (unknown [10.110.49.251]) by pure.maildistiller.com (Proofpoint Essentials ESMTP Server) with ESMTPS id 81CFF60055; Wed, 11 Jan 2017 16:54:10 +0000 (UTC)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03lp0021.outbound.protection.outlook.com [216.32.181.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mx4-us3.ppe-hosted.com (Proofpoint Essentials ESMTP Server) with ESMTPS id 16DAC80057; Wed, 11 Jan 2017 16:54:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=NETORGFT1331857.onmicrosoft.com; s=selector1-arrcus-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=AmthXFSY3SVRPi8BTUcfc+sGANV4M+RiYcf8Ju66rFE=; b=hknuwLmsJAPR2TL0X6I5klcYWCN2ukSMgFzH3ie9gyaGLzBss5H5eeA6BZ/ByRXxH0Uy6ZPUIjib1/t2nOi+zIMYQAcVjK3gMlRTvFJZ7qzuY12wmiiylkqfXxC+8yi96dpElcYBLTx1Fcu49CvmpzGJ/LDmiMNUOqbmGqVtgjw=
Received: from BY2PR18MB0262.namprd18.prod.outlook.com (10.163.72.152) by BY2PR18MB0263.namprd18.prod.outlook.com (10.163.72.153) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.845.12; Wed, 11 Jan 2017 16:54:02 +0000
Received: from BY2PR18MB0262.namprd18.prod.outlook.com ([10.163.72.152]) by BY2PR18MB0262.namprd18.prod.outlook.com ([10.163.72.152]) with mapi id 15.01.0829.017; Wed, 11 Jan 2017 16:54:02 +0000
From: Keyur Patel <keyur@arrcus.com>
To: "Alvaro Retana (aretana)" <aretana@cisco.com>, "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
Thread-Topic: draft-ietf-sidr-bgpsec-protocol
Thread-Index: AQHSZthkNfH8MXPYLkOmxwl9coeqv6EoZskAgAKH0dSAASfLgIAG7GoA
Date: Wed, 11 Jan 2017 16:54:02 +0000
Message-ID: <67DBF30E-B262-4568-87FB-96EEF9FB87A9@arrcus.com>
References: <B3E00907-BF7C-400D-8A5B-4F02BA2A2C12@arrcus.com> <C3B0482B-1007-4B29-B178-DE98C062E197@arrcus.com> <DM2PR09MB0446573C5C4C482D62700B6884630@DM2PR09MB0446.namprd09.prod.outlook.com> <6C8E073D-F1AB-4588-8DFF-FAA0A2465273@cisco.com>
In-Reply-To: <6C8E073D-F1AB-4588-8DFF-FAA0A2465273@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=keyur@arrcus.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [2601:646:8980:4f18:f1bf:786f:d301:2422]
x-ms-office365-filtering-correlation-id: 06c1a9d1-98fc-40ac-593b-08d43a42721c
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:BY2PR18MB0263;
x-microsoft-exchange-diagnostics: 1; BY2PR18MB0263; 7:3qY0eR89RS5LzH4UlfjzqGbNhZy8dmidRYg2FLHqbWm7zr7BgQbQZSbtlTnmo+x8q0+G7Y8icKGFFAQcPxX0uxgns0n6Q30sTxb4IArPrbzF97Dt56HP1X2Ni8V4rAJaxlEXODlyVj1MN57XWRklj/OSVksdEsh7dAV9Z2N//uvTTU7QbG8uEJ9Ceq/Vp6aCevegyLjz29wvZz/kaJmmbNVZrBoFqFno4DYVJZCsInGFIpPYzDykTq87w812c2wt0DDIKyw1ZcuF0gcsPYG4Z9jG/fQRdU6D6jqjgSnq0nwEoIaU36PfwG7BEfky4H6Xgrj7+6JsD8iLkVKL7BuG+l/nDg//re1VfYBPZg9GwW8gRreeE/Lu2bOHg86cy6hZqWrrETzWuVu9i6GOGp7o7Lm0M7kt5DAJsxyp4Ay8lR5Gbc7sSVOIrMj7luYM0I5k3dSILdJdN8WN2lYQtQmIpw==
x-microsoft-antispam-prvs: <BY2PR18MB0263EFB217E9DA107D15DCD8C1660@BY2PR18MB0263.namprd18.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(65766998875637)(95692535739014)(21748063052155)(17755550239193);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6041248)(20161123562025)(20161123555025)(20161123564025)(20161123560025)(2016111802025)(6072148)(6043046); SRVR:BY2PR18MB0263; BCL:0; PCL:0; RULEID:; SRVR:BY2PR18MB0263;
x-forefront-prvs: 01842C458A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(39410400002)(39450400003)(39830400002)(377454003)(199003)(24454002)(189002)(2900100001)(4326007)(102836003)(54906002)(189998001)(6116002)(230783001)(99286003)(54896002)(8656002)(6306002)(6436002)(77096006)(38730400001)(86362001)(101416001)(122556002)(6486002)(25786008)(7736002)(2906002)(6506006)(229853002)(6512007)(5001770100001)(97736004)(92566002)(33656002)(54356999)(50986999)(76176999)(3280700002)(93886004)(81166006)(8676002)(8936002)(36756003)(82746002)(81156014)(3660700001)(106116001)(5660300001)(2950100002)(83716003)(68736007)(105586002)(5890100001)(106356001)(9326002)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR18MB0263; H:BY2PR18MB0262.namprd18.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: arrcus.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_67DBF30EB262456887FB96EEF9FB87A9arrcuscom_"
MIME-Version: 1.0
X-OriginatorOrg: arrcus.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jan 2017 16:54:02.0743 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 697b3529-5c2b-40cf-a019-193eb78f6820
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR18MB0263
X-MDID: 1484153651-7XMbExrkiipW
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/v9RAr3n7eTJ3n96OzZuFUDBF4sk>
Cc: "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "mlepinski@ncf.edu" <mlepinski@ncf.edu>, sidr <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-bgpsec-protocol
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jan 2017 16:54:15 -0000

Hi Alvaro,

Comments inlined #Keyur

From: "Alvaro Retana (aretana)" <aretana@cisco.com>
Date: Friday, January 6, 2017 at 3:10 PM
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, Keyur Patel <keyur@arrcus.com>
Cc: "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, sidr <sidr@ietf.org>, "mlepinski@ncf.edu" <mlepinski@ncf.edu>
Subject: Re: draft-ietf-sidr-bgpsec-protocol


On 1/6/17, 12:40 AM, "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> wrote:



[Cut the distribution list a little.]



Sriram:



Hi!  Happy New Year!



I have some comments on this, please see below.



Thanks!



Alvaro.





…

| | 1)  Section 4.1 “The BGPsec Path attribute and the AS_PATH attribute are mutually

| | exclusive. That is, any update message containing the BGPsec Path attribute MUST NOT

| | contain the AS_PATH attribute”.  For any restarting speakers in a GR mode, where the bgp

| | capability is not exchanged, the existing stale routes won’t have an AS_PATH attribute. We

| | could add some clarifying that helps to indicate that such routes should be considered

| | valid in stale mode (till they get refreshed)?

|

| [Sriram]  As you have clarified for me on the phone, what you are saying here is that the

| two BGPsec peers lost the BGPsec session and now restarting in GR mode, but they have not

| exchanged BGPsec capability this time. Hence, they are now simple BGP (non-BGPsec) peers

| in GR mode. RFC4271 considers update message received without a well-known AS_PATH

| attribute as an error, and unfortunately in this case the cached BGPsec updates do not have

| AS_PATH (albeit they have BGPsec_Path). So you are saying "the router should not panic"

| and instead simply treat each cached update as NOT-IN-ERROR even though it is missing

| AS_PATH attribute. This way the GR can work properly. Of course, shortly the updates will

| have AS_PATH (and not considered in error) when they get refreshed (over the new simple

| BGP session). Per your suggestion, I will include new text in Section 7 to describe this

| required behavior for the GR mode.



I don’t have an objection for this behavior, but I think we should make the WG (and idr!) aware of the change and get their comments (if any) before I approve the publication.



#Keyur: Ack. Though I was only requesting some text clarification so that it is very clear to the implementers.



Regards,

Keyur





…

| | 3)  Section 5 and Section 5.2, 1st paragraph: RFC4271 considers update message received

| | without a well-known AS_PATH attribute as an error.  We need some text to clarify the

| | (error handling if any) behavior when an update message is received without a bgpsec and

| | an aspath attribute. The current draft text seems unclear about generation of bgpsec

| | attribute as well (in a ibgp scenario). Is it a requirement to generate an empty bgpsec

| | attribute?

|

| [Sriram]  As you have clarified for me over the phone, RFC 4271 (page 26) says the

| following :

|

|  "When a BGP speaker originates a route then:

|   b) the originating speaker includes an empty AS_PATH attribute in

|        all UPDATE messages sent to internal peers.  (An empty AS_PATH

|         attribute is one whose length field contains the value zero)."

|

|

| [Sriram]  So what needs to be said in the BGPsec document is the following:  The

| BGPsec_Path attribute is not attached in updates originated inside an AS and propagated to

| BGPsec capable internal peers. However, when a route is originated inside an AS and

| propagated to non-BGPsec internal peers, an empty AS_PATH attribute is included in the

| update (see [RFC 4271], page 26).



The Route Selection Section (9.1.2) in RFC4271 is not explicit about performing loop detection only on eBGP sessions – the criteria is generic to any route, so there is a possibility that a BGPsec-capable router may want to perform loop detection on an iBGP-received Update.  Given this text from Section 5 in the BGPsec spec:



   Whenever the use of AS path information is called for

   (e.g., loop detection, or use of AS path length in best path

   selection) the externally visible behavior of the implementation

   shall be the same as if the implementation had run the algorithm in

   Section 4.4 and used the resulting AS_PATH attribute as it would for

   a non-BGPsec update message.



…how should an iBGP speaker perform loop detection if there’s no BGPsec_Path attribute?  In other words, there is no defined mechanism to run the algorithm in 4.4 without it.



I’m not suggesting that you include an empty attribute, but that you indicate in 4.4 that no BGPsec_Path attribute is equivalent to an empty AS_PATH.



Thanks!



Alvaro.

v2.23.0 | Report a Bug | By Email