| draft-ietf-idr-bgp-extended-messages-30.txt | draft-ietf-idr-bgp-extended-messages-31.txt | |||
|---|---|---|---|---|
| Network Working Group R. Bush | Network Working Group R. Bush | |||
| Internet-Draft Internet Initiative Japan | Internet-Draft IIJ & Arrcus | |||
| Updates: 4271 (if approved) K. Patel | Updates: 4271 (if approved) K. Patel | |||
| Intended status: Standards Track Arrcus, Inc. | Intended status: Standards Track Arrcus, Inc. | |||
| Expires: September 27, 2019 D. Ward | Expires: January 1, 2020 D. Ward | |||
| Cisco Systems | Cisco Systems | |||
| March 26, 2019 | June 30, 2019 | |||
| Extended Message support for BGP | Extended Message support for BGP | |||
| draft-ietf-idr-bgp-extended-messages-30 | draft-ietf-idr-bgp-extended-messages-31 | |||
| Abstract | Abstract | |||
| The BGP specification mandates a maximum BGP message size of 4096 | The BGP specification mandates a maximum BGP message size of 4,096 | |||
| octets. As BGP is extended to support newer AFI/SAFIs and other | octets. As BGP is extended to support newer AFI/SAFIs and other | |||
| features, there is a need to extend the maximum message size beyond | features, there is a need to extend the maximum message size beyond | |||
| 4096 octets. This document updates the BGP specification RFC4271 by | 4,096 octets. This document updates the BGP specification RFC4271 by | |||
| providing an extension to BGP to extend its current maximum message | extending the maximum message size from 4,096 octets to 65,535 octets | |||
| size from 4096 octets to 65535 octets for all except the OPEN | for all except the OPEN and KEEPALIVE messages. | |||
| message. | ||||
| Requirements Language | Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| be interpreted as described in [RFC2119] only when they appear in all | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| upper case. They may also appear in lower or mixed case as English | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| words, without normative meaning. | capitals, as shown here. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 27, 2019. | This Internet-Draft will expire on January 1, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 27 ¶ | skipping to change at page 2, line 27 ¶ | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. BGP Extended Message . . . . . . . . . . . . . . . . . . . . 2 | 2. BGP Extended Message . . . . . . . . . . . . . . . . . . . . 2 | |||
| 3. Extended Message Capability for BGP . . . . . . . . . . . . . 3 | 3. Extended Message Capability for BGP . . . . . . . . . . . . . 3 | |||
| 4. Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 4. Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 5. Error Handling . . . . . . . . . . . . . . . . . . . . . . . 4 | 5. Error Handling . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 6. Changes to RFC4271 . . . . . . . . . . . . . . . . . . . . . 4 | 6. Changes to RFC4271 . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
| 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 | 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 6 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 6 | 10.2. Informative References . . . . . . . . . . . . . . . . . 7 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 1. Introduction | 1. Introduction | |||
| The BGP specification [RFC4271] mandates a maximum BGP message size | The BGP specification [RFC4271] mandates a maximum BGP message size | |||
| of 4096 octets. As BGP is extended to support newer AFI/SAFIs and | of 4,096 octets. As BGP is extended to support newer AFI/SAFIs and | |||
| newer capabilities (e.g., BGPsec, [RFC8205], BGP-LS, [RFC7752]), | newer capabilities (e.g., BGPsec [RFC8205] and BGP-LS [RFC7752]), | |||
| there is a need to extend the maximum message size beyond 4096 | there is a need to extend the maximum message size beyond 4,096 | |||
| octets. This draft provides an extension to BGP to extend its | octets. This draft provides an extension to BGP to extend its | |||
| current message size limit from 4096 octets to 65535 octets for all | message size limit from 4,096 octets to 65,535 octets for all except | |||
| except the OPEN message. | the OPEN and KEEPALIVE messages. | |||
| 2. BGP Extended Message | 2. BGP Extended Message | |||
| A BGP message over 4096 octets in length is a BGP Extended Message. | A BGP message over 4,096 octets in length is a BGP Extended Message. | |||
| BGP Extended Messages have maximum message size of 65535 octets. The | BGP Extended Messages have a maximum message size of 65,535 octets. | |||
| smallest message that may be sent consists of a BGP header without a | The smallest message that may be sent consists of a BGP KEEPALIVE | |||
| data portion (19 octets). | which consists of 19 octets. | |||
| 3. Extended Message Capability for BGP | 3. Extended Message Capability for BGP | |||
| To advertise the BGP Extended Message Capability to a peer, a BGP | To advertise the BGP Extended Message Capability to a peer, a BGP | |||
| speaker uses BGP Capabilities Advertisement [RFC5492]. By | speaker uses BGP Capabilities Advertisement [RFC5492]. By | |||
| advertising the BGP Extended Message Capability to a peer, a BGP | advertising the BGP Extended Message Capability to a peer, a BGP | |||
| speaker conveys that it is able to send, receive, and properly handle | speaker conveys that it is able to send, receive, and properly | |||
| BGP Extended Messages. | handle, see Section 4, BGP Extended Messages. | |||
| The BGP Extended Message Capability is a new BGP Capability [RFC5492] | The BGP Extended Message Capability is a new BGP Capability [RFC5492] | |||
| defined with Capability code 6 and Capability length 0. | defined with Capability code 6 and Capability length 0. | |||
| A peer which does not advertise this capability MUST NOT send BGP | A peer which does not advertise this capability MUST NOT send BGP | |||
| Extended Messages, and BGP Extended Messages MUST NOT be sent to it. | Extended Messages, and BGP Extended Messages MUST NOT be sent to it. | |||
| 4. Operation | Peers that wish to use the BGP Extended Message capability must | |||
| support Error Handling for BGP UPDATE Messages per [RFC7606]. | ||||
| A BGP speaker that is capable of sending and receiving BGP Extended | 4. Operation | |||
| Messages SHOULD advertise the BGP Extended Message Capability to the | ||||
| peer using BGP Capabilities Advertisement [RFC5492]. A BGP speaker | ||||
| MAY send Extended Messages to its peer only if it has fully exchanged | ||||
| the Extended Message Capability with that peer. | ||||
| The Extended Message Capability applies to all messages except for | The Extended Message Capability applies to all messages except for | |||
| the OPEN message. This exception is made to reduce complexity of | the OPEN and KEEPALIVE messages. The former exception is to reduce | |||
| providing backward compatibility | the complexity of providing a backward compatibility | |||
| A BGP speaker that is capable of sending and receiving BGP Extended | ||||
| Messages SHOULD advertise the BGP Extended Message Capability to its | ||||
| peers using BGP Capabilities Advertisement [RFC5492]. A BGP speaker | ||||
| MAY send Extended Messages to its peer only if both peers have | ||||
| negotiated the Extended Message Capability with each other. | ||||
| An implementation that advertises support for BGP Extended Messages | An implementation that advertises support for BGP Extended Messages | |||
| MUST be capable of receiving a message with a length up to and | MUST be capable of receiving a message with a Length up to and | |||
| including 65535 octets. | including 65,535 octets. | |||
| Applications generating information which might be encapsulated | Applications generating information which might be encapsulated | |||
| within BGP messages MUST limit the size of their payload to take the | within BGP messages MUST limit the size of their payload to take the | |||
| maximum message size into account. | maximum message size into account. | |||
| If a BGP update with a payload longer than 4096 octets is received by | If a BGP message with a Length lgreater than 4,096 octets is received | |||
| a BGP listener who has neither advertised nor agreed to accept BGP | by a BGP listener who has not advertised the Extended Message | |||
| Extended Messages, the listener MUST treat this as a malformed update | Capability, the listener MUST treat this as a malformed message, and | |||
| message, and MUST raise an UPDATE Message Error (see [RFC4271] Sec | MUST generate a NOTIFICATION with the Error Subcode set to Bad | |||
| 6.3). | Message Length (see [RFC4271] Sec 6.1). | |||
| A BGP announcement will, in the normal case, propagate throughout the | ||||
| BGP speaking Internet; and there will undoubtedly be BGP speakers | ||||
| which do not have the Extended Message capability. Therefore, having | ||||
| an attribute set which can not be decomposed to 4096 octets or less | ||||
| in an Extended Message will likely raise errors. | ||||
| A BGP speaker with a mixture of peers some of which have negotiated | A BGP announcement will (policy, best path, etc., allowing) propagate | |||
| BGP Extended Message capability and some which have not, MUST | throughout the BGP speaking Internet; and hence to BGP speakers which | |||
| o support [RFC7606], and | may not have the Extended Message capability. Therefore, an | |||
| o "treat as withdraw" (see [RFC7606]) a BGP attribute/NLRI pair | announcement in an Extended Message where the size of the attribute | |||
| (defined as BGP Route) which is too large to be sent to a peer | set plus the NLRI can not be decomposed to 4,096 octets or less may | |||
| which does not support BGP Extended Messages. | cause lack of reachability. | |||
| The BGP speaker MAY remove some BGP attributes which are eligible to | A speaker capable of BGP Extended Messages having a mixture of peers | |||
| use the Attribute discard approach in [RFC7606]. | some of which have not exchanged the BGP Extended Message capability, | |||
| may receive an announcement from one of its capable peers that would | ||||
| (due to the new AS on the path, new added attributes, etc.) produce | ||||
| an ongoing announcement that would be over 4,096 octets. When | ||||
| propagating that update onward to a neighbor with which it has not | ||||
| negotiated the BGP Extended Message capability, the sender SHOULD try | ||||
| to reduce the outgoing message size by downgrading BGPsec to BGP4, | ||||
| decomposing a multi-NLRI update producing multiple updates with fewer | ||||
| NLRI per update, removing attributes eligible under the attribute | ||||
| discard approach of [RFC7606], etc. If the resulting message would | ||||
| still be over the 4,096 octet limit, the sender SHOULD treat-as- | ||||
| withdraw per [RFC7606]. | ||||
| In an iBGP mesh, all peers SHOULD support the BGP Extended Message | In an iBGP mesh, all peers SHOULD support the BGP Extended Message | |||
| Capability and [RFC7606]. Only then is it consistent to deploy with | Capability and [RFC7606]. Only then is it consistent to deploy with | |||
| eBGP peers. | eBGP peers. | |||
| During the incremental deployment of BGP Extended Messages and | During the incremental deployment of BGP Extended Messages and | |||
| [RFC7606] in an iBGP mesh, or with eBGP peers, the operator should | [RFC7606] in an iBGP mesh, or with eBGP peers, the operator should | |||
| monitor any routes dropped as "treat as withdraw". | monitor any routes dropped as "treat-as-withdraw". | |||
| It is RECOMMENDED that BGP protocol developers and implementers are | It is RECOMMENDED that BGP protocol developers and implementers are | |||
| conservative in their application and use of Extended Messages. | conservative in their application and use of Extended Messages. | |||
| Future protocol specifications will need to describe how to handle | Future protocol specifications will need to describe how to handle | |||
| peers which can only accommodate 4096 octet messages. | peers which can only accommodate 4,096 octet messages. | |||
| 5. Error Handling | 5. Error Handling | |||
| A BGP speaker that has the ability to use Extended Messages but has | A BGP speaker that has the ability to use Extended Messages but has | |||
| not advertised the BGP Extended Messages capability, presumably due | not advertised the BGP Extended Messages capability, presumably due | |||
| to configuration, SHOULD NOT accept an Extended Message. A speaker | to configuration, SHOULD NOT accept an Extended Message. A speaker | |||
| SHOULD NOT implement a more liberal policy accepting BGP Extended | SHOULD NOT implement a more liberal policy accepting BGP Extended | |||
| Messages. | Messages. | |||
| A BGP speaker that does not advertise the BGP Extended Messages | A BGP speaker that does not advertise the BGP Extended Messages | |||
| skipping to change at page 4, line 48 ¶ | skipping to change at page 5, line 10 ¶ | |||
| similarly. | similarly. | |||
| The inconsistency between the local and remote BGP speakers MUST be | The inconsistency between the local and remote BGP speakers MUST be | |||
| flagged to the network operator through standard operational | flagged to the network operator through standard operational | |||
| interfaces. The information should include the NLRI and as much | interfaces. The information should include the NLRI and as much | |||
| relevant information as reasonably possible. | relevant information as reasonably possible. | |||
| 6. Changes to RFC4271 | 6. Changes to RFC4271 | |||
| [RFC4271] states "The value of the Length field MUST always be at | [RFC4271] states "The value of the Length field MUST always be at | |||
| least 19 and no greater than 4096." This document changes the latter | least 19 and no greater than 4,096." This document changes the | |||
| number to 65535 for all except the OPEN message. | latter number to 65,535 for all except the OPEN and KEEPALIVE | |||
| messages. | ||||
| [RFC4271] Sec 6.1, specifies raising an error if the length of a | [RFC4271] Sec 6.1, specifies raising an error if the length of a | |||
| message is over 4096 octets. For all messages except the OPEN | message is over 4,096 octets. For all messages except the OPEN | |||
| message, if the receiver has advertised the BGP Extended Messages | message, if the receiver has advertised the BGP Extended Messages | |||
| Capability, this document raises that limit to 65535. | Capability, this document raises that limit to 65,535. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| The IANA has made an early allocation for this new BGP Extended | The IANA has made an early allocation for this new BGP Extended | |||
| Message Capability referring to this document. | Message Capability referring to this document. | |||
| Registry: BGP Capability Code | Registry: BGP Capability Code | |||
| Value Description Document | Value Description Document | |||
| ----- ----------------------------------- ------------- | ----- ----------------------------------- ------------- | |||
| skipping to change at page 5, line 44 ¶ | skipping to change at page 6, line 7 ¶ | |||
| unintentional. | unintentional. | |||
| As this draft requires support for [RFC7606] update error handling, | As this draft requires support for [RFC7606] update error handling, | |||
| it inherits the security considerations of [RFC7606]. BGP peers may | it inherits the security considerations of [RFC7606]. BGP peers may | |||
| avoid such issues by using Authenticated Encryption with additional | avoid such issues by using Authenticated Encryption with additional | |||
| Data (AEAD) ciphers [RFC5116] and discard messages that do not | Data (AEAD) ciphers [RFC5116] and discard messages that do not | |||
| verify. | verify. | |||
| If a remote attacker is able to craft a large BGP Extended Message to | If a remote attacker is able to craft a large BGP Extended Message to | |||
| send on a path where one or more peers do not support BGP Extended | send on a path where one or more peers do not support BGP Extended | |||
| Messages, peers which support BGP Extended Messages may act to reduce | ||||
| the outgoing message, see Section 4, and in doing so produce a | ||||
| downgrade attack, e.g. convert BGPsec to BGP4. | ||||
| If a remote attacker is able to craft a large BGP Extended Message to | ||||
| send on a path where one or more peers do not support BGP Extended | ||||
| Messages, peers which support BGP Extended Messages may incur | Messages, peers which support BGP Extended Messages may incur | |||
| resource load (processing, message resizing, etc.) reformatting the | resource load (processing, message resizing, etc.) reformatting the | |||
| large messages. Worse, ([RFC7606] "treat as withdraw" may | large messages. Worse, ([RFC7606] "treat-as-withdraw" may | |||
| consistently withdraw announcements causing inconsistent routing. | consistently withdraw announcements causing inconsistent routing. | |||
| BGP routes are filtered by policies set by the operators. | BGP routes are filtered by policies set by the operators. | |||
| Implementations may provide policies to filter routes that would | Implementations may provide policies to filter routes that would | |||
| cause the "treat as withdraw" from being passed by an extended | cause the "treat-as-withdraw" from being passed by an extended | |||
| message speaker. | message speaker. | |||
| 9. Acknowledgments | 9. Acknowledgments | |||
| The authors thank Alvaro Retana, Enke Chen, Susan Hares, John | The authors thank Alvaro Retana for an amazing review, Enke Chen, | |||
| Scudder, John Levine, and Job Snijders for their input; and Oliver | Susan Hares, John Scudder, John Levine, and Job Snijders for their | |||
| Borchert and Kyehwan Lee for their implementations and testing. | input; and Oliver Borchert and Kyehwan Lee for their implementations | |||
| and testing. | ||||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | ||||
| Requirement Levels", BCP 14, RFC 2119, | ||||
| DOI 10.17487/RFC2119, March 1997, | ||||
| <http://www.rfc-editor.org/info/rfc2119>. | ||||
| [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A | [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A | |||
| Border Gateway Protocol 4 (BGP-4)", RFC 4271, | Border Gateway Protocol 4 (BGP-4)", RFC 4271, | |||
| DOI 10.17487/RFC4271, January 2006, | DOI 10.17487/RFC4271, January 2006, | |||
| <http://www.rfc-editor.org/info/rfc4271>. | <http://www.rfc-editor.org/info/rfc4271>. | |||
| [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", | [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", | |||
| RFC 4272, DOI 10.17487/RFC4272, January 2006, | RFC 4272, DOI 10.17487/RFC4272, January 2006, | |||
| <http://www.rfc-editor.org/info/rfc4272>. | <http://www.rfc-editor.org/info/rfc4272>. | |||
| [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | |||
| skipping to change at page 7, line 8 ¶ | skipping to change at page 7, line 25 ¶ | |||
| DOI 10.17487/RFC7752, March 2016, | DOI 10.17487/RFC7752, March 2016, | |||
| <http://www.rfc-editor.org/info/rfc7752>. | <http://www.rfc-editor.org/info/rfc7752>. | |||
| [RFC8205] Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol | [RFC8205] Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol | |||
| Specification", RFC 8205, DOI 10.17487/RFC8205, September | Specification", RFC 8205, DOI 10.17487/RFC8205, September | |||
| 2017, <https://www.rfc-editor.org/info/rfc8205>. | 2017, <https://www.rfc-editor.org/info/rfc8205>. | |||
| Authors' Addresses | Authors' Addresses | |||
| Randy Bush | Randy Bush | |||
| Internet Initiative Japan | IIJ & Arrcus | |||
| 5147 Crystal Springs | 5147 Crystal Springs | |||
| Bainbridge Island, Washington 98110 | Bainbridge Island, Washington 98110 | |||
| United States of America | US | |||
| Email: randy@psg.com | Email: randy@psg.com | |||
| Keyur Patel | Keyur Patel | |||
| Arrcus, Inc. | Arrcus, Inc. | |||
| Email: keyur@arrcus.com | Email: keyur@arrcus.com | |||
| Dave Ward | Dave Ward | |||
| Cisco Systems | Cisco Systems | |||
| 170 W. Tasman Drive | 170 W. Tasman Drive | |||
| San Jose, CA 95134 | San Jose, CA 95134 | |||
| United States of America | US | |||
| Email: dward@cisco.com | Email: dward@cisco.com | |||
| End of changes. 35 change blocks. | ||||
| 75 lines changed or deleted | 85 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||