| draft-ietf-idr-bgp-flowspec-oid-03.txt | draft-ietf-idr-bgp-flowspec-oid-04.txt | |||
|---|---|---|---|---|
| Network Working Group James Uttaro | ||||
| Internet Draft AT&T | Network Working Group J. Uttaro | |||
| Updates: 5575 Clarence Filsfils | Internet-Draft AT&T | |||
| Intended Status: Proposed Standard David Smith | Updates: 5575 (if approved) J. Alcaide | |||
| Expiration Date: September 21, 2016 Juan Alcaide | Intended status: Standards Track C. Filsfils | |||
| Expires: September 14, 2017 D. Smith | ||||
| Cisco | Cisco | |||
| Pradosh Mohapatra | P. Mohapatra | |||
| Sproute Networks | Sproute Networks | |||
| March 21, 2016 | March 13, 2017 | |||
| Revised Validation Procedure for BGP Flow Specifications | Revised Validation Procedure for BGP Flow Specifications | |||
| draft-ietf-idr-bgp-flowspec-oid-03 | draft-ietf-idr-bgp-flowspec-oid-04 | |||
| Abstract | Abstract | |||
| This document describes a modification to the validation procedure | This document describes a modification to the validation procedure | |||
| defined in RFC 5575 for the dissemination of BGP flow specifications. | defined in RFC 5575 for the dissemination of BGP flow specifications. | |||
| RFC 5575 requires that the originator of the flow specification | RFC 5575 requires that the originator of the flow specification | |||
| matches the originator of the best-match unicast route for the | matches the originator of the best-match unicast route for the | |||
| destination prefix embedded in the flow specification. This allows | destination prefix embedded in the flow specification. This allows | |||
| only BGP speakers within the data forwarding path (such as autonomous | only BGP speakers within the data forwarding path (such as autonomous | |||
| system border routers) to originate BGP flow specifications. Though | system border routers) to originate BGP flow specifications. Though | |||
| it is possible to disseminate such flow specifications directly from | it is possible to disseminate such flow specifications directly from | |||
| border routers, it may be operationally cumbersome in an autonomous | border routers, it may be operationally cumbersome in an autonomous | |||
| system with a large number of border routers having complex BGP | system with a large number of border routers having complex BGP | |||
| policies. The modification proposed herein enables flow | policies. The modification proposed herein enables flow | |||
| specifications to be originated from a centralized BGP route | specifications to be originated from a centralized BGP route | |||
| controller. | controller. | |||
| Status of this Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF). Note that other groups may also distribute | |||
| other groups may also distribute working documents as Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | ||||
| http://www.ietf.org/ietf/1id-abstracts.txt. | ||||
| The list of Internet-Draft Shadow Directories can be accessed at | ||||
| http://www.ietf.org/shadow.html. | ||||
| This Internet-Draft will expire on September 21, 2016. | This Internet-Draft will expire on September 14, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1 Specification of Requirements ...................... 3 | 1. Requirements Language . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2 Motivation ......................................... 3 | 2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 3 Introduction ....................................... 5 | 3. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4 Revised Validation Procedure ....................... 6 | 4. Revised Validation Procedure . . . . . . . . . . . . . . . . 5 | |||
| 5 Security Considerations ............................ 7 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6 IANA Considerations ................................ 7 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 7 Normative References ............................... 7 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 8 Acknowledgements ................................... 8 | 8. Normative References . . . . . . . . . . . . . . . . . . . . 7 | |||
| 9 Authors' Addresses ................................. 8 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 1. Specification of Requirements | 1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| 2. Motivation | 2. Motivation | |||
| Step (a) of the validation procedure in [RFC5575], section 6 is | Step (a) of the validation procedure in [RFC5575], section 6 is | |||
| defined with the underlying assumption that the flow specification | defined with the underlying assumption that the flow specification | |||
| NLRI traverses the same path, in the inter-domain and intra-domain | NLRI traverses the same path, in the inter-domain and intra-domain | |||
| route distribution graph, as that of the longest-match unicast route | route distribution graph, as that of the longest-match unicast route | |||
| for the destination prefix embedded in the flow specification. | for the destination prefix embedded in the flow specification. | |||
| In the case of inter-domain traffic filtering, for example, the flow | In the case of inter-domain traffic filtering, for example, the flow | |||
| specification originator at the egress border routers of ASN1 (RTR-D | specification originator at the egress border routers of ASN1 (RTR-D | |||
| and RTR-E in figure 1) matches the EBGP neighbor that advertised the | and RTR-E in figure 1) matches the EBGP neighbor that advertised the | |||
| longest match destination prefix (RTR-F and RTR-G respectively). | longest match destination prefix (RTR-F and RTR-G respectively). | |||
| Similarly, at the ingress border routers of ASN1 (RTR-A and RTR-B in | Similarly, at the ingress border routers of ASN1 (RTR-A and RTR-B in | |||
| figure 1), the flow specification originator matches the egress IBGP | figure 1), the flow specification originator matches the egress IBGP | |||
| border routers that had advertised the unicast route for the best- | border routers that had advertised the unicast route for the best- | |||
| match destination prefix (RTR-D and RTR-E respectively). This is true | match destination prefix (RTR-D and RTR-E respectively). This is | |||
| even when ingress border routers select paths from different egress | true even when ingress border routers select paths from different | |||
| border routers as best path based upon IGP distance (as an example, | egress border routers as best path based upon IGP distance (as an | |||
| RTR-A chooses RTR-D's path as best; RTR-B chooses RTR-E as the best | example, RTR-A chooses RTR-D's path as best; RTR-B chooses RTR-E as | |||
| path). | the best path). | |||
| / - - - - - - - - - - - - - - | / - - - - - - - - - - - - - - | |||
| | ASN1 | | | ASN1 | | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| | | | | | | | | | | | | | | |||
| | RTR-A | | RTR-B | | | RTR-A | | RTR-B | | |||
| | | | | | | | | | | | | | | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| | \ / | | | \ / | | |||
| IBGP \ / IBGP | IBGP \ / IBGP | |||
| | \ / | | | \ / | | |||
| +-------+ | +-------+ | |||
| | | | | | | | | | | |||
| | RTR-C | | | RTR-C | | |||
| | | RC | | | | | RC | | | |||
| +-------+ | +-------+ | |||
| | / \ | | | / \ | | |||
| / \ | / \ | |||
| | IBGP / \ IBGP | | | IBGP / \ IBGP | | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| | | RTR-D | | RTR-E | | | | | RTR-D | | RTR-E | | | |||
| | | | | | | | | | | |||
| | | | | | | | | | | | | | | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| | | | | | | | | | | |||
| - - -|- - - - - - - - -|- - -/ | - - -|- - - - - - - - -|- - -/ | |||
| | EBGP EBGP | | | EBGP EBGP | | |||
| - - -|- - - - - - - - -|- - -/ | - - -|- - - - - - - - -|- - -/ | |||
| | | | | | | | | | | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| | | | | | | | | | | | | | | |||
| | RTR-F | | RTR-G | | | RTR-F | | RTR-G | | |||
| | | | | | | | | | | | | | | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| | ASN2 | | | ASN2 | | |||
| / - - - - - - - - - - - - - - | / - - - - - - - - - - - - - - | |||
| Figure 1 | Figure 1 | |||
| It is highly desirable that each ASN is able to protect itself | It is highly desirable that each ASN is able to protect itself | |||
| independently from network security attacks using the BGP flow | independently from network security attacks using the BGP flow | |||
| specification NLRI for intra-domain purposes only. Network operators | specification NLRI for intra-domain purposes only. Network operators | |||
| often deploy a dedicated Security Operations Center (SOC) within | often deploy a dedicated Security Operations Center (SOC) within | |||
| their ASN to monitor and detect such security attacks. To mitigate | their ASN to monitor and detect such security attacks. To mitigate | |||
| attacks in a scalable intra-domain manner, operators require the | attacks in a scalable intra-domain manner, operators require the | |||
| ability to originate intra-domain flow specification NLRIs from a | ability to originate intra-domain flow specification NLRIs from a | |||
| central BGP route controller (or router reflector per [RFC4456]) that | central BGP route controller (or router reflector per [RFC4456]) that | |||
| is not within the data forwarding plane. In this way, operators can | is not within the data forwarding plane. In this way, operators can | |||
| direct border routers within their ASN with specific attack | direct border routers within their ASN with specific attack | |||
| mitigation actions (drop the traffic, forward to a clean-pipe center, | mitigation actions (drop the traffic, forward to a clean-pipe center, | |||
| etc.). To originate a flow specification NLRI, a central BGP route | etc.). To originate a flow specification NLRI, a central BGP route | |||
| controller (or route reflector) must set itself as the originator in | controller (or route reflector) must set itself as the originator in | |||
| the flowspec NLRI. This is necessary given the route controller is | the flowspec NLRI. This is necessary given the route controller is | |||
| originating the flow specification not reflecting it, and to avoid | originating the flow specification not reflecting it, and to avoid | |||
| the complexity of having to determine the egress border router whose | the complexity of having to determine the egress border router whose | |||
| path was chosen as the best in each of the ingress border routers. It | path was chosen as the best in each of the ingress border routers. | |||
| thus becomes necessary to modify step (a) of the RFC 5575 validation | It thus becomes necessary to modify step (a) of the RFC 5575 | |||
| procedure such that an IBGP peer that is not within the data | validation procedure such that an IBGP peer that is not within the | |||
| forwarding plane may originate flow specification NLRIs. | data forwarding plane may originate flow specification NLRIs. | |||
| 3. Introduction | 3. Introduction | |||
| RFC 5575 defined a new BGP capability that can be used to distribute | RFC 5575 defined a new BGP capability that can be used to distribute | |||
| traffic flow specifications amongst BGP speakers in support of | traffic flow specifications amongst BGP speakers in support of | |||
| traffic filtering. The primary intention of RFC 5575 is to enable | traffic filtering. The primary intention of RFC 5575 is to enable | |||
| downstream autonomous systems to signal traffic filtering policies to | downstream autonomous systems to signal traffic filtering policies to | |||
| upstream autonomous systems. In this way, traffic is filtered closer | upstream autonomous systems. In this way, traffic is filtered closer | |||
| to the source and the upstream autonomous system(s) avoid carrying | to the source and the upstream autonomous system(s) avoid carrying | |||
| the traffic to the downstream autonomous system only to be discarded. | the traffic to the downstream autonomous system only to be discarded. | |||
| RFC 5575 also enables more granular traffic filtering based upon | RFC 5575 also enables more granular traffic filtering based upon | |||
| upper layer protocol information (e.g., protocol port numbers) as | upper layer protocol information (e.g., protocol port numbers) as | |||
| opposed to coarse IP destination prefix-based filtering. Flow | opposed to coarse IP destination prefix-based filtering. Flow | |||
| specification NLRIs received from a BGP peer are subject to validity | specification NLRIs received from a BGP peer are subject to validity | |||
| checks before being considered feasible and subsequently installed | checks before being considered feasible and subsequently installed | |||
| within the respective Adj-RIB-In. The validation procedure defined | within the respective Adj-RIB-In. The validation procedure defined | |||
| within RFC 5575 requires that the originator of the flow | within RFC 5575 requires that the originator of the flow | |||
| specification NLRI matches the originator of the best-match unicast | specification NLRI matches the originator of the best-match unicast | |||
| route for the destination prefix embedded in the flow specification. | route for the destination prefix embedded in the flow specification. | |||
| This allows only BGP speakers [RFC4271] within the data forwarding | This allows only BGP speakers [RFC4271] within the data forwarding | |||
| path (such as autonomous system border routers) to originate BGP flow | path (such as autonomous system border routers) to originate BGP flow | |||
| specification NLRIs. Though it is possible to disseminate such flow | specification NLRIs. Though it is possible to disseminate such flow | |||
| specification NLRIs directly from border routers, it may be | specification NLRIs directly from border routers, it may be | |||
| operationally cumbersome in an autonomous system with a large number | operationally cumbersome in an autonomous system with a large number | |||
| of border routers having complex BGP policies. This document | of border routers having complex BGP policies. This document | |||
| describes a modification to the RFC 5575 validation procedure | describes a modification to the RFC 5575 validation procedure | |||
| allowing flow specification NLRIs to be originated from a centralized | allowing flow specification NLRIs to be originated from a centralized | |||
| BGP route controller within the local autonomous system that is | BGP route controller within the local autonomous system that is | |||
| neither in the data forwarding path nor serving as a BGP route | neither in the data forwarding path nor serving as a BGP route | |||
| reflector [RFC4456]. While the proposed modification cannot be used | reflector [RFC4456]. While the proposed modification cannot be used | |||
| for inter-domain coordination of traffic filtering, it greatly | for inter-domain coordination of traffic filtering, it greatly | |||
| simplifies distribution of intra-domain traffic filtering policies in | simplifies distribution of intra-domain traffic filtering policies in | |||
| an autonomous system with a large number of border routers having | an autonomous system with a large number of border routers having | |||
| complex BGP policies. By relaxing the validation procedure for IBGP, | complex BGP policies. By relaxing the validation procedure for IBGP, | |||
| the proposed modification allows flow specifications to be | the proposed modification allows flow specifications to be | |||
| distributed in a standard and scalable manner throughout an | distributed in a standard and scalable manner throughout an | |||
| autonomous system. | autonomous system. | |||
| 4. Revised Validation Procedure | 4. Revised Validation Procedure | |||
| Step (a) of the validation procedure specified in RFC 5575, section 6 | Step (a) of the validation procedure specified in RFC 5575, section 6 | |||
| is redefined as follows: | is redefined as follows: | |||
| a) One of the following conditions MUST hold true: | a. One of the following conditions MUST hold true. | |||
| o The originator of the flow specification matches the | ||||
| originator of the best-match unicast route for the | ||||
| destination prefix embedded in the flow specification. | ||||
| o The AS_PATH and AS4_PATH attribute of the flow | ||||
| specification are empty. | ||||
| o The AS_PATH and AS4_PATH attribute of the flow | ||||
| specification does not contain AS_SET and AS_SEQUENCE | ||||
| segments. | ||||
| An empty AS_PATH and AS4_PATH attribute indicates per [RFC4271] that | * The originator of the flow specification matches the | |||
| the flow specification NLRI originated in the same autonomous system | originator of the best-match unicast route for the destination | |||
| as the local BGP speaker. Similarly, lack of AS_SET and AS_SEQUENCE | prefix embedded in the flow specification. | |||
| segments within an AS_PATH and AS4_PATH attribute that is not empty | ||||
| indicates that the flow specification NLRI originated in the same | * The AS_PATH attribute of the flow specification does not | |||
| autonomous system as the local BGP speaker but that the autonomous | contain AS_SET and AS_SEQUENCE segments. | |||
| system includes a BGP confederation [RFC5065]. With this proposed | ||||
| modification to the RFC 5575 validation procedure, it is now possible | An AS_PATH without AS_SET and AS_SEQUENCE segments indicates that the | |||
| for an IBGP peer that is not within the data forwarding path to | flow specification was originated inside the local AS [RFC4271] or | |||
| originate flow specification NLRIs. This applies with and without the | inside the local confederation (in the case that the local AS belongs | |||
| presence of a BGP confederation within the autonomous system. | to a confederation of ASes) [RFC5065]. With this modification to the | |||
| RFC 5575 validation procedure, it is now possible for an IBGP peer | ||||
| that is not within the data forwarding path to originate flow | ||||
| specification NLRIs. This applies whether the AS belongs or not to a | ||||
| confederation of ASes. Checking the (newly introduced) second | ||||
| condition above MAY be disabled by configuration on a BGP speaker. | ||||
| However, it SHOULD be enabled by default. Disabling the condition | ||||
| may be a good practice when the administrator knows with certainty | ||||
| that there are not flow specification NLRI originated inside the | ||||
| local AS (or local confederation). Optionally, an implementation | ||||
| could be configured to allow only flow specification NLRIs containing | ||||
| only a subset of ASes. This could be useful, for example, with | ||||
| networks that consist of multiple ASes that operate under the same | ||||
| administrative domain. | ||||
| Further, RFC 5575 states that "BGP (flow specification) | Further, RFC 5575 states that "BGP (flow specification) | |||
| implementations MUST also enforce that AS_PATH attribute of a route | implementations MUST also enforce that AS_PATH attribute of a route | |||
| received via the External Border Gateway Protocol (eBGP) contains the | received via the External Border Gateway Protocol (EBGP) contains the | |||
| neighboring AS in the left-most position of the AS_PATH attribute". | neighboring AS in the left-most position of the AS_PATH attribute". | |||
| This rule is not valid for all topologies. For example, it prevents | This rule is not valid for all topologies. For example, it prevents | |||
| exchange of BGP flow specification NLRIs at Internet exchanges with | the exchange of BGP flow specification NLRIs at Internet exchanges | |||
| BGP route servers. Therefore, this document also redefines the RFC | with BGP route servers. Therefore, this document also redefines the | |||
| 5575 AS_PATH and AS4_PATH validation procedure referenced above as | RFC 5575 AS_PATH validation procedure referenced above as follows. | |||
| follows. | ||||
| BGP flow specification implementations MUST enforce that the last AS | BGP flow specification implementations MUST enforce that the last AS | |||
| added within the AS_PATH and AS4_PATH attribute of a EBGP learned | added within the AS_PATH attribute of a EBGP learned flow | |||
| flow specification NLRI MUST match the last AS added within the | specification NLRI MUST match the last AS added within the AS_PATH | |||
| AS_PATH and AS4_PATH attribute of the best-match unicast route for | attribute of the best-match unicast route for the destination prefix | |||
| the destination prefix embedded in the flow specification. This | embedded in the flow specification. This proposed modification | |||
| proposed modification enables the exchange of BGP flow specification | enables the exchange of BGP flow specification NLRIs at Internet | |||
| NLRIs at Internet exchanges with BGP route servers while at the same | exchanges with BGP route servers while at the same time, for security | |||
| time, for security reasons, prevents an EBGP peer from advertising an | reasons, prevents an EBGP peer from advertising an inter-domain flow | |||
| inter-domain flow specification for a destination prefix that it does | specification for a destination prefix that it does not provide | |||
| not provide reachability information for. Note, comparing only the | reachability information for. Note, comparing only the last ASes is | |||
| last ASNs is sufficient for EBGP learned flow specification NLRIs. | sufficient for EBGP learned flow specification NLRIs. Requiring a | |||
| full AS_PATH match would limit origination of inter-domain flow | ||||
| specifications to the origin (or first) AS of the best-match unicast | ||||
| route for the destination prefix embedded in the flow specification | ||||
| only. As such, a full AS_PATH validity check may prevent transit | ||||
| ASes from originating inter-domain flow specifications which is not | ||||
| desirable. | ||||
| Requiring a full AS_PATH and AS4_PATH match would limit origination | This document also clarifies proper handling when the BGP flow | |||
| of inter-domain flow specifications to the origin (or first) AS of | specification does not embed a destination prefix component. The | |||
| the best-match unicast route for the destination prefix embedded in | default behavior SHOULD be not to perform any validation procedure. | |||
| the flow specification only. As such, a full AS_PATH and AS4_PATH | Further, support for two-octet AS number space is out of the scope of | |||
| validity check may prevent transit ASNs from originating inter-domain | this document. | |||
| flow specifications which is not desirable. | ||||
| 5. Security Considerations | In this context, AS_PATH attribute is defined as the reconstructed AS | |||
| Path information (by combining AS_PATH and AS4_PATH attributes, if | ||||
| the BGP speaker is a NEW speaker and receives the route from an OLD | ||||
| speaker), according to section 4.2.3 of RFC 6793. | ||||
| RFC 5575 references "the best-match unicast route for the destination | ||||
| prefix embedded in the flow specification". For clarity, this route | ||||
| is defined hereby as the best path of the unicast network that covers | ||||
| destination prefix embedded in the flow specification with the longer | ||||
| prefix-length. In other words, we consider only the best-match | ||||
| network and we do not consider unicast non-best paths (even if it is | ||||
| received from the same peer than the flowspec route). | ||||
| Note that, per RFC 5575, originator may refer to the BGP | ||||
| ORIGINATOR_ID attribute or the transport address of the peer from | ||||
| which we received the update. If the later, a network must be | ||||
| designed so it has a congruent topology. Otherwise, using two | ||||
| peering sessions between the same pair of BGP speakers, one for | ||||
| unicast and one for flowspec, will cause the flowspec validation | ||||
| procedure to fail. Consider, for example, the case where a BGP route | ||||
| reflector receives the NLRIs from a route reflector client, thus not | ||||
| receiving the ORIGINATOR_ID attribute. If the speaker belongs to a | ||||
| confederation [RFC5065] and we are receiving a flowspec route from | ||||
| different peers than its best match unicast route, the flowspec | ||||
| validation procedure will fail as well. Consider also a | ||||
| misconfiguration where flowspec address-family is not configured for | ||||
| a particular peering between different member-AS (but it is | ||||
| configured for unicast). Even if we receive the flowspec route via a | ||||
| redundant peer, we may receive the unicast route and the flowspec | ||||
| from different peers, and thus flowspec validation will fail. With | ||||
| the (newly introduced) second condition above applied, uncongruent | ||||
| topologies are supported. | ||||
| 5. IANA Considerations | ||||
| This memo includes no request to IANA. | ||||
| 6. Security Considerations | ||||
| No new security issues are introduced by relaxing the validation | No new security issues are introduced by relaxing the validation | |||
| procedure for IBGP learned flow specifications. With this proposal, | procedure for IBGP learned flow specifications. With this proposal, | |||
| the security characteristics of BGP flow specifications remain | the security characteristics of BGP flow specifications remain | |||
| equivalent to the existing security properties of BGP unicast | equivalent to the existing security properties of BGP unicast | |||
| routing. Traffic flow specifications learned from IBGP peers are | routing. Traffic flow specifications learned from IBGP peers are | |||
| trusted, hence, its not required to validate that the originator of | trusted, hence, it is not required to validate that the originator of | |||
| an intra-domain traffic flow specification matches the originator of | an intra-domain traffic flow specification matches the originator of | |||
| the best-match unicast route for the flow destination prefix. | the best-match unicast route for the flow destination prefix. | |||
| Conversely, this proposal continues to enforce the validation | Conversely, this proposal continues to enforce the validation | |||
| procedure for EBGP learned traffic flow specifications. In this way, | procedure for EBGP learned traffic flow specifications. In this way, | |||
| the security properties of RFC 5575 are maintained such that an EBGP | the security properties of RFC 5575 are maintained such that an EBGP | |||
| peer cannot cause a denial-of-service attack by advertising an | peer cannot cause a denial-of-service attack by advertising an inter- | |||
| inter-domain flow specification for a destination prefix that it does | domain flow specification for a destination prefix that it does not | |||
| not provide reachability information for. | provide reachability information for. | |||
| 6. IANA Considerations | ||||
| This document has no actions for IANA. | 7. Acknowledgements | |||
| 7. Normative References | The authors would like to thank Han Nguyen for his direction on this | |||
| work as well as Waqas Alam, Keyur Patel, Robert Raszuk, Eric Rosen | ||||
| and Shyam Sethuram for their review comments. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | 8. Normative References | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | ||||
| [RFC4271] Rekhter, Y., Li, T., and Hares, S., "A Border Gateway | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Protocol 4 (BGP-4)", RFC 4271, March 2006. | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | ||||
| <http://www.rfc-editor.org/info/rfc2119>. | ||||
| [RFC4456] Bates, T., Chen, E., and Chandra, R., "BGP Route | [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A | |||
| Reflection: An Alternative to Full Mesh Internal BGP (IBGP)", RFC | Border Gateway Protocol 4 (BGP-4)", RFC 4271, | |||
| 4456, April 2006. | DOI 10.17487/RFC4271, January 2006, | |||
| <http://www.rfc-editor.org/info/rfc4271>. | ||||
| [RFC5065] Traina, P., McPherson, D., and Scudder, J., "Autonomous | [RFC4456] Bates, T., Chen, E., and R. Chandra, "BGP Route | |||
| System Confederations for BGP", August 2007. | Reflection: An Alternative to Full Mesh Internal BGP | |||
| (IBGP)", RFC 4456, DOI 10.17487/RFC4456, April 2006, | ||||
| <http://www.rfc-editor.org/info/rfc4456>. | ||||
| [RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., | [RFC5065] Traina, P., McPherson, D., and J. Scudder, "Autonomous | |||
| and McPherson, D., "Dissemination of Flow Specification Rules", RFC | System Confederations for BGP", RFC 5065, | |||
| 5575, August 2009. | DOI 10.17487/RFC5065, August 2007, | |||
| <http://www.rfc-editor.org/info/rfc5065>. | ||||
| 8. Acknowledgements | [RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., | |||
| and D. McPherson, "Dissemination of Flow Specification | ||||
| Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009, | ||||
| <http://www.rfc-editor.org/info/rfc5575>. | ||||
| The authors would like to thank Han Nguyen for his direction on this | [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet | |||
| work as well as Waqas Alam, Keyur Patel, Robert Raszuk, Eric Rosen | Autonomous System (AS) Number Space", RFC 6793, | |||
| and Shyam Sethuram for their review comments. | DOI 10.17487/RFC6793, December 2012, | |||
| <http://www.rfc-editor.org/info/rfc6793>. | ||||
| 9. Authors' Addresses | Authors' Addresses | |||
| James Uttaro | James Uttaro | |||
| AT&T | AT&T | |||
| 200 S. Laurel Avenue | 200 S. Laurel Ave | |||
| Middletown, NJ 07748 | Middletown, NJ 07748 | |||
| USA | USA | |||
| Email: ju1738@att.com | Email: ju1738@att.com | |||
| Juan Alcaide | Juan Alcaide | |||
| Cisco | Cisco | |||
| 7100 Kit Creek Road | 7100 Kit Creek Road | |||
| Research Triangle Park, NC 27709 | Research Triangle Park, NC 27709 | |||
| USA | USA | |||
| Email: jalcaide@cisco.com | Email: jalcaide@cisco.com | |||
| Clarence Filsfils | Clarence Filsfils | |||
| Cisco | Cisco | |||
| Brussels 1000 | ||||
| BE | ||||
| Email: cf@cisco.com | Email: cf@cisco.com | |||
| David Smith | David Smith | |||
| Cisco | Cisco | |||
| 111 Wood Avenue South | 111 Wood Ave South | |||
| Iselin, NJ 08830 | Iselin, NJ 08830 | |||
| USA | USA | |||
| Email: djsmith@cisco.com | Email: djsmith@cisco.com | |||
| Pradosh Mohapatra | Pradosh Mohapatra | |||
| Sproute Networks | Sproute Networks | |||
| Email: mpradosh@yahoo.com | Email: mpradosh@yahoo.com | |||
| End of changes. 63 change blocks. | ||||
| 187 lines changed or deleted | 236 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||