| draft-ietf-idr-bgp-flowspec-oid-08.txt | draft-ietf-idr-bgp-flowspec-oid-09.txt | |||
|---|---|---|---|---|
| Network Working Group J. Uttaro | Network Working Group J. Uttaro | |||
| Internet-Draft AT&T | Internet-Draft AT&T | |||
| Updates: 5575bis (if approved) J. Alcaide | Updates: 5575bis (if approved) J. Alcaide | |||
| Intended status: Standards Track C. Filsfils | Intended status: Standards Track C. Filsfils | |||
| Expires: November 10, 2019 D. Smith | Expires: January 9, 2020 D. Smith | |||
| Cisco | Cisco | |||
| P. Mohapatra | P. Mohapatra | |||
| Sproute Networks | Sproute Networks | |||
| May 9, 2019 | July 8, 2019 | |||
| Revised Validation Procedure for BGP Flow Specifications | Revised Validation Procedure for BGP Flow Specifications | |||
| draft-ietf-idr-bgp-flowspec-oid-08 | draft-ietf-idr-bgp-flowspec-oid-09 | |||
| Abstract | Abstract | |||
| This document describes a modification to the validation procedure | This document describes a modification to the validation procedure | |||
| defined in RFC 5575bis for the dissemination of BGP flow | defined in RFC 5575bis for the dissemination of BGP Flow | |||
| specifications. RFC 5575bis requires that the originator of the flow | Specifications. RFC 5575bis requires that the originator of the Flow | |||
| specification matches the originator of the best-match unicast route | Specification matches the originator of the best-match unicast route | |||
| for the destination prefix embedded in the flow specification. This | for the destination prefix embedded in the Flow Specification. This | |||
| allows only BGP speakers within the data forwarding path (such as | allows only BGP speakers within the data forwarding path (such as | |||
| autonomous system border routers) to originate BGP flow | autonomous system border routers) to originate BGP Flow | |||
| specifications. Though it is possible to disseminate such flow | Specifications. Though it is possible to disseminate such Flow | |||
| specifications directly from border routers, it may be operationally | Specifications directly from border routers, it may be operationally | |||
| cumbersome in an autonomous system with a large number of border | cumbersome in an autonomous system with a large number of border | |||
| routers having complex BGP policies. The modification proposed | routers having complex BGP policies. The modification proposed | |||
| herein enables flow specifications to be originated from a | herein enables Flow Specifications to be originated from a | |||
| centralized BGP route controller. | centralized BGP route controller. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 10, 2019. | This Internet-Draft will expire on January 9, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Requirements Language . . . . . . . . . . . . . . . . . . . . 2 | 1. Requirements Language . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 3. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. Revised Validation Procedure . . . . . . . . . . . . . . . . 5 | 4. Revised Validation Procedure . . . . . . . . . . . . . . . . 5 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 4.1. Revision of Route Feasibility . . . . . . . . . . . . . . 5 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 4.2. Revision of AS_PATH Validation . . . . . . . . . . . . . 6 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 | 5. Other RFC5575bis Considerations . . . . . . . . . . . . . . . 7 | |||
| 8. Normative References . . . . . . . . . . . . . . . . . . . . 7 | 6. Topology Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | ||||
| 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | ||||
| 10. Normative References . . . . . . . . . . . . . . . . . . . . 10 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | ||||
| 1. Requirements Language | 1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| 2. Motivation | 2. Introduction | |||
| [RFC5575bis] defined a new BGP [RFC4271] capability that can be used | ||||
| to distribute traffic Flow Specifications amongst BGP speakers in | ||||
| support of traffic filtering. The primary intention of [RFC5575bis] | ||||
| is to enable downstream autonomous systems to signal traffic | ||||
| filtering policies to upstream autonomous systems. In this way, | ||||
| traffic is filtered closer to the source and the upstream autonomous | ||||
| system(s) avoid carrying the traffic to the downstream autonomous | ||||
| system only to be discarded. [RFC5575bis] also enables more granular | ||||
| traffic filtering based upon upper layer protocol information (e.g., | ||||
| protocol port numbers) as opposed to coarse IP destination prefix- | ||||
| based filtering. Flow specification NLRIs received from a BGP peer | ||||
| are subject to validity checks before being considered feasible and | ||||
| subsequently installed within the respective Adj-RIB-In. | ||||
| The validation procedure defined within [RFC5575bis] requires that | ||||
| the originator of the Flow Specification NLRI matches the originator | ||||
| of the best-match unicast route for the destination prefix embedded | ||||
| in the Flow Specification. This allows only BGP speakers within the | ||||
| data forwarding path (such as autonomous system border routers) to | ||||
| originate BGP Flow Specification NLRIs. Though it is possible to | ||||
| disseminate such Flow Specification NLRIs directly from border | ||||
| routers, it may be operationally cumbersome in an autonomous system | ||||
| with a large number of border routers having complex BGP policies. | ||||
| This document describes a modification to the [RFC5575bis] validation | ||||
| procedure allowing Flow Specification NLRIs to be originated from a | ||||
| centralized BGP route controller within the local autonomous system | ||||
| that is not in the data forwarding path. While the proposed | ||||
| modification cannot be used for inter-domain coordination of traffic | ||||
| filtering, it greatly simplifies distribution of intra-domain traffic | ||||
| filtering policies within an autonomous system which has a large | ||||
| number of border routers having complex BGP policies. By relaxing | ||||
| the validation procedure for iBGP, the proposed modification allows | ||||
| Flow Specifications to be distributed in a standard and scalable | ||||
| manner throughout an autonomous system. | ||||
| 3. Motivation | ||||
| Step (a) of the validation procedure in [RFC5575bis], section 6 is | Step (a) of the validation procedure in [RFC5575bis], section 6 is | |||
| defined with the underlying assumption that the flow specification | defined with the underlying assumption that the Flow Specification | |||
| NLRI traverses the same path, in the inter-domain and intra-domain | NLRI traverses the same path, in the inter-domain and intra-domain | |||
| route distribution graph, as that of the longest-match unicast route | route distribution graph, as that of the longest-match unicast route | |||
| for the destination prefix embedded in the flow specification. | for the destination prefix embedded in the Flow Specification. | |||
| In the case of inter-domain traffic filtering, for example, the flow | In the case of inter-domain traffic filtering, the Flow Specification | |||
| specification originator at the egress border routers of ASN1 (RTR-D | originator at the egress border routers of an AS (e.g. RTR-D and | |||
| and RTR-E in figure 1) matches the EBGP neighbor that advertised the | RTR-E of ASN1 in figure 1) matches the eBGP neighbor that advertised | |||
| longest match destination prefix (RTR-F and RTR-G respectively). | the longest match destination prefix (see RTR-F and RTR-G | |||
| Similarly, at the ingress border routers of ASN1 (RTR-A and RTR-B in | respectively in figure 1). Similarly, at the ingress border routers | |||
| figure 1), the flow specification originator matches the egress IBGP | of ASN (see RTR-A and RTR-B of ASN1 in figure 1), the Flow | |||
| border routers that had advertised the unicast route for the best- | Specification originator matches the egress iBGP border routers that | |||
| match destination prefix (RTR-D and RTR-E respectively). This is | had advertised the unicast route for the best-match destination | |||
| true even when ingress border routers select paths from different | prefix (see RTR-D and RTR-E respectively in figure 1). This is true | |||
| egress border routers as best path based upon IGP distance (as an | even when ingress border routers select paths from different egress | |||
| example, RTR-A chooses RTR-D's path as best; RTR-B chooses RTR-E as | border routers as best path based upon IGP distance. For example, in | |||
| the best path). | figure 1: | |||
| RTR-A chooses RTR-D's path as best | ||||
| RTR-B chooses RTR-E as the best path | ||||
| / - - - - - - - - - - - - - - | / - - - - - - - - - - - - - - | |||
| | ASN1 | | | ASN1 | | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| | | | | | | | | | | | | | | |||
| | RTR-A | | RTR-B | | | RTR-A | | RTR-B | | |||
| | | | | | | | | | | | | | | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| | \ / | | | \ / | | |||
| IBGP \ / IBGP | iBGP \ / iBGP | |||
| | \ / | | | \ / | | |||
| +-------+ | +-------+ | |||
| | | | | | | | | | | |||
| | RTR-C | | | RTR-C | | |||
| | | RC | | | | | RC | | | |||
| +-------+ | +-------+ | |||
| | / \ | | | / \ | | |||
| / \ | / \ | |||
| | IBGP / \ IBGP | | | iBGP / \ iBGP | | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| | | RTR-D | | RTR-E | | | | | RTR-D | | RTR-E | | | |||
| | | | | | | | | | | |||
| | | | | | | | | | | | | | | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| | | | | | | | | | | |||
| - - -|- - - - - - - - -|- - -/ | - - -|- - - - - - - - -|- - -/ | |||
| | EBGP EBGP | | | eBGP eBGP | | |||
| - - -|- - - - - - - - -|- - -/ | - - -|- - - - - - - - -|- - -/ | |||
| | | | | | | | | | | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| | | | | | | | | | | | | | | |||
| | RTR-F | | RTR-G | | | RTR-F | | RTR-G | | |||
| | | | | | | | | | | | | | | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| | ASN2 | | | ASN2 | | |||
| / - - - - - - - - - - - - - - | / - - - - - - - - - - - - - - | |||
| Figure 1 | Figure 1 | |||
| It is highly desirable that each ASN is able to protect itself | It is highly desirable that the mechanisms exist to protect each ASN | |||
| independently from network security attacks using the BGP flow | independently from network security attacks using the BGP Flow | |||
| specification NLRI for intra-domain purposes only. Network operators | Specification NLRI for intra-domain purposes only. Network operators | |||
| often deploy a dedicated Security Operations Center (SOC) within | often deploy a dedicated Security Operations Center (SOC) within | |||
| their ASN to monitor and detect such security attacks. To mitigate | their ASN to monitor and detect such security attacks. To mitigate | |||
| attacks in a scalable intra-domain manner, operators require the | attacks within a domain (AS or group of ASes), operators require the | |||
| ability to originate intra-domain flow specification NLRIs from a | ability to originate intra-domain Flow Specification NLRIs from a | |||
| central BGP route controller that is not within the data forwarding | central BGP route controller that is not within the data forwarding | |||
| plane. In this way, operators can direct border routers within their | plane. In this way, operators can direct border routers within their | |||
| ASN with specific attack mitigation actions (drop the traffic, | ASN with specific attack mitigation actions (drop the traffic, | |||
| forward to a clean-pipe center, etc.). To originate a flow | forward to a clean-pipe center, etc.). | |||
| specification NLRI, a central BGP route controller must set itself as | ||||
| the originator in the flowspec NLRI. This is necessary given the | ||||
| route controller is originating the flow specification not reflecting | ||||
| it, and to avoid the complexity of having to determine the egress | ||||
| border router whose path was chosen as the best in each of the | ||||
| ingress border routers. It thus becomes necessary to modify step (a) | ||||
| of the [RFC5575bis] validation procedure such that an IBGP peer that | ||||
| is not within the data forwarding plane may originate flow | ||||
| specification NLRIs. | ||||
| 3. Introduction | ||||
| [RFC5575bis] defined a new BGP capability that can be used to | To originate a Flow Specification NLRI, a central BGP route | |||
| distribute traffic flow specifications amongst BGP speakers in | controller must set itself as the originator in the Flow | |||
| support of traffic filtering. The primary intention of [RFC5575bis] | Specification NLRI. This is necessary given the route controller is | |||
| is to enable downstream autonomous systems to signal traffic | originating the Flow Specification rather than reflecting it, and to | |||
| filtering policies to upstream autonomous systems. In this way, | avoid the complexity of having to determine the egress border router | |||
| traffic is filtered closer to the source and the upstream autonomous | whose path was chosen as the best in each of the ingress border | |||
| system(s) avoid carrying the traffic to the downstream autonomous | routers. Thus, it is necessary to modify step (a) of the | |||
| system only to be discarded. [RFC5575bis] also enables more granular | [RFC5575bis] validation procedure such that an iBGP peer that is not | |||
| traffic filtering based upon upper layer protocol information (e.g., | within the data forwarding plane may originate Flow Specification | |||
| protocol port numbers) as opposed to coarse IP destination prefix- | NLRIs. | |||
| based filtering. Flow specification NLRIs received from a BGP peer | ||||
| are subject to validity checks before being considered feasible and | ||||
| subsequently installed within the respective Adj-RIB-In. The | ||||
| validation procedure defined within [RFC5575bis] requires that the | ||||
| originator of the flow specification NLRI matches the originator of | ||||
| the best-match unicast route for the destination prefix embedded in | ||||
| the flow specification. This allows only BGP speakers [RFC4271] | ||||
| within the data forwarding path (such as autonomous system border | ||||
| routers) to originate BGP flow specification NLRIs. Though it is | ||||
| possible to disseminate such flow specification NLRIs directly from | ||||
| border routers, it may be operationally cumbersome in an autonomous | ||||
| system with a large number of border routers having complex BGP | ||||
| policies. This document describes a modification to the [RFC5575bis] | ||||
| validation procedure allowing flow specification NLRIs to be | ||||
| originated from a centralized BGP route controller within the local | ||||
| autonomous system that is not in the data forwarding path. While the | ||||
| proposed modification cannot be used for inter-domain coordination of | ||||
| traffic filtering, it greatly simplifies distribution of intra-domain | ||||
| traffic filtering policies in an autonomous system with a large | ||||
| number of border routers having complex BGP policies. By relaxing | ||||
| the validation procedure for IBGP, the proposed modification allows | ||||
| flow specifications to be distributed in a standard and scalable | ||||
| manner throughout an autonomous system. | ||||
| 4. Revised Validation Procedure | 4. Revised Validation Procedure | |||
| 4.1. Revision of Route Feasibility | ||||
| Step (a) of the validation procedure specified in [RFC5575bis], | Step (a) of the validation procedure specified in [RFC5575bis], | |||
| section 6 is redefined as follows: | section 6 is redefined as follows: | |||
| a. One of the following conditions MUST hold true. | a. One of the following conditions MUST hold true. | |||
| * The originator of the flow specification matches the | 1. The originator of the Flow Specification matches the | |||
| originator of the best-match unicast route for the destination | originator of the best-match unicast route for the | |||
| prefix embedded in the flow specification. | destination prefix embedded in the Flow Specification. | |||
| * The AS_PATH attribute of the flow specification does not | 2. The AS_PATH attribute of the Flow Specification does not | |||
| contain AS_SET and/or AS_SEQUENCE segments. | contain AS_SET and/or AS_SEQUENCE segments. | |||
| An AS_PATH without AS_SET and/or AS_SEQUENCE segments indicates that | 1. This condition SHOULD be enabled by default. This | |||
| the flow specification was originated inside the local AS [RFC4271] | default behavior should validate an empty AS_PATH. | |||
| or inside the local confederation (in the case that the local AS | ||||
| belongs to a confederation of ASes) [RFC5065]. With this | ||||
| modification to the [RFC5575bis] validation procedure, it is now | ||||
| possible for an IBGP peer that is not within the data forwarding path | ||||
| to originate flow specification NLRIs. This applies whether the AS | ||||
| belongs or not to a confederation of ASes. Checking the (newly | ||||
| introduced) second condition above MAY be disabled by configuration | ||||
| on a BGP speaker. However, it SHOULD be enabled by default. | ||||
| Disabling the condition may be a good practice when the administrator | ||||
| knows with certainty that there are not flow specification NLRI | ||||
| originated inside the local AS (or local confederation). The default | ||||
| behavior is thus to validate an empty AS_PATH. In this context, an | ||||
| empty AS_PATH means that it does not have AS_SET and/or AS_SEQUENCE | ||||
| segments. Optionally, an implementation MAY also validate a specific | ||||
| non-empty AS_PATH. For instance, it could validate a flowspec NLRI | ||||
| whose AS_PATH contains only an AS_SEQUENCE of ASes known (via | ||||
| configuration) to belong to the same administrative domain. | ||||
| Further, [RFC5575bis] states that "BGP (flow specification) | 2. This condition MAY be disabled by configuration on a BGP | |||
| implementations MUST also enforce that AS_PATH attribute of a route | speaker. | |||
| received via the External Border Gateway Protocol (EBGP) contains the | ||||
| neighboring AS in the left-most position of the AS_PATH attribute". | ||||
| This rule is not valid for all topologies. For example, it prevents | ||||
| the exchange of BGP flow specification NLRIs at Internet exchanges | ||||
| with BGP route servers. Therefore, this document also redefines the | ||||
| [RFC5575bis] AS_PATH validation procedure referenced above as | ||||
| follows: | ||||
| BGP flow specification implementations MUST enforce that the last AS | 3. As an exception to this rule, a given AS_PATH with AS_SET | |||
| added within the AS_PATH attribute of a EBGP learned flow | and/or AS_SEQUENCE segments MAY be validated by policy. | |||
| specification NLRI MUST match the last AS added within the AS_PATH | ||||
| attribute of the best-match unicast route for the destination prefix | ||||
| embedded in the flow specification. This proposed modification | ||||
| enables the exchange of BGP flow specification NLRIs at Internet | ||||
| exchanges with BGP route servers while at the same time, for security | ||||
| reasons, prevents an EBGP peer from advertising an inter-domain flow | ||||
| specification for a destination prefix that it does not provide | ||||
| reachability information for. Note, comparing only the last ASes | ||||
| added is sufficient for EBGP learned flow specification NLRIs. | ||||
| Requiring a full AS_PATH match would limit origination of inter- | ||||
| domain flow specifications to the origin (or first) AS of the best- | ||||
| match unicast route for the destination prefix embedded in the flow | ||||
| specification only. As such, a full AS_PATH validity check may | ||||
| prevent transit ASes from originating inter-domain flow | ||||
| specifications, which is not desirable. | ||||
| This document also clarifies proper handling when the BGP flow | Explanation: | |||
| specification does not embed a destination prefix component. The | ||||
| default behavior SHOULD be not to perform any validation procedure. | ||||
| Further, support for two-octet AS number space is out of the scope of | ||||
| this document. | ||||
| In this context, AS_PATH attribute is defined as the reconstructed AS | In this context, an empty AS_PATH means that it does not have | |||
| Path information (by combining AS_PATH and AS4_PATH attributes, if | AS_SET and/or AS_SEQUENCE segments, and local domain means the | |||
| the BGP speaker is a NEW speaker and receives the route from an OLD | local AS [RFC4271] or the local confederation of ASes (in the case | |||
| speaker), according to section 4.2.3 of [RFC6793]. | that the local AS belongs to a confederation of ASes [RFC5065]). | |||
| [RFC5575bis] references "the best-match unicast route for the | Thus, receiving a Flow Specification with an empty AS_PATH | |||
| destination prefix embedded in the flow specification". For clarity, | indicates that the Flow Specification was originated inside the | |||
| this route is defined hereby as the best path of the unicast network | local domain. | |||
| that covers destination prefix embedded in the flow specification | ||||
| with the longer prefix-length. In other words, we consider only the | ||||
| best-match network and we do not consider unicast non-best paths | ||||
| (even if it is received from the same peer than the flowspec route). | ||||
| Note that, per [RFC5575bis], originator may refer to the BGP | With the above modification to the [RFC5575bis] validation | |||
| ORIGINATOR_ID attribute or the transport address of the peer from | procedure, a BGP peer within the local domain that is not within | |||
| which we received the update. If the later, a network must be | the data forwarding path can originate a Flow Specification. | |||
| designed so it has a congruent topology. Otherwise, using two | ||||
| peering sessions between the same pair of BGP speakers, one for | ||||
| unicast and one for flowspec, will cause the flowspec validation | ||||
| procedure to fail. Consider, for example, the case where a BGP route | ||||
| reflector receives the NLRIs from a route reflector client, thus not | ||||
| receiving the ORIGINATOR_ID attribute. If the speaker belongs to a | ||||
| confederation [RFC5065] and we are receiving a flowspec route from | ||||
| different peers than its best match unicast route, the flowspec | ||||
| validation procedure will fail as well. Consider also a | ||||
| misconfiguration where flowspec address-family is not configured for | ||||
| a particular peering between different member-AS (but it is | ||||
| configured for unicast). Even if we receive the flowspec route via a | ||||
| redundant peer, we may receive the unicast route and the flowspec | ||||
| from different peers, and thus flowspec validation will fail. Thus, | ||||
| with the (newly introduced) second condition above applied, | ||||
| incongruent topologies are supported. | ||||
| Note that if the flowspec NLRI is learned from another AS (and thus | Disabling the new condition above (a.2.2) may be a good practice | |||
| the AS_PATH is not empty), the original validation procedures defined | when the operator knows with certainty that there is not a Flow | |||
| in [RFC5575bis] still apply and incongruent topologies may cause | Specification originated inside the local domain. | |||
| validation rules to fail. | ||||
| 5. IANA Considerations | Also, policy may be useful to validate a specific set of non-empty | |||
| AS_PATHs (a.2.3). For example, it could validate a Flow | ||||
| Specification whose AS_PATH contains only an AS_SEQUENCE with ASes | ||||
| that are all known to belong to the same administrative domain. | ||||
| 4.2. Revision of AS_PATH Validation | ||||
| [RFC5575bis] states: | ||||
| o BGP implementations MUST also enforce that the AS_PATH attribute | ||||
| of a route received via the External Border Gateway Protocol | ||||
| (eBGP) contains the neighboring AS in the left-most position of | ||||
| the AS_PATH attribute. | ||||
| This rule prevents the exchange of BGP Flow Specification NLRIs at | ||||
| Internet exchanges with BGP route servers. Therefore, this document | ||||
| also redefines the [RFC5575bis] AS_PATH validation procedure | ||||
| referenced above as follows: | ||||
| o BGP Flow Specification implementations MUST enforce that the AS in | ||||
| the left-most position of the AS_PATH attribute of a Flow | ||||
| Specification route received via the External Border Gateway | ||||
| Protocol (eBGP) matches the AS in the left-most position of the | ||||
| AS_PATH attribute of the best-match unicast route for the | ||||
| destination prefix embedded in the Flow Specification NLRI. | ||||
| Explanation: | ||||
| For clarity, the AS in the left-most position of the AS_PATH means | ||||
| the AS that was last added to the AS_SEQUENCE. | ||||
| This proposed modification enables the exchange of BGP Flow | ||||
| Specification NLRIs at Internet exchanges with BGP route servers | ||||
| while at the same time, for security reasons, prevents an eBGP | ||||
| peer from advertising an inter-domain Flow Specification for a | ||||
| destination prefix that it does not provide reachability | ||||
| information for. | ||||
| Comparing only the last ASes added is sufficient for eBGP learned | ||||
| Flow Specification NLRIs. Requiring a full AS_PATH match would | ||||
| limit origination of inter-domain Flow Specifications to the | ||||
| origin AS of the best-match unicast route for the destination | ||||
| prefix embedded in the Flow Specification only. As such, a full | ||||
| AS_PATH validity check may prevent transit ASes from originating | ||||
| inter-domain Flow Specifications, which is not desirable. | ||||
| Redefinition of this AS_PATH validation rule for a Flow | ||||
| Specification does not mean that the original rule in [RFC5575bis] | ||||
| cannot be enforced as well. Its enforcement remains optional per | ||||
| [RFC4271]. That is, we can enforce the first AS in the AS_PATH to | ||||
| be the same as the neighbor AS for any address-family route | ||||
| (including a Flow Specification). | ||||
| Using the new rule to validate a Flow Specification received from | ||||
| an Internal Border Gateway Protocol (iBGP) peer is out of the | ||||
| scope of this document. Note that in most scenarios such | ||||
| validation would be redundant. | ||||
| Using the new rule to validate a Flow Specification route received | ||||
| from an External Border Gateway Protocol (eBGP) peer belonging to | ||||
| the same local domain (in the case that the local AS belongs to a | ||||
| confederation of ASes) is out of the scope of this document. Note | ||||
| that although it's possible, its utility is dubious. | ||||
| 5. Other RFC5575bis Considerations | ||||
| This section clarifies some of the terminology and rules referenced | ||||
| in [RFC5575bis]. Namely: | ||||
| o [RFC5575bis] references "the best-match unicast route for the | ||||
| destination prefix embedded in the Flow Specification". For | ||||
| clarity, this route is defined hereby as the best path of the | ||||
| unicast network with the longer prefix-length that covers the | ||||
| destination prefix embedded in the Flow Specification. | ||||
| Explanation: | ||||
| We consider only the best-match network and we do not consider | ||||
| unicast non-best paths (even if it is received from the same peer | ||||
| as the Flow Specification). | ||||
| o If a BGP Flow Specification does not embed a destination prefix | ||||
| component, then the default behavior SHOULD be not to perform the | ||||
| validation procedures. | ||||
| Explanation: | ||||
| The reason for this is because the best-match unicast route is not | ||||
| defined in this case. | ||||
| o In the context of this document and [RFC5575bis], AS_PATH | ||||
| attribute is defined as the reconstructed AS path information (by | ||||
| combining AS_PATH and AS4_PATH attributes, if the BGP speaker is a | ||||
| NEW speaker and receives the route from an OLD speaker), according | ||||
| to section 4.2.3 of [RFC6793]. | ||||
| o Support for two-octet AS only implementations is out of the scope | ||||
| of this document (i.e. it's assumed that the BGP speaker supports | ||||
| [RFC6793]). | ||||
| 6. Topology Considerations | ||||
| [RFC5575bis] indicates that the originator may refer to the | ||||
| originator path attribute (ORIGINATOR_ID) or (if the attribute is not | ||||
| present) the transport address of the peer from which we received the | ||||
| update. If the latter applies, a network should be designed so it | ||||
| has a congruent topology. | ||||
| With the additional second condition (a.2) in the validation | ||||
| procedure, non-congruent topologies are supported within the local | ||||
| domain if the Flow Specification is originated within the local | ||||
| domain. | ||||
| Explanation: | ||||
| Consider the following scenarios without the second condition | ||||
| (a.2) being added to the validation procedure: | ||||
| 1. Consider a topology with two BGP speakers with two peering | ||||
| sessions between them, one for unicast and one for Flow | ||||
| Specification. This is a non-congruent topology. Let's | ||||
| assume that the ORIGINATOR_ID attribute was not received (e.g. | ||||
| a route reflector receiving routes from its clients). In this | ||||
| case, the Flow Specification validation procedure will fail | ||||
| because of the first condition (a.1). | ||||
| 2. Consider a topology with a BGP speaker within a confederation | ||||
| of ASes, inside local AS X. ORIGINATOR_ID attribute is not | ||||
| advertised within the local domain. Let's assume the Flow | ||||
| Specification route is received from peer A and the best-match | ||||
| unicast route is received from peer B. Both peers belong in | ||||
| local AS Y. Both AS X and AS Y belong to the same local | ||||
| domain. The Flow Specification validation procedure will also | ||||
| fail because of the first condition (a.1). | ||||
| In the examples above, if Flow Specifications are originated in | ||||
| the same local domain, AS_PATH will not contain AS_SET and/or | ||||
| AS_SEQUENCE segments. When the second condition (a.2) in the | ||||
| validation procedure is used, the validation procedure will pass. | ||||
| Thus, non-congruent topologies are supported if the Flow | ||||
| Specification is originated in the same local domain. | ||||
| Even when the second condition (a.2) is used in the validation | ||||
| procedure, a Flow Specification originated in a different local | ||||
| domain needs a congruent topology. AS_SEQUENCE is not empty and | ||||
| the first condition (a.1) in the validation procedure needs to be | ||||
| evaluated. Because transport addresses for Flow Specification and | ||||
| unicast routes are different, the validation procedure will fail. | ||||
| This is true both across domains and within domains. Consider | ||||
| both cases: | ||||
| * Consider the first example. If the Flow Specification route is | ||||
| originated in another AS, the validation procedure will fail | ||||
| because the topology is non-congruent within the domain. | ||||
| * Consider the second example and modify it so AS X and AS Y | ||||
| belong to different local domains (no confederation of ASes | ||||
| exists). The validation procedure will fail because the | ||||
| topology is non-congruent across domains. | ||||
| 7. IANA Considerations | ||||
| This memo includes no request to IANA. | This memo includes no request to IANA. | |||
| 6. Security Considerations | 8. Security Considerations | |||
| No new security issues are introduced by relaxing the validation | No new security issues are introduced by relaxing the validation | |||
| procedure for IBGP learned flow specifications. With this proposal, | procedure for iBGP learned Flow Specifications. With this proposal, | |||
| the security characteristics of BGP flow specifications remain | the security characteristics of BGP Flow Specifications remain | |||
| equivalent to the existing security properties of BGP unicast | equivalent to the existing security properties of BGP unicast | |||
| routing. Traffic flow specifications learned from IBGP peers are | routing. Traffic Flow Specifications learned from iBGP peers are | |||
| trusted, hence, it is not required to validate that the originator of | trusted, hence, it is not required to validate that the originator of | |||
| an intra-domain traffic flow specification matches the originator of | an intra-domain traffic Flow Specification matches the originator of | |||
| the best-match unicast route for the flow destination prefix. | the best-match unicast route for the flow destination prefix. | |||
| Conversely, this proposal continues to enforce the validation | Conversely, this proposal continues to enforce the validation | |||
| procedure for EBGP learned traffic flow specifications. In this way, | procedure for eBGP learned traffic Flow Specifications. In this way, | |||
| the security properties of [RFC5575bis] are maintained such that an | the security properties of [RFC5575bis] are maintained such that an | |||
| EBGP peer cannot cause a denial-of-service attack by advertising an | eBGP peer cannot cause a denial-of-service attack by advertising an | |||
| inter-domain flow specification for a destination prefix that it does | inter-domain Flow Specification for a destination prefix that it does | |||
| not provide reachability information for. | not provide reachability information for. | |||
| 7. Acknowledgements | 9. Acknowledgements | |||
| The authors would like to thank Han Nguyen for his direction on this | The authors would like to thank Han Nguyen for his direction on this | |||
| work as well as Waqas Alam, Keyur Patel, Robert Raszuk, Eric Rosen | work as well as Waqas Alam, Keyur Patel, Robert Raszuk, Eric Rosen | |||
| and Shyam Sethuram for their review comments. | and Shyam Sethuram for their review comments. | |||
| 8. Normative References | 10. Normative References | |||
| [I-D.ietf-idr-rfc5575bis] | [I-D.ietf-idr-rfc5575bis] | |||
| Hares, S., Loibl, C., Raszuk, R., McPherson, D., and M. | Hares, S., Loibl, C., Raszuk, R., McPherson, D., and M. | |||
| Bacher, "Dissemination of Flow Specification Rules", | Bacher, "Dissemination of Flow Specification Rules", | |||
| draft-ietf-idr-rfc5575bis-14 (work in progress), April | draft-ietf-idr-rfc5575bis-14 (work in progress), April | |||
| 2019. | 2019. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| End of changes. 40 change blocks. | ||||
| 187 lines changed or deleted | 297 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||