| draft-ietf-idr-error-handling-06.txt | draft-ietf-idr-error-handling-07.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force E. Chen, Ed. | Internet Engineering Task Force E. Chen, Ed. | |||
| Internet-Draft Cisco Systems, Inc. | Internet-Draft Cisco Systems, Inc. | |||
| Updates: 1997, 4271, 4360, 4456, 4760, 5701 (if approved)J. Scudder, Ed. | Updates: 1997, 4271, 4360, 4456, 4760, 5701 (if approved)J. Scudder, Ed. | |||
| Intended status: Standards Track Juniper Networks | Intended status: Standards Track Juniper Networks | |||
| Expires: August 18, 2014 P. Mohapatra | Expires: November 8, 2014 P. Mohapatra | |||
| Cumulus Networks, Inc. | Sproute Networks | |||
| K. Patel | K. Patel | |||
| Cisco Systems, Inc. | Cisco Systems, Inc. | |||
| February 14, 2014 | May 7, 2014 | |||
| Revised Error Handling for BGP UPDATE Messages | Revised Error Handling for BGP UPDATE Messages | |||
| draft-ietf-idr-error-handling-06 | draft-ietf-idr-error-handling-07 | |||
| Abstract | Abstract | |||
| According to the base BGP specification, a BGP speaker that receives | According to the base BGP specification, a BGP speaker that receives | |||
| an UPDATE message containing a malformed attribute is required to | an UPDATE message containing a malformed attribute is required to | |||
| reset the session over which the offending attribute was received. | reset the session over which the offending attribute was received. | |||
| This behavior is undesirable as a session reset would impact not only | This behavior is undesirable as a session reset would impact not only | |||
| routes with the offending attribute, but also other valid routes | routes with the offending attribute, but also other valid routes | |||
| exchanged over the session. This document partially revises the | exchanged over the session. This document partially revises the | |||
| error handling for UPDATE messages, and provides guidelines for the | error handling for UPDATE messages, and provides guidelines for the | |||
| skipping to change at page 1, line 46 | skipping to change at page 1, line 46 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 18, 2014. | This Internet-Draft will expire on November 8, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 40 | skipping to change at page 2, line 40 | |||
| than English. | than English. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Revision to Base Specification . . . . . . . . . . . . . . . 4 | 2. Revision to Base Specification . . . . . . . . . . . . . . . 4 | |||
| 3. Parsing of NLRI Fields . . . . . . . . . . . . . . . . . . . 6 | 3. Parsing of NLRI Fields . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.1. Inconsistency of Attribute Length Fields . . . . . . . . 6 | 3.1. Inconsistency of Attribute Length Fields . . . . . . . . 6 | |||
| 3.2. Syntactic Correctness of NLRI Fields . . . . . . . . . . 7 | 3.2. Syntactic Correctness of NLRI Fields . . . . . . . . . . 7 | |||
| 4. Operational Considerations . . . . . . . . . . . . . . . . . 7 | 3.3. Typed NLRI . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. Error Handling Procedures for Existing Attributes . . . . . . 8 | 4. Operational Considerations . . . . . . . . . . . . . . . . . 8 | |||
| 5.1. ORIGIN . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 5. Error Handling Procedures for Existing Attributes . . . . . . 9 | |||
| 5.2. AS_PATH . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 5.1. ORIGIN . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.2. AS_PATH . . . . . . . . . . . . . . . . . . . . . . . . . 9 | ||||
| 5.3. NEXT_HOP . . . . . . . . . . . . . . . . . . . . . . . . 9 | 5.3. NEXT_HOP . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.4. MULTI_EXIT_DESC . . . . . . . . . . . . . . . . . . . . . 9 | 5.4. MULTI_EXIT_DESC . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.5. LOCAL_PREF . . . . . . . . . . . . . . . . . . . . . . . 9 | 5.5. LOCAL_PREF . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.6. ATOMIC_AGGREGATE . . . . . . . . . . . . . . . . . . . . 9 | 5.6. ATOMIC_AGGREGATE . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.7. AGGREGATOR . . . . . . . . . . . . . . . . . . . . . . . 9 | 5.7. AGGREGATOR . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.8. Community . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5.8. Community . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.9. Extended Community . . . . . . . . . . . . . . . . . . . 10 | 5.9. Extended Community . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.10. IPv6 Address Specific BGP Extended Community Attribute . 10 | 5.10. IPv6 Address Specific BGP Extended Community Attribute . 11 | |||
| 5.11. ORIGINATOR_ID . . . . . . . . . . . . . . . . . . . . . . 11 | 5.11. ORIGINATOR_ID . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 5.12. CLUSTER_LIST . . . . . . . . . . . . . . . . . . . . . . 11 | 5.12. CLUSTER_LIST . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 9. Normative References . . . . . . . . . . . . . . . . . . . . 12 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| Appendix A. Why not discard UPDATE messages? . . . . . . . . . . 12 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 13 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 1. Introduction | 1. Introduction | |||
| According to the base BGP specification [RFC4271], a BGP speaker that | According to the base BGP specification [RFC4271], a BGP speaker that | |||
| receives an UPDATE message containing a malformed attribute is | receives an UPDATE message containing a malformed attribute is | |||
| required to reset the session over which the offending attribute was | required to reset the session over which the offending attribute was | |||
| received. This behavior is undesirable as a session reset would | received. This behavior is undesirable as a session reset would | |||
| impact not only routes with the offending attribute, but also other | impact not only routes with the offending attribute, but also other | |||
| valid routes exchanged over the session. In the case of optional | valid routes exchanged over the session. In the case of optional | |||
| skipping to change at page 6, line 8 | skipping to change at page 6, line 8 | |||
| of "session reset", "treat-as-withdraw" and "attribute discard" from | of "session reset", "treat-as-withdraw" and "attribute discard" from | |||
| the strongest to the weakest. | the strongest to the weakest. | |||
| A document which specifies a new attribute MUST provide specifics | A document which specifies a new attribute MUST provide specifics | |||
| regarding what constitutes an error for that attribute and how that | regarding what constitutes an error for that attribute and how that | |||
| error is to be handled. | error is to be handled. | |||
| Finally, we observe that in order to use the approach of "treat-as- | Finally, we observe that in order to use the approach of "treat-as- | |||
| withdraw", the entire NLRI field and/or the MP_REACH_NLRI and | withdraw", the entire NLRI field and/or the MP_REACH_NLRI and | |||
| MP_UNREACH_NLRI attributes need to be successfully parsed. If this | MP_UNREACH_NLRI attributes need to be successfully parsed. If this | |||
| is not possible, the procedures of [RFC4271] continue to apply. | is not possible, the procedures of [RFC4271] continue to apply, | |||
| meaning that the session MUST be reset and a NOTIFICATION sent. | ||||
| Alternatively the error handling procedures specified in [RFC4760] | Alternatively the error handling procedures specified in [RFC4760] | |||
| for disabling a particular AFI/SAFI MAY be followed. One notable | for disabling a particular AFI/SAFI MAY be followed. One notable | |||
| case where it would be not possible to successfully parse the NLRI is | case where it would be not possible to successfully parse the NLRI is | |||
| if the NLRI field is found to be "syntactically incorrect" (see | if the NLRI field is found to be "syntactically incorrect" (see | |||
| Section 3.2). It can be seen that therefore, this part of [RFC4271] | Section 3.2). It can be seen that therefore, this part of [RFC4271] | |||
| Section 6.3 necessarily continues to apply: | Section 6.3 necessarily continues to apply: | |||
| The NLRI field in the UPDATE message is checked for syntactic | The NLRI field in the UPDATE message is checked for syntactic | |||
| validity. If the field is syntactically incorrect, then the Error | validity. If the field is syntactically incorrect, then the Error | |||
| Subcode MUST be set to Invalid Network Field. | Subcode MUST be set to Invalid Network Field. | |||
| skipping to change at page 7, line 32 | skipping to change at page 7, line 33 | |||
| considered to be incorrect if any of the following are true: | considered to be incorrect if any of the following are true: | |||
| o The length of any of the included NLRI is inconsistent with the | o The length of any of the included NLRI is inconsistent with the | |||
| given AFI/SAFI (for example, if an IPv4 NLRI has a length greater | given AFI/SAFI (for example, if an IPv4 NLRI has a length greater | |||
| than 32 or an IPv6 NLRI has a length greater than 128), | than 32 or an IPv6 NLRI has a length greater than 128), | |||
| o When parsing NLRI contained in the attribute, the length of the | o When parsing NLRI contained in the attribute, the length of the | |||
| last NLRI found exceeds the amount of unconsumed data remaining in | last NLRI found exceeds the amount of unconsumed data remaining in | |||
| the attribute. | the attribute. | |||
| o The attribute flags of the attribute are inconsistent with those | ||||
| specified in [RFC4760]. | ||||
| o The length of the MP_UNREACH attribute is less than 3, or the | ||||
| length of the MP_REACH attribute is less than 5. | ||||
| 3.3. Typed NLRI | ||||
| Certain address families, for example MVPN [RFC7117] and EVPN | ||||
| [I-D.ietf-l2vpn-evpn] have NLRI that are typed. Since supported type | ||||
| values with the address family are not expressed in the MP-BGP | ||||
| capability [RFC4760], it is possible for a BGP speaker to advertise | ||||
| support for the given address family and sub-address family while | ||||
| still not supporting a particular type of NLRI within that AFI/SAFI. | ||||
| A BGP speaker advertising support for such a typed address family | ||||
| MUST handle routes with unrecognized NLRI types within that address | ||||
| family by discarding them, unless the relevant specification for that | ||||
| address family specifies otherwise. | ||||
| 4. Operational Considerations | 4. Operational Considerations | |||
| Although the "treat-as-withdraw" error-handling behavior defined in | Although the "treat-as-withdraw" error-handling behavior defined in | |||
| Section 2 makes every effort to preserve BGP's correctness, we note | Section 2 makes every effort to preserve BGP's correctness, we note | |||
| that if an UPDATE received on an IBGP session is subjected to this | that if an UPDATE received on an IBGP session is subjected to this | |||
| treatment, inconsistent routing within the affected Autonomous System | treatment, inconsistent routing within the affected Autonomous System | |||
| may result. The consequences of inconsistent routing can include | may result. The consequences of inconsistent routing can include | |||
| long-lived forwarding loops and black holes. While lamentable, this | long-lived forwarding loops and black holes. While lamentable, this | |||
| issue is expected to be rare in practice, and more importantly is | issue is expected to be rare in practice, and more importantly is | |||
| seen as less problematic than the session-reset behavior it replaces. | seen as less problematic than the session-reset behavior it replaces. | |||
| skipping to change at page 8, line 12 | skipping to change at page 8, line 31 | |||
| received. This will help maintain routing consistency in the | received. This will help maintain routing consistency in the | |||
| network. | network. | |||
| Even if inconsistent routing does not arise, the "treat-as-withdraw" | Even if inconsistent routing does not arise, the "treat-as-withdraw" | |||
| behavior can cause either complete unreachability or sub-optimal | behavior can cause either complete unreachability or sub-optimal | |||
| routing for the destinations whose routes are carried in the affected | routing for the destinations whose routes are carried in the affected | |||
| UPDATE message. | UPDATE message. | |||
| Note that "treat-as-withdraw" is different from discarding an UPDATE | Note that "treat-as-withdraw" is different from discarding an UPDATE | |||
| message. The latter violates the basic BGP principle of incremental | message. The latter violates the basic BGP principle of incremental | |||
| update, and could cause invalid routes to be kept. (See also | update, and could cause invalid routes to be kept. | |||
| Appendix A.) | ||||
| For any malformed attribute which is handled by the "attribute | For any malformed attribute which is handled by the "attribute | |||
| discard" instead of the "treat-as-withdraw" approach, it is critical | discard" instead of the "treat-as-withdraw" approach, it is critical | |||
| to consider the potential impact of doing so. In particular, if the | to consider the potential impact of doing so. In particular, if the | |||
| attribute in question has or may have an effect on route selection or | attribute in question has or may have an effect on route selection or | |||
| installation, the presumption is that discarding it is unsafe, unless | installation, the presumption is that discarding it is unsafe, unless | |||
| careful analysis proves otherwise. The analysis should take into | careful analysis proves otherwise. The analysis should take into | |||
| account the tradeoff between preserving connectivity and potential | account the tradeoff between preserving connectivity and potential | |||
| side effects. | side effects. | |||
| skipping to change at page 11, line 51 | skipping to change at page 12, line 20 | |||
| routers (which thus propagate the attribute unchecked) but that | routers (which thus propagate the attribute unchecked) but that | |||
| causes session resets when it reaches routers that do recognize the | causes session resets when it reaches routers that do recognize the | |||
| given attribute type. | given attribute type. | |||
| In other respects, this specification does not change BGP's security | In other respects, this specification does not change BGP's security | |||
| characteristics. | characteristics. | |||
| 8. Acknowledgements | 8. Acknowledgements | |||
| The authors wish to thank Juan Alcaide, Ron Bonica, Mach Chen, Andy | The authors wish to thank Juan Alcaide, Ron Bonica, Mach Chen, Andy | |||
| Davidson, Bruno Decraene, Dong Jie, Rex Fernando, Joel Halpern, Akira | Davidson, Bruno Decraene, Rex Fernando, Jeff Haas, Joel Halpern, Dong | |||
| Kato, Miya Kohno, Tony Li, Alton Lo, Shin Miyakawa, Tamas Mondal, | Jie, Akira Kato, Miya Kohno, Tony Li, Alton Lo, Shin Miyakawa, Tamas | |||
| Jonathan Oddy, Robert Raszuk, Yakov Rekhter, Eric Rosen, Rob Shakir, | Mondal, Jonathan Oddy, Tony Przygienda, Robert Raszuk, Yakov Rekhter, | |||
| Naiming Shen, Shyam Sethuram, Ananth Suryanarayana, Kaliraj | Eric Rosen, Shyam Sethuram, Rob Shakir, Naiming Shen, Adam Simpson, | |||
| Vairavakkalai and Lili Wang for their observations and discussion of | Ananth Suryanarayana, Kaliraj Vairavakkalai and Lili Wang for their | |||
| this topic, and review of this document. | observations and discussion of this topic, and review of this | |||
| document. | ||||
| 9. Normative References | 9. References | |||
| 9.1. Normative References | ||||
| [RFC1997] Chandrasekeran, R., Traina, P., and T. Li, "BGP | [RFC1997] Chandrasekeran, R., Traina, P., and T. Li, "BGP | |||
| Communities Attribute", RFC 1997, August 1996. | Communities Attribute", RFC 1997, August 1996. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway | [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway | |||
| Protocol 4 (BGP-4)", RFC 4271, January 2006. | Protocol 4 (BGP-4)", RFC 4271, January 2006. | |||
| skipping to change at page 12, line 38 | skipping to change at page 13, line 12 | |||
| "Multiprotocol Extensions for BGP-4", RFC 4760, January | "Multiprotocol Extensions for BGP-4", RFC 4760, January | |||
| 2007. | 2007. | |||
| [RFC5701] Rekhter, Y., "IPv6 Address Specific BGP Extended Community | [RFC5701] Rekhter, Y., "IPv6 Address Specific BGP Extended Community | |||
| Attribute", RFC 5701, November 2009. | Attribute", RFC 5701, November 2009. | |||
| [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet | [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet | |||
| Autonomous System (AS) Number Space", RFC 6793, December | Autonomous System (AS) Number Space", RFC 6793, December | |||
| 2012. | 2012. | |||
| Appendix A. Why not discard UPDATE messages? | 9.2. Informative References | |||
| A commonly asked question is "why not simply discard the UPDATE | ||||
| message instead of treating it like a withdraw? Isn't that safer and | ||||
| easier?" The answer is that it might be easier, but it would | ||||
| compromise BGP's correctness so is unsafe. Consider the following | ||||
| example of what might happen if UPDATE messages carrying bad | ||||
| attributes were simply discarded: | ||||
| AS1 ---- AS2 | ||||
| \ / | ||||
| \ / | ||||
| \ / | ||||
| AS3 | ||||
| Figure 1 | ||||
| o AS1 prefers to reach AS3 directly, and advertises its route to | ||||
| AS2. | ||||
| o AS2 prefers to reach AS3 directly, and advertises its route to | ||||
| AS1. | ||||
| o Connections AS3-AS1 and AS3-AS2 fail simultaneously. | ||||
| o AS1 switches to prefer AS2's route, and sends an update message | ||||
| which includes a withdraw of its previous announcement. The | ||||
| withdraw is bundled with some advertisements. It includes a bad | ||||
| attribute. As a result, AS2 ignores the message. | ||||
| o AS2 switches to prefer AS1's route, and sends an update message | ||||
| which includes a withdraw of its previous announcement. The | ||||
| withdraw is bundled with some advertisements. It includes a bad | ||||
| attribute. As a result, AS1 ignores the message. | ||||
| The end result is that AS1 forwards traffic for AS3 towards AS2, and | [I-D.ietf-l2vpn-evpn] | |||
| AS2 forwards traffic for AS3 towards AS1. This is a permanent (until | Sajassi, A., Aggarwal, R., Bitar, N., Isaac, A., and J. | |||
| corrected) forwarding loop. | Uttaro, "BGP MPLS Based Ethernet VPN", draft-ietf-l2vpn- | |||
| evpn-06 (work in progress), March 2014. | ||||
| Although the example above discusses route withdraws, we observe that | [RFC7117] Aggarwal, R., Kamite, Y., Fang, L., Rekhter, Y., and C. | |||
| in BGP the announcement of a route also withdraws the route | Kodeboniya, "Multicast in Virtual Private LAN Service | |||
| previously advertised. The implicit withdraw can be converted into a | (VPLS)", RFC 7117, February 2014. | |||
| real withdraw in a number of ways; for example, the previously- | ||||
| announced route might have been accepted by policy, but the new | ||||
| announcement might be rejected by policy. For this reason, the same | ||||
| concerns apply even if explicit withdraws are removed from | ||||
| consideration. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Enke Chen (editor) | Enke Chen (editor) | |||
| Cisco Systems, Inc. | Cisco Systems, Inc. | |||
| Email: enkechen@cisco.com | Email: enkechen@cisco.com | |||
| John G. Scudder (editor) | John G. Scudder (editor) | |||
| Juniper Networks | Juniper Networks | |||
| Email: jgs@juniper.net | Email: jgs@juniper.net | |||
| Pradosh Mohapatra | Pradosh Mohapatra | |||
| Cumulus Networks, Inc. | Sproute Networks | |||
| Email: pmohapat@cumulusnetworks.com | Email: mpradosh@yahoo.com | |||
| Keyur Patel | Keyur Patel | |||
| Cisco Systems, Inc. | Cisco Systems, Inc. | |||
| Email: keyupate@cisco.com | Email: keyupate@cisco.com | |||
| End of changes. 19 change blocks. | ||||
| 73 lines changed or deleted | 62 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||