| draft-ietf-idr-error-handling-07.txt | draft-ietf-idr-error-handling-08.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force E. Chen, Ed. | Internet Engineering Task Force E. Chen, Ed. | |||
| Internet-Draft Cisco Systems, Inc. | Internet-Draft Cisco Systems, Inc. | |||
| Updates: 1997, 4271, 4360, 4456, 4760, 5701 (if approved)J. Scudder, Ed. | Updates: 1997, 4271, 4360, 4456, 4760, 5701(if approved) J. Scudder, Ed. | |||
| Intended status: Standards Track Juniper Networks | Intended status: Standards Track Juniper Networks | |||
| Expires: November 8, 2014 P. Mohapatra | Expires: November 15, 2014 P. Mohapatra | |||
| Sproute Networks | Sproute Networks | |||
| K. Patel | K. Patel | |||
| Cisco Systems, Inc. | Cisco Systems, Inc. | |||
| May 7, 2014 | May 14, 2014 | |||
| Revised Error Handling for BGP UPDATE Messages | Revised Error Handling for BGP UPDATE Messages | |||
| draft-ietf-idr-error-handling-07 | draft-ietf-idr-error-handling-08 | |||
| Abstract | Abstract | |||
| According to the base BGP specification, a BGP speaker that receives | According to the base BGP specification, a BGP speaker that receives | |||
| an UPDATE message containing a malformed attribute is required to | an UPDATE message containing a malformed attribute is required to | |||
| reset the session over which the offending attribute was received. | reset the session over which the offending attribute was received. | |||
| This behavior is undesirable as a session reset would impact not only | This behavior is undesirable as a session reset would impact not only | |||
| routes with the offending attribute, but also other valid routes | routes with the offending attribute, but also other valid routes | |||
| exchanged over the session. This document partially revises the | exchanged over the session. This document partially revises the | |||
| error handling for UPDATE messages, and provides guidelines for the | error handling for UPDATE messages, and provides guidelines for the | |||
| authors of documents defining new attributes. Finally, it revises | authors of documents defining new attributes. Finally, it revises | |||
| the error handling procedures for a number of existing attributes. | the error handling procedures for a number of existing attributes. | |||
| This document updates error handling for RFCs 1997, 4271, 4360, 4456, | This document updates error handling for RFCs 1997, 4271, 4360, 4456, | |||
| 4760, and 5701. | 4760 and 5701. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 8, 2014. | This Internet-Draft will expire on November 15, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 35 | skipping to change at page 2, line 35 | |||
| Without obtaining an adequate license from the person(s) controlling | Without obtaining an adequate license from the person(s) controlling | |||
| the copyright in such materials, this document may not be modified | the copyright in such materials, this document may not be modified | |||
| outside the IETF Standards Process, and derivative works of it may | outside the IETF Standards Process, and derivative works of it may | |||
| not be created outside the IETF Standards Process, except to format | not be created outside the IETF Standards Process, except to format | |||
| it for publication as an RFC or to translate it into languages other | it for publication as an RFC or to translate it into languages other | |||
| than English. | than English. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Revision to Base Specification . . . . . . . . . . . . . . . 4 | 2. Error-Handling Approaches . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Parsing of NLRI Fields . . . . . . . . . . . . . . . . . . . 6 | 3. Revision to BGP UPDATE Message Error Handling . . . . . . . . 4 | |||
| 3.1. Inconsistency of Attribute Length Fields . . . . . . . . 6 | 4. Parsing of NLRI Fields . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.2. Syntactic Correctness of NLRI Fields . . . . . . . . . . 7 | 4.1. Attribute Length Fields . . . . . . . . . . . . . . . . . 7 | |||
| 3.3. Typed NLRI . . . . . . . . . . . . . . . . . . . . . . . 7 | 4.2. Syntactic Correctness of NLRI Fields . . . . . . . . . . 7 | |||
| 4. Operational Considerations . . . . . . . . . . . . . . . . . 8 | 4.3. Typed NLRI . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 5. Error Handling Procedures for Existing Attributes . . . . . . 9 | 5. Operational Considerations . . . . . . . . . . . . . . . . . 8 | |||
| 5.1. ORIGIN . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 6. Error Handling Procedures for Existing Attributes . . . . . . 9 | |||
| 5.2. AS_PATH . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 6.1. ORIGIN . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.3. NEXT_HOP . . . . . . . . . . . . . . . . . . . . . . . . 9 | 6.2. AS_PATH . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.4. MULTI_EXIT_DESC . . . . . . . . . . . . . . . . . . . . . 9 | 6.3. NEXT_HOP . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.5. LOCAL_PREF . . . . . . . . . . . . . . . . . . . . . . . 9 | 6.4. MULTI_EXIT_DISC . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.6. ATOMIC_AGGREGATE . . . . . . . . . . . . . . . . . . . . 10 | 6.5. LOCAL_PREF . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.7. AGGREGATOR . . . . . . . . . . . . . . . . . . . . . . . 10 | 6.6. ATOMIC_AGGREGATE . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.8. Community . . . . . . . . . . . . . . . . . . . . . . . . 10 | 6.7. AGGREGATOR . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 5.9. Extended Community . . . . . . . . . . . . . . . . . . . 10 | 6.8. Community . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 5.10. IPv6 Address Specific BGP Extended Community Attribute . 11 | 6.9. Extended Community . . . . . . . . . . . . . . . . . . . 11 | |||
| 5.11. ORIGINATOR_ID . . . . . . . . . . . . . . . . . . . . . . 11 | 6.10. IPv6 Address Specific BGP Extended Community Attribute . 11 | |||
| 5.12. CLUSTER_LIST . . . . . . . . . . . . . . . . . . . . . . 11 | 6.11. ORIGINATOR_ID . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 6.12. CLUSTER_LIST . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 6.13. MP_REACH_NLRI and MP_UNREACH_NLRI . . . . . . . . . . . . 12 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 | 7. Guidance for Authors of BGP Specifications . . . . . . . . . 12 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 13 | 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 13 | ||||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 14 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | ||||
| 1. Introduction | 1. Introduction | |||
| According to the base BGP specification [RFC4271], a BGP speaker that | According to the base BGP specification [RFC4271], a BGP speaker that | |||
| receives an UPDATE message containing a malformed attribute is | receives an UPDATE message containing a malformed attribute is | |||
| required to reset the session over which the offending attribute was | required to reset the session over which the offending attribute was | |||
| received. This behavior is undesirable as a session reset would | received. This behavior is undesirable as a session reset would | |||
| impact not only routes with the offending attribute, but also other | impact not only routes with the offending attribute, but also other | |||
| valid routes exchanged over the session. In the case of optional | valid routes exchanged over the session. In the case of optional | |||
| transitive attributes, the behavior is especially troublesome and may | transitive attributes, the behavior is especially troublesome and may | |||
| present a potential security vulnerability. The reason is that such | present a potential security vulnerability. The reason is that such | |||
| attributes may have been propagated without being checked by | attributes may have been propagated without being checked by | |||
| intermediate routers that do not recognize the attributes -- in | intermediate routers that do not recognize the attributes -- in | |||
| effect the attribute may have been tunneled, and when they do reach a | effect the attribute may have been tunneled, and when they do reach a | |||
| router that recognizes and checks them, the session that is reset may | router that recognizes and checks them, the session that is reset may | |||
| not be associated with the router that is at fault. | not be associated with the router that is at fault. To make matters | |||
| worse, in such cases although the problematic attributes may have | ||||
| originated with a single update transmitted by a single BGP speaker, | ||||
| by the time they encounter a router that checks them they may have | ||||
| been replicated many times, and thus may cause the reset of many | ||||
| peering sessions. Thus the damage inflicted may be multiplied | ||||
| manyfold. | ||||
| The goal for revising the error handling for UPDATE messages is to | The goal for revising the error handling for UPDATE messages is to | |||
| minimize the impact on routing by a malformed UPDATE message, while | minimize the impact on routing by a malformed UPDATE message, while | |||
| maintaining protocol correctness to the extent possible. This can be | maintaining protocol correctness to the extent possible. This can be | |||
| achieved largely by maintaining the established session and keeping | achieved largely by maintaining the established session and keeping | |||
| the valid routes exchanged, but removing the routes carried in the | the valid routes exchanged, but removing the routes carried in the | |||
| malformed UPDATE from the routing system. | malformed UPDATE from the routing system. | |||
| This document partially revises the error handling for UPDATE | This document partially revises the error handling for UPDATE | |||
| messages, and provides guidelines for the authors of documents | messages, and provides guidelines for the authors of documents | |||
| defining new attributes. Finally, it revises the error handling | defining new attributes. Finally, it revises the error handling | |||
| procedures for a number of existing attributes. Specifically, the | procedures for a number of existing attributes. Specifically, the | |||
| error handling procedures of, [RFC1997], [RFC4271], [RFC4360], | error handling procedures of [RFC1997], [RFC4271], [RFC4360], | |||
| [RFC4456], [RFC4760] and [RFC5701] are revised. | [RFC4456], [RFC4760] and [RFC5701] are revised. | |||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| 2. Revision to Base Specification | 2. Error-Handling Approaches | |||
| The first paragraph of Section 6.3 of [RFC4271] is revised as | In this document we refer to three different approaches to handling | |||
| follows: | errors found in BGP path attributes. They are as follows (listed in | |||
| order, from the one with the "strongest" action to the one with the | ||||
| "weakest" action): | ||||
| Old Text: | o Session reset: This is the approach used throughout the base BGP | |||
| specification [RFC4271], where a NOTIFICATION is sent and the | ||||
| session terminated. | ||||
| All errors detected while processing the UPDATE message MUST be | o Treat-as-withdraw: In this approach, the UPDATE message containing | |||
| indicated by sending the NOTIFICATION message with the Error Code | the path attribute in question MUST be treated as though all | |||
| UPDATE Message Error. The error subcode elaborates on the | contained routes had been withdrawn just as if they had been | |||
| specific nature of the error. | listed in the WITHDRAWN ROUTES field (or in the MP_UNREACH_NLRI | |||
| attribute if appropriate) of the UPDATE message, thus causing them | ||||
| to be removed from the Adj-RIB-In according to the procedures of | ||||
| [RFC4271]. | ||||
| New text: | o Attribute discard: In this approach the malformed attribute MUST | |||
| be discarded and the UPDATE message continues to be processed. | ||||
| This approach MUST NOT be used except in the case of an attribute | ||||
| that has no effect on route selection or installation. | ||||
| An error detected while processing the UPDATE message for which a | 3. Revision to BGP UPDATE Message Error Handling | |||
| session reset is specified MUST be indicated by sending the | ||||
| NOTIFICATION message with the Error Code UPDATE Message Error. | ||||
| The error subcode elaborates on the specific nature of the error. | ||||
| The error handling of the following case described in Section 6.3 of | This specification amends [RFC4271] Section 6.3 in a number of ways. | |||
| [RFC4271] remains unchanged: | See also Section 6 for treatment of specific path attributes. | |||
| If the Withdrawn Routes Length or Total Attribute Length is too | a. The first paragraph is revised as follows: | |||
| large (i.e., if Withdrawn Routes Length + Total Attribute Length + | ||||
| 23 exceeds the message Length), then the Error Subcode MUST be set | ||||
| to Malformed Attribute List. | ||||
| The error handling of the following case described in Section 6.3 of | Old Text: | |||
| [RFC4271] is revised | ||||
| If any recognized attribute has Attribute Flags that conflict with | All errors detected while processing the UPDATE message | |||
| the Attribute Type Code, then the Error Subcode MUST be set to | MUST be indicated by sending the NOTIFICATION message with | |||
| Attribute Flags Error. The Data field MUST contain the erroneous | the Error Code UPDATE Message Error. The error subcode | |||
| attribute (type, length, and value). | elaborates on the specific nature of the error. | |||
| as follows: | New text: | |||
| If any recognized attribute has Attribute Flags that conflict with | An error detected while processing the UPDATE message for | |||
| the Attribute Type Code, then the attribute MUST be treated as | which a session reset is specified MUST be indicated by | |||
| malformed and the treat-as-withdraw approach (see below) used, | sending the NOTIFICATION message with the Error Code UPDATE | |||
| unless the specification for the attribute mandates different | Message Error. The error subcode elaborates on the | |||
| handling for incorrect Attribute Flags. | specific nature of the error. | |||
| The error handling of all other cases involving path attributes as | b. Error handling for the following case remains unchanged: | |||
| described in Section 6.3 of [RFC4271] that specify a session reset is | ||||
| revised as follows. | ||||
| When a path attribute (other than the MP_REACH_NLRI attribute | If the Withdrawn Routes Length or Total Attribute Length is | |||
| [RFC4760] or the MP_UNREACH_NLRI attribute [RFC4760]) in an UPDATE | too large (i.e., if Withdrawn Routes Length + Total | |||
| message is determined to be malformed, the UPDATE message containing | Attribute Length + 23 exceeds the message Length), then the | |||
| that attribute MUST be treated as though all contained routes had | Error Subcode MUST be set to Malformed Attribute List. | |||
| been withdrawn just as if they had been listed in the WITHDRAWN | ||||
| ROUTES field (or in the MP_UNREACH_NLRI attribute if appropriate) of | ||||
| the UPDATE message, thus causing them to be removed from the Adj-RIB- | ||||
| In according to the procedures of [RFC4271]. In the case of an | ||||
| attribute which has no effect on route selection or installation, the | ||||
| malformed attribute MAY instead be discarded and the UPDATE message | ||||
| continue to be processed. For the sake of brevity, the former | ||||
| approach is termed "treat-as-withdraw", and the latter as "attribute | ||||
| discard". | ||||
| If any of the well-known mandatory attributes are not present in an | c. Attribute Flag error handling is revised as follows: | |||
| UPDATE message, then the approach of "treat-as-withdraw" MUST be used | ||||
| for the error handling. | ||||
| The approach of "treat-as-withdraw" MUST be used for the error | Old Text: | |||
| handling of the cases described in Section 6.3 of [RFC4271] that | ||||
| specify a session reset and involve any of the following attributes: | ||||
| ORIGIN, AS_PATH, NEXT_HOP, MULTI_EXIT_DISC, and LOCAL_PREF. | ||||
| The approach of "attribute discard" MUST be used for the error | If any recognized attribute has Attribute Flags that | |||
| handling of the cases described in Section 6.3 of [RFC4271] that | conflict with the Attribute Type Code, then the Error | |||
| specify a session reset and involve any of the following attributes: | Subcode MUST be set to Attribute Flags Error. The Data | |||
| ATOMIC_AGGREGATE and AGGREGATOR. | field MUST contain the erroneous attribute (type, length, | |||
| and value). | ||||
| If the MP_REACH_NLRI attribute or the MP_UNREACH_NLRI attribute | New Text: | |||
| appears more than once in the UPDATE message, then a NOTIFICATION | ||||
| message MUST be sent with the Error Subcode "Malformed Attribute | ||||
| List". If any other attribute appears more than once in an UPDATE | ||||
| message, then all the occurrences of the attribute other than the | ||||
| first one SHALL be discarded and the UPDATE message continue to be | ||||
| processed. | ||||
| When multiple attribute errors exist in an UPDATE message, if the | If any recognized attribute has Attribute Flags that | |||
| same approach (either "session reset", or "treat-as-withdraw" or | conflict with the Attribute Type Code, then the attribute | |||
| "attribute discard") is specified for the handling of these malformed | MUST be treated as malformed and the treat-as-withdraw | |||
| attributes, then the specified approach MUST be used. Otherwise the | approach used, unless the specification for the attribute | |||
| approach with the strongest action MUST be used following the order | mandates different handling for incorrect Attribute Flags. | |||
| of "session reset", "treat-as-withdraw" and "attribute discard" from | ||||
| the strongest to the weakest. | ||||
| A document which specifies a new attribute MUST provide specifics | d. If any of the well-known mandatory attributes are not present in | |||
| regarding what constitutes an error for that attribute and how that | an UPDATE message, then "treat-as-withdraw" MUST be used. | |||
| error is to be handled. | ||||
| Finally, we observe that in order to use the approach of "treat-as- | e. "Treat-as-withdraw" MUST be used for the cases that specify a | |||
| withdraw", the entire NLRI field and/or the MP_REACH_NLRI and | session reset and involve any of the attributes ORIGIN, AS_PATH, | |||
| MP_UNREACH_NLRI attributes need to be successfully parsed. If this | NEXT_HOP, MULTI_EXIT_DISC, or LOCAL_PREF. | |||
| is not possible, the procedures of [RFC4271] continue to apply, | ||||
| meaning that the session MUST be reset and a NOTIFICATION sent. | ||||
| Alternatively the error handling procedures specified in [RFC4760] | ||||
| for disabling a particular AFI/SAFI MAY be followed. One notable | ||||
| case where it would be not possible to successfully parse the NLRI is | ||||
| if the NLRI field is found to be "syntactically incorrect" (see | ||||
| Section 3.2). It can be seen that therefore, this part of [RFC4271] | ||||
| Section 6.3 necessarily continues to apply: | ||||
| The NLRI field in the UPDATE message is checked for syntactic | f. "Attribute discard" MUST be used for any of the cases that | |||
| validity. If the field is syntactically incorrect, then the Error | specify a session reset and involve ATOMIC_AGGREGATE or | |||
| Subcode MUST be set to Invalid Network Field. | AGGREGATOR. | |||
| Furthermore, this document extends RFC 4271 by mandating that the | g. If the MP_REACH_NLRI attribute or the MP_UNREACH_NLRI [RFC4760] | |||
| Withdrawn Routes field SHALL be checked for syntactic correctness in | attribute appears more than once in the UPDATE message, then a | |||
| the same manner as the NLRI field. | NOTIFICATION message MUST be sent with the Error Subcode | |||
| "Malformed Attribute List". If any other attribute appears more | ||||
| than once in an UPDATE message, then all the occurrences of the | ||||
| attribute other than the first one SHALL be discarded and the | ||||
| UPDATE message continue to be processed. | ||||
| 3. Parsing of NLRI Fields | h. When multiple attribute errors exist in an UPDATE message, if the | |||
| same approach (either "session reset", "treat-as-withdraw" or | ||||
| "attribute discard") is specified for the handling of these | ||||
| malformed attributes, then the specified approach MUST be used. | ||||
| Otherwise the approach with the strongest action MUST be used. | ||||
| i. The Withdrawn Routes field MUST be checked for syntactic | ||||
| correctness in the same manner as the NLRI field. This is | ||||
| discussed further below, and in Section 4.2. | ||||
| j. Finally, we observe that in order to use the approach of "treat- | ||||
| as-withdraw", the entire NLRI field and/or the MP_REACH_NLRI and | ||||
| MP_UNREACH_NLRI attributes need to be successfully parsed. If | ||||
| this is not possible, the procedures of [RFC4271] continue to | ||||
| apply, meaning that the "session reset" approach SHOULD be | ||||
| followed. Alternatively the error handling procedures specified | ||||
| in [RFC4760] for disabling a particular AFI/SAFI MAY be followed. | ||||
| One notable case where it would be not possible to successfully | ||||
| parse the NLRI is if the NLRI field is found to be "syntactically | ||||
| incorrect" (see Section 4.2). It can be seen that therefore, | ||||
| this part of [RFC4271] Section 6.3 necessarily continues to | ||||
| apply: | ||||
| The NLRI field in the UPDATE message is checked for syntactic | ||||
| validity. If the field is syntactically incorrect, then the | ||||
| Error Subcode MUST be set to Invalid Network Field. | ||||
| 4. Parsing of NLRI Fields | ||||
| To facilitate the determination of the NLRI field in an UPDATE with a | To facilitate the determination of the NLRI field in an UPDATE with a | |||
| malformed attribute, the MP_REACH_NLRI or MP_UNREACH_NLRI attribute | malformed attribute, the following restrictions on encoding NLRI MUST | |||
| (if present) SHALL be encoded as the very first path attribute in an | be followed: | |||
| UPDATE. An implementation, however, MUST still be prepared to | ||||
| receive these fields in any position. | o The MP_REACH_NLRI or MP_UNREACH_NLRI attribute (if present) SHALL | |||
| be encoded as the very first path attribute in an UPDATE. | ||||
| o The MP_REACH_NLRI or MP_UNREACH_NLRI SHALL NOT be combined in the | ||||
| same UPDATE message. | ||||
| o The MP_REACH_NLRI and MP_UNREACH_NLRI attributes MUST NOT be used | ||||
| in an UPDATE that also contains a non-empty Withdrawn Routes or | ||||
| Network Layer Reachability Information field. | ||||
| In all these cases, however, an implementation MUST still be prepared | ||||
| to receive these fields in any position or combination. | ||||
| If the encoding of [RFC4271] is used, the NLRI field for the IPv4 | If the encoding of [RFC4271] is used, the NLRI field for the IPv4 | |||
| unicast address family is carried immediately following all the | unicast address family is carried immediately following all the | |||
| attributes in an UPDATE. When such an UPDATE is received, we observe | attributes in an UPDATE. When such an UPDATE is received, we observe | |||
| that the NLRI field can be determined using the "Message Length", | that the NLRI field can be determined using the "Message Length", | |||
| "Withdrawn Route Length" and "Total Attribute Length" (when they are | "Withdrawn Route Length" and "Total Attribute Length" (when they are | |||
| consistent) carried in the message instead of relying on the length | consistent) carried in the message instead of relying on the length | |||
| of individual attributes in the message. | of individual attributes in the message. | |||
| 3.1. Inconsistency of Attribute Length Fields | 4.1. Attribute Length Fields | |||
| There are two error cases in which the Total Attribute Length value | There are two error cases in which the Total Attribute Length value | |||
| can be in conflict with the enclosed path attributes, which | can be in conflict with the enclosed path attributes, which | |||
| themselves carry length values. In the "overrun" case, as the | themselves carry length values. In the "overrun" case, as the | |||
| enclosed path attributes are parsed, the length of the last | enclosed path attributes are parsed, the length of the last | |||
| encountered path attribute would cause the Total Attribute Length to | encountered path attribute would cause the Total Attribute Length to | |||
| be exceeded. In the "underrun" case, as the enclosed path attributes | be exceeded. In the "underrun" case, as the enclosed path attributes | |||
| are parsed, after the last successfully-parsed attribute, fewer than | are parsed, after the last successfully-parsed attribute, fewer than | |||
| three bytes remain, or fewer than four bytes, if the Attribute Flags | three octets remain, or fewer than four octets, if the Attribute | |||
| field has the Extended Length bit set -- that is, there remains | Flags field has the Extended Length bit set -- that is, there remains | |||
| unconsumed data in the path attributes but yet insufficient data to | unconsumed data in the path attributes but yet insufficient data to | |||
| encode a single minimum-sized path attribute. In either of these | encode a single minimum-sized path attribute. In either of these | |||
| cases an error condition exists and the treat-as-withdraw approach | cases an error condition exists and the treat-as-withdraw approach | |||
| MUST be used (unless some other, more severe error is encountered | MUST be used (unless some other, more severe error is encountered | |||
| dictating a stronger approach), and the Total Attribute Length MUST | dictating a stronger approach), and the Total Attribute Length MUST | |||
| be relied upon to enable the beginning of the NLRI field to be | be relied upon to enable the beginning of the NLRI field to be | |||
| located. | located. | |||
| 3.2. Syntactic Correctness of NLRI Fields | For all path attributes other than those specified as having an | |||
| attribute length that may be zero it SHALL be considered a syntax | ||||
| error for the attribute to have a length of zero. (Of the path | ||||
| attributes considered in this specification, only AS_PATH and | ||||
| ATOMIC_AGGREGATE may validly have an attribute length of zero.) | ||||
| 4.2. Syntactic Correctness of NLRI Fields | ||||
| The NLRI field or Withdrawn Routes field SHALL be considered | The NLRI field or Withdrawn Routes field SHALL be considered | |||
| "syntactically incorrect" if either of the following are true: | "syntactically incorrect" if either of the following are true: | |||
| o The length of any of the included NLRI is greater than 32, | o The length of any of the included NLRI is greater than 32, | |||
| o When parsing NLRI contained in the field, the length of the last | o When parsing NLRI contained in the field, the length of the last | |||
| NLRI found exceeds the amount of unconsumed data remaining in the | NLRI found exceeds the amount of unconsumed data remaining in the | |||
| field. | field. | |||
| skipping to change at page 7, line 39 | skipping to change at page 8, line 19 | |||
| o When parsing NLRI contained in the attribute, the length of the | o When parsing NLRI contained in the attribute, the length of the | |||
| last NLRI found exceeds the amount of unconsumed data remaining in | last NLRI found exceeds the amount of unconsumed data remaining in | |||
| the attribute. | the attribute. | |||
| o The attribute flags of the attribute are inconsistent with those | o The attribute flags of the attribute are inconsistent with those | |||
| specified in [RFC4760]. | specified in [RFC4760]. | |||
| o The length of the MP_UNREACH attribute is less than 3, or the | o The length of the MP_UNREACH attribute is less than 3, or the | |||
| length of the MP_REACH attribute is less than 5. | length of the MP_REACH attribute is less than 5. | |||
| 3.3. Typed NLRI | 4.3. Typed NLRI | |||
| Certain address families, for example MVPN [RFC7117] and EVPN | Certain address families, for example MVPN [RFC7117] and EVPN | |||
| [I-D.ietf-l2vpn-evpn] have NLRI that are typed. Since supported type | [I-D.ietf-l2vpn-evpn] have NLRI that are typed. Since supported type | |||
| values with the address family are not expressed in the MP-BGP | values within the address family are not expressed in the MP-BGP | |||
| capability [RFC4760], it is possible for a BGP speaker to advertise | capability [RFC4760], it is possible for a BGP speaker to advertise | |||
| support for the given address family and sub-address family while | support for the given address family and sub-address family while | |||
| still not supporting a particular type of NLRI within that AFI/SAFI. | still not supporting a particular type of NLRI within that AFI/SAFI. | |||
| A BGP speaker advertising support for such a typed address family | A BGP speaker advertising support for such a typed address family | |||
| MUST handle routes with unrecognized NLRI types within that address | MUST handle routes with unrecognized NLRI types within that address | |||
| family by discarding them, unless the relevant specification for that | family by discarding them, unless the relevant specification for that | |||
| address family specifies otherwise. | address family specifies otherwise. | |||
| 4. Operational Considerations | 5. Operational Considerations | |||
| Although the "treat-as-withdraw" error-handling behavior defined in | Although the "treat-as-withdraw" error-handling behavior defined in | |||
| Section 2 makes every effort to preserve BGP's correctness, we note | Section 2 makes every effort to preserve BGP's correctness, we note | |||
| that if an UPDATE received on an IBGP session is subjected to this | that if an UPDATE received on an IBGP session is subjected to this | |||
| treatment, inconsistent routing within the affected Autonomous System | treatment, inconsistent routing within the affected Autonomous System | |||
| may result. The consequences of inconsistent routing can include | may result. The consequences of inconsistent routing can include | |||
| long-lived forwarding loops and black holes. While lamentable, this | long-lived forwarding loops and black holes. While lamentable, this | |||
| issue is expected to be rare in practice, and more importantly is | issue is expected to be rare in practice, and more importantly is | |||
| seen as less problematic than the session-reset behavior it replaces. | seen as less problematic than the session-reset behavior it replaces. | |||
| skipping to change at page 8, line 33 | skipping to change at page 9, line 14 | |||
| Even if inconsistent routing does not arise, the "treat-as-withdraw" | Even if inconsistent routing does not arise, the "treat-as-withdraw" | |||
| behavior can cause either complete unreachability or sub-optimal | behavior can cause either complete unreachability or sub-optimal | |||
| routing for the destinations whose routes are carried in the affected | routing for the destinations whose routes are carried in the affected | |||
| UPDATE message. | UPDATE message. | |||
| Note that "treat-as-withdraw" is different from discarding an UPDATE | Note that "treat-as-withdraw" is different from discarding an UPDATE | |||
| message. The latter violates the basic BGP principle of incremental | message. The latter violates the basic BGP principle of incremental | |||
| update, and could cause invalid routes to be kept. | update, and could cause invalid routes to be kept. | |||
| For any malformed attribute which is handled by the "attribute | ||||
| discard" instead of the "treat-as-withdraw" approach, it is critical | ||||
| to consider the potential impact of doing so. In particular, if the | ||||
| attribute in question has or may have an effect on route selection or | ||||
| installation, the presumption is that discarding it is unsafe, unless | ||||
| careful analysis proves otherwise. The analysis should take into | ||||
| account the tradeoff between preserving connectivity and potential | ||||
| side effects. | ||||
| Because of these potential issues, a BGP speaker MUST provide | Because of these potential issues, a BGP speaker MUST provide | |||
| debugging facilities to permit issues caused by a malformed attribute | debugging facilities to permit issues caused by a malformed attribute | |||
| to be diagnosed. At a minimum, such facilities MUST include logging | to be diagnosed. At a minimum, such facilities MUST include logging | |||
| an error listing the NLRI involved, and containing the entire | an error listing the NLRI involved, and containing the entire | |||
| malformed UPDATE message when such an attribute is detected. The | malformed UPDATE message when such an attribute is detected. The | |||
| malformed UPDATE message SHOULD be analyzed, and the root cause | malformed UPDATE message SHOULD be analyzed, and the root cause | |||
| SHOULD be investigated. | SHOULD be investigated. | |||
| 5. Error Handling Procedures for Existing Attributes | 6. Error Handling Procedures for Existing Attributes | |||
| 5.1. ORIGIN | In the following subsections, we elaborate on the conditions for | |||
| error-checking various path attributes, and specify what approach(es) | ||||
| should be used to handle malformations. It is possible that | ||||
| implementations may apply other error checks not contemplated here. | ||||
| If so, the error handling approach given here should generally be | ||||
| applied. | ||||
| 6.1. ORIGIN | ||||
| The attribute is considered malformed if its length is not 1, or it | The attribute is considered malformed if its length is not 1, or it | |||
| has an undefined value [RFC4271]. | has an undefined value [RFC4271]. | |||
| An UPDATE message with a malformed ORIGIN attribute SHALL be handled | An UPDATE message with a malformed ORIGIN attribute SHALL be handled | |||
| using the approach of "treat-as-withdraw". | using the approach of "treat-as-withdraw". | |||
| 5.2. AS_PATH | 6.2. AS_PATH | |||
| The error conditions for the attribute have been defined in | An AS_PATH is considered malformed if an unrecognized segment type is | |||
| [RFC4271]. | encountered, or if it contains a malformed segment. A segment is | |||
| considered malformed if any of the following obtains: | ||||
| o There is an overrun, where the path segment length field of the | ||||
| last segment encountered would cause the Attribute Length to be | ||||
| exceeded. | ||||
| o There is an underrun, where after the last successfully-parsed | ||||
| segment, there is only a single octet remaining (that is, there is | ||||
| not enough unconsumed data to provide even an empty segment | ||||
| header). | ||||
| o It has a path segment length field of zero. | ||||
| An UPDATE message with a malformed AS_PATH attribute SHALL be handled | An UPDATE message with a malformed AS_PATH attribute SHALL be handled | |||
| using the approach of "treat-as-withdraw". | using the approach of "treat-as-withdraw". | |||
| 5.3. NEXT_HOP | [RFC4271] also says that an implementation optionally "MAY check | |||
| whether the leftmost ... AS in the AS_PATH attribute is equal to the | ||||
| autonomous system number of the peer that sent the message". A BGP | ||||
| implementation SHOULD also handle routes that violate this check | ||||
| using "treat-as-withdraw", but MAY follow the session reset behavior | ||||
| if configured to do so. | ||||
| The error conditions for the NEXT_HOP attribute have been defined in | 6.3. NEXT_HOP | |||
| [RFC4271]. | ||||
| The attribute is considered malformed if it is syntactically | ||||
| incorrect according to [RFC4271]. | ||||
| An UPDATE message with a malformed NEXT_HOP attribute SHALL be | An UPDATE message with a malformed NEXT_HOP attribute SHALL be | |||
| handled using the approach of "treat-as-withdraw". | handled using the approach of "treat-as-withdraw". | |||
| 5.4. MULTI_EXIT_DESC | 6.4. MULTI_EXIT_DISC | |||
| The attribute is considered malformed if its length is not 4 | The attribute is considered malformed if its length is not 4 | |||
| [RFC4271]. | [RFC4271]. | |||
| An UPDATE message with a malformed MULTI_EXIT_DESC attribute SHALL be | An UPDATE message with a malformed MULTI_EXIT_DESC attribute SHALL be | |||
| handled using the approach of "treat-as-withdraw". | handled using the approach of "treat-as-withdraw". | |||
| 5.5. LOCAL_PREF | 6.5. LOCAL_PREF | |||
| The attribute is considered malformed if its length is not 4 | ||||
| [RFC4271]. | ||||
| An UPDATE message with a malformed LOCAL_PREF attribute SHALL be | ||||
| handled as follows: | ||||
| o using the approach of "attribute discard" if the UPDATE message is | The error handling of [RFC4271] is revised as follows. | |||
| received from an external neighbor, or | ||||
| o using the approach of "treat-as-withdraw" if the UPDATE message is | o If the LOCAL_PREF attribute is received from an external neighbor, | |||
| received from an internal neighbor. | it SHALL be discarded using the approach of "attribute discard", | |||
| or | ||||
| In addition, if the attribute is present in an UPDATE message from an | o if received from an internal neighbor, it SHALL be considered | |||
| external neighbor, the approach of "attribute discard" SHALL be used | malformed if its length is not equal to 4. If malformed, the | |||
| to handle the unexpected attribute in the message. | UPDATE SHALL be handled using the approach of "treat-as-withdraw". | |||
| 5.6. ATOMIC_AGGREGATE | 6.6. ATOMIC_AGGREGATE | |||
| The attribute SHALL be considered malformed if its length is not 0 | The attribute SHALL be considered malformed if its length is not 0 | |||
| [RFC4271]. | [RFC4271]. | |||
| An UPDATE message with a malformed ATOMIC_AGGREGATE attribute SHALL | An UPDATE message with a malformed ATOMIC_AGGREGATE attribute SHALL | |||
| be handled using the approach of "attribute discard". | be handled using the approach of "attribute discard". | |||
| 5.7. AGGREGATOR | 6.7. AGGREGATOR | |||
| The error conditions specified in [RFC4271] for the attribute are | The error conditions specified in [RFC4271] for the attribute are | |||
| revised as follows: | revised as follows: | |||
| The AGGREGATOR attribute SHALL be considered malformed if any of the | The AGGREGATOR attribute SHALL be considered malformed if any of the | |||
| following applies: | following applies: | |||
| o Its length is not 6 (when the "4-octet AS number capability" is | o Its length is not 6 (when the "4-octet AS number capability" is | |||
| not advertised to, or not received from the peer [RFC6793]). | not advertised to, or not received from the peer [RFC6793]). | |||
| o Its length is not 8 (when the "4-octet AS number capability" is | o Its length is not 8 (when the "4-octet AS number capability" is | |||
| both advertised to, and received from the peer). | both advertised to, and received from the peer). | |||
| An UPDATE message with a malformed AGGREGATOR attribute SHALL be | An UPDATE message with a malformed AGGREGATOR attribute SHALL be | |||
| handled using the approach of "attribute discard". | handled using the approach of "attribute discard". | |||
| 5.8. Community | 6.8. Community | |||
| The error handling of [RFC1997] is revised as follows: | The error handling of [RFC1997] is revised as follows: | |||
| The Community attribute SHALL be considered malformed if its length | The Community attribute SHALL be considered malformed if its length | |||
| is nonzero and is not a multiple of 4. | is not a nonzero multiple of 4. | |||
| An UPDATE message with a malformed Community attribute SHALL be | An UPDATE message with a malformed Community attribute SHALL be | |||
| handled using the approach of "treat-as-withdraw". | handled using the approach of "treat-as-withdraw". | |||
| 5.9. Extended Community | 6.9. Extended Community | |||
| The error handling of [RFC4360] is revised as follows: | The error handling of [RFC4360] is revised as follows: | |||
| The Extended Community attribute SHALL be considered malformed if its | The Extended Community attribute SHALL be considered malformed if its | |||
| length is nonzero and is not a multiple of 8. | length is not a nonzero multiple of 8. | |||
| An UPDATE message with a malformed Extended Community attribute SHALL | An UPDATE message with a malformed Extended Community attribute SHALL | |||
| be handled using the approach of "treat-as-withdraw". | be handled using the approach of "treat-as-withdraw". | |||
| Note that a BGP speaker MUST NOT treat an unrecognized Extended | Note that a BGP speaker MUST NOT treat an unrecognized Extended | |||
| Community Type or Sub-Type as an error. | Community Type or Sub-Type as an error. | |||
| 5.10. IPv6 Address Specific BGP Extended Community Attribute | 6.10. IPv6 Address Specific BGP Extended Community Attribute | |||
| The error handling of [RFC5701] is revised as follows: | The error handling of [RFC5701] is revised as follows: | |||
| The IPv6 Address Specific Extended Community attribute SHALL be | The IPv6 Address Specific Extended Community attribute SHALL be | |||
| considered malformed if its length is nonzero and is not a multiple | considered malformed if its length is not a nonzero multiple of 20. | |||
| of 20. | ||||
| An UPDATE message with a malformed IPv6 Address Specific Extended | An UPDATE message with a malformed IPv6 Address Specific Extended | |||
| Community attribute SHALL be handled using the approach of "treat-as- | Community attribute SHALL be handled using the approach of "treat-as- | |||
| withdraw". | withdraw". | |||
| Note that a BGP speaker MUST NOT treat an unrecognized IPv6 Address | Note that a BGP speaker MUST NOT treat an unrecognized IPv6 Address | |||
| Specific Extended Community Type or Sub-Type as an error. | Specific Extended Community Type or Sub-Type as an error. | |||
| 5.11. ORIGINATOR_ID | 6.11. ORIGINATOR_ID | |||
| The error handling of [RFC4456] is revised as follows. | The error handling of [RFC4456] is revised as follows. | |||
| o If the ORIGINATOR_ID attribute is received from an external | o If the ORIGINATOR_ID attribute is received from an external | |||
| neighbor, it SHALL be discarded using the approach of "attribute | neighbor, it SHALL be discarded using the approach of "attribute | |||
| discard", or | discard", or | |||
| o if received from an internal neighbor, it SHALL be considered | o if received from an internal neighbor, it SHALL be considered | |||
| malformed if its length is not equal to 4. If malformed, the | malformed if its length is not equal to 4. If malformed, the | |||
| UPDATE SHALL be handled using the approach of "treat-as-withdraw". | UPDATE SHALL be handled using the approach of "treat-as-withdraw". | |||
| 5.12. CLUSTER_LIST | 6.12. CLUSTER_LIST | |||
| The error handling of [RFC4456] is revised as follows. | The error handling of [RFC4456] is revised as follows. | |||
| o If the CLUSTER_LIST attribute is received from an external | o If the CLUSTER_LIST attribute is received from an external | |||
| neighbor, it SHALL be discarded using the approach of "attribute | neighbor, it SHALL be discarded using the approach of "attribute | |||
| discard", or | discard", or | |||
| o if received from an internal neighbor, it SHALL be considered | o if received from an internal neighbor, it SHALL be considered | |||
| malformed if its length is not a multiple 4. If malformed, the | malformed if its length is not a nonzero multiple of 4. If | |||
| UPDATE SHALL be handled using the approach of "treat-as-withdraw". | malformed, the UPDATE SHALL be handled using the approach of | |||
| "treat-as-withdraw". | ||||
| 6. IANA Considerations | 6.13. MP_REACH_NLRI and MP_UNREACH_NLRI | |||
| The handling of these attributes is discussed in Section 3 and | ||||
| Section 4. | ||||
| 7. Guidance for Authors of BGP Specifications | ||||
| A document that specifies a new BGP attribute MUST provide specifics | ||||
| regarding what constitutes an error for that attribute and how that | ||||
| error is to be handled. Allowable error-handling approaches are | ||||
| detailed in Section 2. The treat-as-withdraw approach is generally | ||||
| preferred. The document SHOULD also provide consideration of what | ||||
| debugging facilities may be required to permit issues caused by a | ||||
| malformed attribute to be diagnosed. | ||||
| For any malformed attribute that is handled by the "attribute | ||||
| discard" instead of the "treat-as-withdraw" approach, it is critical | ||||
| to consider the potential impact of doing so. In particular, if the | ||||
| attribute in question has or may have an effect on route selection or | ||||
| installation, the presumption is that discarding it is unsafe, unless | ||||
| careful analysis proves otherwise. The analysis should take into | ||||
| account the tradeoff between preserving connectivity and potential | ||||
| side effects. | ||||
| 8. IANA Considerations | ||||
| This document makes no request of IANA. | This document makes no request of IANA. | |||
| 7. Security Considerations | 9. Security Considerations | |||
| This specification addresses the vulnerability of a BGP speaker to a | This specification addresses the vulnerability of a BGP speaker to a | |||
| potential attack whereby a distant attacker can generate a malformed | potential attack whereby a distant attacker can generate a malformed | |||
| optional transitive attribute that is not recognized by intervening | optional transitive attribute that is not recognized by intervening | |||
| routers (which thus propagate the attribute unchecked) but that | routers (which thus propagate the attribute unchecked) but that | |||
| causes session resets when it reaches routers that do recognize the | causes session resets when it reaches routers that do recognize the | |||
| given attribute type. | given attribute type. | |||
| In other respects, this specification does not change BGP's security | In other respects, this specification does not change BGP's security | |||
| characteristics. | characteristics. | |||
| 8. Acknowledgements | 10. Acknowledgements | |||
| The authors wish to thank Juan Alcaide, Ron Bonica, Mach Chen, Andy | The authors wish to thank Juan Alcaide, Ron Bonica, Mach Chen, Andy | |||
| Davidson, Bruno Decraene, Rex Fernando, Jeff Haas, Joel Halpern, Dong | Davidson, Bruno Decraene, Rex Fernando, Jeff Haas, Chris Hall, Joel | |||
| Jie, Akira Kato, Miya Kohno, Tony Li, Alton Lo, Shin Miyakawa, Tamas | Halpern, Dong Jie, Akira Kato, Miya Kohno, Tony Li, Alton Lo, Shin | |||
| Mondal, Jonathan Oddy, Tony Przygienda, Robert Raszuk, Yakov Rekhter, | Miyakawa, Tamas Mondal, Jonathan Oddy, Tony Przygienda, Robert | |||
| Eric Rosen, Shyam Sethuram, Rob Shakir, Naiming Shen, Adam Simpson, | Raszuk, Yakov Rekhter, Eric Rosen, Shyam Sethuram, Rob Shakir, | |||
| Ananth Suryanarayana, Kaliraj Vairavakkalai and Lili Wang for their | Naiming Shen, Adam Simpson, Ananth Suryanarayana, Kaliraj | |||
| observations and discussion of this topic, and review of this | Vairavakkalai, Lili Wang and Ondrej Zajicek for their observations | |||
| document. | and discussion of this topic, and review of this document. | |||
| 9. References | 11. References | |||
| 9.1. Normative References | 11.1. Normative References | |||
| [RFC1997] Chandrasekeran, R., Traina, P., and T. Li, "BGP | [RFC1997] Chandrasekeran, R., Traina, P., and T. Li, "BGP | |||
| Communities Attribute", RFC 1997, August 1996. | Communities Attribute", RFC 1997, August 1996. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway | [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway | |||
| Protocol 4 (BGP-4)", RFC 4271, January 2006. | Protocol 4 (BGP-4)", RFC 4271, January 2006. | |||
| skipping to change at page 13, line 12 | skipping to change at page 14, line 23 | |||
| "Multiprotocol Extensions for BGP-4", RFC 4760, January | "Multiprotocol Extensions for BGP-4", RFC 4760, January | |||
| 2007. | 2007. | |||
| [RFC5701] Rekhter, Y., "IPv6 Address Specific BGP Extended Community | [RFC5701] Rekhter, Y., "IPv6 Address Specific BGP Extended Community | |||
| Attribute", RFC 5701, November 2009. | Attribute", RFC 5701, November 2009. | |||
| [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet | [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet | |||
| Autonomous System (AS) Number Space", RFC 6793, December | Autonomous System (AS) Number Space", RFC 6793, December | |||
| 2012. | 2012. | |||
| 9.2. Informative References | 11.2. Informative References | |||
| [I-D.ietf-l2vpn-evpn] | [I-D.ietf-l2vpn-evpn] | |||
| Sajassi, A., Aggarwal, R., Bitar, N., Isaac, A., and J. | Sajassi, A., Aggarwal, R., Bitar, N., Isaac, A., and J. | |||
| Uttaro, "BGP MPLS Based Ethernet VPN", draft-ietf-l2vpn- | Uttaro, "BGP MPLS Based Ethernet VPN", draft-ietf-l2vpn- | |||
| evpn-06 (work in progress), March 2014. | evpn-07 (work in progress), May 2014. | |||
| [RFC7117] Aggarwal, R., Kamite, Y., Fang, L., Rekhter, Y., and C. | [RFC7117] Aggarwal, R., Kamite, Y., Fang, L., Rekhter, Y., and C. | |||
| Kodeboniya, "Multicast in Virtual Private LAN Service | Kodeboniya, "Multicast in Virtual Private LAN Service | |||
| (VPLS)", RFC 7117, February 2014. | (VPLS)", RFC 7117, February 2014. | |||
| Authors' Addresses | Authors' Addresses | |||
| Enke Chen (editor) | Enke Chen (editor) | |||
| Cisco Systems, Inc. | Cisco Systems, Inc. | |||
| End of changes. 71 change blocks. | ||||
| 198 lines changed or deleted | 262 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||