--- 1/draft-ietf-idr-ix-bgp-route-server-11.txt 2016-06-30 09:15:56.835366487 -0700 +++ 2/draft-ietf-idr-ix-bgp-route-server-12.txt 2016-06-30 09:15:56.863367187 -0700 @@ -1,51 +1,51 @@ IDR Working Group E. Jasinska Internet-Draft BigWave IT Intended status: Standards Track N. Hilliard -Expires: December 12, 2016 INEX +Expires: January 1, 2017 INEX R. Raszuk Bloomberg LP N. Bakker Akamai Technologies B.V. - June 10, 2016 + June 30, 2016 Internet Exchange BGP Route Server - draft-ietf-idr-ix-bgp-route-server-11 + draft-ietf-idr-ix-bgp-route-server-12 Abstract This document outlines a specification for multilateral interconnections at Internet exchange points (IXPs). Multilateral - interconnection is a method of exchanging routing information between + interconnection is a method of exchanging routing information among three or more external BGP speakers using a single intermediate broker system, referred to as a route server. Route servers are typically used on shared access media networks, such as Internet exchange points (IXPs), to facilitate simplified interconnection - between multiple Internet routers. + among multiple Internet routers. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on December 12, 2016. + This Internet-Draft will expire on January 1, 2017. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -57,89 +57,91 @@ Table of Contents 1. Introduction to Multilateral Interconnection . . . . . . . . 2 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3 2. Technical Considerations for Route Server Implementations . . 3 2.1. Client UPDATE Messages . . . . . . . . . . . . . . . . . 4 2.2. Attribute Transparency . . . . . . . . . . . . . . . . . 4 2.2.1. NEXT_HOP Attribute . . . . . . . . . . . . . . . . . 4 2.2.2. AS_PATH Attribute . . . . . . . . . . . . . . . . . . 4 + 2.2.2.1. Route Server AS_PATH management . . . . . . . . . 5 + 2.2.2.2. Route Server client AS_PATH management . . . . . 5 2.2.3. MULTI_EXIT_DISC Attribute . . . . . . . . . . . . . . 5 2.2.4. Communities Attributes . . . . . . . . . . . . . . . 5 - 2.3. Per-Client Policy Control in Multilateral Interconnection 5 + 2.3. Per-Client Policy Control in Multilateral Interconnection 6 2.3.1. Path Hiding on a Route Server . . . . . . . . . . . . 6 2.3.2. Mitigation of Path Hiding . . . . . . . . . . . . . . 7 2.3.2.1. Multiple Route Server RIBs . . . . . . . . . . . 7 - 2.3.2.2. Advertising Multiple Paths . . . . . . . . . . . 7 - 2.3.3. Implementation Suggestions . . . . . . . . . . . . . 8 + 2.3.2.2. Advertising Multiple Paths . . . . . . . . . . . 8 + 2.3.3. Implementation Suggestions . . . . . . . . . . . . . 9 3. Security Considerations . . . . . . . . . . . . . . . . . . . 9 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 6.1. Normative References . . . . . . . . . . . . . . . . . . 10 6.2. Informative References . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction to Multilateral Interconnection Internet exchange points (IXPs) provide IP data interconnection facilities for their participants, typically using shared Layer-2 networking media such as Ethernet. The Border Gateway Protocol (BGP) [RFC4271], an inter-Autonomous System routing protocol, is commonly used to facilitate exchange of network reachability information over such media. While bilateral external BGP sessions between exchange participants were previously the most common means of exchanging reachability information, the overhead associated with dense interconnection can - cause substantial operational scaling problems for partipants of + cause substantial operational scaling problems for participants of larger Internet exchange points. Multilateral interconnection is a method of interconnecting BGP speaking routers using a third party brokering system, commonly referred to as a route server and typically managed by the IXP - operator. Each of the multilateral interconnection participants - (usually referred to as route server clients) announces network - reachability information to the route server using external BGP, and - the route server in turn forwards this information to each other - route server client connected to it, according to its configuration. + operator. Each multilateral interconnection participant (usually + referred to as a "route server client") announces network + reachability information to the route server using external BGP. The + route server, in turn, forwards this information to each other route + server client connected to it, according to its configuration. Although a route server uses BGP to exchange reachability information with each of its clients, it does not forward traffic itself and is therefore not a router. A route server can be viewed as similar in function to an [RFC4456] route reflector, except that it operates using EBGP instead of iBGP. Certain adaptions to [RFC4271] are required to enable an EBGP router to operate as a route server; these are outlined in Section 2 of this document. Route server functionality is not mandatory in BGP - implementations.`` + implementations. The term "route server" is often in a different context used to describe a BGP node whose purpose is to accept BGP feeds from multiple clients for the purpose of operational analysis and troubleshooting. A system of this form may alternatively be known as a "route collector" or a "route-views server". This document uses the term "route server" exclusively to describe multilateral peering brokerage systems. 1.1. Notational Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Technical Considerations for Route Server Implementations A route server uses the [RFC4271] Border Gateway Protocol to broker - network reachability information between its clients. There are some + network reachability information amongst its clients. There are some differences between the behaviour of a BGP route server and a BGP implementation which is strictly compliant with [RFC4271]. These differences are described as follows. 2.1. Client UPDATE Messages A route server MUST accept all UPDATE messages received from each of its clients for inclusion in its Adj-RIB-In. These UPDATE messages MAY be omitted from the route server's Loc-RIB or Loc-RIBs, due to filters configured for the purposes of implementing routing policy. @@ -175,28 +177,35 @@ actual routing of traffic, the NEXT_HOP attribute MUST be passed unmodified to the route server clients, similar to the "third party" next hop feature described in section 5.1.3. of [RFC4271]. 2.2.2. AS_PATH Attribute AS_PATH is a well-known mandatory attribute which identifies the autonomous systems through which routing information carried in the UPDATE message has passed. +2.2.2.1. Route Server AS_PATH management + As a route server does not participate in the process of forwarding data between client routers, and because modification of the AS_PATH attribute could affect route server client BGP Decision Process, the route server SHOULD NOT prepend its own AS number to the AS_PATH segment nor modify the AS_PATH segment in any other way. This differs from the behaviour specified in section 5.1.2 of [RFC4271], which requires that the BGP speaker prepends its own AS number as the - last element of the AS_PATH segment. + last element of the AS_PATH segment. This is a recommendation rather + than a requirement solely to provide backwards compatibility with + legacy route server client implementations which do not yet support + the requirements specified in Section 2.2.2.2. + +2.2.2.2. Route Server client AS_PATH management In contrast to what is recommended in section 6.3 of [RFC4271], route server clients need to be able to accept UPDATE messages where the leftmost AS in the AS_PATH attribute is not equal to the AS number of the route server that sent the UPDATE message. If the route server client BGP system has implemented a check for this, the BGP implementation MUST allow this check to be disabled and SHOULD allow the check to be disabled on a per-peer basis. 2.2.3. MULTI_EXIT_DISC Attribute @@ -248,21 +257,23 @@ : / \ | : : ___/____\_|_ : : / \ / \ : ..| AS3 |..| AS4 |.. \___/ \___/ Figure 1: Per-Client Policy Controlled Interconnection at an IXP Using the example in Figure 1, AS1 does not directly exchange prefix information with either AS2 or AS3 at the IXP, but only interconnects - with AS4. + with AS4. The lines between AS1, AS2, AS3 and AS4 represent + interconnection relationships, whether via bilateral or multilateral + connections. In the traditional bilateral interconnection model, per-client policy control to a third party exchange participant is accomplished either by not engaging in a bilateral interconnection with that participant or else by implementing outbound filtering on the BGP session towards that participant. However, in a multilateral interconnection environment, only the route server can perform outbound filtering in the direction of the route server client; route server clients depend on the route server to perform their outbound filtering for them. @@ -281,32 +292,32 @@ to the BGP Decision Process on the route server, but AS2's policy prevented the route server from sending the path to AS1, then AS1 would never receive a path to this prefix, even though the route server had previously received a valid alternative path via AS4. This happens because the BGP Decision Process is performed only once on the route server for all clients. Path hiding will only occur on route servers which employ per-client policy control; if an IXP operator deploys a route server without implementing a per-client routing policy control system, then path - hiding does not occur as all paths are considered equally valid from + hiding does not occur, as all paths are considered equally valid from the point of view of the route server. 2.3.2. Mitigation of Path Hiding There are several approaches which can be taken to mitigate against path hiding. 2.3.2.1. Multiple Route Server RIBs The most portable method to allow for per-client policy control - without the occurrence of path hiding, is by using a route server BGP + without the occurrence of path hiding, is to use a route server BGP implementation which performs the per-client best path calculation for each set of paths to a prefix, which results after the route server's client policies have been taken into consideration. This can be implemented by using per-client Loc-RIBs, with path filtering implemented between the Adj-RIB-In and the per-client Loc-RIB. Implementations can optimize this by maintaining paths not subject to filtering policies in a global Loc-RIB, with per-client Loc-RIBs stored as deltas. This implementation is highly portable, as it makes no assumptions @@ -382,25 +393,25 @@ operators should be aware that security issues may arise unless steps are taken to mitigate against path hiding. The AS_PATH check described in Section 2.2.2 is normally enabled in order to check for malformed AS paths. If this check is disabled, the route server client loses the ability to check incoming UPDATE messages for certain categories of problems. This could potentially cause corrupted BGP UPDATE messages to be propagated where they might not be propagated if the check were enabled. Regardless of any problems relating to malformed UPDATE messages, this check is also - used to detect BGP loops, so removing the check could potentially - cause routing loops to be formed. Consequently, this check SHOULD - NOT be disabled by IXP participants unless it is needed to establish - BGP sessions with a route server, and if possible should only be - disabled for peers which are route servers. + used to detect BGP loops; removing the check could potentially cause + routing loops to be formed. Consequently, this check SHOULD NOT be + disabled by IXP participants unless it is needed to establish BGP + sessions with a route server, and if possible should only be disabled + for peers which are route servers. Route server operators should carefully consider the security practices discussed in [RFC7454], "BGP Operations and Security". 4. IANA Considerations The new set of mechanisms for route servers does not require any new allocations from IANA. 5. Acknowledgments