Re: [Idr] I-D ACTION:draft-ietf-idr-bgp-identifier-09.txt
> -----Original Message-----
> From: idr-bounces at ietf.org [mailto:idr-bounces at ietf.org] On
> Behalf Of Internet-Drafts at ietf.org
> Sent: Tuesday, May 13, 2008 7:45 PM
> To: i-d-announce at ietf.org
> Cc: idr at ietf.org
> Subject: [Idr] I-D ACTION:draft-ietf-idr-bgp-identifier-09.txt
>
> A New Internet-Draft is available from the on-line
> Internet-Drafts directories.
I've looked at the draft and in its current state there are potential
problems with sections 2.3 and 4, as follows:
Consider an existing iBGP session within AS-A where the identifier of the
remote side is X, and then a new session connection comes from AS-B but
also having BGP identifier X. If AS-B is numerically larger than
AS-A, then according to section 2.3 of the draft the iBGP session towards
the router with id X should be closed. This is a security issue - an attacker
with a high AS number could deliberately set the router-id to be the same as some
other router of a peering network (they may or may not be penalised for
this but perhaps they want to do it anyway), effectively causing
shutdown of an iBGP session in the remote AS. Nevertheless, section 4 of the
draft says that security issues are not changed by the draft - I believe
they are, and they make the protocol weaker than the original spec.
If it's necessary to relax the BGP ID definition and have it unique only
locally within a given AS, then in all collision detections the BGP ID should
only be compared when the ASNs are equal. If two sessions have the same BGP ID on
the remote end but each with a different ASN, then they should be considered
as different routers.
Kind regards,
iLya
_______________________________________________
Idr mailing list
Idr at ietf.org
https://www.ietf.org/mailman/listinfo/idr
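The scenario in the message above, as an added worked example that is not part of the original post or of the draft: a small model of the collision check under the two comparison policies the message contrasts (BGP Identifier compared on its own, versus compared only when the remote AS numbers are equal). The AS numbers, the identifier value X, and the tie-break (the connection from the numerically larger AS wins and the existing session is closed) are constructed to follow the description in the message; they are assumptions, not quotations of the draft text.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

# Constructed values for the scenario in the message (not from the draft).
AS_A = 64500            # the local AS, holding the existing iBGP session
AS_B = 64501            # a remote AS numerically larger than AS-A
BGP_ID_X = 0xC0A80001   # 192.168.0.1 as a 32-bit BGP Identifier, "X"


class Policy(Enum):
    ID_ONLY = "compare BGP Identifier only (reading of section 2.3 in the message)"
    ASN_SCOPED = "compare BGP Identifier only when the ASNs are equal (proposed rule)"


class Outcome(Enum):
    NO_COLLISION = "no collision, new session accepted"
    CLOSE_EXISTING = "existing session closed, new connection accepted"
    REJECT_NEW = "new connection refused, existing session kept"


@dataclass(frozen=True)
class Peer:
    asn: int       # remote AS number
    bgp_id: int    # remote BGP Identifier (32-bit)


@dataclass
class Session:
    peer: Peer
    established: bool = True


def same_router(existing: Peer, incoming: Peer, policy: Policy) -> bool:
    """Decide whether two remote peers count as the same router for collision purposes."""
    if existing.bgp_id != incoming.bgp_id:
        return False
    if policy is Policy.ASN_SCOPED:
        # Identifier is only unique within one AS: different ASN means different router.
        return existing.asn == incoming.asn
    return True


def handle_open(sessions: List[Session], incoming: Peer,
                policy: Policy) -> Tuple[Outcome, Optional[Session]]:
    """Process an incoming OPEN against the established sessions.

    Tie-break on collision is an assumption modelled on the message: the side
    with the numerically larger AS number wins, so the existing session is
    closed when the newcomer's ASN is larger, otherwise the newcomer is refused.
    """
    for sess in sessions:
        if not sess.established:
            continue
        if same_router(sess.peer, incoming, policy):
            if incoming.asn > sess.peer.asn:
                sess.established = False
                return Outcome.CLOSE_EXISTING, sess
            return Outcome.REJECT_NEW, sess
    sessions.append(Session(incoming))
    return Outcome.NO_COLLISION, None


def attack_scenario(policy: Policy, attacker_asn: int = AS_B) -> Outcome:
    """iBGP session to router X inside AS-A, then an OPEN from another AS claiming id X."""
    sessions = [Session(Peer(AS_A, BGP_ID_X))]       # legitimate iBGP peer in AS-A
    attacker = Peer(attacker_asn, BGP_ID_X)           # spoofed router-id from AS-B
    outcome, _ = handle_open(sessions, attacker, policy)
    return outcome


def genuine_duplicate(policy: Policy) -> Outcome:
    """Two routers inside AS-A both using id X: the case the check exists for."""
    sessions = [Session(Peer(AS_A, BGP_ID_X))]
    outcome, _ = handle_open(sessions, Peer(AS_A, BGP_ID_X), policy)
    return outcome


if __name__ == "__main__":
    for policy in Policy:
        print(f"{policy.name:10s} OPEN from AS {AS_B} with id X: {attack_scenario(policy).value}")
        print(f"{policy.name:10s} duplicate id X inside AS {AS_A}: {genuine_duplicate(policy).value}")
```

Under ID_ONLY the spoofed OPEN from the larger AS tears down the legitimate iBGP session; under ASN_SCOPED it is simply treated as a different router and a real duplicate inside AS-A is still caught, which is the behaviour the message argues for.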