[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Idr] [Fwd: I-D Action:draft-chen-rfc4893bis-00.txt]

To: Rob Shakir <rjs at eng.gxn.net>
Subject: Re: [Idr] [Fwd: I-D Action:draft-chen-rfc4893bis-00.txt]
From: Enke Chen <enkechen at cisco.com>
Date: Tue, 27 Jan 2009 11:18:01 -0800
Authentication-results: sj-dkim-1; header.From=enkechen at cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Cc: idr <idr at ietf.org>, quaizar.vohra at gmail.com, Jonathan Oddy <jonathan.oddy at hostway.co.uk>
Delivered-to: ietfarch-idr-web-archive at core3.amsl.com
Delivered-to: idr at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=4886; t=1233083882; x=1233947882; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=enkechen at cisco.com; z=From:=20Enke=20Chen=20<enkechen at cisco.com> |Subject:=20Re=3A=20[Idr]=20[Fwd=3A=20I-D=20Action=3Adraft- chen-rfc4893bis-00.txt] |Sender:=20; bh=fQq0B+RvqUfuk5Co8jNdjcDy+KTFE60GyZU2dmP7Cew=; b=F3r9IxfkC7vAq3GqK20L23XUEPJ3JFBokMaoQCGknuqjr/94ktd0OvOG0l 9mZN8vz2Pv/N3xisPXxZYfnkSooeFrhoNxzEHtgLvM8j1Ff5N7gZaOR1lgv1 uzyFs745IhaiVdlD4HXrPGjnRIgWIiK1uBwBCmicUDq9gSrbTp7CQ=;
In-reply-to: <20090127165214.GA27486 at cappuccino.rob.sh>
List-archive: <http://www.ietf.org/pipermail/idr>
List-help: <mailto:idr-request@ietf.org?subject=help>
List-id: Inter-Domain Routing <idr.ietf.org>
List-post: <mailto:idr@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
References: <497B85CC.4010302 at cisco.com> <20090126184849.GA23929 at bronze.eng.gxn.net> <497E4408.8060303 at cisco.com> <20090127004955.GA8673 at bronze.eng.gxn.net> <497E5E71.3020307 at cisco.com> <20090127165214.GA27486 at cappuccino.rob.sh>
Sender: idr-bounces at ietf.org
User-agent: Thunderbird 2.0.0.19 (X11/20081209)

Rob,

Rob Shakir wrote:

On Mon, Jan 26, 2009 at 05:08:01PM -0800, Enke Chen wrote:
The particular error involves "over supply of information" which can berepaired by removing the unnecessary information. At the risk ofrepeating myself, this is a recoverable, non-fatal error. Thetime-tested principle of "be liberal in what you accept" is preciselyfor dealing with this kind of non-fatal errors in protocol design.
We do not agree with your statement that this is "over supply ofinformation" as an AS_CONFED_SET/SEQUENCE is garbage data outside of thenetwork making use of confederations, and infact it could be consideredharmful misinformation if the neighbouring network also makes use ofconfederations.
We do, however, agree that your suggested method for handling thepresence of an AS_CONFED_SET/SEQUENCE is suitable for dealing with thisspecific bug, and comparatively easy to implement. Fom an operationalperspective, this is also probably the best way to deal with thespecific case since there are a large number of JunOS devices deployedthat may to continue to insert AS_CONFED_SET/SEQUENCE into AS4_PATH inthe future.
We therefore accept the new handling of this specific error condition asbeing a necessary evil.


Good.

Section 6 of the new draft defines handling for a general error casewith behaviour that we do not believe is safe. Considering that theAS4_PATH is mechanism for transporting unsupported AS_PATH informationthrough a number of AS4-unaware devices we must bear in mind that thereis a reconciliation process with AS_PATH. Given the role of AS_PATH inloop prevention we feel that general lax treatment of AS4_PATH may haveharmful concequences in the future.
We feel that the general behaviour on an error should be the withdrawalof the path, as discarding the attribute is equivalent in effect todiscarding part of the AS_PATH and may cause loops.

Yes, indeed. A routing loop may (or may not) occur when the AS4_PATHshould carry useful info but is either malformed or is absent.

There is no perfect solution here. There are some tradeoffs, however,between accepting the route and rejecting the route:

o rejecting the route would guarantee disruption (i.e., loss ofconnectivity).o accepting the route would maintain connectivity, but may (or maynot) introduce a routing loop.

Take for example thecase when an BGP speaker in a 32bit AS receiving an invalid AS4_PATHattribute. With the AS4_PATH unreadable and therefore discarded the BGPspeaker cannot know if its AS number was in the path. The only loop freeoptions are:
(a) treat it as a withdrawal
(b) treat any AS_TRANS in the AS_PATH as the local AS
(c) drop the session.
Option c is the behaviour that has led us to needing a change to theRFC, so is obviously unacceptable.


Why is Option C "obviously unacceptable"?

I think the reason is that it would result in loss of connectivity forall the routes over the session, and can be used as a remote attack vehicle.

In the case of a malform AS4_PATH attribute, rejecting the route wouldalso result in the loss of connectivity, and thus can also be used as aremote attack vehicle.


Considering the following factors:

    1) the tradeoffs,
    2) especially the concern for the remote attack,
    3) AS4_PATH being optional,

I believe that what is proposed in the draft (accepting the routes) ismore preferred than rejecting the route.

Admittedly, a malformed AS4_PATH attribute would fall into the categoryof inconsistency and would subject to the risks described in the document:


---------------------------------------------------------------------------------------
9. Security Considerations

  The inconsistency between the AS_PATH attribute and the AS4_PATH
  attribute can create loss of the AS path information, and potential
  routing loops in certain cases as discussed in the document.  This
  could be exploited by an attacker.
---------------------------------------------------------------------------------------

Regards,  -- Enke

Option a and b are equivalent since the AS4_PATH attribute would not bepresent if there wasn't an AS_TRANS in the AS_PATH.
While your "be liberal in what you accept" approach is commendable, andoften an excellent idea, a line does need to be drawn. We cannot andshould not extend the standards with special cases every time someonemakes an implementation error or we risk creating an RFC that's almostimpossible to implement without making further silly mistakes.
Kind regards,
	Jonathan Oddy (Hostway UK)
	Rob Shakir (GX Networks)


_______________________________________________
Idr mailing list
Idr at ietf.org
https://www.ietf.org/mailman/listinfo/idr

Follow-Ups:
- Re: [Idr] [Fwd: I-D Action:draft-chen-rfc4893bis-00.txt]
  - From: Rob Shakir
- Re: [Idr] [Fwd: I-D Action:draft-chen-rfc4893bis-00.txt]
  - From: David Freedman

References:
- [Idr] [Fwd: I-D Action:draft-chen-rfc4893bis-00.txt]
  - From: Enke Chen
- Re: [Idr] [Fwd: I-D Action:draft-chen-rfc4893bis-00.txt]
  - From: Rob Shakir
- Re: [Idr] [Fwd: I-D Action:draft-chen-rfc4893bis-00.txt]
  - From: Enke Chen
- Re: [Idr] [Fwd: I-D Action:draft-chen-rfc4893bis-00.txt]
  - From: Rob Shakir
- Re: [Idr] [Fwd: I-D Action:draft-chen-rfc4893bis-00.txt]
  - From: Enke Chen
- Re: [Idr] [Fwd: I-D Action:draft-chen-rfc4893bis-00.txt]
  - From: Rob Shakir

Prev by Date: Re: [Idr] [Fwd: I-D Action:draft-chen-rfc4893bis-00.txt]
Next by Date: Re: [Idr] [Fwd: I-D Action:draft-chen-rfc4893bis-00.txt]
Previous by thread: Re: [Idr] [Fwd: I-D Action:draft-chen-rfc4893bis-00.txt]
Next by thread: Re: [Idr] [Fwd: I-D Action:draft-chen-rfc4893bis-00.txt]
Index(es):
- Date
- Thread