| < draft-ietf-idr-deprecate-as-set-confed-set-01.txt | draft-ietf-idr-deprecate-as-set-confed-set-02.txt > | |||
|---|---|---|---|---|
| Network Working Group W. Kumari | Network Working Group W. Kumari | |||
| Internet-Draft Google, Inc. | Internet-Draft Google, Inc. | |||
| Obsoletes: 6472 (if approved) K. Sriram | Obsoletes: 6472 (if approved) K. Sriram | |||
| Updates: 4271 5065 (if approved) L. Hannachi | Updates: 4271 5065 (if approved) L. Hannachi | |||
| Intended status: Standards Track USA NIST | Intended status: Standards Track USA NIST | |||
| Expires: May 1, 2020 October 29, 2019 | Expires: May 6, 2020 November 3, 2019 | |||
| Deprecation of AS_SET and AS_CONFED_SET in BGP | Deprecation of AS_SET and AS_CONFED_SET in BGP | |||
| draft-ietf-idr-deprecate-as-set-confed-set-01 | draft-ietf-idr-deprecate-as-set-confed-set-02 | |||
| Abstract | Abstract | |||
| BCP 172 (i.e., RFC 6472) recommends not using AS_SET and | BCP 172 (i.e., RFC 6472) recommends not using AS_SET and | |||
| AS_CONFED_SET in the Border Gateway Protocol. This document advances | AS_CONFED_SET in the Border Gateway Protocol. This document advances | |||
| this recommendation to a standards requirement in BGP; it proscribes | this recommendation to a standards requirement in BGP; it proscribes | |||
| the use of the AS_SET and AS_CONFED_SET types of path segments in the | the use of the AS_SET and AS_CONFED_SET types of path segments in the | |||
| AS_PATH. This is done to simplify the design and implementation of | AS_PATH. This is done to simplify the design and implementation of | |||
| BGP and to make the semantics of the originator of a route clearer. | BGP and to make the semantics of the originator of a route clearer. | |||
| This will also simplify the design, implementation, and deployment of | This will also simplify the design, implementation, and deployment of | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 1, 2020. | This Internet-Draft will expire on May 6, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 | 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Recommendation to Network Operators . . . . . . . . . . . . . 3 | 3. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. Updates to Existing RFCs . . . . . . . . . . . . . . . . . . 4 | 4. Updates to Existing RFCs . . . . . . . . . . . . . . . . . . 4 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 5 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 5 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 5 | 8.2. Informative References . . . . . . . . . . . . . . . . . 5 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 1. Introduction | 1. Introduction | |||
| BCP 172 [RFC6472] makes a recommendation for not using AS_SET (see | BCP 172 [RFC6472] makes a recommendation for not using AS_SET (see | |||
| [RFC4271]) and AS_CONFED_SET (see [RFC5065]) in the Border Gateway | [RFC4271]) and AS_CONFED_SET (see [RFC5065]) in the Border Gateway | |||
| skipping to change at page 3, line 24 ¶ | skipping to change at page 3, line 24 ¶ | |||
| incorrectly -- only a single AS in the AS_SET are by far the most | incorrectly -- only a single AS in the AS_SET are by far the most | |||
| common cases. Also, very often the same AS appears in the | common cases. Also, very often the same AS appears in the | |||
| AS_SEQUENCE and the AS_SET in the BGP update. The occurrence of | AS_SEQUENCE and the AS_SET in the BGP update. The occurrence of | |||
| reserved AS numbers ([IANA-SP-ASN]) is also somewhat frequent. | reserved AS numbers ([IANA-SP-ASN]) is also somewhat frequent. | |||
| Because the aggregation involving AS_SETs is very rarely used, the | Because the aggregation involving AS_SETs is very rarely used, the | |||
| reduction in table size provided by this is extremely small, and any | reduction in table size provided by this is extremely small, and any | |||
| advantage thereof is outweighed by additional complexity in BGP. As | advantage thereof is outweighed by additional complexity in BGP. As | |||
| noted above, AS_SETs also pose impediments to implementation of new | noted above, AS_SETs also pose impediments to implementation of new | |||
| BGP security technologies. | BGP security technologies. | |||
| In the past, AS_SET had been used in a few rare cases to allow route | ||||
| aggregation where two or more providers could form the same aggregate | ||||
| prefix, using the exact match of the other's aggregate prefix in some | ||||
| advertisement and configuring the aggregation differently elsewhere. | ||||
| The key to configuring this correctly was to form the aggregate at | ||||
| the border in the outbound BGP policy and omit prefixes from the AS | ||||
| that the aggregate was being advertised to. The AS_SET therefore | ||||
| allowed this practice without the loss of BGP's AS_PATH loop | ||||
| protection. This use of AS_SET served a purpose that fell in line | ||||
| with the original intended use. Without the use of AS_SET, | ||||
| aggregates must always contain only less-specific prefixes (not less | ||||
| than or equal to) and must never aggregate an exact match. | ||||
| 2. Requirements Language | 2. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 3. Recommendation to Network Operators | 3. Recommendations | |||
| Network operators MUST NOT generate any new announcements containing | BGP speakers conforming to this document (i.e., conformant BGP | |||
| AS_SETs or AS_CONFED_SETs. If they have already announced routes | speakers) MUST NOT locally generate BGP UPDATE messages containing | |||
| with AS_SETs or AS_CONFED_SETs in them, then they MUST withdraw those | AS_SET or AS_CONFED_SET. Conformant BGP speakers SHOULD NOT send BGP | |||
| routes and re-announce routes for the component prefixes (i.e., the | UPDATE messages containing AS_SET or AS_CONFED_SET. Upon receipt of | |||
| more-specific routes subsumed by the previously aggregated route) | such messages, conformant BGP speakers SHOULD use the "Treat-as- | |||
| without AS_SETs or AS_CONFED_SETs in the updates. A sending router | withdraw" error handling behavior as per [RFC7606]. | |||
| MUST not generate a BGP UPDATE with AS_SET or AS_CONFED_SET. A | ||||
| receiving router MUST treat the announced routes in a BGP UPDATE with | ||||
| AS_SET or AS_CONFED_SET as withdrawn routes. | ||||
| If a network operator wishes to consider a BGP UPDATE with AS_SET or | If a network operator wishes to consider BGP UPDATE messages with | |||
| AS_CONFED_SET for path selection, they MAY have a feature (knob) in | AS_SET or AS_CONFED_SET (received from an external peer) for path | |||
| the router to opt to do so. The operator should understand the full | selection, they MAY have a feature (knob) in their BGP speaker to opt | |||
| implications of choosing this option. | to do so on a per peer basis. The operator should understand the | |||
| full implications of choosing this option. There is no knob | ||||
| concerning locally generated BGP UPDATE messages, i.e., as stated | ||||
| before a conformant BGP speaker must not locally generate BGP UPDATE | ||||
| messages with AS_SET or AS_CONFED_SET. | ||||
| Route aggregation that was previously performed by proxy aggregation | Network operators MUST NOT locally generate any new announcements | |||
| without the use of AS_SETs is still possible under some conditions. | containing AS_SET or AS_CONFED_SET. If they have announced routes | |||
| When doing this, operators MUST form the aggregate at the border in | with AS_SET or AS_CONFED_SET in them, then they SHOULD withdraw those | |||
| the outbound BGP policy and omit any prefixes from the AS that the | routes and re-announce routes for the aggregate or component prefixes | |||
| aggregate is being advertised to. As with any change, the operator | (i.e., the more-specific routes subsumed by the previously aggregated | |||
| should understand the full implications of the change. | route) without AS_SET or AS_CONFED_SET in the updates. | |||
| It is worth noting that new BGP security technologies (such as those | It is worth noting that new BGP security technologies (such as those | |||
| that take advantage of X.509 extensions for IP addresses and AS | that take advantage of X.509 extensions for IP addresses and AS | |||
| identifiers [RFC3779] [RFC6480] [RFC6811] [RFC8205]) might not | identifiers [RFC3779] [RFC6480] [RFC6811] [RFC8205]) might not | |||
| support routes with AS_SETs/AS_CONFED_SETs in them, and may treat | support routes with AS_SET or AS_CONFED_SET in them, and may treat | |||
| routes containing them as infeasible even before the updated BGP in | routes containing them as infeasible even before the updated BGP in | |||
| this document is implemented. | this document is implemented. | |||
| 4. Updates to Existing RFCs | 4. Updates to Existing RFCs | |||
| This document eliminates AS_PATH segment type 1, namely, AS_SET that | This document deprecates the AS_SET (type 1) AS_PATH segment type | |||
| is specified in Section 4.3 of [RFC4271]. That is, in a future | from [RFC4271]. BGP speakers conforming to this document (i.e., | |||
| specification of BGP -- one that would obsolete RFC 4271 -- the use | conformant BGP speakers) MUST NOT locally generate BGP UPDATE | |||
| of AS_SET will not be specified. | messages containing AS_SET. Conformant BGP speakers SHOULD NOT send | |||
| BGP UPDATE messages containing AS_SET. Upon receipt of such | ||||
| messages, conformant BGP speakers SHOULD use the "Treat-as-withdraw" | ||||
| error handling behavior as per [RFC7606]. | ||||
| This document also eliminates AS_PATH segment type 4, namely, | This document deprecates the AS_CONFED_SET (type 4) AS_PATH segment | |||
| AS_CONFED_SET that is specified in Section 3 of [RFC5065]. That is, | type from [RFC5065]. Conformant BGP speakers MUST NOT locally | |||
| in a future specification of Autonomous System Confederations for BGP | generate BGP UPDATE messages containing AS_CONFED_SET. Conformant | |||
| -- one that would obsolete RFC 5065 -- the use of AS_CONFED_SET will | BGP speakers SHOULD NOT send BGP UPDATE messages containing | |||
| not be specified. | AS_CONFED_SET. Upon receipt of such messages, conformant BGP | |||
| speakers SHOULD use the "Treat-as-withdraw" error handling behavior | ||||
| as per [RFC7606]. | ||||
| Wherever mentions of AS_SET or AS_CONFED_SET occur in [RFC4271] and | ||||
| [RFC5065], appropriate modification or elimination of the text must | ||||
| be made in future RFCs that would replace these RFCs, consistent with | ||||
| the deprecation of AS_SET and AS_CONFED_SET. | ||||
| 5. Security Considerations | 5. Security Considerations | |||
| This document obsoletes the use of aggregation techniques that create | This document obsoletes the use of aggregation techniques that create | |||
| AS_SETs or AS_CONFED_SETs. Obsoleting these path segment types from | AS_SETs or AS_CONFED_SETs. Obsoleting these path segment types from | |||
| BGP and removal of the related code from implementations would | BGP and removal of the related code from implementations would | |||
| potentially decrease the attack surface for BGP. Deployments of new | potentially decrease the attack surface for BGP. Deployments of new | |||
| BGP security technologies [RFC6480] [RFC6811] [RFC8205] benefit | BGP security technologies [RFC6480] [RFC6811] [RFC8205] benefit | |||
| greatly if AS_SET and AS_CONFED_SET are not used in BGP. | greatly if AS_SET and AS_CONFED_SET are not used in BGP. | |||
| skipping to change at page 6, line 24 ¶ | skipping to change at page 6, line 19 ¶ | |||
| [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support | [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support | |||
| Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, | Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, | |||
| February 2012, <https://www.rfc-editor.org/info/rfc6480>. | February 2012, <https://www.rfc-editor.org/info/rfc6480>. | |||
| [RFC6811] Mohapatra, P., Scudder, J., Ward, D., Bush, R., and R. | [RFC6811] Mohapatra, P., Scudder, J., Ward, D., Bush, R., and R. | |||
| Austein, "BGP Prefix Origin Validation", RFC 6811, | Austein, "BGP Prefix Origin Validation", RFC 6811, | |||
| DOI 10.17487/RFC6811, January 2013, | DOI 10.17487/RFC6811, January 2013, | |||
| <https://www.rfc-editor.org/info/rfc6811>. | <https://www.rfc-editor.org/info/rfc6811>. | |||
| [RFC7606] Chen, E., Ed., Scudder, J., Ed., Mohapatra, P., and K. | ||||
| Patel, "Revised Error Handling for BGP UPDATE Messages", | ||||
| RFC 7606, DOI 10.17487/RFC7606, August 2015, | ||||
| <https://www.rfc-editor.org/info/rfc7606>. | ||||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8205] Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol | [RFC8205] Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol | |||
| Specification", RFC 8205, DOI 10.17487/RFC8205, September | Specification", RFC 8205, DOI 10.17487/RFC8205, September | |||
| 2017, <https://www.rfc-editor.org/info/rfc8205>. | 2017, <https://www.rfc-editor.org/info/rfc8205>. | |||
| Authors' Addresses | Authors' Addresses | |||
| End of changes. 14 change blocks. | ||||
| 48 lines changed or deleted | 51 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||