idnits 2.17.1 draft-bashir-idr-inter-provider-flowspec-actions-00.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
== The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 1) being 123 lines

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** There are 24 instances of too long lines in the document, the longest one being 150 characters in excess of 72.
** There are 8 instances of lines with control characters in the document.
-- The draft header indicates that this document updates RFC5575, but the abstract doesn't seem to mention this, which it should.

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not match the current year
== Line 61 has weird spacing: '... source prefi...'
(Using the creation date from RFC5575, updated by this document, for RFC5378 checks: 2007-08-15)
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.)
-- The document date (12 December 2016) is 2691 days in the past. Is this intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)
-- Missing reference section? '2' on line 80 looks like a reference
-- Missing reference section? 'RFC 7674' on line 90 looks like a reference
-- Missing reference section? 'RFC5575' on line 92 looks like a reference

Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 6 comments (--).

Run idnits with the --verbose option for more detailed information about the items above.
--------------------------------------------------------------------------------

Internet Engineering Task Force                                  Ahmed Bashir
Internet-Draft                                               12 December 2016
Updates: 5575 (if approved)
Intended status: Standards Track
Expires: December 12, 2017

Inter-provider Propagation of BGP Flow specification Rules
draft-bashir-idr-inter-provider-flowspec-actions-00

Abstract

This document describes a mechanism to propagate and handle flowspec messages beyond adjacent flowspec address family peers. The message propagation and handling techniques described in this draft allow the filtering actions to be taken at the point nearest to the origin of a DDoS attack.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

1. Introduction

For BGP Flowspec, the (AFI, SAFI) pairs allocated by IANA are (1, 133) for IPv4 and (1, 134) for VPNv4. Flowspec message handling, however, depends on the semantics derived from the (AFI, SAFI) pair. This limits its "transitivity" to BGP peers within the same Subsequent Address Family, unlike unicast routing, which is propagated all over the Internet. The original motivation of mitigating DDoS attacks is in turn limited by the capabilities of the hardware on which the flowspec filtering actions are applied.

2. Proposed Flowspec Message Handling Process

Message Originator:
- The initiating router sends a flowspec message with the destination prefix embedded in the flow specification along with the other parameters (source prefix and action).
- The initiator should also add a special transitive extended community.

Intra-AS peers:
- Intra-AS peers configured under the flowspec address family should be instructed by the special community to propagate the update as a BGP unicast update to ordinary BGPv4 adjacent peers.

Intermediary/Terminal Routers:
- Upon receiving the flowspec-BGP update message from a neighbor as a unicast BGP update, the source prefix embedded in the flowspec rule should be examined against the BGP table.
- If the AS path that corresponds to the longest prefix match in the BGP table is not empty, the update message should be further propagated.
- If the AS path is empty, the flowspec filtering action should be installed on that router.

The logical explanation is that BGP routes with an empty AS-Path are injected into BGP from within the local AS.

In simple words, the flowspec rule will be propagated until it reaches the point nearest to the attack origin, and the filtering actions will be installed there.

3. Operational Considerations

Apart from the obvious requirement that BGP implementations should be able to handle and propagate the proposed flowspec message encodings, there is one consideration from a design and implementation perspective: when routers receive the proposed flowspec update messages, they should not initiate any path recalculation based on the messages being received. In a large-scale attack, such behavior can lead to unpredictable instability.

4. Security Considerations

Citing RFC 5575: "A flow specification NLRI must be validated such that it is considered feasible if and only if: a) The originator of the flow specification matches the originator of the best-match unicast route for the destination prefix embedded in the flow specification...". The precautionary procedure of accepting an incoming flowspec rule aims to verify that the origin of the flowspec route is an authorized source. If the rule is not validated, an attacker can carry out a new DoS attack by advertising a flowspec route to filter traffic owned by any service provider to any destination. In intra-provider flowspec deployments, there are efforts [2] to revise the validation procedures to allow centralized client-server deployment models. This allows a server to populate and send flowspec routes even if it is not the best path for the unicast route advertised in the flowspec rule.
In our proposed model, which aims to disseminate flowspec rules across provider boundaries, it is crucial to retain the precautionary validation procedures specified in RFC 5575.

5. IANA Considerations

TBD

6. References

[RFC 7674] Haas, J., Ed., "Clarification of the Flowspec Redirect Extended Community", RFC 7674, DOI 10.17487/RFC7674, October 2015.

[RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J., and D. McPherson, "Dissemination of Flow Specification Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009,

Author's Address

Ahmed Bashir
+971 50 1192280
Dubai
UAE

Email: amdbasheir@gmail.com
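The following added example (written for this page; it is not code from the draft or from any BGP implementation) simulates in Python the receive-side handling of Section 2 together with the RFC 5575 origin check quoted in Section 4, run against a constructed unicast BGP table. The route and rule field names, the `inter_provider` flag standing in for the draft's unnamed transitive extended community, the "local" originator label, and the treatment of a source prefix with no covering route are all assumptions made for the illustration.

```python
"""Simulate a router receiving an inter-provider flowspec update:
1) apply RFC 5575 condition (a) to the destination prefix,
2) look up the rule's source prefix in the unicast table and
   propagate (non-empty AS path) or install locally (empty AS path).
Constructed example; field names and the no-route case are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class UnicastRoute:
    """One best-path entry of the unicast BGP table (constructed format)."""
    prefix: str
    as_path: List[int]      # [] means the route was injected from within the local AS
    originator: str         # neighbour the best path was learned from ("local" if ours)


@dataclass
class FlowspecRule:
    """A received flowspec NLRI plus the attributes the draft relies on."""
    dst_prefix: str
    src_prefix: str
    action: str             # e.g. "traffic-rate:0" (discard)
    originator: str         # neighbour that advertised the rule to us
    inter_provider: bool = False   # True when the special transitive extended community is present


def longest_prefix_match(table: List[UnicastRoute], prefix: str) -> Optional[UnicastRoute]:
    """Return the most specific table entry that covers the whole given prefix."""
    target = ipaddress.ip_network(prefix, strict=False)
    best: Optional[UnicastRoute] = None
    best_len = -1
    for route in table:
        net = ipaddress.ip_network(route.prefix, strict=False)
        if net.version == target.version and target.subnet_of(net) and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def feasible_rfc5575(rule: FlowspecRule, table: List[UnicastRoute]) -> bool:
    """RFC 5575 condition (a), the one the draft quotes: the rule's originator must
    be the originator of the best-match unicast route for the destination prefix.
    Condition (b) of RFC 5575 (more-specific routes from other ASes) is not modelled."""
    best = longest_prefix_match(table, rule.dst_prefix)
    return best is not None and best.originator == rule.originator


def handle_update(rule: FlowspecRule, table: List[UnicastRoute]) -> str:
    """Decide what this router does with a received rule: 'reject', 'install' or 'propagate'."""
    if not feasible_rfc5575(rule, table):
        return "reject"          # fails the origin check: neither acted on nor forwarded
    if not rule.inter_provider:
        return "install"         # ordinary RFC 5575 rule: act locally only
    best_src = longest_prefix_match(table, rule.src_prefix)
    if best_src is None or not best_src.as_path:
        # Empty AS path: the source prefix is injected from the local AS, so this
        # router is the nearest point to the attack origin.  (A source prefix with
        # no covering route is not covered by the draft; treating it like the
        # local case, i.e. filtering here, is an assumption of this example.)
        return "install"
    return "propagate"           # the source lies further along the AS path


# Constructed unicast table of a transit router between a victim and an upstream.
TABLE = [
    UnicastRoute("203.0.113.0/24", [64510], "peer-victim"),      # victim prefix via customer AS 64510
    UnicastRoute("198.51.100.0/24", [64500, 64501], "peer-up"),  # attack source, two ASes away
    UnicastRoute("198.51.100.128/25", [], "local"),               # more specific, originated locally
    UnicastRoute("0.0.0.0/0", [64499], "peer-up"),                # default route
]


def demo() -> List[str]:
    """Run four constructed rules through the router and return the decisions."""
    rules = [
        FlowspecRule("203.0.113.0/24", "198.51.100.0/24", "traffic-rate:0", "peer-victim", True),
        FlowspecRule("203.0.113.0/24", "198.51.100.128/25", "traffic-rate:0", "peer-victim", True),
        FlowspecRule("203.0.113.0/24", "198.51.100.0/24", "traffic-rate:0", "peer-up", True),
        FlowspecRule("203.0.113.0/24", "198.51.100.0/24", "traffic-rate:0", "peer-victim", False),
    ]
    return [handle_update(r, TABLE) for r in rules]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The third rule is the case Section 4 warns about: it targets the victim's prefix but comes from a neighbour that does not originate the best unicast path for it, so it is rejected before the propagation logic is ever consulted. The first two rules differ only in how specific the source prefix is; the /25 is originated locally (empty AS path), so the filter is installed on this router, while the /24 is two ASes upstream and the rule is forwarded.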