idnits 2.17.1 draft-ietf-idr-ix-bgp-route-server-12.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 30, 2016) is 2856 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 1863 (Obsoleted by RFC 4223) Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IDR Working Group E. Jasinska 3 Internet-Draft BigWave IT 4 Intended status: Standards Track N. Hilliard 5 Expires: January 1, 2017 INEX 6 R. Raszuk 7 Bloomberg LP 8 N. Bakker 9 Akamai Technologies B.V. 10 June 30, 2016 12 Internet Exchange BGP Route Server 13 draft-ietf-idr-ix-bgp-route-server-12 15 Abstract 17 This document outlines a specification for multilateral 18 interconnections at Internet exchange points (IXPs). Multilateral 19 interconnection is a method of exchanging routing information among 20 three or more external BGP speakers using a single intermediate 21 broker system, referred to as a route server. Route servers are 22 typically used on shared access media networks, such as Internet 23 exchange points (IXPs), to facilitate simplified interconnection 24 among multiple Internet routers. 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at http://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on January 1, 2017. 43 Copyright Notice 45 Copyright (c) 2016 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (http://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction to Multilateral Interconnection . . . . . . . . 2 61 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3 62 2. Technical Considerations for Route Server Implementations . . 3 63 2.1. Client UPDATE Messages . . . . . . . . . . . . . . . . . 4 64 2.2. Attribute Transparency . . . . . . . . . . . . . . . . . 4 65 2.2.1. NEXT_HOP Attribute . . . . . . . . . . . . . . . . . 4 66 2.2.2. AS_PATH Attribute . . . . . . . . . . . . . . . . . . 4 67 2.2.2.1. Route Server AS_PATH management . . . . . . . . . 5 68 2.2.2.2. Route Server client AS_PATH management . . . . . 5 69 2.2.3. MULTI_EXIT_DISC Attribute . . . . . . . . . . . . . . 5 70 2.2.4. Communities Attributes . . . . . . . . . . . . . . . 5 71 2.3. Per-Client Policy Control in Multilateral Interconnection 6 72 2.3.1. Path Hiding on a Route Server . . . . . . . . . . . . 6 73 2.3.2. Mitigation of Path Hiding . . . . . . . . . . . . . . 7 74 2.3.2.1. Multiple Route Server RIBs . . . . . . . . . . . 7 75 2.3.2.2. Advertising Multiple Paths . . . . . . . . . . . 8 76 2.3.3. Implementation Suggestions . . . . . . . . . . . . . 9 77 3. Security Considerations . . . . . . . . . . . . . . . . . . . 9 78 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 79 5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 80 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 81 6.1. Normative References . . . . . . . . . . . . . . . . . . 10 82 6.2. Informative References . . . . . . . . . . . . . . . . . 10 83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 85 1. Introduction to Multilateral Interconnection 87 Internet exchange points (IXPs) provide IP data interconnection 88 facilities for their participants, typically using shared Layer-2 89 networking media such as Ethernet. The Border Gateway Protocol (BGP) 90 [RFC4271], an inter-Autonomous System routing protocol, is commonly 91 used to facilitate exchange of network reachability information over 92 such media. 94 While bilateral external BGP sessions between exchange participants 95 were previously the most common means of exchanging reachability 96 information, the overhead associated with dense interconnection can 97 cause substantial operational scaling problems for participants of 98 larger Internet exchange points. 100 Multilateral interconnection is a method of interconnecting BGP 101 speaking routers using a third party brokering system, commonly 102 referred to as a route server and typically managed by the IXP 103 operator. Each multilateral interconnection participant (usually 104 referred to as a "route server client") announces network 105 reachability information to the route server using external BGP. The 106 route server, in turn, forwards this information to each other route 107 server client connected to it, according to its configuration. 108 Although a route server uses BGP to exchange reachability information 109 with each of its clients, it does not forward traffic itself and is 110 therefore not a router. 112 A route server can be viewed as similar in function to an [RFC4456] 113 route reflector, except that it operates using EBGP instead of iBGP. 114 Certain adaptions to [RFC4271] are required to enable an EBGP router 115 to operate as a route server; these are outlined in Section 2 of this 116 document. Route server functionality is not mandatory in BGP 117 implementations. 119 The term "route server" is often in a different context used to 120 describe a BGP node whose purpose is to accept BGP feeds from 121 multiple clients for the purpose of operational analysis and 122 troubleshooting. A system of this form may alternatively be known as 123 a "route collector" or a "route-views server". This document uses 124 the term "route server" exclusively to describe multilateral peering 125 brokerage systems. 127 1.1. Notational Conventions 129 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 130 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 131 "OPTIONAL" in this document are to be interpreted as described in 132 [RFC2119]. 134 2. Technical Considerations for Route Server Implementations 136 A route server uses the [RFC4271] Border Gateway Protocol to broker 137 network reachability information amongst its clients. There are some 138 differences between the behaviour of a BGP route server and a BGP 139 implementation which is strictly compliant with [RFC4271]. These 140 differences are described as follows. 142 2.1. Client UPDATE Messages 144 A route server MUST accept all UPDATE messages received from each of 145 its clients for inclusion in its Adj-RIB-In. These UPDATE messages 146 MAY be omitted from the route server's Loc-RIB or Loc-RIBs, due to 147 filters configured for the purposes of implementing routing policy. 148 The route server SHOULD perform one or more BGP Decision Processes to 149 select routes for subsequent advertisement to its clients, taking 150 into account possible configuration to provide multiple NLRI paths to 151 a particular client as described in Section 2.3.2.2 or multiple Loc- 152 RIBs as described in Section 2.3.2.1. The route server SHOULD 153 forward UPDATE messages from its Loc-RIB or Loc-RIBs to its clients 154 as determined by local policy. 156 2.2. Attribute Transparency 158 As a route server primarily performs a brokering service, 159 modification of attributes could cause route server clients to alter 160 their BGP Decision Process for received prefix reachability 161 information, thereby changing the intended routing policies of 162 exchange participants. Therefore, contrary to what is specified in 163 section 5. of [RFC4271], route servers SHOULD NOT by default (unless 164 explicitly configured) update well-known BGP attributes received from 165 route server clients before redistributing them to their other route 166 server clients. Optional recognized and unrecognized BGP attributes, 167 whether transitive or non-transitive, SHOULD NOT be updated by the 168 route server (unless enforced by local IXP operator configuration) 169 and SHOULD be passed on to other route server clients. 171 2.2.1. NEXT_HOP Attribute 173 The NEXT_HOP is a well-known mandatory BGP attribute which defines 174 the IP address of the router used as the next hop to the destinations 175 listed in the Network Layer Reachability Information field of the 176 UPDATE message. As the route server does not participate in the 177 actual routing of traffic, the NEXT_HOP attribute MUST be passed 178 unmodified to the route server clients, similar to the "third party" 179 next hop feature described in section 5.1.3. of [RFC4271]. 181 2.2.2. AS_PATH Attribute 183 AS_PATH is a well-known mandatory attribute which identifies the 184 autonomous systems through which routing information carried in the 185 UPDATE message has passed. 187 2.2.2.1. Route Server AS_PATH management 189 As a route server does not participate in the process of forwarding 190 data between client routers, and because modification of the AS_PATH 191 attribute could affect route server client BGP Decision Process, the 192 route server SHOULD NOT prepend its own AS number to the AS_PATH 193 segment nor modify the AS_PATH segment in any other way. This 194 differs from the behaviour specified in section 5.1.2 of [RFC4271], 195 which requires that the BGP speaker prepends its own AS number as the 196 last element of the AS_PATH segment. This is a recommendation rather 197 than a requirement solely to provide backwards compatibility with 198 legacy route server client implementations which do not yet support 199 the requirements specified in Section 2.2.2.2. 201 2.2.2.2. Route Server client AS_PATH management 203 In contrast to what is recommended in section 6.3 of [RFC4271], route 204 server clients need to be able to accept UPDATE messages where the 205 leftmost AS in the AS_PATH attribute is not equal to the AS number of 206 the route server that sent the UPDATE message. If the route server 207 client BGP system has implemented a check for this, the BGP 208 implementation MUST allow this check to be disabled and SHOULD allow 209 the check to be disabled on a per-peer basis. 211 2.2.3. MULTI_EXIT_DISC Attribute 213 MULTI_EXIT_DISC is an optional non-transitive attribute intended to 214 be used on external (inter-AS) links to discriminate among multiple 215 exit or entry points to the same neighboring AS. Contrary to section 216 5.1.4 of [RFC4271], if applied to an NLRI UPDATE sent to a route 217 server, this attribute SHOULD be propagated to other route server 218 clients and the route server SHOULD NOT modify its value. 220 2.2.4. Communities Attributes 222 The BGP COMMUNITIES ([RFC1997]) and Extended Communities ([RFC4360]) 223 attributes are attributes intended for labeling information carried 224 in BGP UPDATE messages. Transitive as well as non-transitive 225 Communities attributes applied to an NLRI UPDATE sent to a route 226 server SHOULD NOT be modified, processed or removed, except as 227 defined by local policy. If a Communities Attribute is intended for 228 processing by the route server itself, as determined by local policy, 229 it MAY be modified or removed. 231 2.3. Per-Client Policy Control in Multilateral Interconnection 233 While IXP participants often use route servers with the intention of 234 interconnecting with as many other route server participants as 235 possible, there are circumstances where control of path distribution 236 on a per-client basis is important to ensure that desired 237 interconnection policies are met. 239 The control of path distribution on a per-client basis can lead to a 240 path being hidden from the route server client. We refer to this as 241 "path hiding". 243 Neither Section 2.3 nor its subsections form part of the normative 244 specification of this document, but are included for information 245 purposes only. 247 2.3.1. Path Hiding on a Route Server 249 ___ ___ 250 / \ / \ 251 ..| AS1 |..| AS2 |.. 252 : \___/ \___/ : 253 : \ / | : 254 : \ / | : 255 : IXP \/ | : 256 : /\ | : 257 : / \ | : 258 : ___/____\_|_ : 259 : / \ / \ : 260 ..| AS3 |..| AS4 |.. 261 \___/ \___/ 263 Figure 1: Per-Client Policy Controlled Interconnection at an IXP 265 Using the example in Figure 1, AS1 does not directly exchange prefix 266 information with either AS2 or AS3 at the IXP, but only interconnects 267 with AS4. The lines between AS1, AS2, AS3 and AS4 represent 268 interconnection relationships, whether via bilateral or multilateral 269 connections. 271 In the traditional bilateral interconnection model, per-client policy 272 control to a third party exchange participant is accomplished either 273 by not engaging in a bilateral interconnection with that participant 274 or else by implementing outbound filtering on the BGP session towards 275 that participant. However, in a multilateral interconnection 276 environment, only the route server can perform outbound filtering in 277 the direction of the route server client; route server clients depend 278 on the route server to perform their outbound filtering for them. 280 Assuming the [RFC4271] BGP Decision Process is used, when the same 281 prefix is advertised to a route server from multiple route server 282 clients, the route server will select a single path for propagation 283 to all connected clients. If, however, the route server has been 284 configured to filter the calculated best path from reaching a 285 particular route server client, then that client will not receive a 286 path for that prefix, although alternate paths received by the route 287 server might have been policy compliant for that client. This 288 phenomenon is referred to as "path hiding". 290 For example, in Figure 1, if the same prefix were sent to the route 291 server via AS2 and AS4, and the route via AS2 was preferred according 292 to the BGP Decision Process on the route server, but AS2's policy 293 prevented the route server from sending the path to AS1, then AS1 294 would never receive a path to this prefix, even though the route 295 server had previously received a valid alternative path via AS4. 296 This happens because the BGP Decision Process is performed only once 297 on the route server for all clients. 299 Path hiding will only occur on route servers which employ per-client 300 policy control; if an IXP operator deploys a route server without 301 implementing a per-client routing policy control system, then path 302 hiding does not occur, as all paths are considered equally valid from 303 the point of view of the route server. 305 2.3.2. Mitigation of Path Hiding 307 There are several approaches which can be taken to mitigate against 308 path hiding. 310 2.3.2.1. Multiple Route Server RIBs 312 The most portable method to allow for per-client policy control 313 without the occurrence of path hiding, is to use a route server BGP 314 implementation which performs the per-client best path calculation 315 for each set of paths to a prefix, which results after the route 316 server's client policies have been taken into consideration. This 317 can be implemented by using per-client Loc-RIBs, with path filtering 318 implemented between the Adj-RIB-In and the per-client Loc-RIB. 319 Implementations can optimize this by maintaining paths not subject to 320 filtering policies in a global Loc-RIB, with per-client Loc-RIBs 321 stored as deltas. 323 This implementation is highly portable, as it makes no assumptions 324 about the feature capabilities of the route server clients. 326 2.3.2.2. Advertising Multiple Paths 328 The path distribution model described above assumes standard BGP 329 session encoding where the route server sends a single path to its 330 client for any given prefix. This path is selected using the BGP 331 path selection decision process described in [RFC4271]. If, however, 332 it were possible for the route server to send more than a single path 333 to a route server client, then route server clients would no longer 334 depend on receiving a single path to a particular prefix; 335 consequently, the path hiding problem described in Section 2.3.1 336 would disappear. 338 We present two methods which describe how such increased path 339 diversity could be implemented. 341 2.3.2.2.1. Diverse BGP Path Approach 343 The Diverse BGP Path proposal as defined in [RFC6774] is a simple way 344 to distribute multiple prefix paths from a route server to a route 345 server client by using a separate BGP session from the route server 346 to a client for each different path. 348 The number of paths which may be distributed to a client is 349 constrained by the number of BGP sessions which the server and the 350 client are willing to establish with each other. The distributed 351 paths may be established from the global BGP Loc-RIB on the route 352 server in addition to any per-client Loc-RIB. As there may be more 353 potential paths to a given prefix than configured BGP sessions, this 354 method is not guaranteed to eliminate the path hiding problem in all 355 situations. Furthermore, this method may significantly increase the 356 number of BGP sessions handled by the route server, which may 357 negatively impact its performance. 359 2.3.2.2.2. BGP ADD-PATH Approach 361 The [I-D.ietf-idr-add-paths] Internet draft proposes a different 362 approach to multiple path propagation, by allowing a BGP speaker to 363 forward multiple paths for the same prefix on a single BGP session. 364 As [RFC4271] specifies that a BGP listener must implement an implicit 365 withdraw when it receives an UPDATE message for a prefix which 366 already exists in its Adj-RIB-In, this approach requires explicit 367 support for the feature both on the route server and on its clients. 369 If the ADD-PATH capability is negotiated bidirectionally between the 370 route server and a route server client, and the route server client 371 propagates multiple paths for the same prefix to the route server, 372 then this could potentially cause the propagation of inactive, 373 invalid or suboptimal paths to the route server, thereby causing loss 374 of reachability to other route server clients. For this reason, ADD- 375 PATH implementations on a route server should enforce send-only mode 376 with the route server clients, which would result in negotiating 377 receive-only mode from the client to the route server. 379 2.3.3. Implementation Suggestions 381 Route server implementation authors may wish to consider one of the 382 methods described in Section 2.3.2 to allow per-client route server 383 policy control without "path hiding". 385 Recommendations for route server operations are described separately 386 in [I-D.ietf-grow-ix-bgp-route-server-operations]. 388 3. Security Considerations 390 The path hiding problem outlined in section Section 2.3.1 can be used 391 in certain circumstances to proactively block third party path 392 announcements from other route server clients. Route server 393 operators should be aware that security issues may arise unless steps 394 are taken to mitigate against path hiding. 396 The AS_PATH check described in Section 2.2.2 is normally enabled in 397 order to check for malformed AS paths. If this check is disabled, 398 the route server client loses the ability to check incoming UPDATE 399 messages for certain categories of problems. This could potentially 400 cause corrupted BGP UPDATE messages to be propagated where they might 401 not be propagated if the check were enabled. Regardless of any 402 problems relating to malformed UPDATE messages, this check is also 403 used to detect BGP loops; removing the check could potentially cause 404 routing loops to be formed. Consequently, this check SHOULD NOT be 405 disabled by IXP participants unless it is needed to establish BGP 406 sessions with a route server, and if possible should only be disabled 407 for peers which are route servers. 409 Route server operators should carefully consider the security 410 practices discussed in [RFC7454], "BGP Operations and Security". 412 4. IANA Considerations 414 The new set of mechanisms for route servers does not require any new 415 allocations from IANA. 417 5. Acknowledgments 419 The authors would like to thank Ryan Bickhart, Steven Bakker, Martin 420 Pels, Chris Hall, Aleksi Suhonen, Bruno Decraene, Pierre Francois and 421 Eduardo Ascenco Reis for their valuable input. 423 In addition, the authors would like to acknowledge the developers of 424 BIRD, OpenBGPD, Quagga and IOS whose BGP implementations include 425 route server capabilities which are compliant with this document. 427 Route server functionality was described in 1995 in [RFC1863] and 428 modern route server implementations are based on concepts developed 429 in the 1990s by the Routing Arbiter Project and the Route Server Next 430 Generation Project, managed by ISI and Merit. Although the original 431 RSNG code is no longer in use at any IXPs, the IXP community owes a 432 debt of gratitude to the many people who were involved in route 433 server development in the 1990s. Note that [RFC1863] was made 434 historical by [RFC4223]. 436 6. References 438 6.1. Normative References 440 [RFC1997] Chandra, R., Traina, P., and T. Li, "BGP Communities 441 Attribute", RFC 1997, DOI 10.17487/RFC1997, August 1996, 442 . 444 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 445 Requirement Levels", BCP 14, RFC 2119, 446 DOI 10.17487/RFC2119, March 1997, 447 . 449 [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A 450 Border Gateway Protocol 4 (BGP-4)", RFC 4271, 451 DOI 10.17487/RFC4271, January 2006, 452 . 454 [RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended 455 Communities Attribute", RFC 4360, DOI 10.17487/RFC4360, 456 February 2006, . 458 6.2. Informative References 460 [I-D.ietf-grow-ix-bgp-route-server-operations] 461 Hilliard, N., Jasinska, E., Raszuk, R., and N. Bakker, 462 "Internet Exchange BGP Route Server Operations", draft- 463 ietf-grow-ix-bgp-route-server-operations-05 (work in 464 progress), June 2015. 466 [I-D.ietf-idr-add-paths] 467 Walton, D., Retana, A., Chen, E., and J. Scudder, 468 "Advertisement of Multiple Paths in BGP", draft-ietf-idr- 469 add-paths-15 (work in progress), May 2016. 471 [RFC1863] Haskin, D., "A BGP/IDRP Route Server alternative to a full 472 mesh routing", RFC 1863, DOI 10.17487/RFC1863, October 473 1995, . 475 [RFC4223] Savola, P., "Reclassification of RFC 1863 to Historic", 476 RFC 4223, DOI 10.17487/RFC4223, October 2005, 477 . 479 [RFC4456] Bates, T., Chen, E., and R. Chandra, "BGP Route 480 Reflection: An Alternative to Full Mesh Internal BGP 481 (IBGP)", RFC 4456, DOI 10.17487/RFC4456, April 2006, 482 . 484 [RFC6774] Raszuk, R., Ed., Fernando, R., Patel, K., McPherson, D., 485 and K. Kumaki, "Distribution of Diverse BGP Paths", 486 RFC 6774, DOI 10.17487/RFC6774, November 2012, 487 . 489 [RFC7454] Durand, J., Pepelnjak, I., and G. Doering, "BGP Operations 490 and Security", BCP 194, RFC 7454, DOI 10.17487/RFC7454, 491 February 2015, . 493 Authors' Addresses 495 Elisa Jasinska 496 BigWave IT 497 ul. Skawinska 27/7 498 Krakow, MP 31-066 499 Poland 501 Email: elisa@bigwaveit.org 503 Nick Hilliard 504 INEX 505 4027 Kingswood Road 506 Dublin 24 507 IE 509 Email: nick@inex.ie 510 Robert Raszuk 511 Bloomberg LP 512 731 Lexington Ave 513 New York City, NY 10022 514 USA 516 Email: robert@raszuk.net 518 Niels Bakker 519 Akamai Technologies B.V. 520 Kingsfordweg 151 521 Amsterdam 1043 GR 522 NL 524 Email: nbakker@akamai.com