idnits 2.17.1 draft-ietf-ptomaine-nopeer-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. == There are 4 instances of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. Miscellaneous warnings: ---------------------------------------------------------------------------- -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (April 2002) is 8044 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Downref: Normative reference to an Informational RFC: RFC 3221 (ref. '2') -- Possible downref: Non-RFC (?) normative reference: ref. '3' Summary: 4 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force Geoff. Huston 3 Internet Draft Telstra 4 Document: draft-ietf-ptomaine-nopeer-00.txt April 2002 5 Expires: October 2002 7 NOPEER community for BGP route scope control 9 Status of this Memo 11 This document is an Internet-Draft and is in full conformance with 12 all provisions of Section 10 of RFC2026 [1]. 14 Internet-Drafts are working documents of the Internet Engineering 15 Task Force (IETF), its areas, and its working groups. Note that 16 other groups may also distribute working documents as Internet- 17 Drafts. Internet-Drafts are draft documents valid for a maximum of 18 six months and may be updated, replaced, or obsoleted by other 19 documents at any time. It is inappropriate to use Internet- Drafts 20 as reference material or to cite them other than as "work in 21 progress." 23 The list of current Internet-Drafts can be accessed at 24 http://www.ietf.org/ietf/1id-abstracts.txt 26 The list of Internet-Draft Shadow Directories can be accessed at 27 http://www.ietf.org/shadow.html. 29 Comments on this draft should be directed to gih@telstra.net. 31 Abstract 33 This document proposes the use of a scope control BGP community. 34 This proposed well-known advisory transitive community is intended 35 to allow an origin AS to specify the extent to which a specific 36 route should be externally propagated. In particular this community, 37 termed here as NOPEER, allows an origin AS to specify that a route 38 with this attribute need not be advertised across bilateral peer 39 connections. 41 1. Introduction 43 BGP today has a limited number of commonly defined mechanisms that 44 allow a route to be propagated across some subset of the routing 45 system. The NOEXPORT community allows a BGP speaker to specify that 46 redistribution should extend only to the neighbouring AS. Providers 47 commonly define a number of communities that allow their neighbours 48 to specify how advertised routes should be re-advertised. Current 49 operational practice is that such communities are defined on as AS 50 by AS basis, and while they allow an AS to influence the re- 51 advertisement behaviour of routes passed from a neighbouring AS, 52 they do not allow this scope definition ability to be passed in a 53 transitive fashion to a remote AS. 55 Advertisement scope specification is of most use in specifying the 56 boundary conditions of route propagation. The specification can take 57 on a number of forms, including as AS transit hop count, a set of 58 target ASs, the presence of a particular route object, or a 59 particular characteristic of the inter-AS connection. 61 There are a number of motivations for controlling the scope of 62 advertisement of route prefixes, including support of limited 63 transit services where advertisements are restricted to certain 64 transit providers, and various forms of selective transit in a 65 multi-homed environment. 67 This proposal does not attempt to address all such motivations of 68 scope control, and addresses in particular the situation of both 69 multi-homing and traffic engineering. The commonly adopted 70 operational technique is that the originating AS advertises an 71 encompassing aggregate route to all multi-home neighbours, and also 72 selectively advertises a collection of more specific routes. This 73 implements a form of destination-based traffic engineering with some 74 level of fail over protection. The more specific routes typically 75 cease to lever any useful traffic engineering outcome beyond a 76 certain radius of redistribution, and a means of advising that such 77 routes need not to be distributed beyond such a point is of some 78 value in moderating one of the factors of continued route table 79 growth. 81 Analysis of the BGP routing tables reveals a significant use of the 82 technique of advertising more specific prefixes in addition to 83 advertising a covering aggregate. In an effort to ameliorate some of 84 the effects of this practice, in terms of overall growth of the BGP 85 routing tables in the Internet and the associated burden of global 86 propagation of dynamic changes in the reachability of such more 87 specific address prefixes, this draft proposes the use of a 88 transitive BGP route attribute that is intended to allow more 89 specific route tables entries to be discarded from the BGP tables 90 under appropriate conditions. Specifically, this attribute, NOPEER, 91 allows a remote AS not to advertise a route object to a neighbour AS 92 when the two AS's are interconnected under the conditions of some 93 form of sender keep all arrangement, as distinct from some form of 94 provider / customer arrangement. 96 2. Proposal 97 The proposal is to define a new well-known bgp transitive community, 98 NOPEER. 100 The intended semantics of this attribute is to allow an AS to 101 interpret the presence of this community as an advisory 102 qualification to re advertisement of a route prefix, permitting an 103 AS not to re advertise the route prefix to all external bilateral 104 peer neighbour AS's. It is consistent with the intended semantics 105 that an AS may filter received prefixes that are received across a 106 peering session that the receiver regards as a bilateral peer 107 sessions. 109 3. Motivation 111 The size of the BGP routing table has been increasing at an 112 accelerating rate since late 1998. At the time of writing (April 113 2002) the BGP forwarding table contains over 100,000 entries, and 114 the three year growth rate of this table shows a trend rate which 115 can be correlated to a compound growth rate of no less than 40% per 116 year [2]. 118 One of the aspects of the current BGP routing table is the 119 widespread use of the technique of advertising both an aggregate and 120 a number of more specific address prefixes. For example, the table 121 may contain a routing entry for the prefix 10.0.0.0/23 and also 122 contain entries for the prefixes 10.0.0.0/24 and 10.0.1.0/24. In 123 this example the specific routes fully cover the aggregate 124 announcement. Sparse coverage of aggregates with more specifics is 125 also observed, where, for example, routing entries for 10.0.0.0/8 126 and 10.0.1.0/24 both exist in the routing table. In total, these 127 more specific route entries occupy some 52% of the routing table[3], 128 so that more than one half of the routing table does not add 129 additional address reachability information into the routing system, 130 but instead is used to impose a finer level of detail on existing 131 reachability information. 133 There are a number of motivations for having both an aggregate route 134 and a number of more specific routes in the routing table, including 135 various forms of multi-homed configurations, where there is a 136 requirement to specify a different reachability policy for a part of 137 the advertised address space. 139 One of the observed common requirements in the multi-homed network 140 configuration is that of undertaking some form of load balancing of 141 incoming traffic across a number of external connections to a number 142 of different neighbouring ASs. If, for example, an AS wishes to use 143 a multi-homed configuration for routing-based load balancing and 144 some form of mutual fail over between the multiple access 145 connections for incoming traffic, then one approach is for the AS to 146 advertise the same aggregate address prefix to a number of its 147 upstream transit providers, and then advertise a number of more 148 specifics to individual upstream providers. In such a case all of 149 the traffic destined to the more specific address prefixes will be 150 received only over those connections where the more specific has 151 been advertised. If the neighbour BGP peering session of the more 152 specific advertisement fails, the more specific will cease to be 153 announced and incoming traffic will then be passed to the 154 originating network based on the path associated with the 155 advertisement of the encompassing aggregate. In this situation the 156 more specific routes are not automatically subsumed by the presence 157 of the aggregate at any remote AS. Both the aggregate and the 158 associated more specifics are redistributed across the entire 159 external BGP routing domain. In many cases, particularly those 160 associated with desire to undertake traffic engineering and service 161 resilience, the more specific routes are redistributed well beyond 162 the scope where there is any outcomes in terms of traffic 163 differentiation. 165 To the extent that remote analysis of BGP tables can observe this 166 form of configuration, the number of entries in the BGP forwarding 167 table where more specific entries share a common origin AS with 168 their immediately enclosing aggregates comprise some 20% of the 169 total number of FIB entries. Using a slightly stricter criteria 170 where the AS path of the more specific route matches the immediately 171 enclosing aggregate, the number of more specific routes comprises 172 some 13% of the number of FIB entries [3]. 174 One protocol mechanism that could be useful in this context is to 175 allow the originator of an advertisement to state some additional 176 qualification on the redistribution of the advertisement, allowing a 177 remote AS to suppress further redistribution under some originator- 178 specified criteria. 180 The redistribution qualification condition can be specified either 181 by enumeration or by classification. Enumeration would encompass the 182 use of a well-known transitive extended community to specify a list 183 of remote AS's where further redistribution is not advised. The 184 weakness of this approach is that the originating AS would need to 185 constantly revise this enumerated AS list to reflect the changes in 186 inter-AS topology, as, otherwise, the more specific routes would 187 leak beyond the intended redistribution scope. An approach of 188 classification allows an originating AS to specify the conditions 189 where further redistribution is not advised without having to refer 190 to the particular AS's where a match to such conditions are 191 anticipated. 193 The approach proposed here to specifying the redistribution boundary 194 condition is one based on the type of bilateral inter-AS peering. 195 Where one AS can be considered as a customer, and the other AS can 196 be considered as a contracted agent of the customer, or provider, 197 then the relationship is one where the provider, as an agent of the 198 customer, carries the routes and associated policy associated with 199 the routes. Where neither AS can be considered as a customer of the 200 other, then the relationship is one of bilateral peering, and 201 neither AS can be considered as an agent of the other in 202 redistributing policies associated with routes. This latter 203 arrangement is commonly referred to as a "sender keep all peer" 204 relationship, or "peering". This peer boundary can be regarded as a 205 logical point where the redistribution of additional reachability 206 policy imposed by the origin AS on a route is no longer an imposed 207 requirement. 209 This approach allows an originator of a prefix to attach a commonly 210 defined policy to a route prefix, indicate that a route should be 211 re-advertised conditionally, based on the characteristics of the 212 inter-AS connection. 214 4. IANA considerations 216 Adoption of this proposal would imply the request to IANA for the 217 registration of a new BGP well-known transitive community field from 218 IANA. 220 5. Security considerations 222 This proposal has the capability to introduce additional security 223 concerns into BGP by allowing the potential for denial of service 224 attacks for an address prefix range being launched by a remote AS. 226 Unauthorized addition of this community to a route prefix by a 227 transit provider where this is no covering aggregate route prefix 228 may cause a denial of service attack based on denial of reachability 229 to the prefix. Even in the case that there is a covering aggregate, 230 if the more specific route has a different origin AS than the 231 aggregate, the addition of this community by a transit AS may cause 232 a denial of service attack on the origin AS of the more specific 233 prefix. 235 BGP is already vulnerable to a denial of service attack based on the 236 injection of false routing information. It is possible to use this 237 community to limit the redistribution of a false route entry such 238 that its visibility can be limited and detection and rectification 239 of the problem can be more difficult under the circumstances of 240 limited redistribution. 242 References 244 [1] "The Internet Standards Process -- Revision 3", S. Bradner, RFC 245 2026, October 1996. 247 [2] "Commentary in Inter-Domain Routing in the Internet", G. 248 Huston, RFC 3221, December 2001. 250 [3] Analysis of BGP table data - http://bgp.potaroo.net 252 Author's Address 254 Geoff Huston 255 Telstra 256 Email: gih@telstra.net