draft-ietf-bess-datacenter-gateway-01.txt   draft-ietf-bess-datacenter-gateway-02.txt 
BESS Working Group J. Drake BESS Working Group A. Farrel
Internet-Draft A. Farrel Internet-Draft Old Dog Consulting
Intended status: Standards Track E. Rosen Intended status: Standards Track J. Drake
Expires: November 3, 2018 Juniper Networks Expires: August 30, 2019 E. Rosen
Juniper Networks
K. Patel K. Patel
Arrcus, Inc. Arrcus, Inc.
L. Jalil L. Jalil
Verizon Verizon
May 2, 2018 February 26, 2019
Gateway Auto-Discovery and Route Advertisement for Segment Routing Gateway Auto-Discovery and Route Advertisement for Segment Routing
Enabled Domain Interconnection Enabled Domain Interconnection
draft-ietf-bess-datacenter-gateway-01 draft-ietf-bess-datacenter-gateway-02
Abstract Abstract
Data centers have become critical components of the infrastructure Data centers are critical components of the infrastructure used by
used by network operators to provide services to their customers. network operators to provide services to their customers. Data
Data centers are attached to the Internet or a backbone network by centers are attached to the Internet or a backbone network by gateway
gateway routers. One data center typically has more than one gateway routers. One data center typically has more than one gateway for
for commercial, load balancing, and resiliency reasons. commercial, load balancing, and resiliency reasons.
Segment routing is a popular protocol mechanism for operating within Segment Routing is a popular protocol mechanism for use within a data
a data center, but also for steering traffic that flows between two center, but also for steering traffic that flows between two data
data center sites. In order that one data center site may load center sites. In order that one data center site may load balance
balance the traffic it sends to another data center site it needs to the traffic it sends to another data center site, it needs to know
know the complete set of gateway routers at the remote data center, the complete set of gateway routers at the remote data center, the
the points of connection from those gateways to the backbone network, points of connection from those gateways to the backbone network, and
and the connectivity across the backbone network. the connectivity across the backbone network.
Segment routing may also be operated in other domains, such as access Segment Routing may also be operated in other domains, such as access
networks. Those domains also need to be connected across backbone networks. Those domains also need to be connected across backbone
networks through gateways. networks through gateways.
This document defines a mechanism using the BGP Tunnel Encapsulation This document defines a mechanism using the BGP Tunnel Encapsulation
attribute to allow each gateway router to advertise the routes to the attribute to allow each gateway router to advertise the routes to the
prefixes in the segment routing domains to which it provides access, prefixes in the Segment Routing domains to which it provides access,
and also to advertise on behalf of each other gateway to the same and also to advertise on behalf of each other gateway to the same
segment routing domain. Segment Routing domain.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 3, 2018. This Internet-Draft will expire on August 30, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. SR Domain Gateway Auto-Discovery . . . . . . . . . . . . . . 5 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 5
3. Relationship to BGP Link State and Egress Peer Engineering . 6 3. SR Domain Gateway Auto-Discovery . . . . . . . . . . . . . . 5
4. Advertising an SR Domain Route Externally . . . . . . . . . . 7 4. Relationship to BGP Link State and Egress Peer Engineering . 7
5. Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . 7 5. Advertising an SR Domain Route Externally . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6. Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . 7
7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
8. Manageability Considerations . . . . . . . . . . . . . . . . 9 8. Security Considerations . . . . . . . . . . . . . . . . . . . 8
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 9. Manageability Considerations . . . . . . . . . . . . . . . . 9
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
10.1. Normative References . . . . . . . . . . . . . . . . . . 9 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
10.2. Informative References . . . . . . . . . . . . . . . . . 10 11.1. Normative References . . . . . . . . . . . . . . . . . . 9
11.2. Informative References . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
Data centers (DCs) have become critical components of the Data centers (DCs) are critical components of the infrastructure used
infrastructure used by network operators to provide services to their by network operators to provide services to their customers. DCs are
customers. DCs are attached to the Internet or a backbone network by attached to the Internet or a backbone network by gateway routers
gateway routers (GWs). One DC typically has more than one GW for (GWs). One DC typically has more than one GW for various reasons
various reasons including commercial preferences, load balancing, and including commercial preferences, load balancing, and resiliency
resiliency against connection of device failure. against connection of device failure.
Segment routing (SR) [I-D.ietf-spring-segment-routing] is a popular Segment Routing (SR) [RFC8402] is a popular protocol mechanism for
protocol mechanism for operating within a DC, but also for steering use within a DC, but also for steering traffic that flows between two
traffic that flows between two DC sites. In order for an ingress DC DC sites. In order for a source (ingress) DC that uses SR to load
that uses SR to load balance the flows it sends to an egress DC, it balance the flows it sends to a destination (egress) DC, it needs to
needs to know the complete set of entry nodes (i.e., GWs) for that know the complete set of entry nodes (i.e., GWs) for that egress DC
egress DC from the backbone network connecting the two DCs. Note from the backbone network connecting the two DCs. Note that it is
that it is assumed that the connected set of DCs and the backbone assumed that the connected set of DCs and the backbone network
network connecting them are part of the same SR BGP Link State (LS) connecting them are part of the same SR BGP Link State (LS) instance
instance ([RFC7752] and [I-D.ietf-idr-bgpls-segment-routing-epe]) so ([RFC7752] and [I-D.ietf-idr-bgpls-segment-routing-epe]) so that
that traffic engineering using SR may be used for these flows. traffic engineering using SR may be used for these flows.
Segment routing may also be operated in other domains, such as access SR may also be operated in other domains, such as access networks.
networks. Those domains also need to be connected across backbone Those domains also need to be connected across backbone networks
networks through gateways. through gateways.
Suppose that there are two gateways, GW1 and GW2 as shown in Suppose that there are two gateways, GW1 and GW2 as shown in
Figure 1, for a given egress segment routing domain and that they Figure 1, for a given egress SR domain and that they each advertise a
each advertise a route to prefix X which is located within the egress route to prefix X which is located within the egress SR domain with
segment routing domain with each setting itself as next hop. One each setting itself as next hop. One might think that the GWs for X
might think that the GWs for X could be inferred from the routes' could be inferred from the routes' next hop fields, but typically it
next hop fields, but typically it is not the case that both routes is not the case that both routes get distributed across the backbone:
get distributed across the backbone: rather only the best route, as rather only the best route, as selected by BGP, is distributed. This
selected by BGP, is distributed. This precludes load balancing flows precludes load balancing flows across both GWs.
across both GWs.
----------------- --------------------- ----------------- ---------------------
| Ingress | | Egress ------ | | Ingress | | Egress ------ |
| SR Domain | | SR Domain |Prefix| | | SR Domain | | SR Domain |Prefix| |
| | | | X | | | | | | X | |
| | | ------ | | | | ------ |
| -- | | --- --- | | -- | | --- --- |
| |GW| | | |GW1| |GW2| | | |GW| | | |GW1| |GW2| |
-------++-------- ----+-----------+-+-- -------++-------- ----+-----------+-+--
| \ | / | | \ | / |
skipping to change at page 5, line 8 skipping to change at page 5, line 8
The solution uses the Tunnel Encapsulation attribute The solution uses the Tunnel Encapsulation attribute
[I-D.ietf-idr-tunnel-encaps] as follows: [I-D.ietf-idr-tunnel-encaps] as follows:
We define a new tunnel type, "SR tunnel". When the GWs to a given We define a new tunnel type, "SR tunnel". When the GWs to a given
SR domain advertise a route to a prefix X within the SR domain, SR domain advertise a route to a prefix X within the SR domain,
they will each include a Tunnel Encapsulation attribute with they will each include a Tunnel Encapsulation attribute with
multiple tunnel instances each of type "SR tunnel", one for each multiple tunnel instances each of type "SR tunnel", one for each
GW, and each containing a Remote Endpoint sub-TLV with that GW's GW, and each containing a Remote Endpoint sub-TLV with that GW's
address. address.
In other words, each route advertised by any GW identifies all of the In other words, each route advertised by a GW identifies all of the
GWs to the same SR domain (see Section 2 for a discussion of how GWs GWs to the same SR domain (see Section 3 for a discussion of how GWs
discover each other). Therefore, even if only one of the routes is discover each other). Therefore, even if only one of the routes is
distributed to other ASes, it will not matter how many times the next distributed to other ASes, it will not matter how many times the next
hop changes, as the Tunnel Encapsulation attribute (and its remote hop changes, as the Tunnel Encapsulation attribute (and its remote
endpoint sub-TLVs) will remain unchanged. endpoint sub-TLVs) will remain unchanged.
To put this in the context of Figure 1, GW1 and GW2 discover each To put this in the context of Figure 1, GW1 and GW2 discover each
other as gateways for the egress SR domain. Both GW1 and GW2 other as gateways for the egress SR domain. Both GW1 and GW2
advertise themselves as having routes to prefix X. Furthermore, GW1 advertise themselves as having routes to prefix X. Furthermore, GW1
includes a Tunnel Encapsulation attribute with a tunnel instance of includes a Tunnel Encapsulation attribute with a tunnel instance of
type "SR tunnel" for itself and another for GW2. Similarly, GW2 type "SR tunnel" for itself and another for GW2. Similarly, GW2
includes a Tunnel Encapsulation for itself and another for GW1. The includes a Tunnel Encapsulation for itself and another for GW1. The
gateway in the ingress SR domain can now see all possible paths to gateway in the ingress SR domain can now see all possible paths to
the egress SR domain regardless of which route advertisement is the egress SR domain regardless of which route advertisement is
propagated to it, and it can choose one or balance traffic flows as propagated to it, and it can choose one, or balance traffic flows as
it sees fit. it sees fit.
The protocol extensions defined in this document are put into the The protocol extensions defined in this document are put into the
broader context of SR domain interconnection by broader context of SR domain interconnection by
[I-D.farrel-spring-sr-domain-interconnect]. That document shows how [I-D.farrel-spring-sr-domain-interconnect]. That document shows how
other existing protocol elements may be combined with the extensions other existing protocol elements may be combined with the extensions
defined in this document to provide a full system. defined in this document to provide a full system.
2. SR Domain Gateway Auto-Discovery 2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. SR Domain Gateway Auto-Discovery
To allow a given SR domain's GWs to auto-discover each other and to To allow a given SR domain's GWs to auto-discover each other and to
coordinate their operations, the following procedures are coordinate their operations, the following procedures are
implemented: implemented:
o Each GW is configured with an identifier for the SR domain that is o Each GW is configured with an identifier for the SR domain. That
common across all GWs to the domain (i.e., the same identifier is identifier is common across all GWs to the domain (i.e., the same
used by all GWs to the same SR domain) and unique across all SR identifier is used by all GWs to the same SR domain), and unique
domains that are connected (i.e., across all GWs to all SR domains across all SR domains that are connected (i.e., across all GWs to
that are interconnected). all SR domains that are interconnected).
o A route target ([RFC4360]) is attached to each GW's auto-discovery o A route target ([RFC4360]) is attached to each GW's auto-discovery
route and has its value set to the SR domain identifier. route and has its value set to the SR domain identifier.
o Each GW constructs an import filtering rule to import any route o Each GW constructs an import filtering rule to import any route
that carries a route target with the same SR domain identifier that carries a route target with the same SR domain identifier
that the GW itself uses. This means that only these GWs will that the GW itself uses. This means that only these GWs will
import those routes and that all GWs to the same SR domain will import those routes, and that all GWs to the same SR domain will
import each other's routes and will learn (auto-discover) the import each other's routes and will learn (auto-discover) the
current set of active GWs for the SR domain. current set of active GWs for the SR domain.
The auto-discovery route that each GW advertises consists of the The auto-discovery route that each GW advertises consists of the
following: following:
o An IPv4 or IPv6 NLRI containing one of the GW's loopback addresses o An IPv4 or IPv6 NLRI containing one of the GW's loopback addresses
(that is, with AFI/SAFI that is one of 1/1, 2/1, 1/4, or 2/4). (that is, with an AFI/SAFI pair that is one of 1/1, 2/1, 1/4, or
2/4).
o A Tunnel Encapsulation attribute containing the GW's encapsulation o A Tunnel Encapsulation attribute containing the GW's encapsulation
information, which at a minimum consists of an SR tunnel TLV (type information, which at a minimum consists of an SR tunnel TLV (type
to be allocated by IANA) with a Remote Endpoint sub-TLV as to be allocated by IANA) with a Remote Endpoint sub-TLV as
specified in [I-D.ietf-idr-tunnel-encaps]. specified in [I-D.ietf-idr-tunnel-encaps].
To avoid the side effect of applying the Tunnel Encapsulation To avoid the side effect of applying the Tunnel Encapsulation
attribute to any packet that is addressed to the GW itself, the GW attribute to any packet that is addressed to the GW itself, the GW
SHOULD use a different loopback address for the two cases. SHOULD use a different loopback address for the two cases.
skipping to change at page 6, line 40 skipping to change at page 7, line 5
If a gateway becomes disconnected from the backbone network, or if If a gateway becomes disconnected from the backbone network, or if
the SR domain operator decides to terminate the gateway's activity, the SR domain operator decides to terminate the gateway's activity,
it withdraws the advertisements described above. This means that it withdraws the advertisements described above. This means that
remote gateways at other sites will stop seeing advertisements from remote gateways at other sites will stop seeing advertisements from
this gateway. It also means that other local gateways at this site this gateway. It also means that other local gateways at this site
will "unlearn" the removed gateway and stop including a Tunnel will "unlearn" the removed gateway and stop including a Tunnel
Encapsulation attribute for the removed gateway in their Encapsulation attribute for the removed gateway in their
advertisements. advertisements.
3. Relationship to BGP Link State and Egress Peer Engineering 4. Relationship to BGP Link State and Egress Peer Engineering
When a remote GW receives a route to a prefix X it can use the SR When a remote GW receives a route to a prefix X it can use the SR
tunnel instances within the contained Tunnel Encapsulation attribute tunnel instances within the contained Tunnel Encapsulation attribute
to identify the GWs through which X can be reached. It uses this to identify the GWs through which X can be reached. It uses this
information to compute SR TE paths across the backbone network information to compute SR Traffic Engineering (SR TE) paths across
looking at the information advertised to it in SR BGP Link State the backbone network looking at the information advertised to it in
(BGP-LS) [I-D.ietf-idr-bgp-ls-segment-routing-ext] and correlated SR BGP Link State (BGP-LS) [I-D.ietf-idr-bgp-ls-segment-routing-ext]
using the SR domain identity. SR Egress Peer Engineering (EPE) and correlated using the SR domain identity. SR Egress Peer
[I-D.ietf-idr-bgpls-segment-routing-epe] can be used to supplement Engineering (EPE) [I-D.ietf-idr-bgpls-segment-routing-epe] can be
the information advertised in the BGP-LS. used to supplement the information advertised in BGP-LS.
4. Advertising an SR Domain Route Externally 5. Advertising an SR Domain Route Externally
When a packet destined for prefix X is sent on an SR TE path to a GW When a packet destined for prefix X is sent on an SR TE path to a GW
for the SR domain containing X, it needs to carry the receiving GW's for the SR domain containing X, it needs to carry the receiving GW's
label for X such that this label rises to the top of the stack before label for X such that this label rises to the top of the stack before
the GW completes its processing of the packet. To achieve this we the GW completes its processing of the packet. To achieve this we
place a prefix-SID sub-TLV for X in each SR tunnel instance in the place a prefix-SID sub-TLV for X in each SR tunnel instance in the
Tunnel Encapsulation attribute in the externally advertised route for Tunnel Encapsulation attribute in the externally advertised route for
X. X.
Alternatively, if the GWs for a given SR domain are configured to Alternatively, if the GWs for a given SR domain are configured to
allow remote GWs to perform SR TE through that SR domain for a prefix allow remote GWs to perform SR TE through that SR domain for a prefix
X, then each GW computes an SR TE path through that SR domain to X X, then each GW computes an SR TE path through that SR domain to X
from each of the currently active GWs, and places each in an MPLS from each of the currently active GWs, and places each in an MPLS
label stack sub-TLV [I-D.ietf-idr-tunnel-encaps] in the SR tunnel label stack sub-TLV [I-D.ietf-idr-tunnel-encaps] in the SR tunnel
instance for that GW. instance for that GW.
5. Encapsulation 6. Encapsulation
If the GWs for a given SR domain are configured to allow remote GWs If the GWs for a given SR domain are configured to allow remote GWs
to send them a packet in that SR domain's native encapsulation, then to send them a packet in that SR domain's native encapsulation, then
each GW will also include multiple instances of a tunnel TLV for that each GW will also include multiple instances of a tunnel TLV for that
native encapsulation in externally advertised routes: one for each GW native encapsulation in externally advertised routes: one for each GW
and each containing a remote endpoint sub-TLV with that GW's address. and each containing a remote endpoint sub-TLV with that GW's address.
A remote GW may then encapsulate a packet according to the rules A remote GW may then encapsulate a packet according to the rules
defined via the sub-TLVs included in each of the tunnel TLV defined via the sub-TLVs included in each of the tunnel TLV
instances. instances.
6. IANA Considerations 7. IANA Considerations
IANA maintains a registry called "BGP parameters" with a sub-registry IANA maintains a registry called "BGP Monitoring Protocol (BMP)
called "BGP Tunnel Encapsulation Tunnel Types." The registration Parameters" with a sub-registry called "BGP Tunnel Encapsulation
policy for this registry is First-Come First-Served. Attribute Tunnel Types." The registration policy for this registry
is First-Come First-Served [RFC8126].
IANA is requested to assign a codepoint from this sub-registry for IANA is requested to assign a codepoint from this sub-registry for
"SR Tunnel". The next available value may be used and reference "SR Tunnel". The next available value may be used and reference
should be made to this document. should be made to this document.
[[Note: This text is likely to be replaced with a specific code point [[Note: This text is likely to be replaced with a specific code point
value once FCFS allocation has been made.]] value once FCFS allocation has been made.]]
7. Security Considerations 8. Security Considerations
From a protocol point of view, the mechanisms described in this From a protocol point of view, the mechanisms described in this
document can leverage the security mechanisms already defined for document can leverage the security mechanisms already defined for
BGP. Further discussion of security considerations for BGP may be BGP. Further discussion of security considerations for BGP may be
found in the BGP specification itself [RFC4271] and in the security found in the BGP specification itself [RFC4271] and in the security
analysis for BGP [RFC4272]. The original discussion of the use of analysis for BGP [RFC4272]. The original discussion of the use of
the TCP MD5 signature option to protect BGP sessions is found in the TCP MD5 signature option to protect BGP sessions is found in
[RFC5925], while [RFC6952] includes an analysis of BGP keying and [RFC5925], while [RFC6952] includes an analysis of BGP keying and
authentication issues. authentication issues.
The mechanisms described in this document involve sharing routing or The mechanisms described in this document involve sharing routing or
reachability information between domains: that may mean disclosing reachability information between domains: that may mean disclosing
information that is normally contained within a domain. So it needs information that is normally contained within a domain. So it needs
to be understood that normal security paradigms based on the to be understood that normal security paradigms based on the
boundaries of domains are weakened. Discussion of these issues with boundaries of domains are weakened. Discussion of these issues with
respect to VPNs can be found in [RFC4364] while [RFC7926] describes respect to VPNs can be found in [RFC4364], while [RFC7926] describes
many of the issues associated with the exchange of topology or TE many of the issues associated with the exchange of topology or TE
information between domains. information between domains.
Particular exposures resulting from this work include: Particular exposures resulting from this work include:
o Gateways to a domain will know about all other gateways to the o Gateways to a domain will know about all other gateways to the
same domain. This feature applies within a domain and so is not a same domain. This feature applies within a domain and so is not a
substantial exposure, but it does mean that if the protocol BGP substantial exposure, but it does mean that if the BGP exchanges
exchanges within a domain can be snooped or if a gateway can be within a domain can be snooped or if a gateway can be subverted
subverted then an attacker may learn the full set of gateways to a then an attacker may learn the full set of gateways to a domain.
domain. This facilitates more effective attacks on that domain. This would facilitate more effective attacks on that domain.
o The existence of multiple gateways to a domain becomes more o The existence of multiple gateways to a domain becomes more
visible across the backbone and even into remote domains. This visible across the backbone and even into remote domains. This
means that an attacker is able to prepare a more comprehensive means that an attacker is able to prepare a more comprehensive
attack than exists when only the locally attached backbone network attack than exists when only the locally attached backbone network
(e.g., the AS that hosts the domain) can see all of the gateways (e.g., the AS that hosts the domain) can see all of the gateways
to a site. to a site. For example, a Denial of Service attack on a single GW
is mitigated by the existence of other GWs, but if the attacker
knows about all the gateways then the whole set can be attacked at
once.
o A node in a domain that does not have external BGP peering (i.e., o A node in a domain that does not have external BGP peering (i.e.,
is not really a domain gateway and cannot speak BGP into the is not really a domain gateway and cannot speak BGP into the
backbone network) may be able to get itself advertised as a backbone network) may be able to get itself advertised as a
gateway by letting other genuine gateways discover it (by speaking gateway by letting other genuine gateways discover it (by speaking
BGP to them within the domain) and so may get those genuine BGP to them within the domain) and so may get those genuine
gateways to advertise it as a gateway into the backbone network. gateways to advertise it as a gateway into the backbone network.
This would allow the malicious node to attract traffic without
having to have secure BGP peerings with out-of-domain nodes.
o If it is possible to modify a BGP message within the backbone, it o If it is possible to modify a BGP message within the backbone, it
may be possible to spoof the existence of a gateway. This could may be possible to spoof the existence of a gateway. This could
cause traffic to be attracted to a specific node and might result cause traffic to be attracted to a specific node and might result
in black-holing of traffic. in black-holing of traffic.
All of the issues in the list above could cause disruption to domain All of the issues in the list above could cause disruption to domain
interconnection, but are not new protocol vulnerabilities so much as interconnection, but are not new protocol vulnerabilities so much as
new exposures of information that could be protected against using new exposures of information that SHOULD be protected against using
existing protocol mechanisms. Furthermore, it is a general existing protocol mechanisms. Furthermore, it is a general
observation that if these attacks are possible then it is highly observation that if these attacks are possible then it is highly
likely that far more significant attacks can be made on the routing likely that far more significant attacks can be made on the routing
system. It should be noted that BGP peerings are not discovered, but system. It should be noted that BGP peerings are not discovered, but
always arise from explicit configuration. always arise from explicit configuration.
8. Manageability Considerations 9. Manageability Considerations
The principal configuration item added by this solution is the The principal configuration item added by this solution is the
allocation of an SR domain identifier. The same identifier must be allocation of an SR domain identifier. The same identifier MUST be
assigned to every GW to the same domain, and each domain must have a assigned to every GW to the same domain, and each domain MUST have a
different identifier. This requires coordination probably through a different identifier. This requires coordination, probably through a
central management agent. central management agent.
TBD It should be noted that BGP peerings are not discovered, but always
arise from explicit configuration. This is no different from any
other BGP operation.
9. Acknowledgements 10. Acknowledgements
Thanks to Bruno Rijsman for review comments, and to Robert Raszuk for Thanks to Bruno Rijsman for review comments, and to Robert Raszuk for
useful discussions. useful discussions.
10. References 11. References
10.1. Normative References 11.1. Normative References
[I-D.ietf-idr-bgpls-segment-routing-epe] [I-D.ietf-idr-bgpls-segment-routing-epe]
Previdi, S., Filsfils, C., Patel, K., Ray, S., and J. Previdi, S., Talaulikar, K., Filsfils, C., Patel, K., Ray,
Dong, "BGP-LS extensions for Segment Routing BGP Egress S., and J. Dong, "BGP-LS extensions for Segment Routing
Peer Engineering", draft-ietf-idr-bgpls-segment-routing- BGP Egress Peer Engineering", draft-ietf-idr-bgpls-
epe-15 (work in progress), March 2018. segment-routing-epe-17 (work in progress), October 2018.
[I-D.ietf-idr-tunnel-encaps] [I-D.ietf-idr-tunnel-encaps]
Rosen, E., Patel, K., and G. Velde, "The BGP Tunnel Rosen, E., Patel, K., and G. Velde, "The BGP Tunnel
Encapsulation Attribute", draft-ietf-idr-tunnel-encaps-09 Encapsulation Attribute", draft-ietf-idr-tunnel-encaps-11
(work in progress), February 2018. (work in progress), February 2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271, Border Gateway Protocol 4 (BGP-4)", RFC 4271,
DOI 10.17487/RFC4271, January 2006, DOI 10.17487/RFC4271, January 2006,
<https://www.rfc-editor.org/info/rfc4271>. <https://www.rfc-editor.org/info/rfc4271>.
skipping to change at page 10, line 15 skipping to change at page 10, line 34
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", RFC 5925, DOI 10.17487/RFC5925, Authentication Option", RFC 5925, DOI 10.17487/RFC5925,
June 2010, <https://www.rfc-editor.org/info/rfc5925>. June 2010, <https://www.rfc-editor.org/info/rfc5925>.
[RFC7752] Gredler, H., Ed., Medved, J., Previdi, S., Farrel, A., and [RFC7752] Gredler, H., Ed., Medved, J., Previdi, S., Farrel, A., and
S. Ray, "North-Bound Distribution of Link-State and S. Ray, "North-Bound Distribution of Link-State and
Traffic Engineering (TE) Information Using BGP", RFC 7752, Traffic Engineering (TE) Information Using BGP", RFC 7752,
DOI 10.17487/RFC7752, March 2016, DOI 10.17487/RFC7752, March 2016,
<https://www.rfc-editor.org/info/rfc7752>. <https://www.rfc-editor.org/info/rfc7752>.
10.2. Informative References [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
11.2. Informative References
[I-D.farrel-spring-sr-domain-interconnect] [I-D.farrel-spring-sr-domain-interconnect]
Farrel, A. and J. Drake, "Interconnection of Segment Farrel, A. and J. Drake, "Interconnection of Segment
Routing Domains - Problem Statement and Solution Routing Domains - Problem Statement and Solution
Landscape", draft-farrel-spring-sr-domain-interconnect-03 Landscape", draft-farrel-spring-sr-domain-interconnect-05
(work in progress), January 2018. (work in progress), October 2018.
[I-D.ietf-idr-bgp-ls-segment-routing-ext] [I-D.ietf-idr-bgp-ls-segment-routing-ext]
Previdi, S., Talaulikar, K., Filsfils, C., Gredler, H., Previdi, S., Talaulikar, K., Filsfils, C., Gredler, H.,
and M. Chen, "BGP Link-State extensions for Segment and M. Chen, "BGP Link-State extensions for Segment
Routing", draft-ietf-idr-bgp-ls-segment-routing-ext-06 Routing", draft-ietf-idr-bgp-ls-segment-routing-ext-11
(work in progress), April 2018. (work in progress), October 2018.
[I-D.ietf-spring-segment-routing]
Filsfils, C., Previdi, S., Ginsberg, L., Decraene, B.,
Litkowski, S., and R. Shakir, "Segment Routing
Architecture", draft-ietf-spring-segment-routing-15 (work
in progress), January 2018.
[RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis",
RFC 4272, DOI 10.17487/RFC4272, January 2006, RFC 4272, DOI 10.17487/RFC4272, January 2006,
<https://www.rfc-editor.org/info/rfc4272>. <https://www.rfc-editor.org/info/rfc4272>.
[RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February
2006, <https://www.rfc-editor.org/info/rfc4364>. 2006, <https://www.rfc-editor.org/info/rfc4364>.
[RFC6952] Jethanandani, M., Patel, K., and L. Zheng, "Analysis of [RFC6952] Jethanandani, M., Patel, K., and L. Zheng, "Analysis of
skipping to change at page 11, line 12 skipping to change at page 11, line 31
DOI 10.17487/RFC7911, July 2016, DOI 10.17487/RFC7911, July 2016,
<https://www.rfc-editor.org/info/rfc7911>. <https://www.rfc-editor.org/info/rfc7911>.
[RFC7926] Farrel, A., Ed., Drake, J., Bitar, N., Swallow, G., [RFC7926] Farrel, A., Ed., Drake, J., Bitar, N., Swallow, G.,
Ceccarelli, D., and X. Zhang, "Problem Statement and Ceccarelli, D., and X. Zhang, "Problem Statement and
Architecture for Information Exchange between Architecture for Information Exchange between
Interconnected Traffic-Engineered Networks", BCP 206, Interconnected Traffic-Engineered Networks", BCP 206,
RFC 7926, DOI 10.17487/RFC7926, July 2016, RFC 7926, DOI 10.17487/RFC7926, July 2016,
<https://www.rfc-editor.org/info/rfc7926>. <https://www.rfc-editor.org/info/rfc7926>.
Authors' Addresses [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
John Drake [RFC8402] Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L.,
Juniper Networks Decraene, B., Litkowski, S., and R. Shakir, "Segment
Routing Architecture", RFC 8402, DOI 10.17487/RFC8402,
July 2018, <https://www.rfc-editor.org/info/rfc8402>.
Email: jdrake@juniper.net Authors' Addresses
Adrian Farrel Adrian Farrel
Juniper Networks Old Dog Consulting
Email: afarrel@juniper.net Email: adrian@olddog.co.uk
John Drake
Juniper Networks
Email: jdrake@juniper.net
Eric Rosen Eric Rosen
Juniper Networks Juniper Networks
Email: erosen@juniper.net Email: erosen52@gmail.com
Keyur Patel Keyur Patel
Arrcus, Inc. Arrcus, Inc.
Email: keyur@arrcus.com Email: keyur@arrcus.com
Luay Jalil Luay Jalil
Verizon Verizon
Email: luay.jalil@verizon.com Email: luay.jalil@verizon.com
 End of changes. 51 change blocks. 
132 lines changed or deleted 151 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/