--- 1/draft-ietf-idr-bgp-open-policy-18.txt 2022-01-07 12:13:11.013397930 -0800 +++ 2/draft-ietf-idr-bgp-open-policy-19.txt 2022-01-07 12:13:11.041398633 -0800 @@ -1,26 +1,26 @@ Network Working Group A. Azimov Internet-Draft Qrator Labs & Yandex Intended status: Standards Track E. Bogomazov -Expires: June 7, 2022 Qrator Labs +Expires: July 11, 2022 Qrator Labs R. Bush Internet Initiative Japan & Arrcus, Inc. K. Patel Arrcus K. Sriram USA NIST - December 4, 2021 + January 7, 2022 Route Leak Prevention and Detection using Roles in UPDATE and OPEN Messages - draft-ietf-idr-bgp-open-policy-18 + draft-ietf-idr-bgp-open-policy-19 Abstract Route leaks are the propagation of BGP prefixes that violate assumptions of BGP topology relationships, e.g., announcing a route learned from one transit provider to another transit provider or a lateral (i.e., non-transit) peer or announcing a route learned from one lateral peer to another lateral peer or a transit provider. These are usually the result of misconfigured or absent BGP route filtering or lack of coordination between autonomous systems (ASes). @@ -50,52 +50,52 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on June 7, 2022. + This Internet-Draft will expire on July 11, 2022. Copyright Notice - Copyright (c) 2021 IETF Trust and the persons identified as the + Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. Peering Relationships . . . . . . . . . . . . . . . . . . . . 4 - 3. BGP Role . . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 3. BGP Role . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1. BGP Role Capability . . . . . . . . . . . . . . . . . . . 5 3.2. Role Correctness . . . . . . . . . . . . . . . . . . . . 6 4. BGP Only to Customer (OTC) Attribute . . . . . . . . . . . . 7 - 5. Additional Considerations . . . . . . . . . . . . . . . . . . 8 + 5. Additional Considerations . . . . . . . . . . . . . . . . . . 9 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 8.1. Normative References . . . . . . . . . . . . . . . . . . 11 - 8.2. Informative References . . . . . . . . . . . . . . . . . 11 + 8.2. Informative References . . . . . . . . . . . . . . . . . 12 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 12 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction Route leaks are the propagation of BGP prefixes that violate assumptions of BGP topology relationships, e.g., announcing a route learned from one transit provider to another transit provider or a lateral (i.e., non-transit) peer or announcing a route learned from @@ -162,38 +162,48 @@ Route Server (RS): MAY propagate any available route to a Route Server Client (RS-Client). RS-Client: MAY propagate any route learned from a Customer, or locally originated, to an RS. All other routes MUST NOT be propagated. Peer: MAY propagate any route learned from a Customer, or locally originated, to a Peer. All other routes MUST NOT be propagated. + If the local AS has one of the above Roles (in the order shown), then + the corresponding peering relationship with the remote AS is + Provider-to-Customer, Customer-to-Provider, RS-to-RS-Client, RS- + Client-to-RS, or Peer-to-Peer (i.e., lateral peers), respectively. + These are called normal peering relationships. + + If the local AS has more than one peering role with the remote AS + such peering relation is called Complex. An example is when the + peering relationship is Provider-to-Customer for some prefixes while + it is Peer-to-Peer for other prefixes [Gao]. + A BGP speaker may apply policy to reduce what is announced, and a recipient may apply policy to reduce the set of routes they accept. Violation of the above rules may result in route leaks. Automatic enforcement of these rules should significantly reduce route leaks that may otherwise occur due to manual configuration mistakes. As specified in Section 4, the Only to Customer (OTC) Attribute is used to identify all the routes in the AS that have been received from a Peer, Provider, or RS. 3. BGP Role The BGP Role characterizes the relationship between the eBGP speakers forming a session. One of the Roles described below SHOULD be configured at the local AS for each eBGP session (see definitions in Section 1.1) based on the local AS's knowledge of its Role. The only - exception is when the eBGP connection is 'complex' (see Section 5). - + exception is when the eBGP connection is Complex (see Section 5). BGP Roles are mutually confirmed using the BGP Role Capability (described in Section 3.1) on each eBGP session. Allowed Roles for eBGP sessions are: o Provider - the local AS is a transit Provider of the remote AS; o Customer - the local AS is a transit Customer of the remote AS; o RS - the local AS is a Route Server (usually at an Internet @@ -235,21 +245,22 @@ 3.2. Role Correctness Section 3.1 described how BGP Role encodes the relationship on each eBGP session between autonomous systems (ASes). The mere receipt of BGP Role Capability does not automatically guarantee the Role agreement between two eBGP neighbors. If the BGP Role Capability is advertised, and one is also received from the peer, the roles MUST correspond to the relationships in Table 2. If the roles do not correspond, the BGP speaker MUST reject the - connection using the Role Mismatch Notification (code 2, subcode 8). + connection using the Role Mismatch Notification (code 2, subcode + TBD). +---------------+----------------+ | Local AS Role | Remote AS Role | +---------------+----------------+ | Provider | Customer | | Customer | Provider | | RS | RS-Client | | RS-Client | RS | | Peer | Peer | +---------------+----------------+ @@ -259,53 +270,54 @@ For backward compatibility, if the BGP Role Capability is sent but one is not received, the BGP Speaker SHOULD ignore the absence of the BGP Role Capability and proceed with session establishment. The locally configured BGP Role is used for the procedures described in Section 4. An operator may choose to apply a "strict mode" in which the receipt of a BGP Role Capability from the remote AS is required. When operating in the "strict mode", if the BGP Role Capability is sent, but one is not received, then the connection is rejected using the - Role Mismatch Notification (code 2, subcode 8). See comments in + Role Mismatch Notification (code 2, subcode TBD). See comments in Section 7. If an eBGP speaker receives multiple but identical BGP Role Capabilities with the same value in each, then the speaker must consider it to be a single BGP Role Capability and proceed [RFC5492]. If multiple BGP Role Capabilities are received and not all of them have the same value, then the BGP speaker MUST reject the connection - using the Role Mismatch Notification (code 2, subcode 8). + using the Role Mismatch Notification (code 2, subcode TBD). - The BGP Role value for the local AS is used in the route leak + The BGP Role value for the local AS (in conjunction with the OTC + Attribute in the received UPDATE message) is used in the route leak prevention and detection procedures described in Section 4. 4. BGP Only to Customer (OTC) Attribute The Only to Customer (OTC) Attribute is an optional transitive path - attribute with Attribute Type Code 35 and a length of 4 octets. The - purpose of this attribute is to guarantee that once a route is sent - to a Customer, Peer, or RS-Client, it will subsequently go only to - Customers. The attribute value is an AS number (ASN) determined by - the policy described below. + attribute of the UPDATE message with Attribute Type Code 35 and a + length of 4 octets. The purpose of this attribute is to guarantee + that once a route is sent to a Customer, Peer, or RS-Client, it will + subsequently go only to Customers. The attribute value is an AS + number (ASN) determined by the policy described below. The following ingress policy applies to the processing of the OTC Attribute: 1. If a route with the OTC Attribute is received from a Customer or RS-Client, then it is a route leak and MUST be considered ineligible (see Section 1.1). - 2. If a route with the OTC Attribute is received from a Peer and at - least one of the OTC Attributes has a value that is not equal to - the remote (i.e., Peer's) AS number, then it is a route leak and - MUST be considered ineligible. + 2. If a route with the OTC Attribute is received from a Peer and the + Attribute has a value that is not equal to the remote (i.e., + Peer's) AS number, then it is a route leak and MUST be considered + ineligible. 3. If a route is received from a Provider, Peer, or RS, and the OTC Attribute is not present, then it MUST be added with a value equal to the AS number of the remote AS. The following egress policy applies to the processing of the OTC Attribute: 1. If a route is to be advertised to a Customer, Peer, or RS-Client (when the sender is an RS), and the OTC Attribute is not present, @@ -345,47 +357,38 @@ The procedures specified in this document in scenarios that use private AS numbers behind an Internet-facing ASN (e.g., a data center network [RFC7938] or stub customer) may be used, but any details are outside the scope of this document. On egress from the Internet- facing AS, the OTC Attribute MUST NOT contain a value other than the Internet-facing ASN. Once the OTC Attribute has been set, it MUST be preserved unchanged (this also applies to an AS Confederation). - Correct implementation of the procedures specified in this document - is not expected to result in the presence of multiple OTC Attributes - in an UPDATE. However, if an eBGP speaker receives multiple OTC - Attributes with a route, then the only difference in the processing - is in Step 2 of the ingress policy. - The described ingress and egress policies are applicable only for unicast IPv4 and IPv6 address families and MUST NOT be applied to other address families by default. The operator MUST NOT have the ability to modify the policies defined in this section. 5. Additional Considerations - There are peering relationships that are 'complex', i.e., both - parties intentionally advertise prefixes received from each other to - their Peers and/or transit Providers. If multiple eBGP sessions can - segregate the 'complex' parts of the relationship, then the complex - peering roles can be segregated into different normal eBGP sessions, - and BGP Roles MUST be used on each of the resulting normal (non- - complex) eBGP sessions. + Roles MUST NOT be configured on an eBGP session with a Complex + peering relationship. If multiple eBGP sessions can segregate the + Complex peering relationship into eBGP sessions with normal peering + relationships, BGP Roles SHOULD be used on each of the resulting eBGP + sessions. - No Roles SHOULD be configured on a 'complex' eBGP session (assuming - it is not segregated). An operator may want to achieve an equivalent - outcome by configuring policies on a per-prefix basis to follow the - definitions of peering relations as described in Section 2. However, - in this case, there are no built-in measures to check the correctness - of the per-prefix peering configuration. + An operator may want to achieve an equivalent outcome by configuring + policies on a per-prefix basis to follow the definitions of peering + relations as described in Section 2. However, in this case, there + are no built-in measures to check the correctness of the per-prefix + peering configuration. The incorrect setting of BGP Roles and/or OTC Attributes may affect prefix propagation. Further, this document does not specify any special handling of incorrect AS numbers in the OTC Attribute. 6. IANA Considerations IANA has registered a new BGP Capability (Section 3.1) in the "Capability Codes" registry's "IETF Review" range [RFC5492]. The description for the new capability is "BGP Role". IANA has assigned @@ -409,21 +412,21 @@ | 2 | RS-Client | This document | | 3 | Customer | This document | | 4 | Peer (i.e., Lateral Peer) | This document | | 5-255 | To be assigned by IETF Review | +-------+--------------------------------+---------------+ Table 3: IANA Registry for BGP Role IANA has registered a new OPEN Message Error subcode named the "Role Mismatch" (see Section 3.2) in the OPEN Message Error subcodes - registry. IANA has assigned the value 8 [to be removed upon + registry. IANA has assigned the value TBD [to be removed upon publication: https://www.iana.org/assignments/bgp-parameters/bgp- parameters.xhtml#bgp-parameters-6]. This document is the reference for the new subcode. IANA has also registered a new path attribute named "Only to Customer (OTC)" (see Section 4) in the "BGP Path Attributes" registry. IANA has assigned code value 35 [To be removed upon publication: http://www.iana.org/assignments/bgp-parameters/bgp- parameters.xhtml#bgp-parameters-2]. This document is the reference for the new attribute.