| draft-ietf-idr-deprecate-as-sets-03.txt | draft-ietf-idr-deprecate-as-sets-04.txt | |||
|---|---|---|---|---|
| Network Working Group W. Kumari | Network Working Group W. Kumari | |||
| Internet-Draft Google, Inc. | Internet-Draft Google, Inc. | |||
| Intended status: Informational K. Sriram | Intended status: Informational K. Sriram | |||
| Expires: October 24, 2011 U.S. NIST | Expires: November 2, 2011 U.S. NIST | |||
| April 22, 2011 | May 1, 2011 | |||
| Deprecation of the use of BGP AS_SET, AS_CONFED_SET. | Deprecation of the use of BGP AS_SET, AS_CONFED_SET. | |||
| draft-ietf-idr-deprecate-as-sets-03 | draft-ietf-idr-deprecate-as-sets-04 | |||
| Abstract | Abstract | |||
| This document deprecates the use of the AS_SET and AS_CONFED_SET | This document deprecates the use of the AS_SET and AS_CONFED_SET | |||
| types of the AS_PATH in BGPv4. This is done to simplify the design | types of the AS_PATH in BGPv4. This is done to simplify the design | |||
| and implementation of the BGP protocol and to make the semantics of | and implementation of the BGP protocol and to make the semantics of | |||
| the originator of a route more clear. This will also simplify the | the originator of a route more clear. This will also simplify the | |||
| design, implementation and deployment of ongoing work in the Secure | design, implementation and deployment of ongoing work in the Secure | |||
| Inter-Domain Routing Working Group. | Inter-Domain Routing Working Group. | |||
| skipping to change at page 1, line 36 | skipping to change at page 1, line 36 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 24, 2011. | This Internet-Draft will expire on November 2, 2011. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 16 | skipping to change at page 2, line 16 | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Requirements notation . . . . . . . . . . . . . . . . . . . . . 3 | 2. Requirements notation . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Recommendation to Network Operators . . . . . . . . . . . . . . 4 | 3. Recommendation to Network Operators . . . . . . . . . . . . . . 4 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 4 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 4 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 4 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 7. Informative References . . . . . . . . . . . . . . . . . . . . 5 | 7. Informative References . . . . . . . . . . . . . . . . . . . . 5 | |||
| Appendix A. Proxy Aggregation without AS_SETs . . . . . . . . . . 5 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 | ||||
| 1. Introduction | 1. Introduction | |||
| The AS_SET path segment type of the AS_PATH attribute ([RFC4271], | The AS_SET path segment type of the AS_PATH attribute ([RFC4271], | |||
| Section 4.3) is created by a router that is performing route | Section 4.3) is created by a router that is performing route | |||
| aggregation and contains an unordered set of ASs that the update has | aggregation and contains an unordered set of ASs that the update has | |||
| traversed. The AS_CONFED_SET path type ([RFC5065]) of the AS_PATH | traversed. The AS_CONFED_SET path type ([RFC5065]) of the AS_PATH | |||
| attribute is created by a router that is performing route aggregation | attribute is created by a router that is performing route aggregation | |||
| and contains an unordered set of Member AS Numbers in the local | and contains an unordered set of Member AS Numbers in the local | |||
| confederation that the update has traversed. It is very similar to | confederation that the update has traversed. It is very similar to | |||
| skipping to change at page 3, line 40 | skipping to change at page 3, line 40 | |||
| In the past AS_SET had been used in a few rare cases to allow route | In the past AS_SET had been used in a few rare cases to allow route | |||
| aggregation where two or more providers could form the same prefix, | aggregation where two or more providers could form the same prefix, | |||
| using the exact match of the others prefix in some advertisement and | using the exact match of the others prefix in some advertisement and | |||
| configuring the aggregation differently elsewhere. The key to | configuring the aggregation differently elsewhere. The key to | |||
| configuring this correctly was to form the aggregate at the border in | configuring this correctly was to form the aggregate at the border in | |||
| the outbound BGP policy and omit prefixes from the AS that the | the outbound BGP policy and omit prefixes from the AS that the | |||
| aggregate was being advertised to. The AS_SET therefore allowed this | aggregate was being advertised to. The AS_SET therefore allowed this | |||
| practice without the loss of BGP's AS_PATH loop protection. This use | practice without the loss of BGP's AS_PATH loop protection. This use | |||
| of AS_SET served a purpose which fell in line with the original | of AS_SET served a purpose which fell in line with the original | |||
| intended use. Without AS_SET aggregates must always contain only | intended use. | |||
| less specific prefixes (not less than or equal to), and must never | ||||
| aggregate an exact match. Since this practice is thought to no | Without AS_SET aggregates must always contain only less specific | |||
| longer be widely used, it is thought to be safe to deprecate the use | prefixes (not less than or equal to), and must never aggregate an | |||
| of AS_SET. | exact match. Since this practice is thought to no longer be widely | |||
| used, it is thought to be safe to deprecate the use of AS_SET. | ||||
| 2. Requirements notation | 2. Requirements notation | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 3. Recommendation to Network Operators | 3. Recommendation to Network Operators | |||
| Operators are strongly advised to not generate any new announcements | Operators are strongly advised to not generate any new announcements | |||
| containing AS_SETs or AS_CONFED_SETs. If they have already announced | containing AS_SETs or AS_CONFED_SETs. If they have already announced | |||
| routes with AS_SETs or AS_CONFED_SETs in them, then they should | routes with AS_SETs or AS_CONFED_SETs in them, then they should | |||
| withdraw and re-announce those prefixes without AS_SETs in the | withdraw and re-announce those prefixes without AS_SETs in the | |||
| updates. This may require undoing the aggregation that was | updates. This may require undoing the aggregation that was | |||
| previously performed, and announcing more specifics. Route | previously performed, and announcing more specifics. Route | |||
| aggregation is possible under some conditions without the use of | aggregation that was previously performed by proxy aggregation is | |||
| AS_SETs (please see Appendix A for relevant discussion and | still possible under some conditions without the use of AS_SETs. As | |||
| suggestions). As with any change, the operator should understand the | with any change, the operator should understand the full implications | |||
| full implications of the change. | of the change. | |||
| It is worth noting that new technologies (such as those that take | It is worth noting that new technologies (such as those that take | |||
| advantage of the "X.509 Extensions for IP Addresses and AS | advantage of the "X.509 Extensions for IP Addresses and AS | |||
| Identifiers" ([RFC3779]) may not support routes with AS_SETs / | Identifiers" ([RFC3779]) may not support routes with AS_SETs / | |||
| AS_CONFED_SETs in them, and MAY treat as infeasible routes containing | AS_CONFED_SETs in them, and MAY treat as infeasible routes containing | |||
| them. Future BGP implementations may also do the same. | them. Future BGP implementations may also do the same. | |||
| It is expected that, even before the deployment of these | It is expected that, even before the deployment of these | |||
| technologies, operators may begin filtering routes that contain | technologies, operators may begin filtering routes that contain | |||
| AS_SETs or AS_CONFED_SETs. | AS_SETs or AS_CONFED_SETs. | |||
| skipping to change at page 5, line 4 | skipping to change at page 5, line 4 | |||
| on it. | on it. | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| The authors would like to thank Tony Li, Randy Bush, John Scudder, | The authors would like to thank Tony Li, Randy Bush, John Scudder, | |||
| Curtis Villamizar, Danny McPherson, Chris Morrow, Tom Petch, Ilya | Curtis Villamizar, Danny McPherson, Chris Morrow, Tom Petch, Ilya | |||
| Varlashkin as well as Douglas Montgomery, Enke Chen, Florian Weimer, | Varlashkin as well as Douglas Montgomery, Enke Chen, Florian Weimer, | |||
| Jakob Heitz, John Leslie, Keyur Patel, Paul Jakma, Rob Austein, Russ | Jakob Heitz, John Leslie, Keyur Patel, Paul Jakma, Rob Austein, Russ | |||
| Housley, Sandra Murphy, Steve Bellovin, Steve Kent, Steve Padgett, | Housley, Sandra Murphy, Steve Bellovin, Steve Kent, Steve Padgett, | |||
| Alfred Hones, Alvaro Retana, everyone in IDR and everyone else who | Alfred Hones, Alvaro Retana, everyone in IDR and everyone else who | |||
| provided input. | provided input | |||
| Apologies to those who I may have missed, it was not intentional. | Apologies to those who we may have missed, it was not intentional. | |||
| 7. Informative References | 7. Informative References | |||
| [RFC1930] Hawkinson, J. and T. Bates, "Guidelines for creation, | [RFC1930] Hawkinson, J. and T. Bates, "Guidelines for creation, | |||
| selection, and registration of an Autonomous System (AS)", | selection, and registration of an Autonomous System (AS)", | |||
| BCP 6, RFC 1930, March 1996. | BCP 6, RFC 1930, March 1996. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP | [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP | |||
| Addresses and AS Identifiers", RFC 3779, June 2004. | Addresses and AS Identifiers", RFC 3779, June 2004. | |||
| [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway | [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway | |||
| Protocol 4 (BGP-4)", RFC 4271, January 2006. | Protocol 4 (BGP-4)", RFC 4271, January 2006. | |||
| [RFC5065] Traina, P., McPherson, D., and J. Scudder, "Autonomous | [RFC5065] Traina, P., McPherson, D., and J. Scudder, "Autonomous | |||
| System Confederations for BGP", RFC 5065, August 2007. | System Confederations for BGP", RFC 5065, August 2007. | |||
| Appendix A. Proxy Aggregation without AS_SETs | ||||
| Using the illustration in Figure 1 below, we attempt to point out how | ||||
| an aggregating AS can perform proxy aggregation without using an | ||||
| AS_SET in the aggregate announcement. | ||||
| In Figure 1, more specific prefixes p0/24, p1/24, p2/24, and p3/24 | ||||
| are originated by AS-A, AS-B, AS-C, and AS-D, respectively. AS-E and | ||||
| AS-F choose not to aggregate; they forward the more specifics to | ||||
| AS-G. AS-G aggregates the four more specifics into a single less | ||||
| specific prefix p/22, and propagates updates in BGP to its neighbors | ||||
| (including AS-E and AS-F) to announce the p/22 prefix. If G were to | ||||
| insert the AS_SET [A,B,C,D,E,F] in the update, then AS-E and AS-F | ||||
| will be aware of the looping possibility and not install the route | ||||
| for p/22. The undesirable consequence here would be that AS-E would | ||||
| not have reachability to p2/24 and p3/24, and similarly AS-F would | ||||
| not have reachability to p0/24 and p1/24. So there is a hidden | ||||
| downside of this nature in proxy aggregation with the use of AS_SET. | ||||
| Now consider the case when AS-G performs the same aggregation but | ||||
| does not use an AS_SET in the aggregate announcement. The following | ||||
| recommendation is in order: | ||||
| o An AS should proxy aggregate only prefixes which belong to its | ||||
| administrative domain. | ||||
| With this recommendation in mind, we attempt to explain here how the | ||||
| data-plane looping possibility can still be avoided, and the | ||||
| reachability problem identified above is also prevented. | ||||
| In Figure 1, please take note of the aggregate announcements (without | ||||
| AS_SET) from AS-G to its neighbors. Absent the AS_SET in the | ||||
| aggregate announcement, now AS-E and AS-F would install the route for | ||||
| p/22 via AS-G in their routing tables. So AS-E will have | ||||
| reachability to p2/24 and p3/24, and similarly AS-F will have | ||||
| reachability to p0/24 and p1/24. Also, the looping possibility | ||||
| between AS-E and AS-G (and likewise between AS-F and AS-G) is avoided | ||||
| provided that AS-G observes a slight caution in its aggregation | ||||
| decision and packet forwarding. As already stated, AS-G should | ||||
| aggregate only those prefixes which belong in its admin domain, and | ||||
| secondly if any of those prefixes are withdrawn then AS-G should drop | ||||
| the route for that prefix from its FIB even though it still maintains | ||||
| the aggregation and continues to announce p/22 to its neighbors. If | ||||
| AS-E were to withdraw a prefix (say, p1/24) then AS-G will no longer | ||||
| forward packets for that prefix to AS-E. Hence, under said | ||||
| circumstance, even though AS-E may forward packets for p1/24 to AS-G, | ||||
| those packets will be dropped at AS-G and thus data-plane looping | ||||
| would not occur. The other reason for recommending aggregation of | ||||
| prefixes from within the same admin domain is that in that case, the | ||||
| aggregating AS (AS-G in the example) can create a ROA (in the RPKI | ||||
| repository) for the aggregate (p/22) showing itself (AS-G) as the | ||||
| origin. | ||||
| p0/24--A Update {E,A, p0/24} --> | ||||
| \ Update {E,B, p1/24} --> | ||||
| E-------------------------------\ | ||||
| / <-- Update {G, p/22} \ | ||||
| p1/24--B (w/o AS_SET) \ | ||||
| or \ | ||||
| <-- Update {G,[A,B,C,D,E,F], p/22} \ | ||||
| (with AS_SET) \ | ||||
| \ | ||||
| \ | ||||
| \ | ||||
| \ | ||||
| G---------H | ||||
| <-- Update {G, p/22} / ---> | ||||
| (w/o AS_SET) / same aggregate | ||||
| or / update as sent | ||||
| p2/24--C <-- Update {G,[A,B,C,D,E,F], p/22} / to E or F | ||||
| \ (with AS_SET) / | ||||
| F-----------------------------------/ | ||||
| / Update {F,C, p2/24} --> | ||||
| p3/24--D Update {F,D, p3/24} --> | ||||
| Note: p0/24+p1/24+p2/24+p3/24 = p/22 | ||||
| BGP speaker G has chosen to Aggregate | ||||
| Figure 1: Illustration for discussion of loop possibility in data | ||||
| forwarding when AS_SET is not used and how it can be mitigated. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Warren Kumari | Warren Kumari | |||
| Google, Inc. | Google, Inc. | |||
| 1600 Amphitheatre Parkway | 1600 Amphitheatre Parkway | |||
| Mountain View, CA 94043 | Mountain View, CA 94043 | |||
| US | US | |||
| Phone: +1 571 748 4373 | Phone: +1 571 748 4373 | |||
| Email: warren@kumari.net | Email: warren@kumari.net | |||
| End of changes. 9 change blocks. | ||||
| 98 lines changed or deleted | 17 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||