Mailing List Archive

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

On 12/19/20 10:45, Saku Ytti wrote:

> I think the community largely got blindsided by this, I suspect
> marketability of the whole solution would have been a lot poorer if
> this argument was thrown around at standardisation. However, that ship
> has sailed, we can implement new cheaper methods, but the damage is
> done and it will be there long after we've retired.
>
> I know I got blindsided, and it was so obvious, but not a problem I
> was aware until a customer complained about excessive refresh. It
> would be funny to analyse how much more wattage is drawn because of
> this globally. how many early control-plane upgrades. Is it
> immaterial or material? I don't know. But it does seem to put some
> customers control-planes over the edge.

We suffered with this a great deal when we used ASR9001's for peering. A
bunch of peers complained about it, to the extent that they had to drop
sessions.

Problem was fixed by moving to the MX204. Not elegant, and an
unnecessary spend.

Mark.
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

On 12/19/20 11:13, Robert Raszuk wrote:

> Jakob,
>
> It has been a while, but IIRC the original idea for the validation was
> that regardless if this is done by configuration enabling pre-best
> path eligibility or in route map no path will be dropped. At no point
> in the BGP design discussions there was a plan to automatically do any
> of this. So your REFRESH story or soft-in alternative sound like the
> original plan has somehow changed.
>
> See even if you validate in route map you may just mark it
> not-eligible or set higher local pref for VALID etc .... I am not sure
> how anyone could come with the idea to just drop there.
>
> So IMHO there is nothing wrong with specification.
>
> It is suboptimal implementation or configuration which needs to be
> fixed. It beats me why it is taking so long ...

Absolutely!

The spec. is clear on nodes only performing validation at the behest of
the operator, and never automatically or inherently.

This is a Cisco-specific issue, and either a mis-interpretation of the
RFC, or a workaround to the impact of the spec. on their implementation.

Mark.
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Hi,

On Sat, Dec 19, 2020 at 10:13:36AM +0100, Robert Raszuk wrote:
> See even if you validate in route map you may just mark it not-eligible or
> set higher local pref for VALID etc .... I am not sure how anyone could
> come with the idea to just drop there.

In the face of invalid more-specifics, the "local-pref" thing just plain
doesn't work.

So "ineligible or drop for INVALID" is the only option.

We do "drop in route-map", on ASR 9k, and this thread has me thinking if
this was a good idea. As far as I know, no way to set "ineligible" from
a route-map. Is there?

So back to the drawing board.

gert

--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany gert@greenie.muc.de

> As far as I know, no way to set "ineligible" from a route-map. Is there?

A workaround could be to set unreachable next hop instead of dropping :)
That automatically disables such path from best path comparison yet it
keeps in BGP.

But as said implementation could make it easier with a knob.

The question to ask if you want to advertise INVALID paths around ? Even if
not best path once you enable add-paths it may be advertised.

Thx,
R.


On Sat, Dec 19, 2020 at 10:47 AM Gert Doering <gert@greenie.muc.de> wrote:

> Hi,
>
> On Sat, Dec 19, 2020 at 10:13:36AM +0100, Robert Raszuk wrote:
> > See even if you validate in route map you may just mark it not-eligible
> or
> > set higher local pref for VALID etc .... I am not sure how anyone could
> > come with the idea to just drop there.
>
> In the face of invalid more-specifics, the "local-pref" thing just plain
> doesn't work.
>
> So "ineligible or drop for INVALID" is the only option.
>
> We do "drop in route-map", on ASR 9k, and this thread has me thinking if
> this was a good idea. As far as I know, no way to set "ineligible" from
> a route-map. Is there?
>
> So back to the drawing board.
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never
> doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh
> Mistress
>
> Gert Doering - Munich, Germany
> gert@greenie.muc.de
>
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Hi,

On Sat, Dec 19, 2020 at 11:02:16AM +0100, Robert Raszuk wrote:
> > As far as I know, no way to set "ineligible" from a route-map. Is there?
>
> A workaround could be to set unreachable next hop instead of dropping :)
> That automatically disables such path from best path comparison yet it
> keeps in BGP.

Interesting trick. Need to test.

> But as said implementation could make it easier with a knob.
>
> The question to ask if you want to advertise INVALID paths around ? Even if
> not best path once you enable add-paths it may be advertised.

We do not use add-paths today, but if we did, I wouldn't want INVALIDs
advertised anywhere.

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany gert@greenie.muc.de

On Sat, 19 Dec 2020 at 10:40, Gert Doering <gert@greenie.muc.de> wrote:
>
> Hi,
>
> On Sat, Dec 19, 2020 at 10:13:36AM +0100, Robert Raszuk wrote:
> > See even if you validate in route map you may just mark it not-eligible or
> > set higher local pref for VALID etc .... I am not sure how anyone could
> > come with the idea to just drop there.
>
> In the face of invalid more-specifics, the "local-pref" thing just plain
> doesn't work.
>
> So "ineligible or drop for INVALID" is the only option.
>
> We do "drop in route-map", on ASR 9k, and this thread has me thinking if
> this was a good idea. As far as I know, no way to set "ineligible" from
> a route-map. Is there?

soft-reconfig inbound always amounts to 100 MB of memory consumption
for a v4 + v6 full feed as of last week on 32-bit XR. I can live with
100MB of memory consumption per full feed, so I'm doing soft-reconfig
inbound always everywhere. This also helps with troubleshooting.


lukas
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

On Sat, 19 Dec 2020 at 13:45, Lukas Tribus <lukas@ltri.eu> wrote:

> soft-reconfig inbound always amounts to 100 MB of memory consumption
> for a v4 + v6 full feed as of last week on 32-bit XR. I can live with
> 100MB of memory consumption per full feed, so I'm doing soft-reconfig
> inbound always everywhere. This also helps with troubleshooting.

It is also DRAM exhaustion attack vector. But of course routers are
extremely fragile and anyone motivated can easily bring them down by
plethora of methods. Even with max-prefix it may be, as max-prefix may
mean before or after policy count, depending on platform and
configuration toggle.

--
++ytti
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Hello Jakob,


On Fri, 18 Dec 2020 at 07:58, Jakob Heitz (jheitz) <jheitz@cisco.com> wrote:
>
> Hi Lukas, Mark, Ben,
>
> The default bestpath prefix-validate behavior treats invalid routes
> as unfeasible and prefers valid routes over not-found.
>
> The default bestpath prefix-validate behavior cannot be used unless
> all paths of a net have the correct RPKI validity. That can only
> happen if all EBGP sessions into an AS validate their incoming
> routes and apply the RFC8097 extended community.

First of all let me say that I appreciate your effort to improve the
situation very much, thank you for this.

The problem is that this is not a "default". If this would be a
default, we could just disable it. However we can only disable it by
disabling validation, which is incorrect according to the
documentation (see below).

I understand that this works just fine in a greenfield deployment
(just deploy the network with everything enabled), but I never
understood how this implementation should work in existing networks.

An existing network would need to enable validation on all routers
SIMULTANEOUSLY. If this is a small shop, let's say 5 routers, maybe
they could bypass change management procedures, get both engineers in
a room, each engineer enables RPKI validation on 2 routers as fast as
possible, and maybe they could get Janice from Accounting to help on
the fifth terminal for Router nr 5 ("just hit the Enter button,
Janice") on the terminal of the fifth router. The deployment would be
quasi-simultaneously and routing anomalies would be limited to a short
period of time.

But you cannot make a configuration change atomically across an entire
backbone, and also even if this would be technically possible, nobody
would ever approve this change because the risk is just too great.

"We will shutdown our entire fully redundant and geographically
diverse AS for 2 hours on Saturday as we deploy RPKI ROV" <-- that's
not how SP's deploy new features.

Network operators need to be able to roll this out over a period of
time and rollback the configuration on individual nodes, based on the
operational requirements.

I understand that there are configuration knobs that impact best path
selection that will have such effects, like the bgp best-path med
knobs. That doesn't mean RPKI ROV has to be.



> If these conditions are not satisfied, then you cannot use the
> bestpath prefix-validate behavior and you must use
> route-maps to process the RPKI validity, like this:
>
> router bgp ...
> bgp rpki server tcp [...]
> address-family ipv4
> bgp bestpath prefix-validate disable
> [...]
> route-map RM_EBGP_IN deny 10
> match rpki invalid
> [...]

Which also disables any visibility into the RPKI status in the routing
table. At least we can drop RPKI invalids this way, although it does
come with the complete lack of visibility. Also there is the issue you
mention in your subsequent email (router refresh, CPU load, memory
exhaustion with soft-reconfig inbound always).



> I have a proposal to improve the bestpath prefix-validate behavior
> to better match how most operators use it. By a new configuration,
> I would treat valid and not-found with the same preference. Invalid
> would continue to be unfeasible. Then, a received IBGP route without
> the RFC8097 community will be fine.


All those years the documentation already claims that this should work
by just allowing invalids [1]:

> - You can completely disable the validation of prefixes [...]
> - You can allow an invalid prefix to be used as the BGP best path [...]
> [...]
> During BGP best path selection, the default behavior, ***if neither of the
> above options is configured***, is that the system will prefer prefixes in
> the following order:

It's just not actually implemented this way.

If you want to introduce a new configuration knob, please just do it
EXACTLY like IOS-XR: if the new code path is used, there needs to be
NO best path intervention, NONE whatsoever, not even for INVALIDs.

XR only modifies the bestpath when enabling the (afaik non-default) option:

bgp bestpath origin-as use validity behavior

It will not change anything based on the RPKI validation status
without this option enabled, not even for invalids.


Let's not introduce yet another bandaid change for one single specific
routing anomalie, that still doesn't fully disable best path
intervention. Let's get it right this time.



Thank you!

Lukas


[1] https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-17/irg-xe-17-book/bgp-origin-as-validation.html
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

> Robert Raszuk
> Sent: Saturday, December 19, 2020 10:02 AM
>
> > As far as I know, no way to set "ineligible" from a route-map. Is
there?
>
> A workaround could be to set unreachable next hop instead of dropping :)
> That automatically disables such path from best path comparison yet it
keeps
> in BGP.
>
> But as said implementation could make it easier with a knob.
>
Yeah I was thinking along the same lines, keep it in BGP for sure, just not
use it for actual data routing, (if that's the desired local policy).
(was thinking filtering invalids on RIB->FIB level, BGP table map/selective
route download -and limit the churn between RIB and FIB on a local box
rather than BGP between boxes).
-is there an option to filter invalids at the table map/selective route
download attach point?

> The question to ask if you want to advertise INVALID paths around ? Even
if
> not best path once you enable add-paths it may be advertised.
>
Well I'd say yes?
-to leave BGP in a role of a messenger, then let each individual box/AS
decide locally what to do (with the message).

adam


_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

> Saku Ytti
> Sent: Saturday, December 19, 2020 12:57 PM
>
> On Sat, 19 Dec 2020 at 13:45, Lukas Tribus <lukas@ltri.eu> wrote:
>
> > soft-reconfig inbound always amounts to 100 MB of memory consumption
> > for a v4 + v6 full feed as of last week on 32-bit XR. I can live with
> > 100MB of memory consumption per full feed, so I'm doing soft-reconfig
> > inbound always everywhere. This also helps with troubleshooting.
>
> It is also DRAM exhaustion attack vector. But of course routers are
extremely
> fragile and anyone motivated can easily bring them down by plethora of
> methods. Even with max-prefix it may be, as max-prefix may mean before or
> after policy count, depending on platform and configuration toggle.
>
Good point, also all the potential attribute filtering (in XR) would it be
applied prior to accepting the route into soft-reconfig version of the
table?
I guess the enhance bgp error correction would kick in prior to letting the
malformed update (i.e. at the update process time).

adam


_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

> was thinking filtering invalids on RIB->FIB level,

Globally this would not work as in global RIB only best path is installed
(unless you run multipath).

Even for bRIB it would be the same.

The selection of eligible paths must happen prior to best path selection
for a given net.

Thx,
R.


On Mon, Dec 21, 2020 at 5:03 PM <adamv0025@netconsultings.com> wrote:

> > Robert Raszuk
> > Sent: Saturday, December 19, 2020 10:02 AM
> >
> > > As far as I know, no way to set "ineligible" from a route-map. Is
> there?
> >
> > A workaround could be to set unreachable next hop instead of dropping :)
> > That automatically disables such path from best path comparison yet it
> keeps
> > in BGP.
> >
> > But as said implementation could make it easier with a knob.
> >
> Yeah I was thinking along the same lines, keep it in BGP for sure, just not
> use it for actual data routing, (if that's the desired local policy).
> (was thinking filtering invalids on RIB->FIB level, BGP table map/selective
> route download -and limit the churn between RIB and FIB on a local box
> rather than BGP between boxes).
> -is there an option to filter invalids at the table map/selective route
> download attach point?
>
> > The question to ask if you want to advertise INVALID paths around ? Even
> if
> > not best path once you enable add-paths it may be advertised.
> >
> Well I'd say yes?
> -to leave BGP in a role of a messenger, then let each individual box/AS
> decide locally what to do (with the message).
>
> adam
>
>
>
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

On Mon, 21 Dec 2020 at 18:07, <adamv0025@netconsultings.com> wrote:

> Good point, also all the potential attribute filtering (in XR) would it be
> applied prior to accepting the route into soft-reconfig version of the
> table?

IOS-XR is only post-policy. So whatever you reject does not contribute
towards the limit, allowing DRAM exhaustion attack.
SROS is only pre-policy. So if someone leaks bad prefixes you reject
in policy, it's still going to be flap, potentially BGP reset attack.
JunOS supports pre and post.

Both are needed as they protect from different issues.
--
++ytti
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/