draft-ietf-maxprefix/todo at master · stucchimax/draft-ietf-maxprefix · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
Todo:

feedback from Sue Hares 3 september 2019
    - rename from grow to idr
    - update 4271 (but not 4486, since 4486 links to 4271)
    - recycle cease code 1 for both pre and post inbound policy
    - new cease notififation subcode for outbound
rfc 4271
    - page 45 / event 8 AutomaticStop, expand
    - page 71 /

permutations in new world:
    - inbound pre-policy limit, keep session open, don't accept new
    - inbound pre-policy limit, close session
    - inbound post-policy limit, keep session open, don't accept new
    - inbound post-policy limit, close session
    - outbound post-policy limit, keep session open, don't send <<--- moeilijk
    - outbound post-policy limit, close session

feedback from IETF 104:

    - talk with John & Susan from IDR whether the document belongs there or in GROW
    - discuss what things can be done when outbound threshold is met (igor/john)
    - make it very clear that the outbound limit is post-policy (reudiger)
    - jared mauch wants to help

feedback from IETF 105:

    - make it clear that this is a *hard* cease, reference rfc8538, thank jacob + robert

Document structuur:

introduction:
    probleem stelling
    oplossing

control theory:
    valves
    fail closed
    prioritise security over convinience

inbound maximum prefix limits
    type A: pre-policy
        - describe placement in conceptual model: Adj-RIB-In
        - protect against full table leaks
        - RIB exhaustion
        - 'soft reconfiguration inbound' needed to do pre-policy

    type B: post-policy
        - describe placement in conceptual model: after PIB in Adj-RIB-In -> Loc-RIB
        - protect against FIB exhaution

outbound maximum prefix limits
    type C: (implicitly) post-policy
        - describe placement in conceptual model: Adj-RIB-Out
        - dead man's switch
        - protects others against your own misconfigurations

considerations when using Multi Protocol BGP-4:
    - best current practise is to do ipv4 over ipv4, ipv6 over ipv6
    - isolation between AFIs / fate sharing between AFIs on single session
    - implementors should be able to specify per AFI limits

how to decide on how high or low to set limits

known implementations

IANA:
    - update https://www.iana.org/assignments/bgp-parameters/bgp-parameters.xhtml#bgp-parameters-8 that '1 is used for inbound'
    - request new cease notification for outbound limit reached

references:

    RFC 4271, 8.2.2.  Finite State Machine:
        "One reason for an AutomaticStop event is: A BGP receives an UPDATE
        messages with a number of prefixes for a given peer such that the
        total prefixes received exceeds the maximum number of prefixes
        configured.  The local system automatically disconnects the peer."

    RFC 4486 "Subcodes for BGP Cease Notification Message"
        "If a BGP speaker decides to terminate its peering with a neighbor
        because the number of address prefixes received from the neighbor
        exceeds a locally configured upper bound (as described in [BGP-4]),
        then the speaker MUST send to the neighbor a NOTIFICATION message
        with the Error Code Cease and the Error Subcode "Maximum Number of
        Prefixes Reached".  The message MAY optionally include the Address
        Family information [BGP-MP] and the upper bound in the "Data" field,
        as shown in Figure 1, where the meaning and use of the <AFI, SAFI>
        tuple is the same as defined in [BGP-MP], Section 7."

   RFC 7908 - route leak definitions