rfcdiff: draft-ietf-grow-filtering-threats-04.txt vs draft-ietf-grow-filtering-threats-05.txt
(lines that differ between the two drafts are shown as -04: / -05: pairs; text common to both is shown once)
Network Working Group                                      Camilo Cardona
Internet-Draft                                        IMDEA Networks/UC3M
Intended status: Informational                            Pierre Francois
-04: Expires: August 13, 2015                              IMDEA Networks
-05: Expires: August 27, 2015
                                                            Paolo Lucente
                                                            Cisco Systems
-04:                                                     February 9, 2015
-05:                                                    February 23, 2015

         Impact of BGP filtering on Inter-Domain Routing Policies
-04:             draft-ietf-grow-filtering-threats-04
-05:             draft-ietf-grow-filtering-threats-05
Abstract

   This document describes how unexpected traffic flows can emerge
   across an autonomous system, as the result of other autonomous
   systems filtering, or restricting the propagation of more specific
   prefixes. We provide a review of the techniques to detect the
   occurrence of this issue and defend against it.
Status of This Memo

   skipping to change at page 1, line 37

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   -04: This Internet-Draft will expire on August 13, 2015.
   -05: This Internet-Draft will expire on August 27, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   skipping to change at page 8, line 10

   is such an AS, and that its best path towards 2001:DB8::/32 is
   through AS64502. Packets sent towards 2001:DB8::1 by AS64505 will
   reach AS64502. However, in the data-plane of the nodes of AS64502,
   the longest prefix match for 2001:DB8::1 is 2001:DB8::/34, which is
   reached through AS64503, a settlement-free peer of AS64502. Since
   AS64505 is not in the customer branch of AS64502, we are in a
   situation in which traffic flows between non-customer ASes take place
   in AS64502.
   [Figure (page 8): ASCII topology with AS64505 at the top and AS64502
   and AS64503 below it, the latter two joined by their settlement-free
   peering link; arrows labelled "/32" mark the /32 announced towards
   AS64505 over each of its two links and, at the bottom edge, the /32
   arriving at AS64502 and AS64503 from below. The side-by-side rendering
   has lost the alignment of the drawing, which is cut off at this point.
   -05 adds a legend beside the figure: "------- Connections to other
   ASes" and a "/32 <-+" sample of the prefix-announcement arrows.]
   skipping to change at page 9, line 38

   specific prefix. Due to the distributed nature and restricted
   visibility of the steering of BGP policies, such analysis cannot be
   expected to identify the origin of the problem with guaranteed
   accuracy. We are not aware, at the time of this writing, of any
   openly available tool that can automatically perform this operation.
3.2. Contribution to the existence of unexpected traffic flows in
     another AS

   -04:
   It can be considered problematic to be causing unexpected traffic
   flows in other ASes. This situation may appear as an abuse to the
   network resources of other ISPs.

   -05:
   It can be considered problematic to be causing unexpected traffic
   flows in other ASes. It is thus advisable for an AS to assess the
   risks of filtering more specific prefixes before implementing them, by
   obtaining as much information as possible about its surrounding
   routing environment.
   There may be justifiable reasons for one ISP to perform filtering;
   either to enforce established policies or to provide prefix
   advertisement scoping features to its customers. These can vary from
   trouble-shooting purposes to business relationship implementations.
   Restricting the use of these features for the sake of avoiding the
   creation of unexpected traffic flows is not a practical option.
   -04:
   It is advisable for an AS to assess the risks of filtering more
   specific prefixes before implementing them, by obtaining as much
   information as possible about its surrounding routing environment.

   The AS would need information on the routing policies and the

   -05:
   In order to assess the risk of filtering more specific prefixes, the
   AS would need information on the routing policies and the

   relationships among external ASes to detect if its actions could
   trigger the appearance of unexpected traffic flows. With this
   information, the operator could detect other ASes receiving the more
   specific prefix from non-customer ASes, while announcing the less
   specific prefix to other non-customer ASes. If the filtering of the
   more specific prefix leads other ASes to send traffic for the more
   specific prefix to these ASes, an unexpected traffic flow can arise.

   However, the information required for this operation is difficult to
   obtain, due to the distributed nature of BGP policies. We are not
   aware, at the time of this writing, of any openly available tool that
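The two mechanisms the draft describes, the data-plane longest-prefix match in AS64502 diverging from the covering prefix AS64505 used to pick its next hop (page 8), and the what-if assessment of Section 3.2 (would my filtering of a more specific make some other AS carry traffic between two of its non-customers?), can both be exercised in a small model. The following Python is an added example and is not code from the draft or from any tool it mentions. Only AS64502, AS64503, AS64505 and the two prefixes come from the text; the origin AS64501, the customer/provider/peer links, the origin's choice to announce the /34 to AS64503 only, the inbound prefix-length filter at AS64505, and the Gao-Rexford route selection and export rules are constructed assumptions.

```python
"""Added example (not from the draft): toy AS-level BGP propagation with
Gao-Rexford export rules, LPM forwarding, and a check for transit hops that
enter from a non-customer and leave towards a non-customer."""
import ipaddress

# Constructed topology: (a, b, rel) means b is a's <rel>.  AS64501 is the assumed
# origin; AS64502/AS64503 are its providers and peer with each other; AS64505 is
# a provider of both, hence not in the customer branch of AS64502 (page 8).
LINKS = [(64502, 64501, "customer"), (64503, 64501, "customer"),
         (64505, 64502, "customer"), (64505, 64503, "customer"),
         (64502, 64503, "peer")]
INVERSE = {"customer": "provider", "provider": "customer", "peer": "peer"}
LOCAL_PREF = {"customer": 3, "peer": 2, "provider": 1}   # customer > peer > provider
P32 = ipaddress.ip_network("2001:db8::/32")
P34 = ipaddress.ip_network("2001:db8::/34")
DST = ipaddress.ip_address("2001:db8::1")
ORIGINS = {P32: 64501, P34: 64501}

def build_rels(links):
    rels = {}
    for a, b, rel in links:
        rels.setdefault(a, {})[b] = rel
        rels.setdefault(b, {})[a] = INVERSE[rel]
    return rels

def simulate(rels, origins, export_ok, import_ok, max_rounds=100):
    """Propagate to convergence. rib[asn][prefix] = (local_pref, -path_len,
    -next_hop, path); path[0] is the next-hop AS, an originated route has path ()."""
    rib = {asn: {} for asn in rels}
    for _ in range(max_rounds):
        prev, rib = rib, {}
        for asn in rels:
            best = {p: (4, 0, 0, ()) for p, o in origins.items() if o == asn}
            for nbr, rel in rels[asn].items():
                for prefix, (_, _, _, path) in prev[nbr].items():
                    learned_from = rels[nbr][path[0]] if path else None
                    # valley-free export: own/customer routes go to all neighbours,
                    # peer/provider routes only to customers; also drop AS-path loops
                    if learned_from not in (None, "customer") and rels[nbr][asn] != "customer":
                        continue
                    if asn in path or not export_ok(nbr, asn, prefix) \
                            or not import_ok(asn, nbr, prefix):
                        continue
                    cand = (LOCAL_PREF[rel], -len(path) - 1, -nbr, (nbr,) + path)
                    if prefix not in best or cand > best[prefix]:
                        best[prefix] = cand
            rib[asn] = best
        if rib == prev:
            return rib
    raise RuntimeError("no convergence")

def lpm(table, dst):
    """Data-plane decision: longest covering prefix, regardless of which covering
    prefix the upstream AS used when it chose this AS as next hop."""
    return max((p for p in table if dst in p), key=lambda p: p.prefixlen, default=None)

def trace(rels, rib, src, dst):
    """Follow LPM forwarding from src to the origin; one (asn, ingress, egress)
    tuple per transit AS."""
    hops, here, ingress = [], src, None
    while True:
        prefix = lpm(rib[here], dst)
        if prefix is None:
            raise LookupError(f"AS{here} has no route to {dst}")
        path = rib[here][prefix][3]
        if not path:                       # origin reached
            return hops
        if ingress is not None:
            hops.append((here, ingress, path[0]))
        ingress, here = here, path[0]

def unexpected_flows(rels, hops):
    """Hops that enter from a non-customer and leave to a non-customer: the AS
    carries traffic between two ASes that are not its customers."""
    return [(a, i, e) for a, i, e in hops
            if rels[a][i] != "customer" and rels[a][e] != "customer"]

def export_ok(asn, nbr, prefix):
    # assumed traffic engineering by the origin: the /34 goes to AS64503 only
    return not (asn == 64501 and prefix == P34 and nbr != 64503)

def import_filter(max_len):
    # assumed policy at AS64505: drop more specifics longer than max_len
    # (None = accept all); this is the "other AS filtering" of the draft
    return lambda asn, nbr, prefix: max_len is None or asn != 64505 or prefix.prefixlen <= max_len

def assess(max_len):
    """Section 3.2 what-if: unexpected hops on AS64505's path to DST when
    AS64505 drops prefixes longer than max_len."""
    rels = build_rels(LINKS)
    rib = simulate(rels, ORIGINS, export_ok, import_filter(max_len))
    return unexpected_flows(rels, trace(rels, rib, 64505, DST))

if __name__ == "__main__":
    for max_len in (None, 32):
        print(f"AS64505 filtering >/{max_len}: unexpected hops {assess(max_len)}")
```

With the filter in place AS64505 learns only the /32, prefers AS64502 for it (lower-ASN tie-break in this model), and AS64502's longest-prefix match then sends the packet to its peer AS64503: the hop (64502, 64505, 64503) is flagged because both the ingress and the egress neighbour are non-customers of AS64502. Without the filter AS64505 holds the /34 via AS64503 and forwards there directly, so no hop is flagged. The same `assess`-style comparison, run before a filter is deployed rather than after, is the check Section 3.2 asks for; the hard part in practice is obtaining the relationship and policy data that `LINKS` and `export_ok` simply assume.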
End of changes. 7 change blocks.
13 lines changed or deleted, 13 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/