--- 1/draft-ietf-grow-filtering-threats-04.txt 2015-02-23 10:14:58.140114306 -0800 +++ 2/draft-ietf-grow-filtering-threats-05.txt 2015-02-23 10:14:58.184115376 -0800 @@ -1,21 +1,21 @@ Network Working Group Camilo Cardona Internet-Draft IMDEA Networks/UC3M Intended status: Informational Pierre Francois -Expires: August 13, 2015 IMDEA Networks +Expires: August 27, 2015 IMDEA Networks Paolo Lucente Cisco Systems - February 9, 2015 + February 23, 2015 Impact of BGP filtering on Inter-Domain Routing Policies - draft-ietf-grow-filtering-threats-04 + draft-ietf-grow-filtering-threats-05 Abstract This document describes how unexpected traffic flows can emerge across an autonomous system, as the result of other autonomous systems filtering, or restricting the propagation of more specific prefixes. We provide a review of the techniques to detect the occurrence of this issue and defend against it. Status of This Memo @@ -26,21 +26,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on August 13, 2015. + This Internet-Draft will expire on August 27, 2015. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -320,23 +320,23 @@ is such an AS, and that its best path towards 2001:DB8::/32 is through AS64502. Packets sent towards 2001:DB8::1 by AS64505 will reach AS64502. However, in the data-plane of the nodes of AS64502, the longest prefix match for 2001:DB8::1 is 2001:DB8::/34, which is reached through AS64503, a settlement-free peer of AS64502. Since AS64505 is not in the customer branch of AS64502, we are in a situation in which traffic flows between non-customer ASes take place in AS64502. ,-----. - ,' `. - / AS64505 \ - ( ) + ,' `. ------- Connections to other ASes + / AS64505 \ /32 + ( ) <-+ \ / `. ,' '-----' ^ \ / ^ ^ \ / ^ | /32 \ / /32 | | /32 \ / /32 | + ,-----. + + ,-----. + ,' `. ,' `. / AS64502 \ / AS64503 \ ( )-------------( ) ,-----. \ / /32 /32 \ / 
@@ -395,34 +395,34 @@ specific prefix. Due to the distributed nature and restricted visibility of the steering of BGP policies, such analysis is deemed to not identify the origin of the problem with guaranteed accuracy. We are not aware, at the time of this writing, of any openly available tool that can automatically perform this operation. 3.2. Contribution to the existence of unexpected traffic flows in another AS It can be considered problematic to be causing unexpected traffic - flows in other ASes. This situation may appear as an abuse to the - network resources of other ISPs. + flows in other ASes. It is thus advisable for an AS to assess the + risks of filtering more specific prefixes before implementing them by + obtaining as much data information as possible about its surrounding + routing environment. There may be justifiable reasons for one ISP to perform filtering; either to enforce established policies or to provide prefix advertisement scoping features to its customers. These can vary from trouble-shooting purposes to business relationship implementations. Restricting the use of these features for the sake of avoiding the creation of unexpected traffic flows is not a practical option. - It is advisable for an AS to assess the risks of filtering more - specific prefixes before implementing them by obtaining as much data - information as possible about its surrounding routing environment. - The AS would need information of the routing policies and the + In order to assess the rist of filtering more specific prefixes, the + AS would need information of the routing policies and the relationships among external ASes to detect if its actions could trigger the appearance of unexpected traffic flows. With this information, the operator could detect other ASes receiving the more specific prefix from non-customer ASes, while announcing the less specific prefix to other non-customer ASes. 
If the filtering of the more specific prefix leads other ASes to send traffic for the more specific prefix to these ASes, an unexpected traffic flow can arise. However, the information required for this operation is difficult to obtain, due to the distributed nature of BGP policies. We are not aware, at the time of this writing, of any openly available tool that
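Review bot: In the @@ -395,34 +395,34 @@ hunk (section 3.2), the added line "In order to assess the rist of filtering more specific prefixes, the" contains a typo: "rist" should be "risk". The sentence moved up into the first paragraph also carries over two wording problems that are worth fixing while it is being touched: "as much data information as possible" is redundant (suggest "as much information as possible"), and "before implementing them" has no plural antecedent, since what is being implemented is the filtering (suggest "before implementing it" or "before implementing such filters"). With the move, the first and third paragraphs now both open on assessing the risk of filtering more specific prefixes; consider rewording the new third-paragraph lead-in so it refers back to the assessment rather than restating it, for example "To perform this assessment, the AS would need information on the routing policies and the relationships among external ASes".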