| rfc9774v1.txt | rfc9774.txt | |||
|---|---|---|---|---|
| skipping to change at line 80 ¶ | skipping to change at line 80 ¶ | |||
| 6.2. Not Advertising Aggregate Routes to Contributing ASes | 6.2. Not Advertising Aggregate Routes to Contributing ASes | |||
| 6.3. Mitigating Forwarding Loops | 6.3. Mitigating Forwarding Loops | |||
| 7. Security Considerations | 7. Security Considerations | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| 9.2. Informative References | 9.2. Informative References | |||
| Appendix A. Example of Route Filtering for Aggregate Routes and | Appendix A. Example of Route Filtering for Aggregate Routes and | |||
| Their Contributors | Their Contributors | |||
| Appendix B. Examples of Consistent and Inconsistent BGP Origin AS | Appendix B. Examples of Consistent and Inconsistent BGP Origin AS | |||
| Generated by Traditional Brief Aggregation | Generated by Brief Aggregation | |||
| B.1. Scenario 1: First one route, then another, each with a | B.1. Scenario 1: First one route, then another, each with a | |||
| fully disjoint AS_PATH | fully disjoint AS_PATH | |||
| B.2. Scenario 2: First one route, then another, and the AS_PATHs | B.2. Scenario 2: First one route, then another, and the AS_PATHs | |||
| overlap at the origin AS | overlap at the origin AS | |||
| B.3. Scenario 3: First one route, then another, and the AS_PATHs | B.3. Scenario 3: First one route, then another, and the AS_PATHs | |||
| overlap at the neighbor AS | overlap at the neighbor AS | |||
| B.4. Achieving Consistent Origin AS During Aggregation | B.4. Achieving Consistent Origin AS During Aggregation | |||
| Appendix C. Discussion on Forwarding Loops and AS_SETs | Appendix C. Discussion on Forwarding Loops and AS_SETs | |||
| Acknowledgements | Acknowledgements | |||
| Authors' Addresses | Authors' Addresses | |||
| 1. Introduction | 1. Introduction | |||
| BCP 172 [RFC6472] recommends not using AS_SET [RFC4271] and | [BCP172] recommends not using AS_SET [RFC4271] and AS_CONFED_SET | |||
| AS_CONFED_SET [RFC5065] AS_PATH path segment types in the Border | [RFC5065] AS_PATH path segment types in the Border Gateway Protocol | |||
| Gateway Protocol (BGP). This document advances the BCP | (BGP). This document advances the BCP recommendation to a standards | |||
| recommendation to a standards requirement in BGP; it prohibits the | requirement in BGP; it prohibits the use of the AS_SET and | |||
| use of the AS_SET and AS_CONFED_SET types of path segments in the | AS_CONFED_SET types of path segments in the AS_PATH. The purpose is | |||
| AS_PATH. The purpose is to simplify the design and implementation of | to simplify the design and implementation of BGP and to make the | |||
| BGP and to make the semantics of the originator of a BGP route | semantics of the originator of a BGP route clearer. This will also | |||
| clearer. This will also simplify the design, implementation, and | simplify the design, implementation, and deployment of various BGP | |||
| deployment of various BGP security mechanisms. In particular, the | security mechanisms. In particular, the prohibition of AS_SETs and | |||
| prohibition of AS_SETs and AS_CONFED_SETs removes any ambiguity about | AS_CONFED_SETs removes any ambiguity about the origin AS in RPKI- | |||
| the origin AS in RPKI-based Route Origin Validation (RPKI-ROV) | based Route Origin Validation (RPKI-ROV) [RFC6811] [RFC6907] | |||
| [RFC6811] [RFC6907] [RFC9319]. | [RFC9319]. | |||
| The AS_SET path segment in the AS_PATH attribute (Sections 4.3 and | The AS_SET path segment in the AS_PATH attribute (Sections 4.3 and | |||
| 5.1.2 of [RFC4271]) is created by a router that is performing route | 5.1.2 of [RFC4271]) is created by a router that is performing route | |||
| aggregation and contains an unordered set of Autonomous Systems | aggregation and contains an unordered set of Autonomous Systems | |||
| (ASes) that contributing prefixes in the aggregate have traversed. | (ASes) that contributing prefixes in the aggregate have traversed. | |||
| The AS_CONFED_SET path segment [RFC5065] in the AS_PATH attribute is | The AS_CONFED_SET path segment [RFC5065] in the AS_PATH attribute is | |||
| created by a router that is performing route aggregation and contains | created by a router that is performing route aggregation and contains | |||
| an unordered set of Member AS Numbers in the local confederation that | an unordered set of Member AS Numbers in the local confederation that | |||
| contributing prefixes in the aggregate have traversed. It is very | contributing prefixes in the aggregate have traversed. It is very | |||
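Review bot: In the Introduction hunk, the opening sentence now starts with a bare citation anchor ("[BCP172] recommends not using AS_SET ..."), whereas the old text named the document before the anchor ("BCP 172 [RFC6472] recommends"); consider "BCP 172 [BCP172] recommends" so the sentence keeps a readable subject when the anchor is rendered as a link. The ToC entry "Generated by Brief Aggregation" matches the retitled Appendix B heading further down, so that part of the hunk is consistent.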
| skipping to change at line 198 ¶ | skipping to change at line 198 ¶ | |||
| | advertised without the AS_SET, and without forming route loops. | | advertised without the AS_SET, and without forming route loops. | |||
| | | | | |||
| | If an aggregate excludes at least some of the AS numbers present | | If an aggregate excludes at least some of the AS numbers present | |||
| | in the AS_PATH of the routes that are aggregated as a result of | | in the AS_PATH of the routes that are aggregated as a result of | |||
| | dropping the AS_SET, the aggregated route, when advertised to the | | dropping the AS_SET, the aggregated route, when advertised to the | |||
| | peer, SHOULD include the ATOMIC_AGGREGATE attribute. | | peer, SHOULD include the ATOMIC_AGGREGATE attribute. | |||
| When BGP AS_PATH aggregation is done according to the procedures in | When BGP AS_PATH aggregation is done according to the procedures in | |||
| [RFC4271], Section 9.2.2.2, and any resulting AS_SETs are discarded, | [RFC4271], Section 9.2.2.2, and any resulting AS_SETs are discarded, | |||
| it is typically referred to as "brief" aggregation in | it is typically referred to as "brief" aggregation in | |||
| implementations. Brief aggregation results in an AS_PATH that has | implementations. That terminology is adopted here: In this document, | |||
| the property (from [RFC4271], Section 9.2.2.2): | brief aggregation refers to what is described in this section, in | |||
| contrast to consistent brief aggregation as described in Section 5.2. | ||||
| Brief aggregation results in an AS_PATH that has the following | ||||
| property (from [RFC4271], Section 9.2.2.2): | ||||
| | [D]etermine the longest leading sequence of tuples (as defined | | [D]etermine the longest leading sequence of tuples (as defined | |||
| | above) common to all the AS_PATH attributes of the routes to be | | above) common to all the AS_PATH attributes of the routes to be | |||
| | aggregated. Make this sequence the leading sequence of the | | aggregated. Make this sequence the leading sequence of the | |||
| | aggregated AS_PATH attribute. | | aggregated AS_PATH attribute. | |||
| The ATOMIC_AGGREGATE Path Attribute is subsequently attached to the | The ATOMIC_AGGREGATE Path Attribute is subsequently attached to the | |||
| BGP route, if AS_SETs are dropped. | BGP route, if AS_SETs are dropped. | |||
| 5.1. Issues with "Brief" AS_PATH Aggregation and RPKI-ROV | 5.1. Issues with "Brief" AS_PATH Aggregation and RPKI-ROV | |||
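Review bot: The new terminology sentence in Section 5 ("That terminology is adopted here: In this document, brief aggregation refers to what is described in this section, in contrast to consistent brief aggregation as described in Section 5.2.") pins down the term for the rest of the document, but the Section 5.1 heading immediately below still uses the quoted implementation form ("Brief" AS_PATH Aggregation); either drop the quotation marks there too or say in the new sentence that the quoted and unquoted forms name the same procedure. The forward reference to Section 5.2 is fine, since the B.4 text later points to the same section.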
| skipping to change at line 303 ¶ | skipping to change at line 306 ¶ | |||
| AS_CONFED_SETs are not used in BGP. | AS_CONFED_SETs are not used in BGP. | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| This document has no IANA actions. | This document has no IANA actions. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [BCP172] Best Current Practice 172, | ||||
| <https://www.rfc-editor.org/info/bcp172>. | ||||
| At the time of writing, this BCP comprises the following: | ||||
| Kumari, W. and K. Sriram, "Recommendation for Not Using | ||||
| AS_SET and AS_CONFED_SET in BGP", BCP 172, RFC 6472, | ||||
| DOI 10.17487/RFC6472, December 2011, | ||||
| <https://www.rfc-editor.org/info/rfc6472>. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A | [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A | |||
| Border Gateway Protocol 4 (BGP-4)", RFC 4271, | Border Gateway Protocol 4 (BGP-4)", RFC 4271, | |||
| DOI 10.17487/RFC4271, January 2006, | DOI 10.17487/RFC4271, January 2006, | |||
| <https://www.rfc-editor.org/info/rfc4271>. | <https://www.rfc-editor.org/info/rfc4271>. | |||
| [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing | [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing | |||
| (CIDR): The Internet Address Assignment and Aggregation | (CIDR): The Internet Address Assignment and Aggregation | |||
| Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August | Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August | |||
| 2006, <https://www.rfc-editor.org/info/rfc4632>. | 2006, <https://www.rfc-editor.org/info/rfc4632>. | |||
| [RFC5065] Traina, P., McPherson, D., and J. Scudder, "Autonomous | [RFC5065] Traina, P., McPherson, D., and J. Scudder, "Autonomous | |||
| System Confederations for BGP", RFC 5065, | System Confederations for BGP", RFC 5065, | |||
| DOI 10.17487/RFC5065, August 2007, | DOI 10.17487/RFC5065, August 2007, | |||
| <https://www.rfc-editor.org/info/rfc5065>. | <https://www.rfc-editor.org/info/rfc5065>. | |||
| [RFC6472] Kumari, W. and K. Sriram, "Recommendation for Not Using | ||||
| AS_SET and AS_CONFED_SET in BGP", BCP 172, RFC 6472, | ||||
| DOI 10.17487/RFC6472, December 2011, | ||||
| <https://www.rfc-editor.org/info/rfc6472>. | ||||
| [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet | [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet | |||
| Autonomous System (AS) Number Space", RFC 6793, | Autonomous System (AS) Number Space", RFC 6793, | |||
| DOI 10.17487/RFC6793, December 2012, | DOI 10.17487/RFC6793, December 2012, | |||
| <https://www.rfc-editor.org/info/rfc6793>. | <https://www.rfc-editor.org/info/rfc6793>. | |||
| [RFC7606] Chen, E., Ed., Scudder, J., Ed., Mohapatra, P., and K. | [RFC7606] Chen, E., Ed., Scudder, J., Ed., Mohapatra, P., and K. | |||
| Patel, "Revised Error Handling for BGP UPDATE Messages", | Patel, "Revised Error Handling for BGP UPDATE Messages", | |||
| RFC 7606, DOI 10.17487/RFC7606, August 2015, | RFC 7606, DOI 10.17487/RFC7606, August 2015, | |||
| <https://www.rfc-editor.org/info/rfc7606>. | <https://www.rfc-editor.org/info/rfc7606>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [Analysis] "Detailed analysis of AS_SETs in BGP updates", commit | [Analysis] "Detailed analysis of AS_SETs in BGP updates", commit | |||
| eb0fc22, March 2022, | ef3f4a9, March 2022, | |||
| <https://github.com/ksriram25/IETF/blob/main/Detailed- | <https://github.com/ksriram25/IETF/blob/main/Detailed- | |||
| AS_SET-analysis.txt>. | AS_SET-analysis.txt>. | |||
| [ASPA-VERIFICATION] | [ASPA-VERIFICATION] | |||
| Azimov, A., Bogomazov, E., Bush, R., Patel, K., Snijders, | Azimov, A., Bogomazov, E., Bush, R., Patel, K., Snijders, | |||
| J., and K. Sriram, "BGP AS_PATH Verification Based on | J., and K. Sriram, "BGP AS_PATH Verification Based on | |||
| Autonomous System Provider Authorization (ASPA) Objects", | Autonomous System Provider Authorization (ASPA) Objects", | |||
| Work in Progress, Internet-Draft, draft-ietf-sidrops-aspa- | Work in Progress, Internet-Draft, draft-ietf-sidrops-aspa- | |||
| verification-22, 23 March 2025, | verification-22, 23 March 2025, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-sidrops- | <https://datatracker.ietf.org/doc/html/draft-ietf-sidrops- | |||
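Review bot: Replacing the normative [RFC6472] entry with [BCP172] plus the "At the time of writing, this BCP comprises the following:" wording is the right way to cite a BCP whose membership can change, but the diff skips most of the body, so check that no remaining section still cites [RFC6472] directly now that the entry is gone. In the informative [Analysis] entry, the commit id changed from eb0fc22 to ef3f4a9 while the date stayed "March 2022"; if ef3f4a9 is a later commit, the date should move with it, otherwise a short note on why the hash changed would help the next reviewer.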
| skipping to change at line 448 ¶ | skipping to change at line 455 ¶ | |||
| AS 64505 | AS 64505 | |||
| ========================== | ========================== | |||
| p/22 AS_PATH "" AGGREGATOR 64505 ATOMIC_AGGREGATE | p/22 AS_PATH "" AGGREGATOR 64505 ATOMIC_AGGREGATE | |||
| p1/24 AS_PATH "64501" | p1/24 AS_PATH "64501" | |||
| p2/24 AS_PATH "64502" | p2/24 AS_PATH "64502" | |||
| p3/24 AS_PATH "64503" | p3/24 AS_PATH "64503" | |||
| p4/24 AS_PATH "64504" | p4/24 AS_PATH "64504" | |||
| Appendix B. Examples of Consistent and Inconsistent BGP Origin AS | Appendix B. Examples of Consistent and Inconsistent BGP Origin AS | |||
| Generated by Traditional Brief Aggregation | Generated by Brief Aggregation | |||
| The examples below illustrate how traditional brief aggregation may | The examples below illustrate how brief aggregation may result in an | |||
| result in an inconsistent origin AS. | inconsistent origin AS. | |||
| AS 64500 aggregates more specific routes into 192.0.2.0/24. | AS 64500 aggregates more specific routes into 192.0.2.0/24. | |||
| Consider the following scenarios where brief aggregation is done by | Consider the following scenarios where brief aggregation is done by | |||
| AS 64500 and what the resultant origin ASes would be. | AS 64500 and what the resultant origin ASes would be. | |||
| Routes: | Routes: | |||
| R1 - 192.0.2.0/26 AS_PATH "64501" | R1 - 192.0.2.0/26 AS_PATH "64501" | |||
| R2 - 192.0.2.64/26 AS_PATH "64502" | R2 - 192.0.2.64/26 AS_PATH "64502" | |||
| R3 - 192.0.2.128/26 AS_PATH "64504 64502" | R3 - 192.0.2.128/26 AS_PATH "64504 64502" | |||
| skipping to change at line 518 ¶ | skipping to change at line 525 ¶ | |||
| Receive R4. Aggregate 192.0.2.0/24 AS_PATH "[ 64504 64501 ]" | Receive R4. Aggregate 192.0.2.0/24 AS_PATH "[ 64504 64501 ]" | |||
| If brief aggregation is in use, the AS_PATH is truncated to "". | If brief aggregation is in use, the AS_PATH is truncated to "". | |||
| The resulting AS_PATH is thus not stable and depends on the presence | The resulting AS_PATH is thus not stable and depends on the presence | |||
| of specific routes. | of specific routes. | |||
| B.3. Scenario 3: First one route, then another, and the AS_PATHs | B.3. Scenario 3: First one route, then another, and the AS_PATHs | |||
| overlap at the neighbor AS | overlap at the neighbor AS | |||
| Receive R3. Aggregate 192.0.2.0/24 AS_PATH "64504 64501". | Receive R3. Aggregate 192.0.2.0/24 AS_PATH "64504 64501" | |||
| Receive R4. Aggregate 192.0.2.0/24 AS_PATH "64504 [ 64501 64502 ]" | Receive R4. Aggregate 192.0.2.0/24 AS_PATH "64504 [ 64501 64502 ]" | |||
| If brief aggregation is in use, the AS_PATH is truncated to "64504". | If brief aggregation is in use, the AS_PATH is truncated to "64504". | |||
| The resulting AS_PATH is thus not stable and depends on the presence | The resulting AS_PATH is thus not stable and depends on the presence | |||
| of specific routes. | of specific routes. | |||
| B.4. Achieving Consistent Origin AS During Aggregation | B.4. Achieving Consistent Origin AS During Aggregation | |||
| In the three scenarios above, the aggregating AS 64500 is using | In the three scenarios above, the aggregating AS 64500 is using brief | |||
| traditional brief aggregation. This results in inconsistent origin | aggregation. This results in inconsistent origin ASes as the | |||
| ASes as the contributing routes are learned. This motivates the | contributing routes are learned. This motivates the "consistent | |||
| "consistent brief" BGP aggregation mentioned in Section 5.2 and | brief" BGP aggregation mentioned in Section 5.2 and discussed further | |||
| discussed further with examples below. | with examples below. | |||
| The trivial solution to addressing the issue is to simply discard all | The trivial solution to addressing the issue is to simply discard all | |||
| of the ASes for the contributing routes. In simple BGP aggregation | of the ASes for the contributing routes. In simple BGP aggregation | |||
| topologies, this is likely the correct thing to do. The AS | topologies, this is likely the correct thing to do. The AS | |||
| originating the aggregate, 192.0.2.0/24 in this example, is likely | originating the aggregate, 192.0.2.0/24 in this example, is likely | |||
| the resource holder for the route in question. In such a case, | the resource holder for the route in question. In such a case, | |||
| simply originating the route to its BGP upstream neighbors in the | simply originating the route to its BGP upstream neighbors in the | |||
| Internet with its own AS, 64500, means that a consistent ROA could be | Internet with its own AS, 64500, means that a consistent ROA could be | |||
| registered in the RPKI for this prefix. This satisfies the need for | registered in the RPKI for this prefix. This satisfies the need for | |||
| a consistent (unambiguous) origin AS. | a consistent (unambiguous) origin AS. | |||
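Review bot: Dropping the trailing period from the B.3 line 'Receive R3. Aggregate 192.0.2.0/24 AS_PATH "64504 64501"' makes it consistent with the following "Receive R4" line and with the B.2 line above, and the B.4 wording change from "traditional brief aggregation" to "brief aggregation" matches the term fixed in Section 5 and the retitled Appendix B; no further change needed in this hunk.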
End of changes. 10 change blocks. 30 lines changed or deleted, 37 lines changed or added.
This html diff was produced by rfcdiff 1.48.