Moin, Some things have changed since BCP194 came to be, and I figured it might make sense to take shot at updating it. I presented the idea at OPSEC at 117, and after reading the draft Job suggested to rather discuss it in GROW instead of OPSEC, so here it is to pick apart:
https://datatracker.ietf.org/doc/draft-fiebig-grow-bgpopsecupd/ The draft is an import and change of BCP194, currently focusing on a 'maximum recommendation' option as a starting point for discussion; Specifically, the following things have been changed/added: - Unify terminology, import from RFC9234 and the ASPA draft; Expand definitions. - Use peer only in the AS relationship context; Add mutual-upstream relation. - Add note on the (hypothetical) PMTUD attack. - Clarify that IXPs decide whether their IXP LAN(s) should be advertised; Removed IXP example in the Appendix. - Noted additional IXP Lan cases (upstream via etc.) and next-hop filtering - Split between dynamic (IRR and down) and (semi) static filter (bogons etc.) sources - Add ASPA and BGP roles/OTC - Note use of community-based filtering, also discussing leak-potential of static filters being used. - Add large-communities/scrubbing - Describe Rulesets more explicitly and in terms of ideal order for more relationships - Emphasize outbound filtering - Suggest iBGP filtering (this may be a bridge too far) - Add MAY for scrubbing of attributes - Add note on ASPATH max-length filtering - Reference RFC9319 - Add max-prefix limits and global limits - Add considerations for filter implementation and generation/runtime - Removed the definition of what a Tier-1 is. Current Todo/Discussion points: - Unify terminology around route/prefix/NLRI, which is currently a bit mixed up. - Consider adding a point on not using LPREF on RS sessions/honoring GSHUT - Use of MUST vs. SHOULD; Other contemporary drafts use stronger language; From a general standpoint I'd argue 'MUST' might be better under the premise of 'to follow best practices this MUST be done' with the caveat of 'best practices SHOULD' be followed; Still, currently it still uses BCP14 SHOULD for all points. - Putting in a point on having preparations in place to filter specific BGP options at the border in case one's infrastructure topples when a specific option is sent. - Figure out if this should be update or obsolete. - Fix nits in the abstract. Looking forward to hear opinions, especially on the somewhat more stretchy points (recommending filtering iBGP for example ;-)). Also, if anyone wants to join in on writing, let me know. With best regards, Tobias -- Dr.-Ing. Tobias Fiebig T +31 616 80 98 99 M [email protected] _______________________________________________ GROW mailing list [email protected] https://www.ietf.org/mailman/listinfo/grow
