Heads-up: Changing default EBGP route handling behaviour

By on 14 Jul 2017

Category: Tech matters

Tags: , ,

Blog home

After a bit of tug-of-war, common sense has prevailed and RFC 8212External BGP (EBGP) Route Propagation Behavior without Policies” was published earlier this month.

This industry has a long history of improving default behaviour: DEC MOP is no longer enabled by default, telnet was swapped out in favour of SSH, and SHA-1 is now deprecated. Therefore, I’m confident we can manage this one too.

TL;DR
This post offers advice on test scenarios to add to your evaluation checklist and a call to action to ask your vendor to implement RFC 8212. Please share this post with other communities.

 

Background

Prior to RFC 8212, the default behaviour of BGP implementations (when no policy is configured on an EBGP session) was undefined. This resulted in myriad vendor defaults: some implementations not accepting routes and not advertising anything; some would accept anything, but announce nothing; some would announce only internal routes and accept anything; and some would indiscriminately accept everything and announce everything. The latter mode of operation is, of course, the most harmful one.

An example of minimal configuration:

!
router bgp 15562
neighbor 192.0.2.1 remote-as 174
neighbor 192.0.2.5 remote-as 2914
!

Most of us have learnt (the hard way) that on many platforms the above configuration will not only bring up two BGP sessions, but will also immediately result in a “Lateral ISP-ISP-ISP Leak”, simply because no routing policy was associated with these EBGP sessions and an implicit ‘permit-any’ is assumed.

The above configuration is, of course, an oversimplification of what happens in real life: operators may attempt to change a BGP peer to a peer-group that has missing configuration, or a copy+paste of a snippet of configuration only partially succeeds, or, in an attempt to debug a BGP session, some configuration is removed without realizing the full ramifications of doing so (until you see smoke coming off the circuit).

RFC 8212 updates the core BGP specification (RFC 4271) to specify that the above behaviour is incorrect, and an implicit deny-all must be associated with the EBGP session. In other words, “fail closed” rather than “fail open and oops you tripped max-prefix all over the place (or worse)”.

The document purposefully does not cover IBGP, nor does it proscribe what the contents of configured policy on EBGP sessions should be. If an operator explicitly configures a ‘permit-any’ style policy, that is perfectly fine — it was a conscious choice to do so.

Evaluation checklist

Going forward, when you evaluate a BGP implementation or a new software release, it is advisable to take note of the default behaviour of that specific release. As vendors come into compliance with RFC 8212, it may be beneficial to track this.

I also strongly recommend auditing your network configurations for instances that depend on implicit ‘permit-any’ behaviour and reconfigure those instances to be an explicit ‘permit-any’. This way, software upgrades are less likely to cause surprises, and, as a bonus, the readability of the device’s configuration is improved!

Call to action

Some vendors will need encouragement to take their implementation from EBGP “fail open” to “fail closed”. We are keeping track of the industry’s current state of affairs here: https://github.com/bgp/RFC8212

Please contact your account management team and express your interest in their supporting RFC 8212. Also, make sure to include RFC 8212 in your next round of “Request for Proposals” (RFPs) as a ‘must have’. Purchasing is usually an excellent opportunity to have meaningful dialogue with the vendor.

Some vendors may argue “but our customers depend on our unsafe behaviour!”, but this only holds true if we don’t speak up collectively and show them otherwise. EBGP is an Internet-wide shared resource; we all benefit from sane defaults.

Hat tip to Jared Mauch for initiating this project and to Greg Hankins for demonstrating that change is possible.

Original post appeared on Medium

Job Snijders is IP Development Engineer at NTT Communications.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

Please answer the math question * Time limit is exhausted. Please reload CAPTCHA.

Top