<?xml version="1.0"encoding="US-ASCII"?> <?rfc sortrefs="yes"?> <?rfc subcompact="no"?> <?rfc symrefs="yes"?> <?rfc toc="yes"?> <?rfc tocdepth="3"?> <?rfc compact="yes"?> <?rfc subcompact="no"?>encoding="UTF-8"?> <!DOCTYPE rfc [ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF" category="std" consensus="true"submissionType="IETF"docName="draft-ietf-sidrops-rov-no-rr-08" number="9324" ipr="trust200902"updates="8481">updates="8481" obsoletes="" sortRefs="true" symRefs="true" tocInclude="true" tocDepth="3" xml:lang="en" version="3"> <front> <title abbrev="RPKI-Based PolicyWithoutwithout RouteRefresh"> RPKI-Based Policy WithoutRefresh">Policy Based on the Resource Public Key Infrastructure (RPKI) without RouteRefresh </title>Refresh</title> <seriesInfo name="RFC" value="9324"/> <author fullname="Randy Bush" initials="R." surname="Bush"> <organization>IIJ Research Lab & Arrcus, Inc.</organization> <address> <postal> <street>1856 SW Edgewood Dr</street> <city>Portland</city><region>Oregon</region><region>OR</region> <code>97210</code> <country>United States of America</country> </postal> <email>randy@psg.com</email> </address> </author> <author fullname="Keyur Patel" initials="K." surname="Patel"> <organization>Arrcus, Inc.</organization> <address> <postal> <street>2077 Gateway Place, Suite #400</street> <city>San Jose</city> <region>CA</region> <code>95119</code> <country>United States of America</country> </postal> <email>keyur@arrcus.com</email> </address> </author> <author fullname="Philip Smith" initials="P." surname="Smith"> <organization>PFS Internet Development Pty Ltd</organization> <address> <postal> <street>PO Box 1908</street> <city>Milton</city> <region>QLD</region> <code>4064</code> <country>Australia</country> </postal> <email>pfsinoz@gmail.com</email> </address> </author> <author fullname="Mark Tinka" initials="M." surname="Tinka"> <organization>SEACOM</organization> <address> <postal><street>Building<extaddr>Building 7, Design QuarterDistrict, LeslieDistrict</extaddr> <street>Leslie Avenue, Magaliessig</street> <city>Fourways, Gauteng</city> <code>2196</code> <country>South Africa</country> </postal> <email>mark@tinka.africa</email> </address> </author> <date year="2022" month="December" /> <area>ops</area> <workgroup>sidrops</workgroup> <abstract> <t> A BGPSpeakerspeaker performingRPKI-basedpolicy based on the Resource Public Key Infrastructure (RPKI) should not issueRoute Refreshroute refresh to its neighbors because it has received new RPKI data. This document updates<xref target="RFC8481"/>RFC 8481 by describing how to avoid doing so by either keeping a full Adj-RIB-In or saving paths dropped due to ROV (Route Origin Validation) so they may be reevaluated with respect to new RPKI data. </t> </abstract><note title="Requirements Language"> <t> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t> </note></front> <middle> <sectionanchor="intro" title="Introduction">anchor="intro"> <name>Introduction</name> <t> Memory constraints in early BGP speakers caused classic<xref target="RFC4271"/>BGP implementations <xref target="RFC4271"/> to not keep a full Adj-RIB-In(Sec. 1.1).(<xref target="RFC4271" sectionFormat="of" section="1.1"/>). When doing RPKI-based Route Origin Validation (ROV)(<xref<xref target="RFC6811"/>and<xreftarget="RFC8481"/>),target="RFC8481"/> and similar RPKI-based policy, if such a BGP speaker receives new RPKI data, it might not have kept paths previously marked asInvalidInvalid, etc. Such an implementation must then request aRoute Refresh,route refresh <xref target="RFC2918"/>and<xreftarget="RFC7313"/>,target="RFC7313"/> from its neighbors to recover the pathswhichthat might be covered by these new RPKI data. This will be perceived as rude by those neighbors as it passes a serious resource burden on to them. This document recommends implementations keep and mark paths affected by RPKI-based policy, soRoute Refreshroute refresh is no longer needed. </t> <section> <name>Requirements Language</name> <t> The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t> </section> </section> <sectionanchor="related" title="Related Work">anchor="related"> <name>Related Work</name> <t> It is assumed that the reader understandsBGP,BGP <xreftarget="RFC4271"/> and Route Refreshtarget="RFC4271"/>, route refresh <xref target="RFC7313"/>, the RPKI <xref target="RFC6480"/>, Route Origin Authorizations(ROAs),(ROAs) <xref target="RFC6482"/>,Thethe Resource Public Key Infrastructure (RPKI) to Router Protocol <xref target="I-D.ietf-sidrops-8210bis"/>,RPKI-basedRPKI-Based PrefixValidation,Validation <xref target="RFC6811"/>, and Origin ValidationClarifications,Clarifications <xref target="RFC8481"/>. </t> <t> Note that the term "RPKI-based Route Origin Validation" in this document means the same as the term "Prefix Origin Validation" used in <xref target="RFC6811"/>. </t> </section> <sectionanchor="experience" title="ROV Experience">anchor="experience"> <name>ROV Experience</name> <t> As Route Origin Validation dropping Invalids has deployed, some BGP speaker implementations have been foundwhich,that, when receiving new RPKI data(VRPs, see(Validated ROA Payloads (VRPs) <xreftarget="I-D.ietf-sidrops-8210bis"/>)target="I-D.ietf-sidrops-8210bis"/>), issue a BGPRoute Refreshroute refresh <xref target="RFC7313"/> to all sending BGP peers so thatitthey can reevaluate the received paths against the new data. </t> <t> In actualdeploymentdeployment, this has been found to be very destructive, transferring a serious resource burden to the unsuspecting peers. In reaction,RPKI basedRPKI-based Route Origin Validation (ROV) has been turned off. There have been actual de-peerings. </t> <t> As RPKI registration and ROA creation have steadily increased, this problem has increased, not just proportionally, but on the order of the in-degree of ROV implementing BGP speakers. AsASPA (<xref target="I-D.ietf-sidrops-aspa-verification"/>)Autonomous System Provider Authorization (ASPA) <xref target="I-D.ietf-sidrops-aspa-verification"/> becomes used, the problem will increase. </t> <t> Other mechanisms, such as automated policy provisioning, which have flux rates similar to ROV(i.e.(i.e., on the order of minutes), could very well cause similar problems. </t> <t>ThereforeTherefore, this document updates <xref target="RFC8481"/> by describing how to avoid this problem. </t> </section> <sectionanchor="rib" title="Keepinganchor="rib"> <name>Keeping Partial Adj-RIB-InData">Data</name> <t> If new RPKI data arrivewhichthat cause operator policy to invalidate the bestroute,route and the BGP speaker did not keep the dropped routes, thenitthe BGP speaker would issue a route refresh, which this feature aims to prevent. </t> <t> A route that is dropped by operator policy due to ROV is, by nature, considered ineligible to compete for the bestroute,route andMUST<bcp14>MUST</bcp14> be kept in the Adj-RIB-In for potential future evaluation. </t> <t> Ameliorating theRoute Refreshroute refresh problem by keeping a full Adj-RIB-In can be a problem forresource constrainedresource-constrained BGP speakers. In reality, only some data need be retained. If an implementation chooses not to retain the full Adj-RIB-In, itMUST<bcp14>MUST</bcp14> retain at least routes dropped due toROV,ROV for potential future evaluation. </t> <t> As storing these routes could cause problems inresource constrainedresource-constrained devices, thereMUST<bcp14>MUST</bcp14> be a global operation, CLI, YANG,etc. allowingor other mechanism that allows the operator to enable thisfeature, storingfeature and store the dropped routes. Such an operator controlMUST NOT<bcp14>MUST NOT</bcp14> be per peer, as this could cause inconsistent behavior. </t> <t> As a sidenote:note, policywhichthat may drop routes due to RPKI-based checks such as ROV (and ASPA, BGPsec <xref target="RFC8205"/>,etc.etc., in the future)MUST<bcp14>MUST</bcp14> berun,run and the dropped routes saved per this section, before non-RPKI policies are run, as the latter may change path attributes. </t> </section> <sectionanchor="ops" title="Operational Recommendations">anchor="ops"> <name>Operational Recommendations</name> <t> Operators deploying ROV and/or otherRPKI basedRPKI-based policies should ensure that the BGP speaker implementation is not causingRoute Refreshroute refresh requests to neighbors. </t> <t> BGPSpeakers MUSTspeakers <bcp14>MUST</bcp14> either keep the full Adj-RIB-In or implement the specification in <xref target="rib"/>. Conformance to this behavior isaan additional, mandatory capability for BGP speakers performing ROV. </t> <t> If the BGP speaker does not implement these recommendations, the operator should enable the vendor's control to keep the full Adj-RIB-In, sometimes referred to as "soft reconfiguration inbound". The operator should then measure to ensure that there are no unnecessaryRoute Refreshroute refresh requests sent to neighbors. </t> <t> If the BGP speaker's equipment has insufficient resources to support either of the two proposed options (keeping a full AdjRibIn or at least the dropped routes), the equipmentSHOULD<bcp14>SHOULD</bcp14> either be replaced with capable equipment orSHOULD NOT<bcp14>SHOULD NOT</bcp14> be used for ROV. </t> <t> The configuration setting in <xref target="rib"/> should only be used in verywell knownwell-known and controlled circumstances where the scaling issues are well understood and anticipated. </t> <t> Operators using the specification in <xref target="rib"/> should be aware that a misconfigured neighbor might erroneously send a massive number of paths, thus consuming a lot of memory.HenceHence, pre-policy filtering such as described in <xref target="I-D.sas-idr-maxprefix-inbound"/> could be used to reduce this exposure. </t> <t> IfRoute Refreshroute refresh has been issued toward more than one peer, the order of receipt of the refresh data can cause churn in both best route selection andinoutbound signaling. </t> <t> Internet Exchange Points (IXPs)whichthat provide route servers <xref target="RFC7947"/>Route Serversshould be aware that some members could be causing an undueRoute Refreshroute refresh load on theRoute Serversroute servers and take appropriate administrative and/or technical measures. IXPs using BGP speakers as route servers should ensure that they are not generating excessive route refresh requests. </t> </section> <sectionanchor="Security" title="Security Considerations">anchor="Security"> <name>Security Considerations</name> <t> This document describes a denial of servicewhichthat Route Origin Validation or other RPKI policy may place on a BGPneighbor,neighbor and describes how it may be ameliorated. </t> <t> Otherwise, this document adds no additional security considerations to those already described by the referenced documents. </t> </section> <sectionanchor="IANA" title="IANA Considerations">anchor="IANA"> <name>IANA Considerations</name> <t>NoneThis document has no IANA actions. </t> </section> </middle> <back> <displayreference target="I-D.ietf-sidrops-8210bis" to="RPKI-ROUTER-PROT-v2"/> <displayreference target="I-D.ietf-sidrops-aspa-verification" to="AS_PATH-VER"/> <displayreference target="I-D.sas-idr-maxprefix-inbound" to="MAXPREFIX-INBOUND"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2918.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4271.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6811.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7313.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8481.xml"/> </references> <references> <name>Informative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6480.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6482.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7947.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8205.xml"/> <!-- [I-D.ietf-sidrops-8210bis] in MISSREF state as of 09/22/22 --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-sidrops-8210bis.xml"/> <!-- [I-D.ietf-sidrops-aspa-verification] IESG state I-D Exists. xi:include missing editor role --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-sidrops-aspa-verification.xml"/> <!-- [I-D.sas-idr-maxprefix-inbound] IESG state Expired --> <reference anchor="I-D.sas-idr-maxprefix-inbound" target="https://datatracker.ietf.org/doc/html/draft-sas-idr-maxprefix-inbound-04"> <front> <title>BGP Maximum Prefix Limits Inbound</title> <author initials="M." surname="Aelmans" fullname="Melchior Aelmans"> <organization>Juniper Networks</organization> </author> <author initials="M." surname="Stucchi" fullname="Massimiliano Stucchi"> <organization>Independent</organization> </author> <author initials="J." surname="Snijders" fullname="Job Snijders"> <organization>Fastly</organization> </author> <date month="January" day="19" year="2022"/> </front> <seriesInfo name="Internet-Draft" value="draft-sas-idr-maxprefix-inbound-04"/> </reference> </references> </references> <section anchor="acks"title="Acknowledgements">numbered="false"> <name>Acknowledgements</name> <t> The authors wish to thankAlvaro Retana, Ben Maddison, Derek Yeung, John Heasley, John Scudder, Matthias Waehlisch, Nick Hilliard, Saku Ytti,<contact fullname="Alvaro Retana"/>, <contact fullname="Ben Maddison"/>, <contact fullname="Derek Yeung"/>, <contact fullname="John Heasley"/>, <contact fullname="John Scudder"/>, <contact fullname="Matthias Waehlisch"/>, <contact fullname="Nick Hilliard"/>, <contact fullname="Saku Ytti"/>, andTies<contact fullname="Ties deKock.Kock"/>. </t> </section></middle> <back> <references title="Normative References"> <?rfc include="reference.RFC.2119.xml"?> <?rfc include="reference.RFC.2918.xml"?> <?rfc include="reference.RFC.4271.xml"?> <?rfc include="reference.RFC.6811.xml"?> <?rfc include="reference.RFC.7313.xml"?> <?rfc include="reference.RFC.8174.xml"?> <?rfc include="reference.RFC.8481.xml"?> </references> <references title="Informative References"> <?rfc include="reference.RFC.6480.xml"?> <?rfc include="reference.RFC.6482.xml"?> <?rfc include="reference.RFC.7947.xml"?> <?rfc include="reference.RFC.8205.xml"?> <?rfc include="reference.I-D.ietf-sidrops-8210bis.xml"?> <?rfc include="reference.I-D.ietf-sidrops-aspa-verification.xml"?> <?rfc include="reference.I-D.sas-idr-maxprefix-inbound.xml"?> </references></back> </rfc>