Version Capability for BGP
draft-abraitis-bgp-version-capability-05
| Document | Active Internet-Draft (individual) |
|---|---|
| Author | Donatas Abraitis |
| Last updated | 2020-08-03 (Latest revision 2020-03-24) |
| Stream | Independent Submission |
| Formats | plain text, xml, htmlized, pdfized, bibtex |
| IETF conflict review | conflict-review-abraitis-bgp-version-capability |
| ISE state | In ISE Review |
| Consensus boilerplate | Unknown |
| Document shepherd | Eliot Lear |
| IESG state | I-D Exists |
| Telechat date | (None) |
| Responsible AD | (None) |
| Send notices to | Adrian Farrel <rfc-ise@rfc-editor.org> |
Network Working Group D. Abraitis
Internet-Draft Hostinger
Intended status: Informational March 24, 2020
Expires: September 25, 2020
Version Capability for BGP
draft-abraitis-bgp-version-capability-05
Abstract
In this document, we introduce a new BGP capability that allows the
advertisement of a BGP speaker's version.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 25, 2020.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Abraitis Expires September 25, 2020 [Page 1]
Internet-Draft Version Capability for BGP March 2020
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Specification of Requirements . . . . . . . . . . . . . . . . 2
3. Version Capability . . . . . . . . . . . . . . . . . . . . . 2
4. Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 3
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
6. Security Considerations . . . . . . . . . . . . . . . . . . . 4
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
7.1. Normative References . . . . . . . . . . . . . . . . . . 5
7.2. Informative References . . . . . . . . . . . . . . . . . 5
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction
In modern data center designs, conventional hosts increasingly
participate in the routing process, and the fleet of hosts runs
different versions of the routing daemon. Troubleshooting therefore
depends on being able to quickly identify the root cause. This
document introduces a new BGP capability to advertise the version of
the routing daemon.
2. Specification of Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Version Capability
The Version Capability is a new BGP capability [RFC5492]. The
implementation is vendor-specific: the version is unstructured and
may be defined in any format the vendor decides. The length of the
version SHOULD be limited to 64 bytes, so that other capabilities are
left as much space as they require. The version MUST NOT be empty.
This capability is OPTIONAL. The vendor MUST implement a
configuration switch to enable or disable it.
If the capabilities reach 255 bytes, this capability can be
disabled. The capability is intended primarily for non-production
environments where more visibility is needed for troubleshooting
purposes. It is RECOMMENDED to enable it only inside a single
Autonomous System domain or Autonomous System Confederation.
Protocols such as LLDP and CDP can provide the same information, but
in containerized environments it is very hard, and NOT RECOMMENDED,
to run additional background processes. Having all the necessary
information available in BGP itself helps minimize operational costs.
+--------------------------------+
|   Version Length (1 octet)     |
+--------------------------------+
|       Version (variable)       |
+--------------------------------+
Figure 1
Version Length:
The number of characters in the Version
Version:
The Version encoded via UTF-8
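The wire format above, as an added example that is not part of the draft or of any BGP implementation: it builds the Version capability as an RFC 5492 capability TLV inside an OPEN Optional Parameter, enforces the non-empty, 64-byte and 255-byte limits, and parses it back, treating a length mismatch or invalid UTF-8 from a peer as a malformed capability. The capability code is a placeholder because the draft leaves it TBD, and Version Length is counted in UTF-8 octets, which is an assumption.

```python
from typing import List, Optional
CAPABILITIES_PARAM_TYPE = 2          # RFC 5492: OPEN Optional Parameter type 2
VERSION_CAP_CODE_PLACEHOLDER = 0x7F  # draft says "TBD": placeholder only
MAX_VERSION_OCTETS = 64              # draft: version SHOULD be <= 64 bytes
MAX_OPT_PARAMS_OCTETS = 255          # OPEN "Opt Parm Len" is a single octet

def encode_version_capability(version: str) -> bytes:
    """One RFC 5492 capability TLV: Code, Length, then Figure 1's value."""
    data = version.encode("utf-8")
    if not data:
        raise ValueError("Version MUST NOT be empty")
    if len(data) > MAX_VERSION_OCTETS:
        raise ValueError("Version SHOULD be limited to 64 bytes")
    # Version Length counted in UTF-8 octets (assumption; draft says "characters")
    value = bytes([len(data)]) + data
    return bytes([VERSION_CAP_CODE_PLACEHOLDER, len(value)]) + value

def encode_optional_parameters(capabilities: List[bytes]) -> bytes:
    # Wrap capability TLVs in one type-2 Optional Parameter for an OPEN.
    body = b"".join(capabilities)
    param = bytes([CAPABILITIES_PARAM_TYPE, len(body)]) + body
    if len(param) > MAX_OPT_PARAMS_OCTETS:
        raise ValueError("Optional Parameters exceed 255 bytes")
    return param

def parse_version_capability(opt_params: bytes) -> Optional[str]:
    """Peer's Version string, None if not advertised, ValueError if malformed."""
    i = 0
    while i + 2 <= len(opt_params):
        ptype, plen = opt_params[i], opt_params[i + 1]
        pval = opt_params[i + 2:i + 2 + plen]
        if len(pval) != plen:
            raise ValueError("truncated Optional Parameter")
        i += 2 + plen
        if ptype != CAPABILITIES_PARAM_TYPE:
            continue
        j = 0
        while j + 2 <= len(pval):
            code, clen = pval[j], pval[j + 1]
            cval = pval[j + 2:j + 2 + clen]
            if len(cval) != clen:
                raise ValueError("truncated capability")
            j += 2 + clen
            if code != VERSION_CAP_CODE_PLACEHOLDER:
                continue
            # Inner length must match the TLV and be non-zero; strict UTF-8
            if not cval or cval[0] == 0 or cval[0] != len(cval) - 1:
                raise ValueError("malformed Version capability")
            return cval[1:].decode("utf-8")  # raises on invalid UTF-8
    return None
```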
4. Operation
The Version capability MUST only be used for displaying the version
of a speaker to make troubleshooting easier. Consider a number of
routers, each with a number of upstreams, all running different
operating systems and routing daemons. If a specific feature is not
working, or a bug is not fixed in a particular version, the
advertised versions allow the operator to quickly identify the
pattern of which versions are affected.
Enabling this capability REQUIRES bouncing all existing BGP sessions.
The Version capability MUST be explicitly configured to be
advertised.
Below is an example from the [FRRouting] implementation showing how
the version advertised by a BGP sender is displayed:
:~# vtysh -c 'show ip bgp summary failed'
...
Neighbor EstdCnt DropCnt ResetTime Reason
198.51.100.2 3 3 00:00:35 Waiting for peer OPEN (n/a)
198.51.100.3 3 3 00:01:12 Peer closed the session (FRRouting 7.2-b3ac21114g)
198.51.100.4 3 3 00:00:14 Peer closed the session (FRRouting 7.3-g4c566878f)
198.51.100.5 3 3 00:00:45 Peer closed the session (FRRouting 7.4-a25sg503g2)
...
Figure 2
:~# vtysh -c 'show ip bgp neighbors 198.51.100.1 json' \
> | jq '."198.51.100.1".neighborCapabilities.versions'
{
"advertisedVersion": "FRRouting 7.2-dev-MyOwnFRRVersion",
"receivedVersion": "FRRouting 7.2-dev-MyOwnFRRVersion-gc68bb14"
}
Figure 3
5. IANA Considerations
IANA maintains the "Border Gateway Protocol (BGP) Parameters"
registry with a subregistry called "Capabilities Codes". IANA is
requested to assign a capability number from the First Come First
Served range for the Version Capability in this document as follows:
+-------+-----------------+-----------------------------------------+
| Value | Description | Reference |
+-------+-----------------+-----------------------------------------+
| TBD | Version | [draft-abraitis-bgp-version-capability] |
| | Capability | |
+-------+-----------------+-----------------------------------------+
Table 1: Version Capability
6. Security Considerations
The Version Capability can be treated as sensitive information, since
knowing the specific version of a BGP speaker makes it easier for an
attacker to target it. This information can be gathered from BGP
OPEN messages.
The Version Capability MUST be configurable with a vendor-specific
knob to enable or disable the capability. The vendor might also
implement disabling this capability per neighbor.
It would be safe to enable this for iBGP, or inside the same tenant
where you have full control and the BGP speaker is behind exit
points.
Modifying the information advertised by a router might lead to
attacks including bogus software upgrades, and might also mask the
causes of faults in the network.
Advertising which versions of code are in use, and from which vendor
they come, may facilitate a number of social-engineering attacks.
Many BGP implementations leave TCP/179 open, which could lead to
sensitive information disclosure. This capability is NOT RECOMMENDED
for eBGP use.
Sensitive information leaks can be minimized by using the [RFC5082]
mechanism or firewalls to filter TCP port 179 from untrusted
networks. This capability can be disabled per neighbor, so the
sensitive information is not disclosed to untrusted neighbors.
7. References
7.1. Normative References
[FRRouting]
Abraitis, D., "FRRouting - BGP Version Capability", 2019,
<https://github.com/ton31337/frr/commit/4c566878fd1a7df9f8c84ee03f419c0b00ae444b>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
7.2. Informative References
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
Text on Security Considerations", BCP 72, RFC 3552,
DOI 10.17487/RFC3552, July 2003,
<https://www.rfc-editor.org/info/rfc3552>.
Author's Address
Donatas Abraitis
Hostinger
Jonavos g. 60C
Kaunas 44192
LT
Phone: +370 614 18958
Email: donatas.abraitis@hostinger.com