Fwd: BGP session closed after receipt of flowspec route without destination prefix

Ondrej Zajicek santiago at crfreenet.org
Thu Feb 6 00:50:05 CET 2020


On Wed, Feb 05, 2020 at 09:14:13PM +0100, Maria Matějka wrote:
> Hello!
> 
> Well, RFC 5575 doesn't explicitly say that the flowspec rule must
> contain the destination chunk, anyway it specifies that these rules
> should be understood as additional information for unicast BGP prefixes.
> 
> Therefore we assume that the dst is de facto mandatory, despite de iure it is optional.

Hi

It seems more convoluted:

1) flow_validate() function checks for destination prefix, but only for IPv4

2) BGP NLRI decoding functions also check for destination prefix, but
this time for both IPv4 and IPv6

3) I was sure that RFC 5575 requires it (just for IPv4, IPv6 flowspec is
covered by draft), but now I cannot find any explicit mention of that in
RFC 5575, except implicit assumption of existence of dst prefix in
section 6 (validation procedure), which is probable source of that
assumption, considering that validation procedure was not in IPv6 draft.

4) Newer drafts (draft-ietf-idr-rfc5575bis-17 and draft-ietf-idr-flow-spec-v6-10)
clarify that dst prefix is required for validation procedure for feasibility, so
flow without dst prefix is syntactically valid, but unfeasible.

Note that BIRD just checks for syntactic validity. Feasibility check is
not implemented. Therefore we should clean that and allow flowspec rules
without dst prefix. I will check that.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."



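Added example, not part of the original message and not BIRD's code: a reduced C check of the component bytes of an IPv4 flowspec rule that keeps syntactic validity separate from the presence of the dst prefix that the validation procedure needs, the distinction drawn in points 1) to 4) above. The component and operator layout follows RFC 5575; the names fs4_classify and fs_result, the sample bytes and the rejection of an empty rule are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum fs_result { FS_INVALID, FS_VALID_NO_DST, FS_VALID_WITH_DST };
/* Constructed samples: component bytes only, NLRI length octet stripped. */
static const uint8_t with_dst[] = { 1, 24, 192, 0, 2, 3, 0x81, 6 };  /* dst 192.0.2.0/24, proto == 6 */
static const uint8_t no_dst[]   = { 3, 0x81, 17, 5, 0x81, 53 };      /* proto == 17, dst port == 53 */
static const uint8_t cut_off[]  = { 1, 24, 192, 0 };                 /* prefix shorter than announced */
static const uint8_t swapped[]  = { 3, 0x81, 6, 1, 24, 192, 0, 2 };  /* type 1 after type 3 */

/* Reduced syntactic check of an IPv4 flowspec rule; dst presence is reported, not required. */
enum fs_result fs4_classify(const uint8_t *p, size_t len)
{
  size_t i = 0;
  unsigned last_type = 0;
  int has_dst = 0;
  if (len == 0) return FS_INVALID;       /* empty rule rejected: assumption of this example */
  while (i < len) {
    unsigned type = p[i++];
    if (type < 1 || type > 12 || type <= last_type)
      return FS_INVALID;                 /* unknown type or type ordering broken */
    last_type = type;
    if (type <= 2) {                     /* 1 = dst prefix, 2 = src prefix */
      if (i >= len) return FS_INVALID;
      unsigned bits = p[i++];
      size_t bytes = (bits + 7) / 8;
      if (bits > 32 || bytes > len - i) return FS_INVALID;
      i += bytes;
      has_dst |= (type == 1);
      continue;
    }
    for (;;) {                           /* types 3..12: list of <op, value> pairs */
      if (i >= len) return FS_INVALID;
      uint8_t op = p[i++];
      size_t vlen = (size_t)1 << ((op >> 4) & 3);  /* value length from the op's len bits */
      if (vlen > len - i) return FS_INVALID;
      i += vlen;
      if (op & 0x80) break;              /* end-of-list bit set on the last pair */
    }
  }
  return has_dst ? FS_VALID_WITH_DST : FS_VALID_NO_DST;
}

int main(void)
{
  printf("%d %d\n", (int)fs4_classify(with_dst, sizeof with_dst), (int)fs4_classify(no_dst, sizeof no_dst));
  return 0;
}
```

A rule classified FS_VALID_NO_DST is the case point 4) calls syntactically valid but unfeasible; the example does not check per-type value sizes or perform the feasibility check itself.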