Re: [Idr] New draft submitted: draft-loibl-bacher-idr-flowspec-clarification

Robert Raszuk <robert@raszuk.net> Tue, 23 August 2016 14:48 UTC


Hey Jim,

Indeed I alluded to your and others' contributions to generalize flowspec
when I mentioned the intra-domain case. Even putting aside SDN use cases
there still can be valid DDoS filters injected centrally - hence my
comment.

For your point however I (*still*) think it would be much easier and
simpler to put all SDN and related work into Flowspec_v2 and run it in a
different SAFI. Yourself, Sue and a bunch of other people are actively
helping with it. That v2 spec may have completely different validation rules
or not have them at all assuming validation happens on controller only.

IMHO mixing both quite separate use cases will not help each other at all
deployment-wise - even if both deployment models are very valid. The reason
being that what knobs work for one flowspec NLRI for the other could turn
out to be harmful. So if we do not separate them and someone would like to use
both it will get pretty ugly soon.

Cheers,
R.



On Tue, Aug 23, 2016 at 4:13 PM, UTTARO, JAMES <ju1738@att.com> wrote:

> Christoph,
>
> One could also use flow-spec as a mechanism to disseminate
> flow-spec "filters" via an SDN controller. I and my co-authors specified
> changes to the validation procedure such that the unicast route is not
> required for a router to accept and program the flow-spec path/filter.
> When reading through the draft it seems to assume that flow-spec is only
> used as originally intended; this is not the case. IMO this is a good piece
> of work and it should broaden the scope to include how flow-spec can be
> used from an SDN Controller. There are other challenges with the draft as
> originally written:
>
> - Order of Traffic Filtering Rules
> - More specific unicast routes
> - AS value position in the AS-Path
>
> Here is the draft..
>
> https://tools.ietf.org/html/draft-ietf-idr-bgp-flowspec-oid-03
>
> Jim Uttaro
>
> -----Original Message-----
> From: Idr [mailto:idr-bounces@ietf.org] On Behalf Of Christoph Loibl
> Sent: Tuesday, August 23, 2016 8:09 AM
> To: idr@ietf.org
> Subject: [Idr] New draft submitted: draft-loibl-bacher-idr-flowspec-clarification
>
> Hi,
>
> We submitted a new draft and are happy to receive feedback:
>
> Since interoperability is key to a flowspec Internet deployment we tried
> to clarify the ambiguous parts of the flowspec RFC 5575 in order to allow a
> consistent implementation by equipment vendors.
>
> Title: draft-loibl-bacher-idr-flowspec-clarification
>
> https://datatracker.ietf.org/doc/draft-loibl-bacher-idr-flowspec-clarification/
>
> The reason for this draft submission is that we recently performed a
> rather large flowspec interop test (the main goal was to evaluate possible
> inter-AS flowspec scenarios in a multi-vendor environment) and discovered
> many bugs and vendor interop problems that we want to solve.
>
> Unfortunately we currently cannot share all our findings in a test report,
> because we hit some serious bugs that have (under circumstances) potential
> to remotely melt down entire networks and are working with the vendors to
> get bugs fixed.
>
> Christoph
>
> --
> Christoph Loibl
> c@tix.at | CL8-RIPE | PGP-Key-ID: 0x4B2C0055 | http://www.nextlayer.at
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
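The validation procedure the thread argues about, the RFC 5575 section 6 feasibility check (originator of the best-match unicast route, and no more-specific routes from another neighboring AS), as an added illustration that is not code from either draft or from any poster. It assumes a simplified RIB model; `trusted_controllers` is a hypothetical knob standing in for the SDN-controller case Jim describes, not the procedure of draft-ietf-idr-bgp-flowspec-oid.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class UnicastRoute:
    prefix: str        # IPv4 prefix in the unicast RIB, e.g. "203.0.113.0/24"
    originator: str    # BGP originator: ORIGINATOR_ID or the address of the sending peer
    neighbor_as: int   # neighboring AS the route was received from

@dataclass(frozen=True)
class FlowspecRoute:
    dest_prefix: str   # destination-prefix component of the flowspec NLRI
    originator: str    # BGP originator of the flowspec route

def best_match(rib: Iterable[UnicastRoute], dest: str) -> Optional[UnicastRoute]:
    """Longest-prefix unicast route that covers the flowspec destination prefix."""
    dest_net = ipaddress.ip_network(dest)
    covering = [r for r in rib if dest_net.subnet_of(ipaddress.ip_network(r.prefix))]
    return max(covering, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)

def validate_flowspec(fs: FlowspecRoute, rib: Iterable[UnicastRoute],
                      trusted_controllers: frozenset = frozenset()) -> tuple:
    """RFC 5575 section 6 feasibility check; returns (feasible, reason).
    a) flowspec originator == originator of the best-match unicast route;
    b) no more-specific unicast route from a different neighboring AS than (a).
    trusted_controllers is a hypothetical knob, not text from either draft: flowspec
    from a listed originator skips the unicast check (the SDN-controller case)."""
    if fs.originator in trusted_controllers:
        return True, "accepted from configured controller without unicast validation"
    rib = list(rib)
    best = best_match(rib, fs.dest_prefix)
    if best is None:
        return False, "no unicast route covers the destination prefix"
    if best.originator != fs.originator:
        return False, f"originator {fs.originator} != best-match originator {best.originator}"
    dest_net = ipaddress.ip_network(fs.dest_prefix)
    for r in rib:
        net = ipaddress.ip_network(r.prefix)
        if net.prefixlen > dest_net.prefixlen and net.subnet_of(dest_net) \
                and r.neighbor_as != best.neighbor_as:
            return False, f"more-specific {r.prefix} learned from AS{r.neighbor_as}, not AS{best.neighbor_as}"
    return True, "feasible"

# Constructed sample RIB using documentation prefixes; the /25 comes from a different AS.
RIB = [UnicastRoute("203.0.113.0/24", "10.0.0.1", 64500),
       UnicastRoute("203.0.113.128/25", "10.0.0.2", 64501),
       UnicastRoute("198.51.100.0/24", "10.0.0.1", 64500)]
```

With this RIB a flowspec for 203.0.113.0/24 is rejected even from the right originator, because the /25 was learned from AS64501; a controller-injected rule for a prefix with no unicast route passes only through the hypothetical knob.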