IETF Logo Mail Archive

Re: [Idr] New draft submitted: draft-loibl-bacher-idr-flowspec-clarification

"UTTARO, JAMES" <ju1738@att.com> Tue, 23 August 2016 14:50 UTC

Return-Path: <ju1738@att.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AFA112D0F7 for <idr@ietfa.amsl.com>; Tue, 23 Aug 2016 07:50:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MxAun3wREupl for <idr@ietfa.amsl.com>; Tue, 23 Aug 2016 07:50:29 -0700 (PDT)
Received: from mx0a-00191d01.pphosted.com (mx0a-00191d01.pphosted.com [67.231.149.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A85312DB23 for <idr@ietf.org>; Tue, 23 Aug 2016 07:29:57 -0700 (PDT)
Received: from pps.filterd (m0049297.ppops.net [127.0.0.1]) by m0049297.ppops.net-00191d01. (8.16.0.17/8.16.0.17) with SMTP id u7NENrmB042930; Tue, 23 Aug 2016 10:29:56 -0400
Received: from alpi155.enaf.aldc.att.com (sbcsmtp7.sbc.com [144.160.229.24]) by m0049297.ppops.net-00191d01. with ESMTP id 250qkkuu6t-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 23 Aug 2016 10:29:56 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id u7NETsAE016431; Tue, 23 Aug 2016 10:29:55 -0400
Received: from mlpi407.sfdc.sbc.com (mlpi407.sfdc.sbc.com [130.9.128.239]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id u7NETlgt016243 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 23 Aug 2016 10:29:50 -0400
Received: from MISOUT7MSGHUBAB.ITServices.sbc.com (MISOUT7MSGHUBAB.itservices.sbc.com [130.9.129.146]) by mlpi407.sfdc.sbc.com (RSA Interceptor); Tue, 23 Aug 2016 14:29:36 GMT
Received: from MISOUT7MSGUSRCD.ITServices.sbc.com ([169.254.4.23]) by MISOUT7MSGHUBAB.ITServices.sbc.com ([130.9.129.146]) with mapi id 14.03.0301.000; Tue, 23 Aug 2016 10:29:36 -0400
From: "UTTARO, JAMES" <ju1738@att.com>
To: Robert Raszuk <robert@raszuk.net>
Thread-Topic: [Idr] New draft submitted: draft-loibl-bacher-idr-flowspec-clarification
Thread-Index: AQHR/UqZj5zkcYA/zkaBJNJwgXsDTaBWmtqg
Date: Tue, 23 Aug 2016 14:29:35 +0000
Message-ID: <B17A6910EEDD1F45980687268941550F1FF1FF3B@MISOUT7MSGUSRCD.ITServices.sbc.com>
References: <65345B6C-D24F-4F32-BF3C-E9343A7C61E1@tix.at> <B17A6910EEDD1F45980687268941550F1FF1FD73@MISOUT7MSGUSRCD.ITServices.sbc.com> <CA+b+ER=SJbKEq4Vqd3iJoU1R1hzS-sWquctof_p89t2tuSgNzA@mail.gmail.com>
In-Reply-To: <CA+b+ER=SJbKEq4Vqd3iJoU1R1hzS-sWquctof_p89t2tuSgNzA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.91.76.251]
Content-Type: multipart/alternative; boundary="_000_B17A6910EEDD1F45980687268941550F1FF1FF3BMISOUT7MSGUSRCD_"
MIME-Version: 1.0
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-08-23_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 impostorscore=0 lowpriorityscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1608230144
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/4kXFVWfX9Rss4PNcETRPMUIaPpQ>
Cc: "idr@ietf.org" <idr@ietf.org>
Subject: Re: [Idr] New draft submitted: draft-loibl-bacher-idr-flowspec-clarification
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2016 14:50:34 -0000

Robert,

                Makes sense..

Thanks,
                Jim Uttaro

From: rraszuk@gmail.com [mailto:rraszuk@gmail.com] On Behalf Of Robert Raszuk
Sent: Tuesday, August 23, 2016 10:28 AM
To: UTTARO, JAMES <ju1738@att.com>
Cc: Christoph Loibl <c@tix.at>; idr@ietf.org
Subject: Re: [Idr] New draft submitted: draft-loibl-bacher-idr-flowspec-clarification

Hey Jim,

Indeed I alluded to your and others contributions to generalize flowspec when I mentioned the intra-domain case. Even putting aside SDN use cases there still can be valid DDoS filters injected centrally - hence my comment.

For your point however I (*still*) think it would be much easier and simpler to put all SDN and related work into Flowspec_v2 and run in in different SAFI. Yourself, Sue and bunch of other people are actively helping with. That v2 spec may have completely different validation rules or not have them at all assuming validation happens on controller only.

IMHO mixing both quite separate use cases will not help each other at all deployment wise - even if both deployment models are very valid. The reason being that what knobs work for one flowspec NLRIs for the other could turn to be harmful. So if we do not separate them and someone would like to use both it will get pretty ugly soon.

Cheers,
R.



On Tue, Aug 23, 2016 at 4:13 PM, UTTARO, JAMES <ju1738@att.com<mailto:ju1738@att.com>> wrote:
Christoph,

        One could also us flow-spec as a mechanism to disseminate flow-spec "filters" via an SDN controller. I am my co-authors specified changes to the validation procedure such that the unicast route is not required for a router to accept and program the slow-spec path/filter.  When reading through the draft it seems to assume that flow-spec is only used as originally intended this is not the case. IMO this is a good piece of work and it should broaden the scope to include how flow-spec can be used from an SDN Controller.. There are other challenges with the draft as originally written

- Order of Traffic Filtering Rules
- More specific unicast routes
- AS value position in the AS-Path

Here is the draft..

https://tools.ietf.org/html/draft-ietf-idr-bgp-flowspec-oid-03

Jim Uttaro

-----Original Message-----
From: Idr [mailto:idr-bounces@ietf.org<mailto:idr-bounces@ietf.org>] On Behalf Of Christoph Loibl
Sent: Tuesday, August 23, 2016 8:09 AM
To: idr@ietf.org<mailto:idr@ietf.org>
Subject: [Idr] New draft submitted: draft-loibl-bacher-idr-flowspec-clarification

Hi,

We submitted a new draft and are happy to receive feedback:

Since interoperability is key to an flowspec Internet deployment we tried to clarify the ambiguous parts of the flowspec RFC 5575 in order to allow a consistent implementation by equipment vendors.

Title: draft-loibl-bacher-idr-flowspec-clarification

https://datatracker.ietf.org/doc/draft-loibl-bacher-idr-flowspec-clarification/

The reason for this draft submission is, that we recently performed a rather large flowspec interop test (the main goal was to evaluate possible inter-AS flowspec scenarios in a multi vendor environment) and discovered many bugs and vendor interop problems that we want to solve.

Unfortunately we currently cannot share all our findings in a test report, because we hit some serious bugs that have (under circumstances) potential to remotely melt down entire networks and are working with the vendors to get bugs fixed.

Christoph

--
Christoph Loibl
c@tix.at<mailto:c@tix.at> | CL8-RIPE | PGP-Key-ID: 0x4B2C0055 | http://www.nextlayer.at
_______________________________________________
Idr mailing list
Idr@ietf.org<mailto:Idr@ietf.org>
https://www.ietf.org/mailman/listinfo/idr

v2.23.0 | Report a Bug | By Email