Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06

"Smith, Donald" <Donald.Smith@CenturyLink.com> Fri, 11 May 2018 19:30 UTC

Return-Path: <Donald.Smith@CenturyLink.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A001D12D941; Fri, 11 May 2018 12:30:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MPbA2WKfK6ou; Fri, 11 May 2018 12:30:20 -0700 (PDT)
Received: from lxomp52w.centurylink.com (lxomp52w.centurylink.com [155.70.50.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D026312D879; Fri, 11 May 2018 12:30:19 -0700 (PDT)
Received: from lxomp90v.corp.intranet (emailout.qintra.com [151.117.203.59]) by lxomp52w.centurylink.com (8.14.8/8.14.8) with ESMTP id w4BJUGSR017096 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 11 May 2018 14:30:16 -0500
Received: from lxomp90v.corp.intranet (localhost [127.0.0.1]) by lxomp90v.corp.intranet (8.14.8/8.14.8) with ESMTP id w4BJUAEu023349; Fri, 11 May 2018 14:30:10 -0500
Received: from lxomp06u.corp.intranet (lxomp81v.corp.intranet [151.117.18.14]) by lxomp90v.corp.intranet (8.14.8/8.14.8) with ESMTP id w4BJUAoN023282 (version=TLSv1/SSLv3 cipher=AES256-SHA256 bits=256 verify=NO); Fri, 11 May 2018 14:30:10 -0500
Received: from lxomp06u.corp.intranet (localhost [127.0.0.1]) by lxomp06u.corp.intranet (8.14.8/8.14.8) with ESMTP id w4BJUA0K053725; Fri, 11 May 2018 14:30:10 -0500
Received: from vddcwhubex501.ctl.intranet (vddcwhubex501.ctl.intranet [151.119.128.28]) by lxomp06u.corp.intranet (8.14.8/8.14.8) with ESMTP id w4BJUAHZ053708 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 11 May 2018 14:30:10 -0500
Received: from PDDCWMBXEX503.ctl.intranet ([fe80::9033:ef22:df02:32a9]) by vddcwhubex501.ctl.intranet ([151.119.128.28]) with mapi id 14.03.0339.000; Fri, 11 May 2018 13:30:10 -0600
From: "Smith, Donald" <Donald.Smith@CenturyLink.com>
To: "Juan Alcaide (jalcaide)" <jalcaide@cisco.com>, "Jakob Heitz (jheitz)" <jheitz@cisco.com>, John Scudder <jgs@juniper.net>, "idr@ietf. org" <idr@ietf.org>
CC: "nl7942@att.com" <nl7942@att.com>, "Schiel, John" <John.Schiel@centurylink.com>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>
Thread-Topic: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
Thread-Index: AQHT3ZkE/arcG/QefEmi41lu0QPjP6QpwroA//+fEJ6AARx2AIAANIT8gACqhwD//6L4TA==
Date: Fri, 11 May 2018 19:30:09 +0000
Message-ID: <68EFACB32CF4464298EA2779B058889D53DB50BF@PDDCWMBXEX503.ctl.intranet>
References: <DB4DB79D-22DD-45A7-980A-B33C5E58C1C7@juniper.net> <2997BE5D-F4C6-4AC2-9B00-126436FC5141@juniper.net> <68EFACB32CF4464298EA2779B058889D53DB49B4@PDDCWMBXEX503.ctl.intranet> <e0e1857b46104431be4f655fe8d1e0b1@XCH-ALN-014.cisco.com> <68EFACB32CF4464298EA2779B058889D53DB4D80@PDDCWMBXEX503.ctl.intranet>, <7cc92070-d480-cd91-e572-36dc36836732@cisco.com>
In-Reply-To: <7cc92070-d480-cd91-e572-36dc36836732@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [151.119.128.7]
Content-Type: multipart/alternative; boundary="_000_68EFACB32CF4464298EA2779B058889D53DB50BFPDDCWMBXEX503ct_"
MIME-Version: 1.0
X-TM-AS-MML: disable
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/5CK2DHXPwZvMh9vi9QWJgoS_mG0>
Subject: Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 May 2018 19:30:27 -0000

I am not entirely sure if that works here or not.

But I think with that you could show some AS as the last AS in the past (far left) and maybe not show the original customer AS?

As long as your advertising that space to me, and I don't have a better path it should work.



Now what happens when a customer is a customer of ISP A and ISP B both have routes to it, if A advertises flowspec to B for that network wouldn't it be blocked as the best path to the customer inside of B is B's path.

This is actually a different problem, or subset of the original issue.



What should happen in that case? I might want to take action, I might not be seeing a huge flood, while the original announcer (A) is and wants us to take action as they expect we will be seeing that traffic soon?









Metric System < +000 > -000
Extra People's Terribly Good Meals Kept mY uNCLE    Ned   Purring For     Ages
Exa   Peta        Tera     Giga   Mega  Kilo milli Micro(u) Nano Pico    Femto Atto
Donald.Smith@centurylink.com<mailto:Donald.Smith@centurylink.com>
________________________________
From: Juan Alcaide (jalcaide) [jalcaide@cisco.com]
Sent: Friday, May 11, 2018 12:57 PM
To: Smith, Donald; Jakob Heitz (jheitz); John Scudder; idr@ietf. org
Cc: nl7942@att.com; Schiel, John; draft-ietf-idr-bgp-flowspec-oid@ietf.org
Subject: Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06

Don,

(just to be clear, this has nothing to directly with the redirect extended-community draft)

We already thought about it and added a 'clause' in the last revision.

"Optionally, an implementation
   could be configured to allow only flow specification NLRIs containing
   only a subset of ASes.  This could be useful, for example, with
   networks that consist of multiple ASes that operate under the same
   administrative domain."

This is not what you want?

-J

On 5/11/2018 4:50 PM, Smith, Donald wrote:

That would work of course MAY would be caps :) But that should cover the case I was describing.

All the other BGP security issues would still apply.

Cc'ing the two architects that have been working on this concept with me, in case they have anything to add.





Metric System < +000 > -000
Extra People's Terribly Good Meals Kept mY uNCLE    Ned   Purring For     Ages
Exa   Peta        Tera     Giga   Mega  Kilo milli Micro(u) Nano Pico    Femto Atto
Donald.Smith@centurylink.com<mailto:Donald.Smith@centurylink.com>
________________________________
From: Jakob Heitz (jheitz) [jheitz@cisco.com<mailto:jheitz@cisco.com>]
Sent: Thursday, May 10, 2018 11:39 PM
To: Smith, Donald; John Scudder; idr@ietf. org
Cc: draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org>
Subject: RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06

I support the draft.

Donald, are you saying that AS1 should accept a flowspec rule from AS2 for traffic going to AS3?
If AS1 can trust the flowspec from AS2, then I don't see why not.
Maybe we can add text to the effect of:
The rules stated here are for default behavior.
Local policy may allow flow specifications from other EBGP neighbors to be accepted.

Thanks,
Jakob

From: Idr <idr-bounces@ietf.org><mailto:idr-bounces@ietf.org> On Behalf Of Smith, Donald
Sent: Thursday, May 10, 2018 11:58 AM
To: John Scudder <jgs@juniper.net><mailto:jgs@juniper.net>; idr@ietf. org <idr@ietf..org><mailto:idr@ietf..org>
Cc: draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org>
Subject: Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06


This supports some of the bi-lateral, ddos-peering work we want to do, so support.



https://pc.nanog.org/static/published/meetings/NANOG71/1447/20171003_Levy_Operationalizing_Isp_v2.pdf



That is almost always going to be between some set of systems not one hop away, not directly in the forwarding plane, probably not really IBGP peers.



" It thus becomes necessary to modify step (a) of the RFC 5575<https://tools.ietf.org/html/rfc5575>
   validation procedure such that an IBGP peer that is not within the
   data forwarding plane may originate flow specification NLRIs."



While you could have the IBGP peer directly in the forwarding plane, forward it like a route reflector, requiring it to seems counter intuitive as it is more likely to come from some BGP speaking tool in ISP requesting the filter.



Next lots of references to IBGP and a few to EBGP, when I think of IBGP, IBGP is internal to a single AS (yes I know there are exceptions) but that is kind of the meaning, while this is mostly between peers (whom could do IBGP between them but is that required? Can't we validate without IBGP direct connections?)




Metric System < +000 > -000
Extra People's Terribly Good Meals Kept mY uNCLE    Ned   Purring For     Ages
Exa   Peta        Tera     Giga   Mega  Kilo milli Micro(u) Nano Pico    Femto Atto
Donald.Smith@centurylink.com<mailto:Donald.Smith@centurylink.com>
________________________________
From: Idr [idr-bounces@ietf.org<mailto:idr-bounces@ietf.org>] on behalf of John Scudder [jgs@juniper.net<mailto:jgs@juniper.net>]
Sent: Thursday, May 10, 2018 12:28 PM
To: idr@ietf. org
Cc: draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org>
Subject: Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
Hi All,

On Apr 26, 2018, at 3:58 PM, John Scudder <jgs@juniper.net<mailto:jgs@juniper.net>> wrote:

The authors have requested a working group last call for draft-ietf-idr-bgp-flowspec-oid-06. Please respond with your comments before Friday, May 11.

A quick update on the status of this WGLC:

- All the authors have responded about IPR (thank you!).
- Three people who are not authors (Acee, Shyam, Keyur) have responded supporting publication.
- Nobody has responded with other comments or opposition.

Three respondents is not a very large number; it would be helpful if others would chime in.

The WGLC period is scheduled to end tomorrow.

Thanks,

--John
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.



_______________________________________________
Idr mailing list
Idr@ietf.org<mailto:Idr@ietf.org>
https://www.ietf.org/mailman/listinfo/idr



This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.