[Idr] Re: 2 week adoption call for draft-hares-ietf-idr-fsv2-ip-basic (6/1/2024 to 6/14/2024)

Susan Hares <shares@ndzh.com> Tue, 11 June 2024 18:50 UTC

From: Susan Hares <shares@ndzh.com>
To: Robert Raszuk <robert@raszuk.net>
Date: Tue, 11 Jun 2024 18:50:05 +0000
CC: "idr@ietf.org" <idr@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/5G6UKh_Pa_bHDCyPUX0_MvB1SpQ>

Robert:

Given your example, the 1000 nodes could rate their filters as priority 1-10.  As they distribute their filters, they could

  1.  Set their DDOS filters as one of the order 1-10 depending on the seriousness of the filters,
  2.  Let default ordering (FSv1 ordering) – ordering things per priority,

I hope this FSv2 example shows that user ordering handles both your use case and the central controller.

Cheers, Sue
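
Added example, not part of the original message or of the draft: a Python illustration of the ordering described in the reply above, where each rule carries a user order of 1-10 and rules sharing an order fall back to the FSv1 default comparison. It assumes rules with only a destination prefix component and uses the RFC 8955 section 5.1 prefix comparison; the node names, order values and prefixes are constructed.

```python
import ipaddress
from functools import cmp_to_key
from itertools import permutations

# Constructed sample: (originating edge node, user order 1-10, destination prefix).
# All names and values are hypothetical documentation values.
RULES = [
    ("edge-0417", 5, "192.0.2.0/24"),
    ("edge-0002", 1, "198.51.100.0/24"),
    ("edge-0933", 5, "192.0.2.128/25"),
    ("edge-0100", 1, "198.51.100.7/32"),
    ("edge-0555", 10, "203.0.113.0/24"),
]

def cmp_prefix(a, b):
    """FSv1 default comparison for one prefix component (RFC 8955, 5.1).

    If one prefix is a more specific of the other, the more specific sorts
    first; otherwise the lower IP value sorts first.
    """
    na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
    if na.overlaps(nb):
        return nb.prefixlen - na.prefixlen
    return -1 if na.network_address < nb.network_address else 1

def cmp_rule(r1, r2):
    """User order decides first; the FSv1 comparison only breaks ties."""
    if r1[1] != r2[1]:
        return r1[1] - r2[1]
    return cmp_prefix(r1[2], r2[2])

def install_order(rules):
    """Return the rules in the sequence a receiving router would apply them."""
    return sorted(rules, key=cmp_to_key(cmp_rule))

def arrival_independent(rules):
    """True if every arrival sequence of the rules yields the same result."""
    expected = install_order(rules)
    return all(install_order(list(p)) == expected for p in permutations(rules))

if __name__ == "__main__":
    for node, order, prefix in install_order(RULES):
        print(f"order={order:2d}  {prefix:18s}  from {node}")
    print("same result for any arrival sequence:", arrival_independent(RULES))
```
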


From: Robert Raszuk <robert@raszuk.net>
Sent: Tuesday, June 11, 2024 12:02 PM
To: Susan Hares <shares@ndzh.com>
Cc: idr@ietf.org
Subject: Re: [Idr] 2 week adoption call for draft-hares-ietf-idr-fsv2-ip-basic (6/1/2024 to 6/14/2024)


Hi Sue,

I have one fundamental question in respect to addition of user ordering ...

From text of the subject draft we read:

   During the deployment of BGP FSv1 a number of issues were detected
   due to lack of consistent TLV encoding for rules for flow
   specifications, lack of user ordering of filter rules and/or actions,

Well ... please kindly observe that the primary basis of FlowSpec proposal was its distributed nature not a BGP based configuration or policy push from central oracle.

Scenario:

Let's imagine that 1000 edge nodes are to notice some attacks and inject their flow spec DDoS descriptions into the network.

Question:

How would those 1000 edge nodes detecting malicious attack patterns now synchronize with each other to inject Flow Spec rules with fixed ordering such that it would still network wide make sense?

If FlowSpec v2 is aimed as protocol extension to be ONLY used from user operated controller as a central brain of the network rules let's make it very clear up front in the scope of v2.

Kind regards,
Robert


On Sat, Jun 1, 2024 at 11:32 AM Susan Hares <shares@ndzh.com> wrote:
Greetings:

This begins a 2 week IDR WG adoption call for draft-ietf-idr-fsv2-ip-basic-02.txt.

This draft provides a sub-set of the flow specification v2 work that provides:

  1.  Flow specification v2 – user ordering,
  2.  Flow specification v1 – filters, and
  3.  Flow specification v1 actions in Extended Community.

All FSv2 work would be required to implement this minimum subset.

All of this work comes from the IDR approved draft:
draft-ietf-idr-flowspec-v2-04.txt
https://datatracker.ietf.org/doc/draft-ietf-idr-flowspec-v2/

The purpose of this WG Adoption is to confirm that the minimum subset aligns with the IDR WG wishes.

Additional features that would be added to FSv2 are:

  1.  Additional IP filters,
  2.  Additional FSv2 Actions in Extended Communities,
  3.  Additional FSv2 Actions in Community Path Attribute,
  4.  Non-IP Filters, and
  5.  Non-IP Actions.

The FSv2 work will continue to have its interims on
6/3 (draft-hares-fsv2-ip-basic), 6/10 (more filters), and 6/17 (actions + Non-IP work).

All Interims in June (6/3, 6/10, and 6/17) go from 10:00-11:30am EDT.

Cheerily, Sue Hares
