Re: [Idr] Returning draft-ietf-idr-rfc5575bis to WG, new 2 week discussion period

Christoph Loibl <c@tix.at> Thu, 13 June 2019 19:22 UTC

Return-Path: <c@tix.at>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8A1A12061D; Thu, 13 Jun 2019 12:22:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xyJ2JaLUSY5q; Thu, 13 Jun 2019 12:22:20 -0700 (PDT)
Received: from mail.hated.at (mail.hated.at [IPv6:2001:858:2:8::235]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80E70120619; Thu, 13 Jun 2019 12:22:20 -0700 (PDT)
Received: from 80-110-113-122.cgn.dynamic.surfer.at ([80.110.113.122] helo=[192.168.66.207]) by mail.hated.at with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <c@tix.at>) id 1hbVD9-0001Qm-Pb; Thu, 13 Jun 2019 21:16:36 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Christoph Loibl <c@tix.at>
In-Reply-To: <A68BF050-9846-4E14-918D-297548E078A2@juniper.net>
Date: Thu, 13 Jun 2019 21:22:15 +0200
Cc: "idr@ietf. org" <idr@ietf.org>, "draft-ietf-idr-rfc5575bis@ietf.org" <draft-ietf-idr-rfc5575bis@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <99A607F0-84C5-4D3D-99EF-36B733DE205A@tix.at>
References: <A68BF050-9846-4E14-918D-297548E078A2@juniper.net>
To: John Scudder <jgs=40juniper.net@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/6OmQNrhZ2sAar75UNCSHEMkBL8U>
Subject: Re: [Idr] Returning draft-ietf-idr-rfc5575bis to WG, new 2 week discussion period
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jun 2019 19:22:24 -0000

Hi John and Robert,

Thanks for pointing that out. This is a very good point! I think that a missing dest-ip component could be treated as 0/0 in terms of validation.

Making the destination-ip component mandatory may badly break existing implementations (that do not treat destination-ip as mandatory and may break deployments). It may also be problematic for certain extensions that do not need dest-ip addresses (with this draft we did not only try to be more precise in the specification, we also wanted improve extensibility -> relaxed behaviour on un-decodable NLRI).

I think that in this context we can treat a non-existing destination-ip flow-component as 0/0 and I suggest something like this:

OLD:

     a) The originator of the Flow Specification matches the originator
     of the best-match unicast route for the destination prefix
     embedded in the Flow Specification.

NEW:

     a) The originator of the Flow Specification matches the originator
     of the best-match unicast route for the destination prefix
     embedded in the Flow Specification. 0/0 is assumed as destination prefix in 
     this context if it is not embedded in the Flow Specification.  

Extensions may need to revise this validation behaviour for their needs anyway.

The draft itself does not deal with / mention any possible vendor-specific exception mechanisms that allow to circumvent the validation (complete or partly), thus I think there is no additional paragraph needed that tries to explain how such validation can be relaxed. (maybe only very minimal “This validation procedure MAY be relaxed by configuration.”) 

Cheers Christoph

-- 
Christoph Loibl
c@tix.at | CL8-RIPE | PGP-Key-ID: 0x4B2C0055 | http://www.nextlayer.at



> On 13.06.2019, at 19:42, John Scudder <jgs=40juniper.net@dmarc.ietf.org> wrote:
> 
> Hi Authors and WG,
> 
> I just had it brought to my attention that RFC 5575 and draft-ietf-idr-rfc5575bis both are underspecified with regard to the validation procedures. The problem is what to do if a flow-spec NLRI doesn't contain a destination prefix component. Section 4.2 makes it clear that destination prefix is optional, so it's valid for it not to be present. But the first set of validation steps in section 6 are written in terms of the destination prefix, without acknowledging it might not be there.
> 
> This leaves a gap for an interoperability problem, where some implementations might choose to consider validation to have succeeded if the destination prefix component isn't present, and others might consider it to have failed.
> 
> To fix this ambiguity I'd like to suggest the following change. The summary is we add a new rule (a), renumber the old (a) and (b), and add a note following.
> 
> OLD:
>   A Flow Specification NLRI must be validated such that it is
>   considered feasible if and only if:
> 
>      a) The originator of the Flow Specification matches the originator
>      of the best-match unicast route for the destination prefix
>      embedded in the Flow Specification.
> 
>      b) There are no more specific unicast routes, when compared with
>      the flow destination prefix, that has been received from a
>      different neighboring AS than the best-match unicast route, which
>      has been determined in step a).
> 
> NEW:
>   A Flow Specification NLRI must be validated such that it is
>   considered feasible if and only if:
> 
>      a) A destination prefix component is embedded in the Flow 
>      Specification.
> 
>      b) The originator of the Flow Specification matches the originator
>      of the best-match unicast route for the destination prefix
>      embedded in the Flow Specification.
> 
>      c) There are no more specific unicast routes, when compared with
>      the flow destination prefix, that has been received from a
>      different neighboring AS than the best-match unicast route, which
>      has been determined in step b).
> 
>   Rule a) MAY be relaxed by configuration, permitting Flow
>   Specifications that include no destination prefix component. If such
>   is the case, rules b) and c) are moot and MUST be disregarded.
> 
> We need the MAY clause since 4.2 does say destination prefix is optional, and also because an operator might actually want to permit this under some circumstances, particularly if the route is internally sourced. I'll also point out that another way according to the proposed rule set to have a flow-spec that matches every packet is to actually put /0 in the destination prefix, then you don't need the optional configuration mentioned in the MAY clause (you do need to accept default for validation to succeed, but that's inherent in flow-spec's design).
> 
> The draft has already passed WGLC and been sent to the IESG. But given that it's always easier to correct problems sooner rather than later, I've just pulled it back to the WG. I'm hoping we can have quick consensus on what to do --
> 
> - Adopt the fix I've suggested,
> - Adopt a different fix,
> - Determine that no fix is needed.
> 
> We could also let the IESG resolve this but it doesn't seem like good WG hygiene.
> 
> I'd like to keep the discussion tightly scoped to just the minimum necessary to clarify section 6.
> 
> Let's have the traditional two week window for discussion, to end by June 28.
> 
> Thanks,
> 
> --John
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr