IETF Logo Mail Archive

Re: [Idr] Feedback from mike during IETF 119 (was Re: FW: New Version Notification for draft-wu-idr-flowspec-dip-community-filter-00.txt)

Ketan Talaulikar <ketant.ietf@gmail.com> Tue, 19 March 2024 07:34 UTC

Return-Path: <ketant.ietf@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D6E4C14F71F for <idr@ietfa.amsl.com>; Tue, 19 Mar 2024 00:34:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ooyCgr_n0R6l for <idr@ietfa.amsl.com>; Tue, 19 Mar 2024 00:34:45 -0700 (PDT)
Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94FFCC15106A for <idr@ietf.org>; Tue, 19 Mar 2024 00:33:03 -0700 (PDT)
Received: by mail-ej1-x636.google.com with SMTP id a640c23a62f3a-a46dd7b4bcbso40079266b.3 for <idr@ietf.org>; Tue, 19 Mar 2024 00:33:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710833582; x=1711438382; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=gVOC7cAR7aESPgg5z9033wwQpO/MYTXHxxMW7bLceG0=; b=L0MU01BhBjp9PskAJZ8pvUy7jNb6HQW0f4YBk2Grh9sautNZE8Xto8z/2kF64OCZpr bpiGf6/b1PbA4tqVQPLpWHuH+2miRWyCO0umDbuqVwz/6O2qiy+/yikAUjYB77YwP42l ZcOPmR+DfmjccjP3FSwa5RolP2dR04qZm2GfFvxhQ81Obtrgh0+yWJXe3inrLa0xSg3z tcZAy+CtQ08oeEZHWXJ40/tuAqEXXURc0lD1vse6QZyM4h3RL8nkryvc3VKZn0qgpVXz 9zO79IPNmUkrGHetFwwDaJtIhmmUFzwUGTfDpXjFE5tWU8adKTBOK5ibd3tZnpx9ZXhL 3WLw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710833582; x=1711438382; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=gVOC7cAR7aESPgg5z9033wwQpO/MYTXHxxMW7bLceG0=; b=gsq1UC42kP/+wFTCbcKqaDyBEK2QYnpstF8xyQfHny02wcQFP8qFXvdSfy8AMod7+g NHWHO9iEo0q1pv0OaInqzDkdz/xnc5n33Nn0x+bmpeSZAwRYqrJZEYHDTh6RHIqFQ4DW 0a3ZbOfr4Nr+1xVwyvLrgXb5QDErPVwQcBZTn3dpinN0qjdd1Rr6qOVRcx0knfg/rrur FzCTfsySFQYFh8/IBVBH8MdxfTKFY/3UDazadUk2LaTIaIzCV4PKjk8N5icTFecf74gO TCKYdsmxKx+scsZ1G6W54k5WstuBzq3hmhlN8g1k2lDcYJ1xIJFdDqL2Xsl8lczSIwIZ Lz5g==
X-Forwarded-Encrypted: i=1; AJvYcCUmq7qCfCnI40wpPMgJz5sqPm6G1EoYRK3k7G4OdHGwq6XoJMgNeDt4vZnEtMaGUvLlyGSsi8iZCyT3td0=
X-Gm-Message-State: AOJu0YyOSRm87L9cbN+RsJo1k0VuAqpdELWo25rd5WMHD7elUq4Lp1gg 7ijpuPFDfhqPYc+0CIfqqrOGgPBLwhWNmYnn2CMEIQ3E64s1eCVzwixIPXOeaIqF3eOd6/8JKqg DJpU+mqp1igFNZEmRQpCmr1cVcV0=
X-Google-Smtp-Source: AGHT+IHsqM2lxCFgf6P6CEmFG74vcr3hCYyUF3jISUDi/XlX1bJ28QikfhO/fOZZ25Ps4PcLP+1vHbSe94SvFeJ4C88=
X-Received: by 2002:a17:906:6898:b0:a46:d6f7:e8f5 with SMTP id n24-20020a170906689800b00a46d6f7e8f5mr1070143ejr.18.1710833581807; Tue, 19 Mar 2024 00:33:01 -0700 (PDT)
MIME-Version: 1.0
References: <1d8a9005350548acae681108370cb22d@huawei.com> <D405B3AE-2B9D-446E-AE39-4CD6FC9152C8@pfrc.org> <CAOj+MMFZLK4eEYqDZPaiyrayfTHEKkNLkjpCUQB=PTRR5E8dFg@mail.gmail.com> <CAH6gdPyYd-ERSRGz7dSygiQS=Pq_SgqOdEvyx3Eou=MXg58zPw@mail.gmail.com> <be2866fb8d0143809a25b179a5097bab@huawei.com>
In-Reply-To: <be2866fb8d0143809a25b179a5097bab@huawei.com>
From: Ketan Talaulikar <ketant.ietf@gmail.com>
Date: Tue, 19 Mar 2024 13:02:50 +0530
Message-ID: <CAH6gdPwOJ92Cp_p6c1Bks7+_NkacCVfX8wNBCRmwoMeBhWkzFA@mail.gmail.com>
To: wutianhao <wutianhao10@huawei.com>
Cc: Jeff Haas <jhaas@pfrc.org>, "idr@ietf. org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e9dce90613fe7bf9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/6sOwnCsOoCsosOr8wn-LcRg_jd8>
Subject: Re: [Idr] Feedback from mike during IETF 119 (was Re: FW: New Version Notification for draft-wu-idr-flowspec-dip-community-filter-00.txt)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 07:34:46 -0000

Hi Tianhao,

Thanks for your response.

When we build protocol extensions, we need to also consider that they are
mechanisms that can be used more generally and more widely than what one
may assume in the beginning.

Just my 2c

Thanks,
Ketan


On Tue, Mar 19, 2024 at 12:48 PM wutianhao <wutianhao10@huawei.com> wrote:

> Hi Ketan,
>
>
>
> Thank you for your comments.
>
>
>
> I want to first clarify the scenario where this extension is applied. This
> draft is not targeted to DDOS scenario, but to traffic redirections for
> imporving network performance.
>
>
>
> In this scenario, the network operators use Destination-IP-Community
> filters as follows.
>
>
>
> 1. identify which prefixes to be redirected
>
> 2. choose an unused BGP communities for generating FlowSpec rules
>
> 3. announce the BGP updates (destination prefixes are those prefixes) with
> this BGP community
>
>
>
> Thus, the prefixes and communities are planned in advance.
>
>
>
> Hope this answer can solve your problem. Please don't hesitate to contact
> us if you have any further questions.
>
>
>
> Best regards,
>
>
>
> Tianhao Wu
>
>
>
> *From:* Ketan Talaulikar <ketant.ietf@gmail.com>
> *Sent:* Monday, March 18, 2024 12:56 PM
> *To:* Robert Raszuk <robert@raszuk.net>
> *Cc:* Jeff Haas <jhaas@pfrc.org>; wutianhao <wutianhao10@huawei.com>;
> idr@ietf. org <idr@ietf.org>
> *Subject:* Feedback from mike during IETF 119 (was Re: [Idr] FW: New
> Version Notification for draft-wu-idr-flowspec-dip-community-filter-00.txt)
>
>
>
> Hello Authors,
>
>
>
> I am repeating my comments from the IDR session earlier today.
>
>
>
> For Flowspec the larger scale challenge is the resources in the hardware
> for the actual rule - something that this proposal does not alter. The
> FlowSpec route space in the BGP control plane is not really a big deal for
> routers (not when compared to the h/w resources). So, does this really
> solve a real/practical problem?
>
>
>
> By using this mechanism of matching community, both the router and the
> FlowSpec controller is losing control over the number of rules generated.
> Even if there was a cap, it is tricky on what prefixes are picked and what
> happens with there are issues with the setting of these communities. How
> does the FlowSpec controller know which specific destinations are being
> filtered? Is that not important for a deployment - e.g., for DDOS scenario?
>
>
>
> While this proposal sounds interesting, I would suggest to please consider
> the above aspects and at least update the draft to cover those
> considerations.
>
>
>
> Thanks,
>
> Ketan
>
>
>
> On Fri, Mar 15, 2024 at 2:39 PM Robert Raszuk <robert@raszuk.net> wrote:
>
> Hi Jeff,
>
>
>
> So just to make sure we are on the same page.
>
>
>
> Are you saying that it is perfectly ok to turn BGP into a control plane
> filtering protocol pushing BGP configuration (here  policies) around the
> network ?
>
>
>
> Cheers,
>
> R.
>
>
>
>
>
>
>
>
>
>
>
> On Fri, Mar 15, 2024 at 4:29 AM Jeff Haas <jhaas@pfrc.org> wrote:
>
> Tianhao,
>
> While I don’t quite share the same concerns that Robert does, I do have
> concerns about these RIB properties-based filters in terms of filter
> stability and deployment.
>
> Section 6 procedures in RFC 8955 provide an example of RIB interaction,
> albeit only on the flowspec destination component and the RIB-in route
> covering that component. While there may be some instability of the route,
> there is some reasonable expectation that stability is the intent for that
> procedure.
>
> In the case of the AS filter, the origin as is usually stable.
>
> Communities can be very unstable, especially for the set of candidate
> routes for the loc-rib entry.
>
> Please consider discussing this point during your presentation.
>
> Jeff.
>
>
> Sent from my iPad
>
> > On Mar 4, 2024, at 05:55, wutianhao <wutianhao10=
> 40huawei.com@dmarc.ietf.org> wrote:
> >
> > Dear all,
> >
> > We've submitted a new draft: draft-wu-idr-flowspec-dip-community-filter.
> >
> > This draft specifies a new BGP Flowspec component type to support
> community-level filtering. Flowspec rules can be reduced by using the
> method defining in this draft. It saves a lot of entry spaces on the
> control plane and forwarding plane, and it would greatly simplify the
> operation of the control plane, and the more destination prefixes with the
> same community has, the more obvious the benefit.
> >
> > Review and comments are welcome.
> >
> > Best regards,
> > Tianhao
> >
> > -----Original Message-----
> > From: internet-drafts@ietf.org <internet-drafts@ietf.org>
> > Sent: 2024年2月29日 17:26
> > To: Wanghaibo (Rainsword) <rainsword.wang@huawei.com>; Gejun (Jack,
> BGP) <jack.gejun@huawei.com>; wutianhao <wutianhao10@huawei.com>;
> Dingxiangfeng <dingxiangfeng@huawei.com>
> > Subject: New Version Notification for
> draft-wu-idr-flowspec-dip-community-filter-00.txt
> >
> > A new version of Internet-Draft
> > draft-wu-idr-flowspec-dip-community-filter-00.txt has been successfully
> submitted by Tianhao Wu and posted to the IETF repository.
> >
> > Name:     draft-wu-idr-flowspec-dip-community-filter
> > Revision: 00
> > Title:    Destination-IP-Community Filter for BGP Flow Specification
> > Date:     2024-02-28
> > Group:    Individual Submission
> > Pages:    7
> > URL:
> https://www.ietf.org/archive/id/draft-wu-idr-flowspec-dip-community-filter-00.txt
> > Status:
> https://datatracker.ietf.org/doc/draft-wu-idr-flowspec-dip-community-filter/
> > HTMLized:
> https://datatracker.ietf.org/doc/html/draft-wu-idr-flowspec-dip-community-filter
> >
> >
> > Abstract:
> >
> >   BGP Flowspec mechanism (BGP-FS) propagates both traffic Flow
> >   Specifications and Traffic Filtering Actions by making use of the BGP
> >   NLRI and the BGP Extended Community encoding formats.  This document
> >   specifies a new BGP-FS component type to support community-level
> >   filtering.  The match field is the community of the destination IP
> >   address that is encoded in the Flowspec NLRI.  This function is
> >   applied in a single administrative domain.
> >
> >
> >
> > The IETF Secretariat
> >
> >
> > _______________________________________________
> > Idr mailing list
> > Idr@ietf.org
> > https://www.ietf.org/mailman/listinfo/idr
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
>

v2.23.0 | Report a Bug | By Email