Re: [Idr] WG adoption for draft-haas-flowspec-capability-bits - 3/30 to 4/13

Jeffrey Haas <jhaas@pfrc.org> Fri, 09 April 2021 15:22 UTC

On Fri, Apr 09, 2021 at 12:18:18PM +0200, Robert Raszuk wrote:
> All,
> 
> Yes, recent comments seem to align with my concern/observations.
> 
> There are two points which make the draft unclear/muddy:
> 
> 1.  A claim that if you use direct BGP sessions between the ultimate single
> target node and controller the proposal makes sense.

It is deployed reality, Robert.  Your like or dislike of it isn't helpful
here.

Since it's not secret sauce but it's not in any readily accessible online
documentation, Arbor Networks' flowspec mitigation mechanism - which was a
core operator contributor for the design of flowspec - supports it as a
common deployment mode.  This is broadly because:
- Many flowspec router implementations didn't do selective implementation of
  the rules on their interfaces, and imposed forwarding impact where it
  wasn't helping to mitigate the attack.
- In many cases, attacks can be mitigated on a subset of interfaces in a
  region, or a subset of interfaces by role (peer, customer, etc.)
- The two of these together was a motivator for the flowspec interface-set
  feature.
- The blast radius of flowspec bugs, partially due to the encoding rules,
  was high enough that limiting it to subsets of the network was risk
  mitigation.

The use case for distribution of rules via parallel route reflector
infrastructure is more common, especially for transit service providers.

The use case for customer injected flowspec routes, which complicates the
security model in the RFC, is almost universally avoided at this point.

The motivation to note the targeted peering option is it illustrates
immediately a basis case for issues in incremental deployment of the
feature.  The iterative case is clear from there and observed to be the
non-targeted case.

> 2. The intention of this draft is actually to signal filtering
> capabilities and not BGP control plane parsing capabilities.

The opposite is the intention.  Incremental deployment for parsing is what
you cannot do today.  The side effect of the procedure is that a device may
choose what it is willing to accept.  This is no different than policy.

It's perhaps worth emphasizing at this point that my employer has a backlog
of feature requests for additional filtering on flowspec routes.  At some
point, filtering will become a more broadly deployed behavior with, or
without this capability.  

Part of the motivation for section 5 is to get written down into a draft a
common narrative I have to explain about flowspec deployment - if your rules
are not independent, filtering can have unexpected or nasty behaviors.
Caveat operator.

As features for flowspec gain deployment, islands of selective support are
going to happen.  Switch hardware may implement L2 filtering, while line
cards for core routers may not have support for it.  Data center edge will
need different filtering criteria than network edge.  SD-WAN and 5G
deployments will have different filtering.

The era of a single flooding scope for flowspec routes is not long for this
world.  While my draft was intended to motivate that discussion and that
discussion has been woefully absent from the plethora of extensions we've
had adopted by IDR, the implications will have to be dealt with.  Is my
draft intended to be a broad fix for that?  No.

> Ad 1 -  Yes it does but to me this is a very corner case of how BGP (a p2mp
> protocol) is supposed to work at scale.

You'll also find much work in the spring Working Group to your dislike then.

> Ad 2 -  Jeff agreed to ack that explicitly in the draft leaving option to
> at least enforce by cfg to only signal what BGP can parse. But I am not
> sure if there is a wider agreement that this is good enough.

The point of the proposal is to offer an option that addresses incremental
deployment of new flowspec features without requiring a flowspec v2.  You
are encouraged to offer alternative proposals, if you have any.

-- Jeff
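
The rule-independence caveat raised in the message above, as an added example that is not part of the original mail or of the draft. It uses a simplified first-match model rather than the RFC's rule ordering; the rule names, component labels, addresses, and the assumption that a device drops any rule using a component it does not support are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set, highest precedence first. "components" lists the match
# component types a rule uses; a device lacking one drops the whole rule
# (assumed filtering behaviour for this sketch).
RULES = [
    {"name": "allow-dns", "dst": "192.0.2.0/24", "proto": 17, "dport": 53,
     "components": {"dst-prefix", "ip-proto", "dst-port"}, "action": "accept"},
    {"name": "drop-udp", "dst": "192.0.2.0/24", "proto": 17, "dport": None,
     "components": {"dst-prefix", "ip-proto"}, "action": "discard"},
    {"name": "limit-web", "dst": "198.51.100.0/24", "proto": 6, "dport": 80,
     "components": {"dst-prefix", "ip-proto", "dst-port"}, "action": "rate-limit"},
]
# Constructed sample packets.
PACKETS = [
    {"dst": "192.0.2.10", "proto": 17, "dport": 53},
    {"dst": "192.0.2.10", "proto": 17, "dport": 123},
    {"dst": "198.51.100.5", "proto": 6, "dport": 80},
]

def installed(rules, supported):
    """Rules a device keeps: those whose components it supports entirely."""
    return [r for r in rules if r["components"] <= supported]

def matches(rule, pkt):
    return (ip_address(pkt["dst"]) in ip_network(rule["dst"])
            and rule["proto"] == pkt["proto"]
            and rule["dport"] in (None, pkt["dport"]))

def verdict(rules, pkt):
    """First matching rule wins; unmatched traffic is forwarded normally."""
    return next((r["action"] for r in rules if matches(r, pkt)), "forward")

def changed_verdicts(rules, supported, packets):
    """(packet, full-set verdict, partial-device verdict) where the two differ."""
    kept = installed(rules, supported)
    return [(p, verdict(rules, p), verdict(kept, p)) for p in packets
            if verdict(rules, p) != verdict(kept, p)]

def overlaps(a, b):
    return (ip_network(a["dst"]).overlaps(ip_network(b["dst"]))
            and a["proto"] == b["proto"]
            and (None in (a["dport"], b["dport"]) or a["dport"] == b["dport"]))

def dependent_pairs(rules):
    """Overlapping rules with different actions: filtering one changes the other's effect."""
    return [(a["name"], b["name"]) for i, a in enumerate(rules)
            for b in rules[i + 1:] if overlaps(a, b) and a["action"] != b["action"]]
```

On a device without `dst-port` support, losing `limit-web` only removes a mitigation, while losing `allow-dns` turns permitted DNS traffic into discarded traffic because `drop-udp` now matches it; `dependent_pairs` flags that pair before deployment.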