IETF Logo Mail Archive

Re: [Idr] draft-litkowski-idr-flowspec-interfaceset => NLRI vs EXTCT (part 2)

"Juan Alcaide (jalcaide)" <jalcaide@cisco.com> Fri, 28 July 2017 13:13 UTC

Return-Path: <jalcaide@cisco.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73076131C36 for <idr@ietfa.amsl.com>; Fri, 28 Jul 2017 06:13:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level:
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H8mWoX4fRidK for <idr@ietfa.amsl.com>; Fri, 28 Jul 2017 06:13:25 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B66F131C35 for <idr@ietf.org>; Fri, 28 Jul 2017 06:13:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=88139; q=dns/txt; s=iport; t=1501247605; x=1502457205; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=EmZAEbMgXWI1ybmTw0ZELHwrveoBqqg+4ubaVXwHK5I=; b=XAbNE8rJu32SN0rkskaan7+phHyZ+gp6iN2Rvi5dUM7l6tkAVbl01mbf x+Y2gz5mGJTrPWznpFi5/SKmemn2MRNhk12pFPHUO8sqHBP/oiu7R3lpI ec6tvqJ2/18kMtuSI9Q/7qKSWCC6vYEx/3nyeVACkjE/EiIBwcXAfALMn E=;
X-IronPort-AV: E=Sophos;i="5.40,425,1496102400"; d="scan'208,217";a="279366514"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 28 Jul 2017 13:13:24 +0000
Received: from [10.82.210.242] (rtp-vpn4-754.cisco.com [10.82.210.242]) (authenticated bits=0) by alln-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id v6SDDLTl016159 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Fri, 28 Jul 2017 13:13:23 GMT
To: Robert Raszuk <robert@raszuk.net>, "Acee Lindem (acee)" <acee@cisco.com>
Cc: idr wg <idr@ietf.org>
References: <9fa67eb0-8f99-a46f-aff1-d42a279ab833@cisco.com> <CA+b+ERmaARaPLQv-g58WGNJCDcKN3gdf-F9wnCwusw+jwX7paw@mail.gmail.com> <8dd3e766b58944a3b176fc743e478137@XCH-ALN-014.cisco.com> <CA+b+ERnDHgk6gVi3K1+yAbRaXoft2+xqNig=pTbgRsWRC98-zA@mail.gmail.com> <dd8e0cb4-56d3-524c-9f68-296e8457fcc9@cisco.com> <CA+b+ERmG=EQxJBuMaTD+oDdwcwZ0hCCjEsjNqD_A_jXYLgnw2Q@mail.gmail.com> <e8e834ec-5074-7d35-a06c-5837f2f39e12@cisco.com> <CA+b+ERkCfiEa=RfDaxkOz3Si-qp9axKcgDycW1+GqfKvTcsePw@mail.gmail.com> <D5A09F0B.BA519%acee@cisco.com> <CA+b+ERnan6SmiZcEJ=K-jnPXSY7d=6L31NDbCGr37jDejFy2gw@mail.gmail.com>
From: "Juan Alcaide (jalcaide)" <jalcaide@cisco.com>
Message-ID: <5d686b49-9a4d-2610-153a-1e778c9b80af@cisco.com>
Date: Fri, 28 Jul 2017 15:13:21 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <CA+b+ERnan6SmiZcEJ=K-jnPXSY7d=6L31NDbCGr37jDejFy2gw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------418C929DA511825A04988310"
Content-Language: en-US
X-Authenticated-User: jalcaide
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/BXO18vePhhwBPBKjJIWmJfMVSkI>
Subject: Re: [Idr] draft-litkowski-idr-flowspec-interfaceset => NLRI vs EXTCT (part 2)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jul 2017 13:13:29 -0000

Authors mention it on section 8, but  I don't think the real 
implications were discussed.
Treating traffic differently based the direction it arrives may be out 
of scope of 5575, but it's the reason of this draft and customer are 
asking for it. I think in some cases it makes sense not treating all 
interfaces equally

For flowspec in particular, you don't have to use a new SAFI. It's an 
extensible NLRI, so we can just define a dummy component that doesn't 
match anything (similar to an RD)

Acee, we didn't make the group-id part of the NLRI per inter-AS 
considerations (imagine AS1 means group-id =1 => customer interfaces, 
but AS2 means group-id=1 provider interfaces; you want to be able to do 
the translation). Look for thread "[Idr] 
draft-litkowski-idr-flowspec-interfaceset => NLRI vs EXTCT" a couple 
years ago (w/o the '(part 2)')

-J

On 7/28/2017 2:15 PM, Robert Raszuk wrote:
>
> To change format of NLRI you need essentially a new SAFI.
>
> Clearly an option for this new draft, but I think authors never 
> envisioned that given set of match rules should have different actions 
> depending on the arriving interfaces for traffic matching such rules. 
> If at all I would recommend it to move it to flowspec v2 discussion.
>
> It is in fact very wired and quite bad to treat on the same router the 
> same traffic differently based on the direction it arrives ... clearly 
> out of scope of original 5575.
>
> The config push part indeed can be interface scoped, but is BGP really 
> a right tool for this ?
>
> Cheers,
> R.
>
>
> On Fri, Jul 28, 2017 at 2:02 PM, Acee Lindem (acee) <acee@cisco.com 
> <mailto:acee@cisco.com>> wrote:
>
>     What was the reason for not making the interface-group part a new
>     component type in the NLRI? It seems that making it just another
>     Flow Spec match condition would  handle all these situations
>     naturally.
>
>      I remember that this was discussed but don’t recall whether it
>     was backward compatibility or that the semantics of interface
>     group-id was a better fit for an extended community.
>
>     Thanks,
>     Acee
>
>     From: Idr <idr-bounces@ietf.org <mailto:idr-bounces@ietf.org>> on
>     behalf of Robert Raszuk <robert@raszuk.net <mailto:robert@raszuk.net>>
>     Date: Friday, July 28, 2017 at 7:52 AM
>     To: "Juan Alcaide (jalcaide)" <jalcaide@cisco.com
>     <mailto:jalcaide@cisco.com>>
>     Cc: IDR List <idr@ietf.org <mailto:idr@ietf.org>>
>
>     Subject: Re: [Idr] draft-litkowski-idr-flowspec-interfaceset =>
>     NLRI vs EXTCT (part 2)
>
>         Hi Juan,
>
>             (group-id: what to you specify in ext-community;
>             interface-group: what you specify under interface
>             configuration)
>
>
>         ​Obvious. ​
>
>             If you use ADD-PATHS, you can send identical NLRIs and you
>             consider them as valid (no implicit withdraw)
>
>
>         ​If your controller or management station does not support
>         ADD-PATHS this is not the case. Only when you have ADD-PATHS
>         everywhere you may play that game.
>
>         Remember flow-spec was designed to be a DDoS mitigation tool
>         across ASes. Across ASes last time I checked deployment of
>         ADD-PATHS is zero. Now since some folks turned it into config
>         push ​is not something original 5575 can be blamed for.
>
>             There is a requirement that the same flowspec rule, could
>             be used for 2 different interface-groups (let's say
>             interfaces customer-facing and interfaces
>             provider-facing). But also you may want to use different
>             actions based on the group-id (section 8 of the draft)
>
>
>         ​That is just operational mess. To do that you can use SAFI
>         134 where 8 octet RD is part of the NLRI what makes NLRI unique.
>
>             I think we basically need to expand/clarify the ADD-PATHS
>             part. Regarding your points:
>             1. For a given NLRI, we change group-ids or actions based
>             on what we want to achieve. So it's based on how customer
>             sets the rule in the controller. There may be a need to
>             send same NLRI with 2 different sets of action+group-id
>
>
>         ​I think doing this in such way is very messy. Pushing FS
>         routes with RD as indicated above is much cleaner if there
>         such need to apply different actions or group IDs for the same
>         NLRIs. ​
>
>             2. If receiver receives more than one group-id, it should
>             apply all the actions specified to *all* the
>             interface-group associated to all the group-ids it
>             received. Draft does explicitly say what to do when you
>             receive a NLRI with multiple group-ids, but I think it
>             should be applied to all interface-groups (probably it
>             should be clarified)
>
>
>         ​ok.
>
>         Thx,
>         R.​
>
>
>
>
>             -J
>
>
>
>
>             On 7/27/2017 11:43 PM, Robert Raszuk wrote:
>>             Juan,
>>
>>             Sending from single controller (single BGP peer) two
>>             updates with identical NLRIs is an implicit withdraw.
>>             ADD-PATHs has nothing to here.
>>
>>             Likewise RR should treat is as implicit withdraw of the
>>             previous one too.
>>
>>             If you go by your line of thinking what would make
>>             controller to change for given NLRI1 group-id 1 to
>>             group-id 2 if there is need to do so ?
>>
>>             In any case if you decide to add additional text to the
>>             current draft or decide to write new draft to address
>>             this please do make sure to clearly define two things:
>>
>>             1. How for a given NLRI we change either actions or
>>             group-ids
>>
>>             2. What should receiver do when for a given NLRI he
>>             received more then one group-id or more then one set of
>>             actions ?
>>
>>             Thanks,
>>             R.
>>
>>
>>
>>
>>
>>             On Thu, Jul 27, 2017 at 11:37 PM, Juan Alcaide (jalcaide)
>>             <jalcaide@cisco.com <mailto:jalcaide@cisco.com>> wrote:
>>
>>                 Robert,
>>
>>                 We may support or not support unsynchronized controllers
>>                 But let's assume for a second we are just using one
>>                 controller
>>                 but can a single controller sending
>>
>>                 NLRI1 + group-id 1
>>                 NLRI1 + group-id 2
>>
>>                 The RR receives both this routes (must be ADD-PATHS,
>>                 as mentioned in the draft). The RR needs to use
>>                 ADD-PATHS itself to send it to the PE (final receiver)
>>
>>                 -J
>>
>>
>>
>>
>>                 On 7/27/2017 9:44 PM, Robert Raszuk wrote:
>>>                 Hi Jakob,
>>>
>>>                     Two flowspec routes with the same NLRI may be
>>>                     originated by different speakers.
>>>
>>>
>>>                 Group-id (scoped application of specific flow-spec
>>>                 rules) is addressing a special case where it is
>>>                 generated carefully by either controller or
>>>                 provisioning tools. I do not see therefor a
>>>                 practical case where the same such rule would be
>>>                 coming from two or more independent sources and
>>>                 would be applicable ​to different interface groups.
>>>
>>>                 It sounds more like a protocol conflict or
>>>                 provisioning bug and not something we should worry
>>>                 about how to carry it across RRs. Standard protocol
>>>                 behavior would be fine here.
>>>
>>>                 Now also notice what would receiver do ... treat the
>>>                 subsequent update with the exactly same NLRI as
>>>                 implicit withdraw or run best path if they come from
>>>                 different peers and still apply single one to local
>>>                 data plane. So really there is no point to give it
>>>                 both such paths with ADD-PATHs. As it is on final
>>>                 receivers the same should be done on RRs ...
>>>
>>>                 ​Cheers,
>>>                 //RR.​
>>>
>>>                     The first route will have one group-id. The
>>>                     second route will have another group-id.
>>>
>>>                     Thanks,
>>>
>>>                     Jakob.
>>>
>>>                     *From:*Idr [mailto:idr-bounces@ietf.org
>>>                     <mailto:idr-bounces@ietf.org>] *On Behalf Of
>>>                     *Robert Raszuk
>>>                     *Sent:* Wednesday, July 26, 2017 4:38 PM
>>>                     *To:* Juan Alcaide (jalcaide)
>>>                     <jalcaide@cisco.com <mailto:jalcaide@cisco.com>>
>>>                     *Cc:* idr wg <idr@ietf.org <mailto:idr@ietf.org>>
>>>                     *Subject:* Re: [Idr]
>>>                     draft-litkowski-idr-flowspec-interfaceset =>
>>>                     NLRI vs EXTCT (part 2)
>>>
>>>                     Hi Juan,
>>>
>>>                     >  (we assume controller(s) may not want to send multiple
>>>                     ext-communities with same NLRI).
>>>
>>>                     If I recall group-ids are carried in new RT format:
>>>
>>>                     "This new BGP Route Target extended community is
>>>                     encoded as follows :
>>>
>>>                          0           1   2         3
>>>
>>>                          0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>>>                     2 3 4 5 6 7 8 9 0 1
>>>
>>>                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>
>>>                         |  Type (TBD)   |  0x02     |  Autonomous
>>>                     System Number   :
>>>
>>>                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>
>>>                         :     AS Number (cont.)         |O|I|    
>>>                      Group Identifier |
>>>
>>>                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>
>>>                     "
>>>
>>>                     So just like an UPDATE message of SAFI 128 may
>>>                     contain many RTs why would you see any
>>>
>>>                     issue to carry multiple ext communities of the
>>>                     above format here ?
>>>
>>>                     Best,
>>>
>>>                     R.
>>>
>>>                     On Thu, Jul 27, 2017 at 1:01 AM, Juan Alcaide
>>>                     (jalcaide) <jalcaide@cisco.com
>>>                     <mailto:jalcaide@cisco.com>> wrote:
>>>
>>>                         Hi,
>>>
>>>                         From a previous thread, I see from the that
>>>                         using EXTCOMM to carry group-id information
>>>                         the choice. Reason was that every AS could
>>>                         use their own the group-id (perhaps
>>>                         different than another AS). With this
>>>                         choice, ADD-PATHS must be mandatory in order
>>>                         to support multiple group-ids for the same
>>>                         flowspec rule (we assume controller(s) may
>>>                         not want to send multiple ext-communities
>>>                         with same NLRI).
>>>
>>>                         But the draft really does not describe how
>>>                         to use ADD-PATHS, and it does not discuss
>>>                         its problems:
>>>
>>>                         - Usually, ADD-PATHS is used for path
>>>                         diversity, and implementations typically
>>>                         don't advertise 2 paths with the same
>>>                         next-hop (otherwise, we could have path
>>>                         explosion across multiple levels of RRs)
>>>
>>>                         - If ADD-PATHS has to advertise the same
>>>                         NLRI with different ext-communities, one
>>>                         solution would be for ADD-PAHTS not
>>>                         advertise the same set of ext-communities.
>>>                         Unless, I guess, next-hops are different.
>>>                         Otherwise, we would have path explosion.
>>>
>>>                         - Assuming the above, we should define a
>>>                         particular set of ADD-PATHS rules for
>>>                         flowspec AF. And, of course, leave the door
>>>                         open for future specific ADD-PATHs rules for
>>>                         other AFs (it would not be about path
>>>                         diversity anymore, but about propagating
>>>                         different information for forwarding
>>>                         purposes -imagine what we could have done
>>>                         with an IPv4 prefix: send the same net part
>>>                         as a NLRI and multiple ext-communities
>>>                         representing different prefix-lengths -).
>>>
>>>                         - Since paths in a net are typically
>>>                         implemented as a list, there could be
>>>                         scalability problems if we ever want to
>>>                         support many group-ids.
>>>
>>>                         My solution to simplify all these problems
>>>                         would be to add a discriminator on the NLRI
>>>                         (by defining a new dummy type for flowspec).
>>>                         We could still use ext-communities to
>>>                         actually match the NLRIs to interfaces.
>>>                         Similar to RD and RT usage.
>>>
>>>                         Thoughts?
>>>
>>>                         -J
>>>
>>>
>>>                         _______________________________________________
>>>                         Idr mailing list
>>>                         Idr@ietf.org <mailto:Idr@ietf.org>
>>>                         https://www.ietf.org/mailman/listinfo/idr
>>>                         <https://www.ietf.org/mailman/listinfo/idr>
>>>
>>>
>>
>>
>
>
>

v2.23.0 | Report a Bug | By Email