Re: [Idr] I-D Action: draft-ietf-idr-flowspec-l2vpn-09.txt

Robert Raszuk <robert@raszuk.net> Mon, 30 September 2019 09:16 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1812912003F for <idr@ietfa.amsl.com>; Mon, 30 Sep 2019 02:16:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mM5UusupzUfL for <idr@ietfa.amsl.com>; Mon, 30 Sep 2019 02:16:02 -0700 (PDT)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0508C12000F for <idr@ietf.org>; Mon, 30 Sep 2019 02:16:01 -0700 (PDT)
Received: by mail-qt1-x82e.google.com with SMTP id w14so16042131qto.9 for <idr@ietf.org>; Mon, 30 Sep 2019 02:16:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=p6Z+bwl3oGJY12TTQqnrVm8bI2xPEfMRrioM+FehWp0=; b=WXjaPsFwB4xJsJl9v3MWKndmVQOKGjWk6rD3tUntelQqj8uQ2lBOWjGv6sfUrQUZZD WgqRvwpUNx2QEeZxphb/15bMDTCe41kBJuKo7VoZDVgirQUNPsEDX3mhNKUtqqR7HpuM Lb0qbDZRQT6qXMmlOnt9fjfnazWNOTI/zYuTPKT7NHXxIIbGl5FrVokWgkQywLm6Nnpp k6MRfvmQ4RnJcWf4o0vj9dCPDjjFrUUnNKOTNusBiip8samUYAQu3kcgRtOHlggqAL+U oVhH1h07hKWfjSfNp9liFwOR0617PTwRcfmioh2siVeSszxeU+SHPCVuauTtl13FF75+ mRUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=p6Z+bwl3oGJY12TTQqnrVm8bI2xPEfMRrioM+FehWp0=; b=TwqdlR5YKfHuFxpYRToNpdX7laj58eRl7v9ZB7NXVzehj004NYE6zuW4PUkddcupUC WnNfdNQ7n3hvPCkE0MyrtKpM3v1REjNiyXQUoxWPR5Cawe4uyIDF9UN7ELkeLzipWHx9 o1djJ15IH1+8ZPFi5F5hWhM8wpYTTLGcD+DAEMVwGsCGtu3HmBBZdjnq3d7ZTR30h6AZ OjGGhowzWuLHU5krBHv28mw0Li1XVBIjfTPmoBDyQMMofPuA/q4nQH+Q2bF3RWmKDO6h vnp62GWWz4JGAl8dNOoDCIWuZWV0PRQRC79J7Pp8M8av+iECFj8o5JoaGUl9RBZfoCwe gUgw==
X-Gm-Message-State: APjAAAU2Q2Ah9uLKReTIZ+mcX0cnPyYK+FTeNU2SOZbfvH2JtC8Mp4I9 Z26QsXRr0kfZoyEXK/cONo/CCOYmog4BMxDuIfGTFA==
X-Google-Smtp-Source: APXvYqxIcb+GBzo2UfWNGaTeJBduaErG/eQkZABbEBTue/apcpg+qahbwF8nuGaixFjfVxKEdodN4q5iq5ne3FzlN0M=
X-Received: by 2002:ac8:2ae9:: with SMTP id c38mr23497059qta.311.1569834960891; Mon, 30 Sep 2019 02:16:00 -0700 (PDT)
MIME-Version: 1.0
References: <154650798507.29744.11843661823190688795@ietfa.amsl.com> <CAOj+MMGPmUs4fAzDEwhq4z47r=TK78Kk-6Tp+KMHS0K4O=VdGg@mail.gmail.com> <CAF4+nEHwwPNL4cmXH-TMhL3xnT3LGiP-hWov-YCf=h4B-+N7QQ@mail.gmail.com> <CAOj+MMFQbY3WY9jYSLVXMUvOVMGzOCd1LsFKJupPM0W_3oFJDQ@mail.gmail.com> <CAF4+nEG4=0ew=ZzjaxT9ignbKeA3CgLBwhLp2mteQLfaBLh7VQ@mail.gmail.com>
In-Reply-To: <CAF4+nEG4=0ew=ZzjaxT9ignbKeA3CgLBwhLp2mteQLfaBLh7VQ@mail.gmail.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Mon, 30 Sep 2019 11:15:50 +0200
Message-ID: <CAOj+MMGwpUhspjxNiUiqoMnrpVnyyFTwGLTdPzpJNpzjL-vURA@mail.gmail.com>
To: Donald Eastlake <d3e3e3@gmail.com>
Cc: "idr@ietf. org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000333d850593c1afc6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/C8jU7O25H0ZlMzopoghKNaU3u9s>
Subject: Re: [Idr] I-D Action: draft-ietf-idr-flowspec-l2vpn-09.txt
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Sep 2019 09:16:05 -0000

Hi Donald,

> You have expressed your opinion very clearly but I don't see
> why it is so bad to replace "VPNv4" with "VPN" rather than "L3VPN"
> given that the IANA registry has to change anyway.

The difference is (well at least to me) fundamental. Match criteria which
are more or less the same for IP L3 layer are completely different for L2
layer so IMO it makes sense to keep them separate.

Also I am not stating that the work should not move on if there is real
requirement to extend flow spec for filtering L2 VPNs. Asking for new SAFI
is easy if proposal is worth it.

Please remember that flow spec original goal was to automate filtering for
DDoS which to the best of my knowledge is L3 type of attack. But of course
since then many people pulled FS left and right :).

Thank you,
R.


On Mon, Sep 30, 2019 at 2:58 AM Donald Eastlake <d3e3e3@gmail.com> wrote:

> Hi Robert,
>
> On Sun, Sep 29, 2019 at 6:00 AM Robert Raszuk <robert@raszuk.net> wrote:
> >
> > Hi Donald,
> >
> > The draft says:
> >
> > The following changes are defined:
> >
> >    "SAFI 134 for dissemination of L3VPN flow specification rules" to now
> >    be defined as "SAFI 134 for dissemination of VPN flow specification
> >    rules"
> >
> >    For SAFI 134 the indication to which address family it is referring
> >    to will be recognized by AFI value (AFI=1 for VPNv4, AFI=2 VPNv6 and
> >    AFI=25 for L2VPN).  Such modification is fully backwards compatible
> >    with existing implementation and production deployments.
> >
> >    For SAFI 134 the indication to which address family it is referring
> >    to will be recognized by AFI value (AFI=1 for VPNv4, AFI=2 VPNv6 and
> >    AFI=25 for L2VPN).  Such modification is fully backwards compatible
> >    with existing implementation and production deployments.
> >
> >
> > Which at least to me clearly gives the impression that newly defined
> NLRI elements and format are targeted to all AFIs listed 1, 2 & 25.
>
> As far as I know, that impression is wrong, which is why I said, after
> saying that the draft applies to AFI=25/SAFI=134, that "The draft
> should be clarified" to say that.
>
> > If you do not intend to ever use them with AFI 1 or 2 then the draft
> must state this very clearly that they are only applicable to AFI 25.
> >
> > On the topic of renaming IANA registry to extend  L3VPN SAFI 134 to also
> cover L2VPN my personal view is that we should not do it. We should define
> a new SAFI for L2VPN and clearly separate those two.
> >
> > You either match on L2 or L3 and not both in a given packet. Of course
> you can send both SAFIs and match on both against traffic on a given
> interface. Changing SAFI 134 now will require not only adjustment to IANA
> registry ... Just imagine the effort required to change all vendor's
> documentation.
>
> Well, isn't it also true that you either match on IPv4 or IPv6?
>
> The current IANA registry entry for SAFI 134 says "VPNv4 dissemination
> of flow specification rules". It has to be changed anyway to encompass
> IPv6... You have expressed your opinion very clearly but I don't see
> why it is so bad to replace "VPNv4" with "VPN" rather than "L3VPN"
> given that the IANA registry has to change anyway. As for vendor
> documentation, if a vendor organized their documentation by the
> capabilities they support, that is the AFI/SAFI pairs, then I'm not
> sure why any change at all would be required unless they actually
> supported L2VPN flowspec.
>
> in any case, I'll do what the consensus of the WG is.
>
> Thanks,
> Donald
> ===============================
>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>  1424 Pro Shop Court, Davenport, FL 33896 USA
>  d3e3e3@gmail.com
>
> > Many thx,
> > Robert
> >
> > On Sun, Sep 29, 2019 at 6:05 AM Donald Eastlake <d3e3e3@gmail.com>
> wrote:
> >>
> >> Hi Robert,
> >>
> >> Thanks for your review. Apologies for the delay in response.
> >>
> >> On Thu, Jan 3, 2019 at 6:04 AM Robert Raszuk <robert@raszuk.net> wrote:
> >> >
> >> > Hi,
> >> >
> >> > Two observations:
> >> >
> >> > 1.
> >> >
> >> > The current draft extends exisiting SAFI 134 with new NLRI types.
> >> > That means that now we have new giant NLRI in SAFI 134.
> >> >
> >> > Have any consideration been made to just define a new flow spec SAFI
> >> > instead for L2 filtering ? I am quite skeptical from implementation,
> >> > operational and deployment points of view to extend the existing
> >> > SAFI and it makes a gradual deployment a nightmare if not mission
> >> > impossible.
> >> >
> >> > Any change to NLRI format without signalling it with new capability is
> >> > far from good practice.
> >>
> >> My understanding is that flow spec capabilities are signalled by an
> >> AFI/SAFI pair as specified in RFC 2858. So I think that
> >> AFI=25/SAFI=134 already is a new capability. The draft should be
> >> clarified to present things in those terms.
> >>
> >> It would be easy, from the IANA Considerations point of view, to get a
> >> new SAFI that could be used with AFI=25 for L2VPN flowspec. But I
> >> don't really see the benefit of burning a new SAFI value, say xyz, and
> >> using AFI=25/SAFI=xyz instead of ARI=25/SAFI=134.
> >>
> >> In my opinion, the general format for the NLRI in this draft ia
> >> similar to the flow specs for IPv4 and IPv6.  The components that are
> >> added by this draft differ from the IPv4 and IPv6 components in the
> >> generally the same way that the IPv4 and IPv6 components differ from
> >> each other.
> >>
> >> > 2.
> >> >
> >> > The draft is pretty silent on adjusting validation procedures to make
> sure only
> >> > senders of the original L2 information may inject the L2 flow routes..
> >> >
> >> > I would hope that this is basic omission and will be consider for
> addition into
> >> > next version of he draft.
> >>
> >> That is an excellent point and the next version should have adjusted
> >> validation procedures in it.
> >>
> >> Thanks,
> >> Donald
> >> =============================
> >>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
> >>  1424 Pro Shop Court, Davenport, FL 33896 USA
> >>  d3e3e3@gmail.com
> >>
> >> > Thx,
> >> > R.
> >> >
> >> >
> >> >
> >> > On Thu, Jan 3, 2019 at 10:33 AM <internet-drafts@ietf.org> wrote:
> >> >>
> >> >> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> >> >> This draft is a work item of the Inter-Domain Routing WG of the IETF.
> >> >>
> >> >>         Title           : BGP Dissemination of L2VPN Flow
> Specification Rules
> >> >>         Authors         : Weiguo Hao
> >> >>                           Donald E. Eastlake, 3rd
> >> >>                           James Uttaro
> >> >>                           Stephane Litkowski
> >> >>                           Shunwan Zhuang
> >> >>         Filename        : draft-ietf-idr-flowspec-l2vpn-09.txt
> >> >>         Pages           : 13
> >> >>         Date            : 2019-01-03
> >> >>
> >> >> Abstract:
> >> >>    This document defines a BGP flow-spec extension to disseminate L2
> VPN
> >> >>    Ethernet traffic filtering rules.  SAFI=134 in [RFC5575] is
> redefined
> >> >>    for this purpose.  A new subset of component types and extended
> >> >>    community also are defined.  A new subset of component types and
> new
> >> >>    extended community also are defined.
> >> >>
> >> >>
> >> >>
> >> >> The IETF datatracker status page for this draft is:
> >> >> https://datatracker.ietf.org/doc/draft-ietf-idr-flowspec-l2vpn/
> >> >>
> >> >> There are also htmlized versions available at:
> >> >> https://tools.ietf.org/html/draft-ietf-idr-flowspec-l2vpn-09
> >> >>
> https://datatracker.ietf.org/doc/html/draft-ietf-idr-flowspec-l2vpn-09
> >> >>
> >> >> A diff from the previous version is available at:
> >> >> https://www.ietf.org/rfcdiff?url2=draft-ietf-idr-flowspec-l2vpn-09
> >> >>
> >> >>
> >> >> Please note that it may take a couple of minutes from the time of
> submission
> >> >> until the htmlized version and diff are available at tools.ietf.org.
> >> >>
> >> >> Internet-Drafts are also available by anonymous FTP at:
> >> >> ftp://ftp.ietf.org/internet-drafts/
>