Re: [Idr] WG adoption call for draft-hr-idr-rfc5575bis-02 "Dissemination of Flow Specification Rules"

Matthieu Texier <matthieu@texier.tv> Thu, 24 August 2017 15:14 UTC

Return-Path: <matthieu@texier.tv>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5141132BD0 for <idr@ietfa.amsl.com>; Thu, 24 Aug 2017 08:14:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level:
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kQM8ScCJZkyh for <idr@ietfa.amsl.com>; Thu, 24 Aug 2017 08:14:50 -0700 (PDT)
Received: from 1.mo2.mail-out.ovh.net (1.mo2.mail-out.ovh.net [46.105.63.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99572132BCE for <idr@ietf.org>; Thu, 24 Aug 2017 08:14:50 -0700 (PDT)
Received: from player770.ha.ovh.net (b6.ovh.net [213.186.33.56]) by mo2.mail-out.ovh.net (Postfix) with ESMTP id BC2CFA96BA for <idr@ietf.org>; Thu, 24 Aug 2017 17:14:48 +0200 (CEST)
Received: from matthieu-laptop-2.home (LFbn-1-12338-186.w90-91.abo.wanadoo.fr [90.91.142.186]) (Authenticated sender: matthieu@texier.tv) by player770.ha.ovh.net (Postfix) with ESMTPSA id 8A0023C0072; Thu, 24 Aug 2017 17:14:45 +0200 (CEST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Matthieu Texier <matthieu@texier.tv>
In-Reply-To: <CA+b+ERkTqBjt1XL9m86H8MbJYYHGy_vf7_=oJ4jsKrXQk8C44w@mail.gmail.com>
Date: Thu, 24 Aug 2017 17:14:44 +0200
Cc: "John G. Scudder" <jgs@juniper.net>, idr wg <idr@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A9B2774A-D1D2-4B6F-A210-1725B40DCF46@texier.tv>
References: <36E285C0-C716-437A-806D-A453273146DD@juniper.net> <4CD58B23-6137-4604-968C-83A2F218FF79@texier.tv> <CA+b+ERkTqBjt1XL9m86H8MbJYYHGy_vf7_=oJ4jsKrXQk8C44w@mail.gmail.com>
To: Robert Raszuk <robert@raszuk.net>
X-Mailer: Apple Mail (2.3273)
X-Ovh-Tracer-Id: 17106923184959605379
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: -100
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrfeelledrtdeggdekjecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/DKFFjwBu5LPZQFEWHBtnROK0U48>
Subject: Re: [Idr] WG adoption call for draft-hr-idr-rfc5575bis-02 "Dissemination of Flow Specification Rules"
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 15:14:55 -0000

Hi Robert,

Thanks for your prompt reply: yes makes sense.

I tend to believe that for this particular type 12 fragment nlri, it could make sense, from an implementation point of view, to allow only certain combinations that doesn’t exclude each other.

Thanks for helping me to come to a conclusion on this !

Matthieu.




> On 24 Aug 2017, at 16:26, Robert Raszuk <robert@raszuk.net> wrote:
> 
> Hi Matthieu,
> 
> IMO the RFC is quite clear that "A specific packet is considered to match the flow specification when it matches the intersection (AND) of all the components present in the specification." 
> 
> That effectively means to me that to match packets which will be last fragment or first fragment one would need to inject two separate NLRIs. At this is guarantee to work. 
> 
> Making assumption that implementation does OR among type 12 bitmask values would actually remove ability to match on broken packets on the wire which may actually have messed up IP headers and both bits set in the respect of fragmentation - don't you think ? 
> 
> Kind regards,
> R.
> 
> 
> On Thu, Aug 24, 2017 at 4:00 PM, Matthieu Texier <matthieu@texier.tv> wrote:
> Hi John and All,
> 
> I would like to apologise re-opening this quite old mail thread but as I am working on a development, I am questioning myself on a very specific aspect of flowspec filtering.
> 
> I would like to discuss nlri filtering type 12 - Fragment. This discussion is valid for both the existing RFC and this proposed draft.
> 
> In all filtering nlri that requires bitmask (tcp flags, DSCP), the RFC 5575 is defining the encoding of the nlri value as the exact same way as it is encoded in the IP header itself.
> 
> For the bitmask type 12, the RFC rather propose to use “pre-defined” values like IsF, FF, DF, LF.
> 
> There are two observations I would like to highlight:
> 
> 1) This approach creates a sort of inconsistency between filters: I tend to believe that the approach of Flowspec filters was to filter according to a header pattern (just like with DSCP and TCP flags flowspec nlri). If we follow the same approach for fragments, we should normally propose a nlri value made of the fragment flags (3 bits) and eventually 1 bit to specify if fragment offset have to null or not.
> 
> 2) The bitmask of nlri type 12 as define could create odd router behavior or misalignment between implementations:
> 
> Assuming that routers identifies the first fragment by checking that MF bit is set to 1 and that the offset set to 0. How a router could consider a nlri with a bitmask having Isf and FF set to one ? Does it have to do an implicit OR between the Isf and FF ?
> 
> Considering my first observation and following the same logic as with DSCP and TCP flags, if I want to filter packets that are fragments or first fragments, I should normally send two values with an explicit OR operator between the two.
> 
> It might be implemented that way in certain OS but I am afraid that RFC is not perfectly clear on this particular situation.
> 
> Does it make sense to other people of the group or it is only me torturing myself ?
> 
> Thanks,
> Matthieu.
> 
> 
> 
> 
> > On 21 Jan 2017, at 16:03, John G. Scudder <jgs@juniper.net> wrote:
> >
> > Hi All,
> >
> > The authors have requested IDR working group adoption of draft-hr-idr-rfc5575bis-02 "Dissemination of Flow Specification Rules". Please send your comments to the list.
> >
> > This adoption call will conclude on Monday, February 6.
> >
> > Thanks,
> >
> > —John
> > _______________________________________________
> > Idr mailing list
> > Idr@ietf.org
> > https://www.ietf.org/mailman/listinfo/idr
> 
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>