Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
"Juan Alcaide (jalcaide)" <jalcaide@cisco.com> Fri, 11 May 2018 19:52 UTC
Return-Path: <jalcaide@cisco.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FF6D12D86A; Fri, 11 May 2018 12:52:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TFc6VzTWVfE1; Fri, 11 May 2018 12:52:40 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 547B71270AB; Fri, 11 May 2018 12:52:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=48985; q=dns/txt; s=iport; t=1526068360; x=1527277960; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=/vVeuR3VfSzIJcx3F9IxJCqgR5IKsdLYleyoEeYd+a0=; b=Nmg6oVnyX/s7dkk0P9XbVaMnF51fwdj0elocCfP+mabDmHrWUgYWghjc TcGGvyedJaT/grbX7cTKfkyn1bT1LCR6+s5ZTIv0Aq8lTTLdr3EmxxAHe wZoiscPLYb0MQ9aS6S9NfgmeCcSxQeahDEeNlPuLS0DapuBUNxOcYLlpj 8=;
X-IronPort-AV: E=Sophos;i="5.49,390,1520899200"; d="scan'208,217";a="394147018"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 11 May 2018 19:52:39 +0000
Received: from [10.82.208.50] (rtp-vpn4-50.cisco.com [10.82.208.50]) (authenticated bits=0) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id w4BJqaNO012947 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Fri, 11 May 2018 19:52:37 GMT
To: "Jakob Heitz (jheitz)" <jheitz@cisco.com>, "Smith, Donald" <Donald.Smith@CenturyLink.com>, John Scudder <jgs@juniper.net>, "idr@ietf. org" <idr@ietf.org>
Cc: "nl7942@att.com" <nl7942@att.com>, "Schiel, John" <John.Schiel@centurylink.com>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>
References: <DB4DB79D-22DD-45A7-980A-B33C5E58C1C7@juniper.net> <2997BE5D-F4C6-4AC2-9B00-126436FC5141@juniper.net> <68EFACB32CF4464298EA2779B058889D53DB49B4@PDDCWMBXEX503.ctl.intranet> <e0e1857b46104431be4f655fe8d1e0b1@XCH-ALN-014.cisco.com> <68EFACB32CF4464298EA2779B058889D53DB4D80@PDDCWMBXEX503.ctl.intranet> <7cc92070-d480-cd91-e572-36dc36836732@cisco.com> <68EFACB32CF4464298EA2779B058889D53DB50BF@PDDCWMBXEX503.ctl.intranet> <a5c07854cdba4e09b7fd6c3751acfbf2@XCH-ALN-014.cisco.com>
From: "Juan Alcaide (jalcaide)" <jalcaide@cisco.com>
Message-ID: <e6fadbc8-cb02-f378-d59b-19737eee01ee@cisco.com>
Date: Fri, 11 May 2018 21:52:35 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <a5c07854cdba4e09b7fd6c3751acfbf2@XCH-ALN-014.cisco.com>
Content-Type: multipart/alternative; boundary="------------625B5E15175E21F3893F38AC"
Content-Language: en-US
X-Authenticated-User: jalcaide
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/EZGP6_Uqex67Auf-4SVZmOViCBo>
Subject: Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 May 2018 19:52:44 -0000
Yes.. also, I'd say we can keep the wording simple and open. So implementation/configuration can decide -J On 5/11/2018 9:39 PM, Jakob Heitz (jheitz) wrote: > > Sorry Donald, Can you draw a diagram or reword your scenario? > > Thanks, > > Jakob > > *From:*Smith, Donald <Donald.Smith@CenturyLink.com> > *Sent:* Friday, May 11, 2018 12:30 PM > *To:* Juan Alcaide (jalcaide) <jalcaide@cisco.com>; Jakob Heitz > (jheitz) <jheitz@cisco.com>; John Scudder <jgs@juniper.net>; idr@ietf. > org <idr@ietf.org> > *Cc:* nl7942@att.com; Schiel, John <John.Schiel@centurylink.com>; > draft-ietf-idr-bgp-flowspec-oid@ietf.org > *Subject:* RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 > > I am not entirely sure if that works here or not. > > But I think with that you could show some AS as the last AS in the > past (far left) and maybe not show the original customer AS? > > As long as your advertising that space to me, and I don't have a > better path it should work. > > Now what happens when a customer is a customer of ISP A and ISP B both > have routes to it, if A advertises flowspec to B for that network > wouldn't it be blocked as the best path to the customer inside of B is > B's path. > > This is actually a different problem, or subset of the original issue. > > What should happen in that case? I might want to take action, I might > not be seeing a huge flood, while the original announcer (A) is and > wants us to take action as they expect we will be seeing that traffic > soon? > > Metric System < +000 > -000 > > Extra People's Terribly Good Meals Kept mY uNCLE Ned Purring For > Ages > > Exa Peta Tera Giga Mega Kilo milli Micro(u) Nano Pico > Femto Atto > > Donald.Smith@centurylink.com <mailto:Donald.Smith@centurylink.com> > > ------------------------------------------------------------------------ > > *From:*Juan Alcaide (jalcaide) [jalcaide@cisco.com] > *Sent:* Friday, May 11, 2018 12:57 PM > *To:* Smith, Donald; Jakob Heitz (jheitz); John Scudder; idr@ietf. org > *Cc:* nl7942@att.com <mailto:nl7942@att.com>; Schiel, John; > draft-ietf-idr-bgp-flowspec-oid@ietf.org > <mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org> > *Subject:* Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 > > Don, > > (just to be clear, this has nothing to directly with the redirect > extended-community draft) > > We already thought about it and added a 'clause' in the last revision. > > "Optionally, an implementation > could be configured to allow only flow specification NLRIs containing > only a subset of ASes. This could be useful, for example, with > networks that consist of multiple ASes that operate under the same > administrative domain." > > This is not what you want? > > -J > > On 5/11/2018 4:50 PM, Smith, Donald wrote: > > That would work of course MAY would be caps :) But that should > cover the case I was describing. > > All the other BGP security issues would still apply. > > Cc'ing the two architects that have been working on this concept > with me, in case they have anything to add. > > Metric System < +000 > -000 > > Extra People's Terribly Good Meals Kept mY uNCLE Ned Purring > For Ages > > Exa Peta Tera Giga Mega Kilo milli Micro(u) Nano Pico > Femto Atto > > Donald.Smith@centurylink.com <mailto:Donald.Smith@centurylink.com> > > ------------------------------------------------------------------------ > > *From:*Jakob Heitz (jheitz) [jheitz@cisco.com > <mailto:jheitz@cisco.com>] > *Sent:* Thursday, May 10, 2018 11:39 PM > *To:* Smith, Donald; John Scudder; idr@ietf. org > *Cc:* draft-ietf-idr-bgp-flowspec-oid@ietf.org > <mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org> > *Subject:* RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 > > I support the draft. > > Donald, are you saying that AS1 should accept a flowspec rule from > AS2 for traffic going to AS3? > > If AS1 can trust the flowspec from AS2, then I don't see why not. > > Maybe we can add text to the effect of: > > The rules stated here are for default behavior. > > Local policy may allow flow specifications from other EBGP > neighbors to be accepted. > > Thanks, > > Jakob > > *From:*Idr <idr-bounces@ietf.org> <mailto:idr-bounces@ietf.org> > *On Behalf Of *Smith, Donald > *Sent:* Thursday, May 10, 2018 11:58 AM > *To:* John Scudder <jgs@juniper.net> <mailto:jgs@juniper.net>; > idr@ietf. org <idr@ietf..org> <mailto:idr@ietf..org> > *Cc:* draft-ietf-idr-bgp-flowspec-oid@ietf.org > <mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org> > *Subject:* Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 > > This supports some of the bi-lateral, ddos-peering work we want to > do, so support. > > https://pc.nanog.org/static/published/meetings/NANOG71/1447/20171003_Levy_Operationalizing_Isp_v2.pdf > > That is almost always going to be between some set of systems not > one hop away, not directly in the forwarding plane, probably not > really IBGP peers. > > " It thus becomes necessary to modify step (a) of the RFC 5575 > <https://tools.ietf.org/html/rfc5575> > validation procedure such that an IBGP peer that is not within the > data forwarding plane may originate flow specification NLRIs." > > While you could have the IBGP peer directly in the forwarding > plane, forward it like a route reflector, requiring it to seems > counter intuitive as it is more likely to come from some BGP > speaking tool in ISP requesting the filter. > > Next lots of references to IBGP and a few to EBGP, when I think of > IBGP, IBGP is internal to a single AS (yes I know there are > exceptions) but that is kind of the meaning, while this is mostly > between peers (whom could do IBGP between them but is that > required? Can't we validate without IBGP direct connections?) > > Metric System < +000 > -000 > > Extra People's Terribly Good Meals Kept mY uNCLE Ned Purring > For Ages > > Exa Peta Tera Giga Mega Kilo milli Micro(u) Nano Pico > Femto Atto > > Donald.Smith@centurylink.com <mailto:Donald.Smith@centurylink.com> > > ------------------------------------------------------------------------ > > *From:*Idr [idr-bounces@ietf.org <mailto:idr-bounces@ietf.org>] on > behalf of John Scudder [jgs@juniper.net <mailto:jgs@juniper.net>] > *Sent:* Thursday, May 10, 2018 12:28 PM > *To:* idr@ietf. org > *Cc:* draft-ietf-idr-bgp-flowspec-oid@ietf.org > <mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org> > *Subject:* Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 > > Hi All, > > On Apr 26, 2018, at 3:58 PM, John Scudder <jgs@juniper.net > <mailto:jgs@juniper.net>> wrote: > > The authors have requested a working group last call for > draft-ietf-idr-bgp-flowspec-oid-06. Please respond with your > comments before Friday, May 11. > > A quick update on the status of this WGLC: > > - All the authors have responded about IPR (thank you!). > > - Three people who are not authors (Acee, Shyam, Keyur) have > responded supporting publication. > > - Nobody has responded with other comments or opposition. > > Three respondents is not a very large number; it would be helpful > if others would chime in. > > The WGLC period is scheduled to end tomorrow. > > Thanks, > > --John > > This communication is the property of CenturyLink and may contain > confidential or privileged information. Unauthorized use of this > communication is strictly prohibited and may be unlawful. If you > have received this communication in error, please immediately > notify the sender by reply e-mail and destroy all copies of the > communication and any attachments. > > This communication is the property of CenturyLink and may contain > confidential or privileged information. Unauthorized use of this > communication is strictly prohibited and may be unlawful. If you > have received this communication in error, please immediately > notify the sender by reply e-mail and destroy all copies of the > communication and any attachments. > > > > _______________________________________________ > > Idr mailing list > > Idr@ietf.org <mailto:Idr@ietf.org> > > https://www.ietf.org/mailman/listinfo/idr > > This communication is the property of CenturyLink and may contain > confidential or privileged information. Unauthorized use of this > communication is strictly prohibited and may be unlawful. If you have > received this communication in error, please immediately notify the > sender by reply e-mail and destroy all copies of the communication and > any attachments. >
- [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 John Scudder
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Acee Lindem (acee)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… David Smith (djsmith)
- Re: [Idr] FW: WGLC for draft-ietf-idr-bgp-flowspe… Clarence Filsfils (cfilsfil)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… UTTARO, JAMES
- Re: [Idr] FW: WGLC for draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Shyam Sethuram
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Keyur Patel
- Re: [Idr] FW: WGLC for draft-ietf-idr-bgp-flowspe… Pradosh Mohapatra
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… John Scudder
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Smith, Donald
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Jakob Heitz (jheitz)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Kasavchenko, Kirill
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Smith, Donald
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Juan Alcaide (jalcaide)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Smith, Donald
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Jakob Heitz (jheitz)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Juan Alcaide (jalcaide)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Smith, Donald
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Jakob Heitz (jheitz)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… John Schiel
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Juan Alcaide (jalcaide)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… LINGALA, AVINASH
- [Idr] FW: FW: WGLC for draft-ietf-idr-bgp-flowspe… Susan Hares