Re: [Idr] update proposal to draft-ietf-idr-rfc5575bis-14
Robert Raszuk <robert@raszuk.net> Fri, 10 May 2019 08:41 UTC
Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BB9F120113 for <idr@ietfa.amsl.com>; Fri, 10 May 2019 01:41:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 52q_ryAQNbmA for <idr@ietfa.amsl.com>; Fri, 10 May 2019 01:40:56 -0700 (PDT)
Received: from mail-qt1-x834.google.com (mail-qt1-x834.google.com [IPv6:2607:f8b0:4864:20::834]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1779D1201D7 for <idr@ietf.org>; Fri, 10 May 2019 01:40:56 -0700 (PDT)
Received: by mail-qt1-x834.google.com with SMTP id o7so5700197qtp.4 for <idr@ietf.org>; Fri, 10 May 2019 01:40:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=F2pQ1omsPRzTS91eu+l/M6BVKYAZhMeHFcUhSHapcwA=; b=LTFXfd1lVdUpsftiRScX+xLpkXlvL6N8ZtD6QutXhgFvmefs9YF9N11qonBVQmswnC yqUFVwDnLcHVtqR8cK4TqSS1IwDXQzDC28uWKeBe9ISl44AmmeF9eoiCeVCfinVCD/hA 6dPB/wbzRvh9oQKIakAnjHOTec0W5vnNgz6QDFHLiM9lS0SWm3jRfFTrGSbr3E7zx5g0 QF1K5nhBqvsmxn7C6V3RFU9t8qKOIzgfFZuqynZlbjJ+305wkXRAHtkZhUf3vLmI15B7 hSDs4ZfkiU55ghQNEALEFcbnEJfqU2DytE1Cw2bMVTRzpoesfCsTXLGZFSB7ZvHkMFhB T53w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=F2pQ1omsPRzTS91eu+l/M6BVKYAZhMeHFcUhSHapcwA=; b=i9OE4HvZFWFzf8mZewfkzVY+5d0KeoOBW1rIl/f12oxCfeSmoEhoH8ubYMMvFKNsg6 9iSO90pM2z8cD+WPHaWYDb3OsaKxAXz793pARZnUHB9YXOnUmyNa/iWJF0UjgKPeyRl+ IhV9oKFx8K62g4tO4wIEvzvJNfpQYq12yhxsJJFSIO31/Ny6Kq8+he3Yh9uVjemyZ1LY sS60bYFmaemRlizryHlZYeK5UMZQ/de1Y4fc8qs7y1Jhj8fwwXl5fNjjmYQ0acLnhp6K 50Vxc/xU9O4YvytMAjs9CBzL7SZV5XqrG7JMtOVddWRVLmLZGl36VccmFuY68IqVKdHj iNNw==
X-Gm-Message-State: APjAAAXwoy+HXyXVhy06uA3iXo74ymULoME7w/EKvgzLCHkShakAKmxY uEQnvhJyUDzlvCgLSZivXqMBlhQIEHzBM9+SfqgGEw==
X-Google-Smtp-Source: APXvYqxXASZnnfWPHpZOgxufynE8w5vNaZE0v7L/prqgmn8dnUl+JbnOOhpXuVDCUtymVXJPL60UGzDcVZfTA6kj/UY=
X-Received: by 2002:ac8:2899:: with SMTP id i25mr8371331qti.361.1557477655027; Fri, 10 May 2019 01:40:55 -0700 (PDT)
MIME-Version: 1.0
References: <d0255cf9976644d7a29b11f2fc68fa98@turkcell.com.tr> <CAOj+MMEeAW+cp3+nbo1UvZvg=zhmoYuRAooLpoCwUtM=c3qYew@mail.gmail.com> <BYAPR11MB3751AD010F84D24B84591A32C0330@BYAPR11MB3751.namprd11.prod.outlook.com> <CAOj+MMFC=ow7hjtDkFn=ZVOyVHDEuAD8GJQ1nNkOHFxAZPo_Ug@mail.gmail.com> <45903917-F08E-47ED-BCA0-46530D63ED16@tix.at> <1355fad118884baaa5ee6a15ea865179@turkcell.com.tr>
In-Reply-To: <1355fad118884baaa5ee6a15ea865179@turkcell.com.tr>
From: Robert Raszuk <robert@raszuk.net>
Date: Fri, 10 May 2019 10:40:43 +0200
Message-ID: <CAOj+MMFM7ruRnFg06tqMqae9rhLMK4KT-QDJcLLpUonCiiSXXA@mail.gmail.com>
To: ERCIN TORUN <ercin.torun@turkcell.com.tr>
Cc: Christoph Loibl <c@tix.at>, "Jakob Heitz (jheitz)" <jheitz@cisco.com>, "idr@ietf.org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005fb67f058884866e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/F8NMk5mCqRQN8SqEDAmlA9EadWs>
Subject: Re: [Idr] update proposal to draft-ietf-idr-rfc5575bis-14
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 May 2019 08:41:01 -0000
Thx for clarification. So your use case is to use BGP as targeted config push. You seems not worried that 600+ routers and RRs will get FS updates only for 599+ to drop them. I do think that BGP should *not* be used for config push regardless if this is ACLs or SIDs or XYZ. The idea of original 5575 leverages BGP for real p2mp filter push and that along with unicast validation are the only two reasons why we used BGP for it to start with. In your use case neither of those two reasons apply Cheers, R. On Fri, May 10, 2019 at 9:22 AM ERCIN TORUN <ercin.torun@turkcell.com.tr> wrote: > Hello Christoph, Jakob, Robert, > > > > We wanted to filter DDOS attacks happening inside our AS , attacks from > customers to customers, so my idea is not related to MPLS VPN or filtering > a DDOS attack coming from a transit provider. Customers layer3 connections > are terminated on around 600 routers today, which will increase when we > push down layer3 terminations further into the edge. > > > > As Christoph mentioned solution eases the configuration by taking out > manual configuration (assuming a DDOS analyzer could analyze the origin > interface/router of the attack and insert BGP router id into FS routes) > and lessens the filter load on routers. We are not using FS today for > attacks happening inside our AS, i came up with the idea what if we start > using it. > > > > I found a use case for BGP FS, might be useful for other SAFIs as well as > Robert wrote. But yes it is also possible having such a functionality with > local enhancement (hopefully on major router vendors). > > > > Regards > > Erçin TORUN > > *From:* Christoph Loibl <c@tix.at> > *Sent:* Friday, May 10, 2019 1:58 AM > *To:* ERCIN TORUN <ercin.torun@turkcell.com.tr> > *Cc:* Jakob Heitz (jheitz) <jheitz@cisco.com>; Robert Raszuk < > robert@raszuk.net>; idr@ietf.org > *Subject:* Re: [Idr] update proposal to draft-ietf-idr-rfc5575bis-14 > > > > Hi Erçin, Robert, Jakob, > > > > From Erçin’s mail I understand that he wants his routers to accept FS > routes only if the receiving router_id is encoded in the RT (MPLS is > mentioned in the mail but I think what Erçin suggests has nothing to do > with MPLS VPN). Erçin also points out that the same functionality can > already be achieved by tagging the FS-prefix with a specific community (or > whatever available) and have the router's bgp policy-framework > select/filter the (non-)appropriate FS filters (or even have the > route-reflectors do the filtering. btw. when it comes to RRs the suggested > solution also seems a litte more tricky). > > > > The suggested solution eases the configuration in your specific use-case > since you do not need to manually (I doubt that you are doing that manually > anyway - given the scale of the deployment that you describe) those > policies anymore. > > > > However, I agree with what Robert wrote in his last mail: > > > > This is *not* a problem to solve specifically for FS. For example you may > want to have a router import an IP unicast route only in case the router_id > matches some extended community - why does it need to go into FS? It could > be useful for other SAFIs as well! It may need additional considerations > because of BGP route propagation and scaling (route reflection, but also > propagation over multiple routing domains). On the other hand, since it can > be achieved with configuration already: Does this really need to go into > BGP? > > > > Cheers Christoph > > > > -- > Christoph Loibl > c@tix.at | CL8-RIPE | PGP-Key-ID: 0x4B2C0055 | http://www.nextlayer.at > > > > > > > > On 09.05.2019, at 21:10, Robert Raszuk <robert@raszuk.net> wrote: > > > > Hey Jakob, > > > > I am assuming he is using MPLS fabric for a reason ... One most likely > reason could be L3VPN :) Otherwise what would be the point to use MPLS to > start with ? Basic hierarchical routing ? And even for L3VPN MPLS in > transport layer. It is also not needed for isolating underlay from overlay > tenants routes. > > > > Regardless as you know RTs do apply for any SAFI not just 128. > > > > The only point is sort of automation to router_id filtering ... I guess an > implementation can support it for any SAFI as well with an extra knob. That > would not be specific to flow-spec by just a vendor's local enhancement. > > > > As you know FlowSpec's main role was to prevent DDoS. With that you never > know on which ASBR your distributed attacks arrive so pushing filters to > only subset of them is a questionable. If you have 10s or 100s of ASBRs you > would need now to apply long list of matching RTs. > > > > The solution is not backwards compatible as current routers unless > upgraded with new knob would accept all filters anyway. I hope no one wants > this to be active by default as it would kill RFC5575 and turn FlowSpec to > NetConf. > > > > If you want to limit the filters only to ASBRs maybe some more generic RT > needs to be defined - say "apply only on EBGP speakers" ? > > > > Overall abuse of FlowSpec seems to continue. P2MP distributed nature of > BGP propagation keeps being used as P2P config push protocol. I am just not > sure when such use cases will stop popping up left and right. > > > > Best, > > R. > > > > > > On Thu, May 9, 2019 at 10:52 PM Jakob Heitz (jheitz) <jheitz@cisco.com> > wrote: > > Robert, > > > > Section 8 applies to VPNv4 flow spec. > > > > I see two differences in Ercin's proposal. > > First, it is for IP Flow Spec, rather than for VPN > > Second, the IPv4 address in the RT matches with the router-id. > > This avoids the requirement to allocate and manage another identifier to > match the RT. > > that is an operational advantage. > > > > I support Ercin's proposal. > > > > Regards, > > Jakob. > > > > *From:* Idr <idr-bounces@ietf.org> *On Behalf Of *Robert Raszuk > *Sent:* Thursday, May 9, 2019 9:38 AM > *To:* ERCIN TORUN <ercin.torun@turkcell.com.tr> > *Cc:* idr@ietf.org > *Subject:* Re: [Idr] update proposal to draft-ietf-idr-rfc5575bis-14 > > > > Hi Ercin, > > > > What you are asking/proposing has been standardized in the original > RFC5575 already many years ago. > > > > Please see section 8 specifically this paragraph: > > > > Propagation of this NLRI is controlled by matching Route Target > > extended communities associated with the BGP path advertisement with > > the VRF import policy, using the same mechanism as described in "BGP/ > > MPLS IP VPNs" [RFC4364 <https://tools.ietf.org/html/rfc4364>] .. > > > > Thx, > Robert. > > > > > > On Thu, May 9, 2019 at 2:04 PM ERCIN TORUN <ercin.torun@turkcell.com.tr> > wrote: > > Hello All, > > > > My name is Ercin TORUN <https://tr.linkedin.com/in/ercintorun> and I’m > working in Turkcell Turkey (35M-mobile/2M-fixed customer, +digital > services) as an IP/MPLS Network Planning Engineer. I would like to propose > an update to draft-ietf-idr-rfc5575bis-14 > <https://tools.ietf.org/html/draft-ietf-idr-rfc5575bis-14>. > > > > By default all flowspec entries (filters..) are applied to all routers, > and unnecessary application of many filters can easily owerwhelm the > capacity of routers resources (e.g. TCAM). We are pushing layer3 to the > edges with solutions like seamless-mpls or leaf-spine next-generation DC > topologies which widens the layer3 domain easily over thousands of devices. > It is best to filter “dirty” traffic where it first enters a network. There > are ways to accept BGP announcements only on the targeted router, like > defining a community for each router and configuring policies, but an > automated way would be much more easier and less error-prone. Our idea is > using a route-taget to match with BGP Identifier so that only the targeted > router might accept the announcement. > > > > All in all, I propose to add below text to draft-ietf-idr-rfc5575bis-14 > <https://tools.ietf.org/html/draft-ietf-idr-rfc5575bis-14> > > > > “ In a common use case, it is necessary to apply a filter to one or a > few > > routers and to apply many different filters to many different routers. > > By default, all filters are applied to all routers. In this use case, > > the unnecessary application of the many filters can easily overwhelm > > the capacity of the routers. To simplify this use case, > > route-targets may be used to apply the filters to only the needed > routers: > > > > If one or more IPv4-Address-Specific route-targets are present, then > > the IPv4 address of at least one route- > > target MUST match one of the BGP Identifiers of the receiver in order > > for the update to be accepted. > > “ > > > > Regards > > Erçin TORUN > > > > [image: http://www.turkcell.com.tr/downloads/bireysel/img/Tcelldis.gif] > <https://ddei3-0-ctp.trendmicro.com/wis/clicktime/v1/query?url=http%3a%2f%2fturkcell.li%2fiyaani&umid=5622DB31-887C-6405-8A8A-F4F39CC5B127&auth=54639621fcdd7e0f42d2a208112da27408386c06-40e6138ba459538902ecd8e663e8f2bd2fd3d7f4> > > Bu elektronik posta ve onunla iletilen butun dosyalar sadece gondericisi > tarafindan almasi amaclanan yetkili gercek ya da tuzel kisinin kullanimi > icindir. Eger soz konusu yetkili alici degilseniz bu elektronik postanin > icerigini aciklamaniz, kopyalamaniz, yonlendirmeniz ve kullanmaniz > kesinlikle yasaktir ve bu elektronik postayi derhal silmeniz gerekmektedir. > > TURKCELL bu mesajin icerdigi bilgilerin doğruluğu veya eksiksiz oldugu > konusunda herhangi bir garanti vermemektedir. Bu nedenle bu bilgilerin ne > sekilde olursa olsun iceriginden, iletilmesinden, alinmasindan ve > saklanmasindan sorumlu degildir. Bu mesajdaki gorusler yalnizca gonderen > kisiye aittir ve TURKCELLin goruslerini yansitmayabilir > > Bu e-posta bilinen butun bilgisayar viruslerine karsi taranmistir. > ------------------------------ > > This e-mail and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they are > addressed. If you are not the intended recipient you are hereby notified > that any dissemination, forwarding, copying or use of any of the > information is strictly prohibited, and the e-mail should immediately be > deleted. > > TURKCELL makes no warranty as to the accuracy or completeness of any > information contained in this message and hereby excludes any liability of > any kind for the information contained therein or for the information > transmission, reception, storage or use of such in any way whatsoever. The > opinions expressed in this message belong to sender alone and may not > necessarily reflect the opinions of TURKCELL.. > > This e-mail has been scanned for all known computer viruses. > > _______________________________________________ > Idr mailing list > Idr@ietf.org > https://www.ietf.org/mailman/listinfo/idr > > _______________________________________________ > Idr mailing list > Idr@ietf.org > https://www.ietf.org/mailman/listinfo/idr > > >
- [Idr] update proposal to draft-ietf-idr-rfc5575bi… ERCIN TORUN
- Re: [Idr] update proposal to draft-ietf-idr-rfc55… Robert Raszuk
- Re: [Idr] update proposal to draft-ietf-idr-rfc55… Jakob Heitz (jheitz)
- Re: [Idr] update proposal to draft-ietf-idr-rfc55… Robert Raszuk
- Re: [Idr] update proposal to draft-ietf-idr-rfc55… Christoph Loibl
- Re: [Idr] update proposal to draft-ietf-idr-rfc55… ERCIN TORUN
- Re: [Idr] update proposal to draft-ietf-idr-rfc55… Robert Raszuk
- Re: [Idr] update proposal to draft-ietf-idr-rfc55… Zhuangshunwan
- Re: [Idr] update proposal to draft-ietf-idr-rfc55… ERCIN TORUN
- Re: [Idr] update proposal to draft-ietf-idr-rfc55… Jeffrey Haas
- Re: [Idr] update proposal to draft-ietf-idr-rfc55… ERCIN TORUN