IETF Logo Mail Archive

Re: [Idr] draft-litkowski-idr-flowspec-interfaceset => NLRI vs EXTCT

"Hyojeong Kim (hyojekim)" <hyojekim@cisco.com> Thu, 26 March 2015 23:04 UTC

Return-Path: <hyojekim@cisco.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E56701A005D for <idr@ietfa.amsl.com>; Thu, 26 Mar 2015 16:04:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P4xqV2s1psNe for <idr@ietfa.amsl.com>; Thu, 26 Mar 2015 16:04:31 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49BEE1A0354 for <idr@ietf.org>; Thu, 26 Mar 2015 16:04:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=40635; q=dns/txt; s=iport; t=1427411071; x=1428620671; h=from:to:subject:date:message-id:in-reply-to:mime-version; bh=BntCj+DakN4hcsnTT4MDbBb1fx7hpw4kmMZ1E+s/lvE=; b=BTxvYBYcadBIajSVP1u/gE/b4fBPMayy58Y+Rtt+5B5NLtL+wsElBVqT 8ayBXStf7vqBuQxF+35So1gguA4CTwphCHV7tMJHswY6VVyGx62C7QLdF q0i3tV/GOmAHubWdQzyJqem5t+nhkB8xRZfVrc+jgfshRZ0kimdfGkY0c M=;
X-Files: image001.gif : 381
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BsBQCDjxRV/4gNJK1cgkNDUloEwl+CS4V4AoFFTAEBAQEBAX2EFAEBAQQFAR8IATYHHAQBCAcKAwEBAQYBAhgBBgkVAQMCCQwUCQgBAQQBEQEGCAaIBwMRDcYtA4VNAQEBAQEBAQEBAQEBAQEBAQEBAQEBFwSLJIQWCgEGASQRCgwBCgEGhCcFimmDWYFDS4FpgTIBU4Ikg1yBGzqCdowbg0cig25vAQEBAX4BCBcifwEBAQ
X-IronPort-AV: E=Sophos;i="5.11,475,1422921600"; d="gif'147?scan'147,208,217,147";a="407015833"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by rcdn-iport-3.cisco.com with ESMTP; 26 Mar 2015 23:04:30 +0000
Received: from xhc-aln-x09.cisco.com (xhc-aln-x09.cisco.com [173.36.12.83]) by alln-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id t2QN4UKE009933 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 26 Mar 2015 23:04:30 GMT
Received: from xmb-aln-x13.cisco.com ([169.254.15.15]) by xhc-aln-x09.cisco.com ([173.36.12.83]) with mapi id 14.03.0195.001; Thu, 26 Mar 2015 18:04:29 -0500
From: "Hyojeong Kim (hyojekim)" <hyojekim@cisco.com>
To: "stephane.litkowski@orange.com" <stephane.litkowski@orange.com>, "idr@ietf.org" <idr@ietf.org>
Thread-Topic: [Idr] draft-litkowski-idr-flowspec-interfaceset => NLRI vs EXTCT
Thread-Index: AdBnuaSDgu63pB1yQkunq1sfmjTzcwAQA00AAAdafGD//+KsgA==
Date: Thu, 26 Mar 2015 23:04:29 +0000
Message-ID: <D139DD32.324D2%hyojekim@cisco.com>
In-Reply-To: <2641_1427410446_55148E0E_2641_15689_1_9E32478DFA9976438E7A22F69B08FF921662BE12@OPEXCLILMA4.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.2.130206
x-originating-ip: [10.154.212.208]
Content-Type: multipart/mixed; boundary="_004_D139DD32324D2hyojekimciscocom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/idr/GoTfx7Yb6s5-gNE1E8PrsqSLOlE>
Subject: Re: [Idr] draft-litkowski-idr-flowspec-interfaceset => NLRI vs EXTCT
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2015 23:04:35 -0000

Hi,

Please see the reply inline:

From: "stephane.litkowski@orange.com<mailto:stephane.litkowski@orange.com>" <stephane.litkowski@orange.com<mailto:stephane.litkowski@orange.com>>
Date: Thursday, March 26, 2015 3:54 PM
To: Hyojeong Kim <hyojekim@cisco.com<mailto:hyojekim@cisco.com>>, "idr@ietf.org<mailto:idr@ietf.org>" <idr@ietf.org<mailto:idr@ietf.org>>
Subject: RE: [Idr] draft-litkowski-idr-flowspec-interfaceset => NLRI vs EXTCT

Hi,

Inline comments

From: Hyojeong Kim (hyojekim) [mailto:hyojekim@cisco.com]
Sent: Thursday, March 26, 2015 16:19
To: LITKOWSKI Stephane SCE/IBNF; idr@ietf.org<mailto:idr@ietf.org>
Subject: Re: [Idr] draft-litkowski-idr-flowspec-interfaceset => NLRI vs EXTCT

First, I have a general comment. We cannot control the mapping of interface to group id for all upstream routers/ASes. At FS NLRI originator, group id 1 identifies all Internet customer interfaces, but we cannot assume the same at a far upstream router which belongs to a different AS.
[SLI] Agree, its similar to BGP community, an upstream AS may authorize you to use its own interface-group. But for sure group-id x in AS#1 may not exist or mean something else in AS#2.

Regarding this NLRI vs. EXTCT issue, as the interface group id is meaningful within a limited set of routers/ASes, we should not add it to NLRI. If it is implemented as EXTCT, we could consider a different AS border router might replace it into some other EXTCT which is meaningful within its domain.
[SLI] That’s a good point. But as pointed for interAS, you may be able to filter those NLRIs that apply only to your AS. It’s technically possible, now the question is : is it a good design ? may be not
In case we keep EXTCT, we must point that using ADD-PATH is mandatory.

Robert R. pointed me also that maybe using another AFI/SAFI and putting interface-group in NLRI of this new AFI/SAFI will permit to keep a level of isolation with the DDoS use case which is typically interAS.

[HK] I understand the point/concern about ADD-PATH becoming mandatory.

But, if we extend NLRI, we can filter out unwanted (or inapplicable) NLRIs at border routers, but we cannot modify the NLRIs so that it has different group id.

-Hyojeong


From: "stephane.litkowski@orange.com<mailto:stephane.litkowski@orange.com>" <stephane.litkowski@orange.com<mailto:stephane.litkowski@orange.com>>
Date: Thursday, March 26, 2015 4:41 AM
To: "idr@ietf.org<mailto:idr@ietf.org>" <idr@ietf.org<mailto:idr@ietf.org>>
Subject: [Idr] draft-litkowski-idr-flowspec-interfaceset => NLRI vs EXTCT

Hi IDR Folks,

During this week, I presented the updates of the flowspec interfaceset draft.
We are currently thinking on moving this interfaceset from extcommunity to NLRI and we require your feedback on this. Why such change ?

Consider that you may apply filters with the same “matching” but different actions to different interface-groups. For example:
Rule#1
Match : src-ip 10/8, dst-port 53
Action : rate-limit 10000

Rule#2
Match : src-ip 10/8, dst-port 53
Action : drop

I would like to apply Rule#1 on interfaceset #100 and Rule#2 on interfaceset #200.

As interfaceset is an extct and not part of NLRI, ADDPATH will be required in order to ensure propagation of both paths for the same NLRI.
In case we move interfaceset as part of the NLRI, we do not have this ADDPATH requirement anymore, as we would have two different NLRIs



Now Robert R. pointed me the need to control interAS advertisement, as interfaceset have only a local significance.
There’s two cases :

-          #1 : There is an agreement between myAS and myUpstreamAS to use some interface-set of myUpstreamAS and let myAS apply some filters on myUpstreamAS.

-          #2 : Such interfaceset information sharing is not authorized between both ASes, and only BGPFS rules with no interfaceset should be propagated to myUpstreamAS.
In #2, in case the interfaceset is extct, a BGP policy could be implemented to deny BGP paths containing interfaceset towards myUpstreamAS. In case the interfaceset is part of NLRI, policy is still doable but requires some fine grain NLRI matching in policy framework.

To summarize :
EXTCT approach :

-          Pros :

o   Permit easy filtering

o   Permit to use a common NLRI for multiple interfaceset if action is the same

-          Cons :

o   But requires ADDPATH as soon as action is different for each interfaceset

NLRI approach :

-          Pros :

o   Do not require ADDPATH, may be permit an easier reading. Interfaceset is more a “match-like”

-          Cons :

o   Filtering requires more advanced policy matching

o   Requires multiple NLRIs if we want to apply the same matching/actions to different interfaceset


These pros/cons may not be exhaustive, so please comment and raise your point regarding the approach we need to take.

Thanks a lot !


[Orange logo]<http://www.orange.com/>

Stephane Litkowski
Network Architect
Orange/SCE/EQUANT/IBNF/ENDD/NDE
Orange Expert Future Networks
phone: +33 2 23 28 49 83 <https://monsi.sso.francetelecom.fr/index.asp?target=http%3A%2F%2Fclicvoice.sso.francetelecom.fr%2FClicvoiceV2%2FToolBar.do%3Faction%3Ddefault%26rootservice%3DSIGNATURE%26to%3D+33%202%2023%2028%2049%2083%20>
mobile: +33 6 37 86 97 52 <https://monsi.sso.francetelecom.fr/index.asp?target=http%3A%2F%2Fclicvoice.sso.francetelecom.fr%2FClicvoiceV2%2FToolBar.do%3Faction%3Ddefault%26rootservice%3DSIGNATURE%26to%3D+33%206%2037%2086%2097%2052%20>
stephane.litkowski@orange.com<mailto:stephane.litkowski@orange.com>



_________________________________________________________________________________________________________________________



Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.



This message and its attachments may contain confidential or privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email