IETF Logo Mail Archive

Re: [Idr] flowspec enhancements

Haoweiguo <haoweiguo@huawei.com> Mon, 28 September 2015 11:15 UTC

Return-Path: <haoweiguo@huawei.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04C5B1A88F8 for <idr@ietfa.amsl.com>; Mon, 28 Sep 2015 04:15:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YLoeqML_RrYp for <idr@ietfa.amsl.com>; Mon, 28 Sep 2015 04:15:05 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C5591A88E4 for <idr@ietf.org>; Mon, 28 Sep 2015 04:15:04 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml404-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CBU67970; Mon, 28 Sep 2015 11:15:02 +0000 (GMT)
Received: from NKGEML404-HUB.china.huawei.com (10.98.56.35) by lhreml404-hub.china.huawei.com (10.201.5.218) with Microsoft SMTP Server (TLS) id 14.3.235.1; Mon, 28 Sep 2015 12:14:59 +0100
Received: from NKGEML501-MBS.china.huawei.com ([169.254.2.75]) by nkgeml404-hub.china.huawei.com ([10.98.56.35]) with mapi id 14.03.0235.001; Mon, 28 Sep 2015 19:14:55 +0800
From: Haoweiguo <haoweiguo@huawei.com>
To: Wesley Eddy <wes@mti-systems.com>, "idr@ietf.org" <idr@ietf.org>
Thread-Topic: [Idr] flowspec enhancements
Thread-Index: AQHQ792JuMqSc18vvkuH4lzTINhorJ5JVVNBgAPhBgCABKGXEw==
Date: Mon, 28 Sep 2015 11:14:54 +0000
Message-ID: <DD5FC8DE455C3348B94340C0AB5517334F8CD483@nkgeml501-mbs.china.huawei.com>
References: <55F857D1.1020806@mti-systems.com> <DD5FC8DE455C3348B94340C0AB5517334F8CB8BE@nkgeml501-mbs.china.huawei.com>, <5605A9FE.5070505@mti-systems.com>
In-Reply-To: <5605A9FE.5070505@mti-systems.com>
Accept-Language: en-US, zh-CN
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.135.23.94]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <http://mailarchive.ietf.org/arch/msg/idr/HcjCqm8XeVsGlTwcxbkASvNOa1E>
Cc: Justin Dailey <Justin@mti-systems.com>
Subject: Re: [Idr] flowspec enhancements
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Sep 2015 11:15:12 -0000

Hi Wesley,
Glad to see both of us think that matching tunneled flow is necessary for BGP flowspec application.
In the draft of 'draft-hao-idr-flowspec-nvo3', classic BGP Flowspec matching method is used for overlay encap, the method is semantic dependant. The routers need to understand every field's meaning in BGP Flowspec message. 
However, in your draft, a new "Offset-Value-Mask" approach was proposed, the method is semantic agnostic. The routers don't need to understand the specific meaning for each field, so theoretically it has great scalability.  However, your solution will incur additional security issue, the security problem space will be totally different with current BGP flowspec mechanism. Also, your method can be used to replace all current BGP flowspec documents, because all current BGP flowspec documents assume the routers need to know the exact meaning of each field in BGP flowspec message.

I think you should ask IDR WG firstly if it suitable to use 'semantic agnostic' method for all BGP flowspec application.  If your solution has not been adopted by WG, we had better use current mechansim('semantic dependant') to design the solution for overlay tunneled flow matching.

Thanks,
weiguo

________________________________________
From: Wesley Eddy [wes@mti-systems.com]
Sent: Saturday, September 26, 2015 4:09
To: Haoweiguo; idr@ietf.org
Cc: Justin Dailey
Subject: Re: [Idr] flowspec enhancements

I agree that expressing ways to match tunneled flows is very useful.

I took a look at the draft-hao-idr-flowspec-nvo3 document and I
don't agree with the approach taken there, which identifies
specific encapsulations (e.g. VXLAN, NVGRE, and eventually others
such as GUE, as I understand the plans).

I don't think that's a reasonable approach in general for BGP/flowspec
to express tunneling, because we can't rely on the multitude of
encapsulations to be parse-able by routers in general.

That's why we proposed the "Offset-Value-Mask" approach for defining
components to be matched within a tunnel.  At the cost of being only
slightly more complex to express fields, it can be much more generally
implemented for the many current (and future) encapsulation types.




On 9/22/2015 9:05 PM, Haoweiguo wrote:
> Hi Wes, I have read through your draft, it's very useful and
> interesting. One comment about "add support for filtering of tunneled
> traffic" is as follows:
>
> I also think flow-spec should support nesting representation for
> overlay encapsulations. In my draft of
> "draft-hao-idr-flowspec-nvo3-01", the nesting problem and solution
> are raised, a new component type of "Delimiter type" is proposed. In
> your draft, the name is called "tunnel separator". I think both of us
> think it's an important problem that should be resolved.
>
> Thanks, weiguo


--
Wes Eddy
MTI Systems

v2.23.0 | Report a Bug | By Email