IETF Logo Mail Archive

Re: [Idr] draft-litkowski-idr-flowspec-interfaceset => NLRI vs EXTCT

"Hyojeong Kim (hyojekim)" <hyojekim@cisco.com> Thu, 26 March 2015 21:19 UTC

Return-Path: <hyojekim@cisco.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A84B1B2F2F for <idr@ietfa.amsl.com>; Thu, 26 Mar 2015 14:19:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qYuSzbk6dw-y for <idr@ietfa.amsl.com>; Thu, 26 Mar 2015 14:18:57 -0700 (PDT)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96F4B1B2F27 for <idr@ietf.org>; Thu, 26 Mar 2015 14:18:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=28387; q=dns/txt; s=iport; t=1427404737; x=1428614337; h=from:to:subject:date:message-id:in-reply-to:mime-version; bh=cZCQ8lHtas+KGbhHCJcUKvI2ofgoFboPSTxpICUmacE=; b=lPT7dp6hmdAiZd4KYJAlUTMeP7hr8sT6NoyLNbMdG+mWPwiTwB5pKZ/p SwnilmUc+uSc3OSFG7TcolSFhijHoFcGZfj6bafr2I0SHtmd3Adm581gR LyZwLGcX3dPN6VWEWBpoX5RhGVc1Z3/4e0q29RxYFrEbMtcky1mkuAzbK 0=;
X-Files: image001.gif : 381
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BsBQDgdhRV/5FdJa1cgkNDUloEwl+CS4V4AoFZTAEBAQEBAX2EFAECBAUBHwgBNgccBAEIBwoDAQIGAQIYAQYJFQEDAgkMFAkIAQEEAREBBgiIDQMRDcZDA4VNAQEBAQEBAQEBAQEBAQEBAQEBAQEBFwSLJIQWCgEGASQRCgwBCgEGhCcFimmDWYFDS4FpgTIBU4Ikg1yBGzqCdowbg0cig25vAQEBAX4BCBcifwEBAQ
X-IronPort-AV: E=Sophos;i="5.11,475,1422921600"; d="gif'147?scan'147,208,217,147";a="135765843"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by alln-iport-2.cisco.com with ESMTP; 26 Mar 2015 21:18:56 +0000
Received: from xhc-rcd-x14.cisco.com (xhc-rcd-x14.cisco.com [173.37.183.88]) by rcdn-core-9.cisco.com (8.14.5/8.14.5) with ESMTP id t2QLItZo019685 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 26 Mar 2015 21:18:55 GMT
Received: from xmb-aln-x13.cisco.com ([169.254.15.15]) by xhc-rcd-x14.cisco.com ([173.37.183.88]) with mapi id 14.03.0195.001; Thu, 26 Mar 2015 16:18:55 -0500
From: "Hyojeong Kim (hyojekim)" <hyojekim@cisco.com>
To: "stephane.litkowski@orange.com" <stephane.litkowski@orange.com>, "idr@ietf.org" <idr@ietf.org>
Thread-Topic: [Idr] draft-litkowski-idr-flowspec-interfaceset => NLRI vs EXTCT
Thread-Index: AdBnuaSDgu63pB1yQkunq1sfmjTzcwAQA00A
Date: Thu, 26 Mar 2015 21:18:55 +0000
Message-ID: <D139C38A.324B2%hyojekim@cisco.com>
In-Reply-To: <13392_1427370077_5513F05D_13392_2397_1_9E32478DFA9976438E7A22F69B08FF921662B61C@OPEXCLILMA4.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.2.130206
x-originating-ip: [10.154.212.208]
Content-Type: multipart/mixed; boundary="_004_D139C38A324B2hyojekimciscocom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/idr/JPCjukWikgrtAzC-kH5HSme0XGk>
Subject: Re: [Idr] draft-litkowski-idr-flowspec-interfaceset => NLRI vs EXTCT
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2015 21:19:01 -0000

First, I have a general comment. We cannot control the mapping of interface to group id for all upstream routers/ASes. At FS NLRI originator, group id 1 identifies all Internet customer interfaces, but we cannot assume the same at a far upstream router which belongs to a different AS.

Regarding this NLRI vs. EXTCT issue, as the interface group id is meaningful within a limited set of routers/ASes, we should not add it to NLRI. If it is implemented as EXTCT, we could consider a different AS border router might replace it into some other EXTCT which is meaningful within its domain.

-Hyojeong


From: "stephane.litkowski@orange.com<mailto:stephane.litkowski@orange.com>" <stephane.litkowski@orange.com<mailto:stephane.litkowski@orange.com>>
Date: Thursday, March 26, 2015 4:41 AM
To: "idr@ietf.org<mailto:idr@ietf.org>" <idr@ietf.org<mailto:idr@ietf.org>>
Subject: [Idr] draft-litkowski-idr-flowspec-interfaceset => NLRI vs EXTCT

Hi IDR Folks,

During this week, I presented the updates of the flowspec interfaceset draft.
We are currently thinking on moving this interfaceset from extcommunity to NLRI and we require your feedback on this. Why such change ?

Consider that you may apply filters with the same “matching” but different actions to different interface-groups. For example:
Rule#1
Match : src-ip 10/8, dst-port 53
Action : rate-limit 10000

Rule#2
Match : src-ip 10/8, dst-port 53
Action : drop

I would like to apply Rule#1 on interfaceset #100 and Rule#2 on interfaceset #200.

As interfaceset is an extct and not part of NLRI, ADDPATH will be required in order to ensure propagation of both paths for the same NLRI.
In case we move interfaceset as part of the NLRI, we do not have this ADDPATH requirement anymore, as we would have two different NLRIs



Now Robert R. pointed me the need to control interAS advertisement, as interfaceset have only a local significance.
There’s two cases :

-          #1 : There is an agreement between myAS and myUpstreamAS to use some interface-set of myUpstreamAS and let myAS apply some filters on myUpstreamAS.

-          #2 : Such interfaceset information sharing is not authorized between both ASes, and only BGPFS rules with no interfaceset should be propagated to myUpstreamAS.
In #2, in case the interfaceset is extct, a BGP policy could be implemented to deny BGP paths containing interfaceset towards myUpstreamAS. In case the interfaceset is part of NLRI, policy is still doable but requires some fine grain NLRI matching in policy framework.

To summarize :
EXTCT approach :

-          Pros :

o   Permit easy filtering

o   Permit to use a common NLRI for multiple interfaceset if action is the same

-          Cons :

o   But requires ADDPATH as soon as action is different for each interfaceset

NLRI approach :

-          Pros :

o   Do not require ADDPATH, may be permit an easier reading. Interfaceset is more a “match-like”

-          Cons :

o   Filtering requires more advanced policy matching

o   Requires multiple NLRIs if we want to apply the same matching/actions to different interfaceset


These pros/cons may not be exhaustive, so please comment and raise your point regarding the approach we need to take.

Thanks a lot !


[Orange logo]<http://www.orange.com/>

Stephane Litkowski
Network Architect
Orange/SCE/EQUANT/IBNF/ENDD/NDE
Orange Expert Future Networks
phone: +33 2 23 28 49 83 <https://monsi.sso.francetelecom.fr/index.asp?target=http%3A%2F%2Fclicvoice.sso.francetelecom.fr%2FClicvoiceV2%2FToolBar.do%3Faction%3Ddefault%26rootservice%3DSIGNATURE%26to%3D+33%202%2023%2028%2049%2083%20>
mobile: +33 6 37 86 97 52 <https://monsi.sso.francetelecom.fr/index.asp?target=http%3A%2F%2Fclicvoice.sso.francetelecom.fr%2FClicvoiceV2%2FToolBar.do%3Faction%3Ddefault%26rootservice%3DSIGNATURE%26to%3D+33%206%2037%2086%2097%2052%20>
stephane.litkowski@orange.com<mailto:stephane.litkowski@orange.com>



_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email