[Idr] 答复: New Version Notification for draft-liang-idr-flowspec-orf-00.txt
Liangqiandeng <liangqiandeng@huawei.com> Tue, 02 June 2015 01:47 UTC
Return-Path: <liangqiandeng@huawei.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8883E1A882F for <idr@ietfa.amsl.com>; Mon, 1 Jun 2015 18:47:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.91
X-Spam-Level:
X-Spam-Status: No, score=-3.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vRIsBWJr6lY6 for <idr@ietfa.amsl.com>; Mon, 1 Jun 2015 18:47:12 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98CAC1A8835 for <idr@ietf.org>; Mon, 1 Jun 2015 18:47:11 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml406-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BWV05037; Tue, 02 Jun 2015 01:47:10 +0000 (GMT)
Received: from NKGEML402-HUB.china.huawei.com (10.98.56.33) by lhreml406-hub.china.huawei.com (10.201.5.243) with Microsoft SMTP Server (TLS) id 14.3.158.1; Tue, 2 Jun 2015 02:47:08 +0100
Received: from NKGEML502-MBS.china.huawei.com ([169.254.4.78]) by nkgeml402-hub.china.huawei.com ([10.98.56.33]) with mapi id 14.03.0158.001; Tue, 2 Jun 2015 09:46:57 +0800
From: Liangqiandeng <liangqiandeng@huawei.com>
To: Robert Raszuk <robert@raszuk.net>
Thread-Topic: [Idr] New Version Notification for draft-liang-idr-flowspec-orf-00.txt
Thread-Index: AQHQmrqEJnpT9T8FmkyQj6jDNTAuEZ2Ydg2g
Date: Tue, 02 Jun 2015 01:46:57 +0000
Message-ID: <FCA9153F864C2646BE37F183391FCADDD3CB99@nkgeml502-mbs.china.huawei.com>
References: <20150530055345.15364.12184.idtracker@ietfa.amsl.com> <DD5FC8DE455C3348B94340C0AB5517334F86E8E4@nkgeml501-mbs.china.huawei.com> <CA+b+ER=oDMSkysWAXVO0z9_H-rM2di6irzVW8VQxD6NThWLmEw@mail.gmail.com>
In-Reply-To: <CA+b+ER=oDMSkysWAXVO0z9_H-rM2di6irzVW8VQxD6NThWLmEw@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.135.113.180]
Content-Type: multipart/alternative; boundary="_000_FCA9153F864C2646BE37F183391FCADDD3CB99nkgeml502mbschina_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <http://mailarchive.ietf.org/arch/msg/idr/MMxPQ7WL5b3u7e0m34j5L_Dmt5o>
Cc: "idr@ietf.org" <idr@ietf.org>
Subject: [Idr] 答复: New Version Notification for draft-liang-idr-flowspec-orf-00.txt
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2015 01:47:15 -0000
Thanks for your comments. My replies are as follows: 1. While disseminating FlowSpec rules among different provider's networks, it's reasonable to do some defensive policy to limit installing or disseminating the injected FlowSpec rules for security consideration. Both dropping or transiting the illegal injected FlowSpec rules are acceptable choices. As in the Scenario 1 shown by Figure 1, if a customer hopes to disseminate a FlowSpec rule between its different sites, without any restriction of the provider network, maybe it' better to establish BGP session between the ASBRs from different sites for disseminating their FlowSpec rules to each other. 2.Actually,our draft doesn't oppose the validation procedures as described in section 6 of RFC5575, the RFC checks whether a FlowSpec rule is valid for installing in the local FIB, while the FlowSpec-ORF only checks whether a FlowSpec rule should be disseminated to a specific BGP Peer. In current FlowSpec deployment practice, there are only some small-scale deployments, single BGP router maybe supports no more than 64k FlowSpec rules. But the FlowSpec rule can be used as flow classifier and flow policy container for fine flow regulating, so there will be more than one million FlowSpec rules(for example flows described by source and destination ip prefix) that a single routing should support. In this case we think the FlowSpec-ORF is valuable. 发件人: Idr [mailto:idr-bounces@ietf.org] 代表 Robert Raszuk 发送时间: 2015年5月30日 17:25 收件人: Haoweiguo; Qiandeng Liang 抄送: idr@ietf.org 主题: Re: [Idr] New Version Notification for draft-liang-idr-flowspec-orf-00.txt Hello Weiguo, Hi All, A new draft of "BGP FlowSpec Outbound Route Filter" was proposed. Your comments and suggestions are appreciated. Thanks, weiguo Let me provide few comments why I think this work should be rather abandoned right at its -00 version: section 3.1 Figure 1 "Therefore, ASBR2 can send to ASBR1 a set of FlowSpec-ORF that can be used by ASBR1 to filter its outbound FlowSpec rules to ASBR2." - The above would result in dropping part of the flow descriptions between ASBR 1 and ASBR 2 such that neither ASBR 3 nor ASBR 4 would be able to ever receive it. Note that ASBR 2 may act only as transit and may not be willing to enable foregin filtering in their data plane at all. However it should have not limit it to carry BGP control plane SAFI 133 or 134 to the legitimate peers. So pushing Flow Spec ORF from ASBR 2 to ASBR 1 would be counterproductive. section 3.1 Figure 2 "Furthermore, ASBR2 and ASBR3 will distribute the FlowSpec rules to ASBR1 and ASBR4 respectively." - Sending FlowSpec information to ASBR1 would be acting against validation procedures as described in section 6 of RFC5575 which say: "A flow specification NLRI must be validated such that it is considered feasible if and only if: a) The originator of the flow specification matches the originator of the best-match unicast route for the destination prefix embedded in the flow specification." Summary: I think we should not suppress propagation of filtering rules in BGP control plane provided they are legitimate (ie. pass validation procedure) just based on cherry picking on the match or actions criteria they contain. Practically amount and churn of the amount of flow spec information would be rather in white noise levels compared to what BGP should be ready to carry. However if one would like to limit those other already available tools could be used: longer MRAI timer, dedicated BGP session for SAFI 133/134 with different input processing, FS NLRI dampening etc ... Regards, r.
- Re: [Idr] New Version Notification for draft-lian… Haoweiguo
- Re: [Idr] New Version Notification for draft-lian… Robert Raszuk
- [Idr] 答复: New Version Notification for draft-lian… Liangqiandeng
- Re: [Idr] 答复: New Version Notification for draft-… Robert Raszuk
- Re: [Idr] 答复: New Version Notification for draft-… Haoweiguo
- Re: [Idr] 答复: New Version Notification for draft-… Jeffrey Haas
- [Idr] 答复: 答复: New Version Notification for draft-… Liangqiandeng