IETF Logo Mail Archive

Re: [Idr] update proposal to draft-ietf-idr-rfc5575bis-14

ERCIN TORUN <ercin.torun@turkcell.com.tr> Fri, 10 May 2019 07:23 UTC

Return-Path: <ercin.torun@turkcell.com.tr>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1A76120178 for <idr@ietfa.amsl.com>; Fri, 10 May 2019 00:23:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.587
X-Spam-Level:
X-Spam-Status: No, score=-2.587 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NO_DNS_FOR_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1NQ_jJfxJ2vP for <idr@ietfa.amsl.com>; Fri, 10 May 2019 00:23:19 -0700 (PDT)
Received: from smtp1.turkcell.com.tr (smtp1.turkcell.com.tr [212.252.168.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6ED05120125 for <idr@ietf.org>; Fri, 10 May 2019 00:22:57 -0700 (PDT)
Received: from smtp1.turkcell.com.tr (unknown [10.218.130.47]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by Forcepoint Email with ESMTPS id E49BA2EACBB4658F52B3; Fri, 10 May 2019 10:22:39 +0300 (+03)
Received: from GXMB3.turkcell.entp.tgc (10.218.130.32) by GXED4.turkcell.com.tr (10.218.130.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1466.3; Fri, 10 May 2019 10:22:03 +0300
Received: from GXMB13.turkcell.entp.tgc (10.218.130.42) by GXMB3.turkcell.entp.tgc (10.218.130.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1713.5; Fri, 10 May 2019 10:22:39 +0300
Received: from GXMB13.turkcell.entp.tgc ([fe80::cc02:3f65:e073:e667]) by GXMB13.turkcell.entp.tgc ([fe80::cc02:3f65:e073:e667%28]) with mapi id 15.01.1713.004; Fri, 10 May 2019 10:22:39 +0300
From: ERCIN TORUN <ercin.torun@turkcell.com.tr>
To: Christoph Loibl <c@tix.at>, "Jakob Heitz (jheitz)" <jheitz@cisco.com>, Robert Raszuk <robert@raszuk.net>
CC: "idr@ietf.org" <idr@ietf.org>
Thread-Topic: [Idr] update proposal to draft-ietf-idr-rfc5575bis-14
Thread-Index: AdUGXHTzplGDl0iZSU++Kkdbu+geogAD/MmAAAjnlIAAAJvegAADwWyAABY539A=
Date: Fri, 10 May 2019 07:22:39 +0000
Message-ID: <1355fad118884baaa5ee6a15ea865179@turkcell.com.tr>
References: <d0255cf9976644d7a29b11f2fc68fa98@turkcell.com.tr> <CAOj+MMEeAW+cp3+nbo1UvZvg=zhmoYuRAooLpoCwUtM=c3qYew@mail.gmail.com> <BYAPR11MB3751AD010F84D24B84591A32C0330@BYAPR11MB3751.namprd11.prod.outlook.com> <CAOj+MMFC=ow7hjtDkFn=ZVOyVHDEuAD8GJQ1nNkOHFxAZPo_Ug@mail.gmail.com> <45903917-F08E-47ED-BCA0-46530D63ED16@tix.at>
In-Reply-To: <45903917-F08E-47ED-BCA0-46530D63ED16@tix.at>
Accept-Language: tr-TR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.218.130.4]
Content-Type: multipart/alternative; boundary="_000_1355fad118884baaa5ee6a15ea865179turkcellcomtr_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/Miq1iQjCNKdMVXhMOmEoBfyi6pI>
Subject: Re: [Idr] update proposal to draft-ietf-idr-rfc5575bis-14
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 May 2019 07:23:49 -0000

Hello Christoph, Jakob, Robert,

We wanted to filter DDOS attacks happening inside our AS , attacks from customers to customers, so my idea is not related to MPLS VPN or filtering a DDOS attack coming from a transit provider. Customers layer3 connections are terminated on around 600 routers today, which will increase when we push down layer3 terminations further into the edge.

As Christoph mentioned solution eases the configuration by taking out manual configuration (assuming a DDOS analyzer could analyze the origin interface/router of the attack  and insert BGP router id into FS routes) and lessens the filter load on routers. We are not using FS today for attacks happening inside our AS, i came up with the idea what if we start using it.

I found a use case for BGP FS, might be useful for other SAFIs as well as Robert wrote. But yes it is also possible having such a functionality with local enhancement (hopefully on major router vendors).

Regards
Erçin TORUN
From: Christoph Loibl <c@tix.at>
Sent: Friday, May 10, 2019 1:58 AM
To: ERCIN TORUN <ercin.torun@turkcell.com.tr>
Cc: Jakob Heitz (jheitz) <jheitz@cisco.com>; Robert Raszuk <robert@raszuk.net>; idr@ietf.org
Subject: Re: [Idr] update proposal to draft-ietf-idr-rfc5575bis-14

Hi Erçin, Robert, Jakob,

From Erçin’s mail I understand that he wants his routers to accept FS routes only if the receiving router_id is encoded in the RT (MPLS is mentioned in the mail but I think what Erçin suggests has nothing to do with MPLS VPN). Erçin also points out that the same functionality can already be achieved by tagging the FS-prefix with a specific community (or whatever available) and have the router's bgp policy-framework select/filter the (non-)appropriate FS filters (or even have the route-reflectors do the filtering. btw. when it comes to RRs the suggested solution also seems a litte more tricky).

The suggested solution eases the configuration in your specific use-case since you do not need to manually (I doubt that you are doing that manually anyway - given the scale of the deployment that you describe) those policies anymore.

However, I agree with what Robert wrote in his last mail:

This is *not* a problem to solve specifically for FS. For example you may want to have a router import an IP unicast route only in case the router_id matches some extended community - why does it need to go into FS? It could be useful for other SAFIs as well! It may need additional considerations because of BGP route propagation and scaling (route reflection, but also propagation over multiple routing domains). On the other hand, since it can be achieved with configuration already: Does this really need to go into BGP?

Cheers Christoph

--
Christoph Loibl
c@tix.at<mailto:c@tix.at> | CL8-RIPE | PGP-Key-ID: 0x4B2C0055 | http://www.nextlayer.at



On 09.05.2019, at 21:10, Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>> wrote:

Hey Jakob,

I am assuming he is using MPLS fabric for a reason ... One most likely reason could be L3VPN :) Otherwise what would be the point to use MPLS to start with ? Basic hierarchical routing ? And even for L3VPN MPLS in transport layer. It is also not needed for isolating underlay from overlay tenants routes.

Regardless as you know RTs do apply for any SAFI not just 128.

The only point is sort of automation to router_id filtering ... I guess an implementation can support it for any SAFI as well with an extra knob. That would not be specific to flow-spec by just a vendor's local enhancement.

As you know FlowSpec's main role was to prevent DDoS. With that you never know on which ASBR your distributed attacks arrive so pushing filters to only subset of them is a questionable. If you have 10s or 100s of ASBRs you would need now to apply long list of matching RTs.

The solution is not backwards compatible as current routers unless upgraded with new knob would accept all filters anyway. I hope no one wants this to be active by default as it would kill RFC5575 and turn FlowSpec to NetConf.

If you want to limit the filters only to ASBRs maybe some more generic RT needs to be defined - say "apply only on EBGP speakers" ?

Overall abuse of FlowSpec seems to continue. P2MP distributed nature of BGP propagation keeps being used as P2P config push protocol. I am just not sure when such use cases will stop popping up left and right.

Best,
R.


On Thu, May 9, 2019 at 10:52 PM Jakob Heitz (jheitz) <jheitz@cisco.com<mailto:jheitz@cisco.com>> wrote:
Robert,

Section 8 applies to VPNv4 flow spec.

I see two differences in Ercin's proposal.
First, it is for IP Flow Spec, rather than for VPN
Second, the IPv4 address in the RT matches with the router-id.
This avoids the requirement to allocate and manage another identifier to match the RT.
that is an operational advantage.

I support Ercin's proposal.

Regards,
Jakob.

From: Idr <idr-bounces@ietf.org<mailto:idr-bounces@ietf.org>> On Behalf Of Robert Raszuk
Sent: Thursday, May 9, 2019 9:38 AM
To: ERCIN TORUN <ercin.torun@turkcell.com.tr<mailto:ercin.torun@turkcell.com.tr>>
Cc: idr@ietf.org<mailto:idr@ietf.org>
Subject: Re: [Idr] update proposal to draft-ietf-idr-rfc5575bis-14

Hi Ercin,

What you are asking/proposing has been standardized in the original RFC5575 already many years ago.

Please see section 8 specifically this paragraph:


   Propagation of this NLRI is controlled by matching Route Target

   extended communities associated with the BGP path advertisement with

   the VRF import policy, using the same mechanism as described in "BGP/

   MPLS IP VPNs" [RFC4364<https://tools.ietf.org/html/rfc4364>] ..

Thx,
Robert.


On Thu, May 9, 2019 at 2:04 PM ERCIN TORUN <ercin.torun@turkcell.com.tr<mailto:ercin.torun@turkcell.com.tr>> wrote:
Hello All,

My name is Ercin TORUN<https://tr.linkedin.com/in/ercintorun> and I’m working in Turkcell Turkey (35M-mobile/2M-fixed customer, +digital services) as an IP/MPLS Network Planning Engineer.  I would like to propose an update to draft-ietf-idr-rfc5575bis-14<https://tools.ietf.org/html/draft-ietf-idr-rfc5575bis-14>.

By default all flowspec entries (filters..) are applied to all routers, and unnecessary application of many filters can easily owerwhelm the capacity of routers resources (e.g. TCAM). We are pushing layer3 to the edges with solutions like seamless-mpls or leaf-spine next-generation DC topologies which widens the layer3 domain easily over thousands of devices. It is best to filter “dirty” traffic where it first enters a network. There are ways to accept BGP announcements only on the targeted router, like defining a community for each router and configuring policies, but an automated way would be much more easier and less error-prone. Our idea is using a route-taget to match with BGP Identifier so that only the targeted router might accept the announcement.

All in all, I propose to add below text to draft-ietf-idr-rfc5575bis-14<https://tools.ietf.org/html/draft-ietf-idr-rfc5575bis-14>

“   In a common use case, it is necessary to apply a filter to one or a few
   routers and to apply many different filters to many different routers.
   By default, all filters are applied to all routers. In this use case,
   the unnecessary application of the many filters can easily overwhelm
   the capacity of the routers. To simplify this use case,
   route-targets may be used to apply the filters to only the needed routers:

   If one or more IPv4-Address-Specific route-targets are present, then
   the IPv4 address of at least one route-
   target MUST match one of the BGP Identifiers of the receiver in order
   for the update to be accepted.
“

Regards
Erçin TORUN


[http://www.turkcell.com.tr/downloads/bireysel/img/Tcelldis.gif]<https://ddei3-0-ctp.trendmicro.com/wis/clicktime/v1/query?url=http%3a%2f%2fturkcell.li%2fiyaani&umid=5622DB31-887C-6405-8A8A-F4F39CC5B127&auth=54639621fcdd7e0f42d2a208112da27408386c06-40e6138ba459538902ecd8e663e8f2bd2fd3d7f4>
Bu elektronik posta ve onunla iletilen butun dosyalar sadece gondericisi tarafindan almasi amaclanan yetkili gercek ya da tuzel kisinin kullanimi icindir. Eger soz konusu yetkili alici degilseniz bu elektronik postanin icerigini aciklamaniz, kopyalamaniz, yonlendirmeniz ve kullanmaniz kesinlikle yasaktir ve bu elektronik postayi derhal silmeniz gerekmektedir.
TURKCELL bu mesajin icerdigi bilgilerin doğruluğu veya eksiksiz oldugu konusunda herhangi bir garanti vermemektedir. Bu nedenle bu bilgilerin ne sekilde olursa olsun iceriginden, iletilmesinden, alinmasindan ve saklanmasindan sorumlu degildir. Bu mesajdaki gorusler yalnizca gonderen kisiye aittir ve TURKCELLin goruslerini yansitmayabilir
Bu e-posta bilinen butun bilgisayar viruslerine karsi taranmistir.
________________________________
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient you are hereby notified that any dissemination, forwarding, copying or use of any of the information is strictly prohibited, and the e-mail should immediately be deleted.
TURKCELL makes no warranty as to the accuracy or completeness of any information contained in this message and hereby excludes any liability of any kind for the information contained therein or for the information transmission, reception, storage or use of such in any way whatsoever. The opinions expressed in this message belong to sender alone and may not necessarily reflect the opinions of TURKCELL..
This e-mail has been scanned for all known computer viruses.
_______________________________________________
Idr mailing list
Idr@ietf.org<mailto:Idr@ietf.org>
https://www.ietf.org/mailman/listinfo/idr
_______________________________________________
Idr mailing list
Idr@ietf.org<mailto:Idr@ietf.org>
https://www.ietf.org/mailman/listinfo/idr

v2.23.0 | Report a Bug | By Email