Re: [Idr] 答复: New Version Notification for draft-liang-idr-flowspec-orf-00.txt
Robert Raszuk <robert@raszuk.net> Tue, 02 June 2015 09:18 UTC
Return-Path: <rraszuk@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B894E1B29D8 for <idr@ietfa.amsl.com>; Tue, 2 Jun 2015 02:18:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.977
X-Spam-Level:
X-Spam-Status: No, score=-0.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x3ADF5-b9THO for <idr@ietfa.amsl.com>; Tue, 2 Jun 2015 02:18:51 -0700 (PDT)
Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6098C1B29D3 for <idr@ietf.org>; Tue, 2 Jun 2015 02:18:51 -0700 (PDT)
Received: by wibut5 with SMTP id ut5so62677961wib.1 for <idr@ietf.org>; Tue, 02 Jun 2015 02:18:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=yhdRsSacub6GoI3DmJswGA6wI4l8ygmSYlgwvReFLkM=; b=UoIdn0rlHXpnOhQswcNyk1T65/hr4IpSqknBIJI3o+VkhhTu+xPXeU++FAxNYUW/cR yBoip1/VKBoXmcTpnpEZysojlXK4G3i1Jklb9SKBtA+Qtl53uVb2L55o9DMM629rLQQi zqVpO0tbCeakAmmkkM4kWCH6xb36L9E2E8Put7i1aXvAr3Ed4PhvzwEZR97PEWPcdEQW ZX3MLuzve0DTSIceMLjiU+QaMTuGn3dXFQ7iNv/ki3evJRuYzgPTyA6PmzCbLcPWoipy GZdWW5AZjgExPbtdQ1HXE1oMZwtS8YWMNv9aKq1TV55f3VIaShIczEGbtnliXBEtPbja RbfQ==
MIME-Version: 1.0
X-Received: by 10.180.91.107 with SMTP id cd11mr27937173wib.51.1433236730077; Tue, 02 Jun 2015 02:18:50 -0700 (PDT)
Sender: rraszuk@gmail.com
Received: by 10.28.4.81 with HTTP; Tue, 2 Jun 2015 02:18:49 -0700 (PDT)
In-Reply-To: <FCA9153F864C2646BE37F183391FCADDD3CB99@nkgeml502-mbs.china.huawei.com>
References: <20150530055345.15364.12184.idtracker@ietfa.amsl.com> <DD5FC8DE455C3348B94340C0AB5517334F86E8E4@nkgeml501-mbs.china.huawei.com> <CA+b+ER=oDMSkysWAXVO0z9_H-rM2di6irzVW8VQxD6NThWLmEw@mail.gmail.com> <FCA9153F864C2646BE37F183391FCADDD3CB99@nkgeml502-mbs.china.huawei.com>
Date: Tue, 02 Jun 2015 11:18:49 +0200
X-Google-Sender-Auth: _3cMo5S7s6t-goMc_J0XZLjfs1E
Message-ID: <CA+b+ER=EjDF9PENJKqYXwgxLZJtuWxMT+cwyj16KDnf24-okaQ@mail.gmail.com>
From: Robert Raszuk <robert@raszuk.net>
To: Liangqiandeng <liangqiandeng@huawei.com>
Content-Type: multipart/alternative; boundary="f46d043bdf742cfe660517856eed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/idr/Mn9EvMoesrgxbDgDnIP4FKCAd9g>
Cc: "idr@ietf.org" <idr@ietf.org>
Subject: Re: [Idr] 答复: New Version Notification for draft-liang-idr-flowspec-orf-00.txt
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2015 09:18:53 -0000
> > maybe it' better to establish BGP session between the ASBRs from different > sites for disseminating their FlowSpec rules to each other. > Maybe it is better though completely not practical to recommend web of eBGP multihop sessions between peers which do not know each other and have no peering agreements. Moreover notice that in such case for validation purposes unicast traffic would also need to be send over such direct peering what in turn means that it would have to be encapsulated. 2.Actually,our draft doesn't oppose the validation procedures as described > in section 6 of RFC5575, > I commented on your example where you say that flow would go to ASBR1. It would not if you validate it. should support. In this case we think the FlowSpec-ORF is valuable. > ORF in general is about pushing your inbound filter to a peer. Here we are talking about installing inbound filters for flow spec routes and pushing it to a peer. How do you know what to reject if the flow information is dynamic by nature .. created upon detection of DDoS ? I am having problem envisioning a scenario that some of my peers push me ORF stating "I do not want to hear of flow spec routes from you which: - contain match on port XX - contain match on SRC/DST address x.x.x.x - contain action drop etc" That way flow spec effectiveness for DDoS is reduced significantly. Best, r. > > > > > *发件人:* Idr [mailto:idr-bounces@ietf.org] *代表 *Robert Raszuk > *发送时间:* 2015年5月30日 17:25 > *收件人:* Haoweiguo; Qiandeng Liang > *抄送:* idr@ietf.org > *主题:* Re: [Idr] New Version Notification for > draft-liang-idr-flowspec-orf-00.txt > > > > Hello Weiguo, > > > > Hi All, > A new draft of "BGP FlowSpec Outbound Route Filter" was proposed. > Your comments and suggestions are appreciated. > > Thanks, > weiguo > > > > > > Let me provide few comments why I think this work should be rather > abandoned right at its -00 version: > > > > > > section 3.1 Figure 1 > > > > "Therefore, ASBR2 can send to ASBR1 a set of FlowSpec-ORF > > that can be used by ASBR1 to filter its outbound FlowSpec rules to > > ASBR2." > > > > - The above would result in dropping part of the flow descriptions between > ASBR 1 and ASBR 2 such that neither ASBR 3 nor ASBR 4 would be able to ever > receive it. Note that ASBR 2 may act only as transit and may not be willing > to enable foregin filtering in their data plane at all. However it should > have not limit it to carry BGP control plane SAFI 133 or 134 to the > legitimate peers. So pushing Flow Spec ORF from ASBR 2 to ASBR 1 would be > counterproductive. > > > > > > section 3.1 Figure 2 > > > > "Furthermore, ASBR2 and ASBR3 will distribute the FlowSpec rules to > > ASBR1 and ASBR4 respectively." > > > > > > - Sending FlowSpec information to ASBR1 would be acting against validation > procedures as described in section 6 of RFC5575 which say: > > > > "A flow specification NLRI must be validated such that it is > > considered feasible if and only if: > > > > a) The originator of the flow specification matches the originator of > > the best-match unicast route for the destination prefix embedded > > in the flow specification." > > > > > > Summary: > > > > I think we should not suppress propagation of filtering rules in BGP > control plane provided they are legitimate (ie. pass validation procedure) > just based on cherry picking on the match or actions criteria they contain. > > > > Practically amount and churn of the amount of flow spec information would > be rather in white noise levels compared to what BGP should be ready to > carry. > > > > However if one would like to limit those other already available tools > could be used: longer MRAI timer, dedicated BGP session for SAFI 133/134 > with different input processing, FS NLRI dampening etc ... > > > > > > Regards, > > r. > > >
- Re: [Idr] New Version Notification for draft-lian… Haoweiguo
- Re: [Idr] New Version Notification for draft-lian… Robert Raszuk
- [Idr] 答复: New Version Notification for draft-lian… Liangqiandeng
- Re: [Idr] 答复: New Version Notification for draft-… Robert Raszuk
- Re: [Idr] 答复: New Version Notification for draft-… Haoweiguo
- Re: [Idr] 答复: New Version Notification for draft-… Jeffrey Haas
- [Idr] 答复: 答复: New Version Notification for draft-… Liangqiandeng