Re: [Idr] New draft submitted: draft-loibl-bacher-idr-flowspec-clarification

Robert Raszuk <robert@raszuk.net> Tue, 23 August 2016 12:54 UTC

To: Christoph Loibl <c@tix.at>, martin.bacher@t-mobile.at
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/NP2rO85YSLAM_hfmhumXyePnHhg>
Cc: idr wg <idr@ietf.org>
Subject: Re: [Idr] New draft submitted: draft-loibl-bacher-idr-flowspec-clarification

Dear Christoph and Martin,

Thank you very much for coming up with this document. Indeed it may help
avoid some misinterpretation of the intention of RFC5575 by implementors.

I agree with all comments provided, perhaps excluding those proposed in
section 5.

The overall intention of validation was to make sure that the originator of
a given unicast prefix (and here it means at any point of time) is authorized
to inject a filter for it.

There are a few cases of course to consider ... and really it also depends
on how strongly an ISP implements, say, origin validation or other forms of
BGPsec.

If I can trust that all paths for a given prefix are valid, it should be
sufficient to only validate the flow spec NLRI against any path present in the
BGP table for it, checking, say, that the left-most value of the AS_PATH
attribute or the originator is the same in the unicast and flow spec routes.

While I realize that 5575 says "best-match", while we are at clarifying it
maybe we should discuss this more.

Similarly, many operators use flow-spec only within their own ASes, and by
default the first thing they do is disable validation altogether. If we want
to promote use of flow spec inter-AS, maybe we should also account for that
local use case and by spec relax the validation altogether for it.

Another debate is whether this should be enforced only at the EBGP boundary or
also at IBGP ...

Bottom line: we want to prevent ACL churn on the router in the event of
best path changes.

To summarize, if you ever ask for WG acceptance I am in full support of
this work.

Cheers,
Robert.
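Added example, not part of this message, of the draft, or of RFC 5575 text: a toy Python model of the strict "best-match" originator check versus the any-path relaxation discussed above, counting how often the validation verdict (and hence the installed ACL) changes when the best path flips between two equally valid paths. The prefix, AS numbers and RIB contents are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class UnicastPath:
    prefix: str         # destination prefix
    originator: int     # AS the unicast path was learned from
    as_path: List[int]  # AS_PATH, left-most (most recent) AS first
    best: bool = False  # is this the current best path?

@dataclass
class FlowspecRoute:
    dest_prefix: str    # destination prefix component of the flowspec NLRI
    originator: int     # AS the flowspec route was learned from

def best_match_valid(fs: FlowspecRoute, rib: List[UnicastPath]) -> bool:
    """Strict reading of the RFC 5575 "best-match" rule: the flowspec originator
    must equal the originator of the current best unicast path for the prefix."""
    for p in rib:
        if p.prefix == fs.dest_prefix and p.best:
            return p.originator == fs.originator
    return False

def any_path_valid(fs: FlowspecRoute, rib: List[UnicastPath]) -> bool:
    """Relaxed policy from the message: any unicast path for the prefix whose
    originator or left-most AS_PATH value matches the flowspec originator."""
    return any(p.prefix == fs.dest_prefix and
               fs.originator in (p.originator, p.as_path[0] if p.as_path else None)
               for p in rib)

def make_rib() -> List[UnicastPath]:
    """Constructed sample RIB: one prefix, two equally valid paths via two ASes."""
    return [UnicastPath("192.0.2.0/24", 64496, [64496, 64500], best=True),
            UnicastPath("192.0.2.0/24", 64497, [64497, 64500])]

def acl_churn(fs: FlowspecRoute, rib: List[UnicastPath],
              policy: Callable[[FlowspecRoute, List[UnicastPath]], bool],
              flips: int) -> int:
    """Flip the best path between the two paths `flips` times and count how often
    the validation verdict changes, i.e. how often the ACL would be installed or
    withdrawn purely because of a best path change."""
    paths = [p for p in rib if p.prefix == fs.dest_prefix]
    a, b = paths[0], paths[1]
    verdicts = []
    for i in range(flips):
        a.best, b.best = (i % 2 == 0), (i % 2 == 1)
        verdicts.append(policy(fs, rib))
    return sum(1 for x, y in zip(verdicts, verdicts[1:]) if x != y)

FS = FlowspecRoute("192.0.2.0/24", 64496)  # flowspec learned from AS 64496

if __name__ == "__main__":
    print("best-match churn:", acl_churn(FS, make_rib(), best_match_valid, 4))  # 3
    print("any-path churn:  ", acl_churn(FS, make_rib(), any_path_valid, 4))    # 0
```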


On Tue, Aug 23, 2016 at 2:08 PM, Christoph Loibl <c@tix.at> wrote:

> Hi,
>
> We submitted a new draft and are happy to receive feedback:
>
> Since interoperability is key to a flowspec Internet deployment, we tried
> to clarify the ambiguous parts of the flowspec RFC 5575 in order to allow a
> consistent implementation by equipment vendors.
>
> Title: draft-loibl-bacher-idr-flowspec-clarification
>
> https://datatracker.ietf.org/doc/draft-loibl-bacher-idr-flowspec-clarification/
>
> The reason for this draft submission is that we recently performed a
> rather large flowspec interop test (the main goal was to evaluate possible
> inter-AS flowspec scenarios in a multi-vendor environment) and discovered
> many bugs and vendor interop problems that we want to solve.
>
> Unfortunately we currently cannot share all our findings in a test report,
> because we hit some serious bugs that have (under some circumstances) the
> potential to remotely melt down entire networks, and we are working with the
> vendors to get the bugs fixed.
>
> Christoph
>
> --
> Christoph Loibl
> c@tix.at | CL8-RIPE | PGP-Key-ID: 0x4B2C0055 | http://www.nextlayer.at