Re: [Idr] I-D Action: draft-ietf-idr-flowspec-l2vpn-09.txt

Donald Eastlake <d3e3e3@gmail.com> Tue, 01 October 2019 15:37 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A414012095D for <idr@ietfa.amsl.com>; Tue, 1 Oct 2019 08:37:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kp-qeW165Dfl for <idr@ietfa.amsl.com>; Tue, 1 Oct 2019 08:37:27 -0700 (PDT)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9293912095C for <idr@ietf.org>; Tue, 1 Oct 2019 08:37:27 -0700 (PDT)
Received: by mail-io1-xd35.google.com with SMTP id v2so48988869iob.10 for <idr@ietf.org>; Tue, 01 Oct 2019 08:37:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=DVUh6t8auvytWrxUp9JX7J2okZcGgycmbrlRkuMpfmE=; b=gbYp6Cq5SXKTLV9oehlul5XPq3FePZjkHaa4fdJ7z/4yD9DqF5dmgEAZTlgSvsRIE8 Bcr8UlFFJ6aUnLb60fIoyAFnqR+cvCyXreA2qlsHnSJWd9Zfow7FWd+1czkDdQMUXjjS NzSI6x7LdMjiN01Se2VDUQ5u8I9v+nS053zm37crznsE+3RIjzZi2yT8UkxQT71fb/Hs d5ysH1VwLMoOIOz3YiHbFHWYtZUjPWPOhHlH1TvB52IGfW1OoaA5p2lkCQpvIcmsgBxg uvU33Zs0f6X0WPm6r1vfhrszXVc+NCs+f/ejZ2yuGLAqE6fZABNAV4K9PoMUlejIT0At kcSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=DVUh6t8auvytWrxUp9JX7J2okZcGgycmbrlRkuMpfmE=; b=ayfNkJAhoh08W/D0PhB4KwGZ2SStu8JgLdVFQuopU6mtbrDcyiQUTi+hD1dKxigVUP t5zlP8CZ86IJvKi6fKtyPad4WIFtCl2VEXv+Fa6csD6GN1FtUyi/xPRpiWTyC3tit2+f 6NJNbwFqUVsMmrdLO9BWha3fQmhmU9K2dcfVfdcyhaukd1shXh8FONC04SPI/9me71ee 69ffV5IPRl4yRMcGLwJj73h95S7HHVDpIlRCqsNnDrkYMzfxdl6JLOkruSUtIMFU/VXL r796IExLAwt/WQeQIOwH+CSj8I45DwJX1xlXKtzme8C0h8tdFvm5Lu3VSdxTzeJvim4Y SDKw==
X-Gm-Message-State: APjAAAXM5Gld8AsuVdfWPe/eFIDf2443obdt63o4duJy7Wal42WQjg/x 0b5wb6Q2wlpzAn3HYzeD3Qx6XctPp7QPGvoCOKYx+P4GDAM=
X-Google-Smtp-Source: APXvYqztfqXfv7cWkoQ66itibqrMEai6nBFufkigp2ItjZ6adS01zyUt/kT1s+cNZgJX0HBLEa+Z9SLrlFelmx152NA=
X-Received: by 2002:a6b:6d08:: with SMTP id a8mr26029138iod.40.1569944246749; Tue, 01 Oct 2019 08:37:26 -0700 (PDT)
MIME-Version: 1.0
References: <154650798507.29744.11843661823190688795@ietfa.amsl.com> <CAOj+MMGPmUs4fAzDEwhq4z47r=TK78Kk-6Tp+KMHS0K4O=VdGg@mail.gmail.com> <CAF4+nEHwwPNL4cmXH-TMhL3xnT3LGiP-hWov-YCf=h4B-+N7QQ@mail.gmail.com> <CAOj+MMFQbY3WY9jYSLVXMUvOVMGzOCd1LsFKJupPM0W_3oFJDQ@mail.gmail.com> <CAF4+nEG4=0ew=ZzjaxT9ignbKeA3CgLBwhLp2mteQLfaBLh7VQ@mail.gmail.com> <CAOj+MMGwpUhspjxNiUiqoMnrpVnyyFTwGLTdPzpJNpzjL-vURA@mail.gmail.com>
In-Reply-To: <CAOj+MMGwpUhspjxNiUiqoMnrpVnyyFTwGLTdPzpJNpzjL-vURA@mail.gmail.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 1 Oct 2019 11:37:08 -0400
Message-ID: <CAF4+nEE04GbuHHdKerS8PnX_RiBSGf5NQcdL=HvY8AFBObpMDA@mail.gmail.com>
To: Robert Raszuk <robert@raszuk.net>
Cc: "idr@ietf. org" <idr@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/NQdGaEZQl2bh7YTdXEIZvVeFGkc>
Subject: Re: [Idr] I-D Action: draft-ietf-idr-flowspec-l2vpn-09.txt
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Oct 2019 15:37:30 -0000

Hi Robert,

On Mon, Sep 30, 2019 at 5:16 AM Robert Raszuk <robert@raszuk.net> wrote:
>
> Hi Donald,
>
> > You have expressed your opinion very clearly but I don't see
> > why it is so bad to replace "VPNv4" with "VPN" rather than "L3VPN"
> > given that the IANA registry has to change anyway.
>
> The difference is (well at least to me) fundamental. Match criteria which are more or less the same for IP L3 layer are completely different for L2 layer so IMO it makes sense to keep them separate.

I agree that L3 and L2 are different :-)

I also agree the different kinds of flowspec should be kept separate.
But I think they are separated by AFI/SAFI pair. I don't see what
AFI=25/SAFI=134 could possibly mean but L2VPN flowspec -- it's quite
clear and unambiguous. And SAFIs are at least a somewhat limited
resource. So I still don't understand why it is worthwhile to burn a
new SAFI for L2VPN flowspec that will then only ever be used with
AFI=25. Of course, if there is working group consensus to make that
change, then I guess I don't need to understand it...

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 1424 Pro Shop Court, Davenport, FL 33896 USA
 d3e3e3@gmail.com

> Also I am not stating that the work should not move on if there is real requirement to extend flow spec for filtering L2 VPNs. Asking for new SAFI is easy if proposal is worth it.
>
> Please remember that flow spec original goal was to automate filtering for DDoS which to the best of my knowledge is L3 type of attack. But of course since then many people pulled FS left and right :).
>
> Thank you,
> R.
>
>
> On Mon, Sep 30, 2019 at 2:58 AM Donald Eastlake <d3e3e3@gmail.com> wrote:
>>
>> Hi Robert,
>>
>> On Sun, Sep 29, 2019 at 6:00 AM Robert Raszuk <robert@raszuk.net> wrote:
>> >
>> > Hi Donald,
>> >
>> > The draft says:
>> >
>> > The following changes are defined:
>> >
>> >    "SAFI 134 for dissemination of L3VPN flow specification rules" to now
>> >    be defined as "SAFI 134 for dissemination of VPN flow specification
>> >    rules"
>> >
>> >    For SAFI 134 the indication to which address family it is referring
>> >    to will be recognized by AFI value (AFI=1 for VPNv4, AFI=2 VPNv6 and
>> >    AFI=25 for L2VPN).  Such modification is fully backwards compatible
>> >    with existing implementation and production deployments.
>> >
>> >    For SAFI 134 the indication to which address family it is referring
>> >    to will be recognized by AFI value (AFI=1 for VPNv4, AFI=2 VPNv6 and
>> >    AFI=25 for L2VPN).  Such modification is fully backwards compatible
>> >    with existing implementation and production deployments.
>> >
>> >
>> > Which at least to me clearly gives the impression that newly defined NLRI elements and format are targeted to all AFIs listed 1, 2 & 25.
>>
>> As far as I know, that impression is wrong, which is why I said, after
>> saying that the draft applies to AFI=25/SAFI=134, that "The draft
>> should be clarified" to say that.
>>
>> > If you do not intend to ever use them with AFI 1 or 2 then the draft must state this very clearly that they are only applicable to AFI 25.
>> >
>> > On the topic of renaming IANA registry to extend  L3VPN SAFI 134 to also cover L2VPN my personal view is that we should not do it. We should define a new SAFI for L2VPN and clearly separate those two.
>> >
>> > You either match on L2 or L3 and not both in a given packet. Of course you can send both SAFIs and match on both against traffic on a given interface. Changing SAFI 134 now will require not only adjustment to IANA registry ... Just imagine the effort required to change all vendor's documentation.
>>
>> Well, isn't it also true that you either match on IPv4 or IPv6?
>>
>> The current IANA registry entry for SAFI 134 says "VPNv4 dissemination
>> of flow specification rules". It has to be changed anyway to encompass
>> IPv6... You have expressed your opinion very clearly but I don't see
>> why it is so bad to replace "VPNv4" with "VPN" rather than "L3VPN"
>> given that the IANA registry has to change anyway. As for vendor
>> documentation, if a vendor organized their documentation by the
>> capabilities they support, that is the AFI/SAFI pairs, then I'm not
>> sure why any change at all would be required unless they actually
>> supported L2VPN flowspec.
>>
>> in any case, I'll do what the consensus of the WG is.
>>
>> Thanks,
>> Donald
>> ===============================
>>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>>  1424 Pro Shop Court, Davenport, FL 33896 USA
>>  d3e3e3@gmail.com
>>
>> > Many thx,
>> > Robert
>> >
>> > On Sun, Sep 29, 2019 at 6:05 AM Donald Eastlake <d3e3e3@gmail.com> wrote:
>> >>
>> >> Hi Robert,
>> >>
>> >> Thanks for your review. Apologies for the delay in response.
>> >>
>> >> On Thu, Jan 3, 2019 at 6:04 AM Robert Raszuk <robert@raszuk.net> wrote:
>> >> >
>> >> > Hi,
>> >> >
>> >> > Two observations:
>> >> >
>> >> > 1.
>> >> >
>> >> > The current draft extends exisiting SAFI 134 with new NLRI types.
>> >> > That means that now we have new giant NLRI in SAFI 134.
>> >> >
>> >> > Have any consideration been made to just define a new flow spec SAFI
>> >> > instead for L2 filtering ? I am quite skeptical from implementation,
>> >> > operational and deployment points of view to extend the existing
>> >> > SAFI and it makes a gradual deployment a nightmare if not mission
>> >> > impossible.
>> >> >
>> >> > Any change to NLRI format without signalling it with new capability is
>> >> > far from good practice.
>> >>
>> >> My understanding is that flow spec capabilities are signalled by an
>> >> AFI/SAFI pair as specified in RFC 2858. So I think that
>> >> AFI=25/SAFI=134 already is a new capability. The draft should be
>> >> clarified to present things in those terms.
>> >>
>> >> It would be easy, from the IANA Considerations point of view, to get a
>> >> new SAFI that could be used with AFI=25 for L2VPN flowspec. But I
>> >> don't really see the benefit of burning a new SAFI value, say xyz, and
>> >> using AFI=25/SAFI=xyz instead of ARI=25/SAFI=134.
>> >>
>> >> In my opinion, the general format for the NLRI in this draft ia
>> >> similar to the flow specs for IPv4 and IPv6.  The components that are
>> >> added by this draft differ from the IPv4 and IPv6 components in the
>> >> generally the same way that the IPv4 and IPv6 components differ from
>> >> each other.
>> >>
>> >> > 2.
>> >> >
>> >> > The draft is pretty silent on adjusting validation procedures to make sure only
>> >> > senders of the original L2 information may inject the L2 flow routes..
>> >> >
>> >> > I would hope that this is basic omission and will be consider for addition into
>> >> > next version of he draft.
>> >>
>> >> That is an excellent point and the next version should have adjusted
>> >> validation procedures in it.
>> >>
>> >> Thanks,
>> >> Donald
>> >> =============================
>> >>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>> >>  1424 Pro Shop Court, Davenport, FL 33896 USA
>> >>  d3e3e3@gmail.com
>> >>
>> >> > Thx,
>> >> > R.
>> >> >
>> >> >
>> >> >
>> >> > On Thu, Jan 3, 2019 at 10:33 AM <internet-drafts@ietf.org> wrote:
>> >> >>
>> >> >> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> >> >> This draft is a work item of the Inter-Domain Routing WG of the IETF.
>> >> >>
>> >> >>         Title           : BGP Dissemination of L2VPN Flow Specification Rules
>> >> >>         Authors         : Weiguo Hao
>> >> >>                           Donald E. Eastlake, 3rd
>> >> >>                           James Uttaro
>> >> >>                           Stephane Litkowski
>> >> >>                           Shunwan Zhuang
>> >> >>         Filename        : draft-ietf-idr-flowspec-l2vpn-09.txt
>> >> >>         Pages           : 13
>> >> >>         Date            : 2019-01-03
>> >> >>
>> >> >> Abstract:
>> >> >>    This document defines a BGP flow-spec extension to disseminate L2 VPN
>> >> >>    Ethernet traffic filtering rules.  SAFI=134 in [RFC5575] is redefined
>> >> >>    for this purpose.  A new subset of component types and extended
>> >> >>    community also are defined.  A new subset of component types and new
>> >> >>    extended community also are defined.
>> >> >>
>> >> >>
>> >> >>
>> >> >> The IETF datatracker status page for this draft is:
>> >> >> https://datatracker.ietf.org/doc/draft-ietf-idr-flowspec-l2vpn/
>> >> >>
>> >> >> There are also htmlized versions available at:
>> >> >> https://tools.ietf.org/html/draft-ietf-idr-flowspec-l2vpn-09
>> >> >> https://datatracker.ietf.org/doc/html/draft-ietf-idr-flowspec-l2vpn-09
>> >> >>
>> >> >> A diff from the previous version is available at:
>> >> >> https://www.ietf.org/rfcdiff?url2=draft-ietf-idr-flowspec-l2vpn-09
>> >> >>
>> >> >>
>> >> >> Please note that it may take a couple of minutes from the time of submission
>> >> >> until the htmlized version and diff are available at tools.ietf.org.
>> >> >>
>> >> >> Internet-Drafts are also available by anonymous FTP at:
>> >> >> ftp://ftp.ietf.org/internet-drafts/