IETF Logo Mail Archive

Re: [Idr] BGP Flowspec rules precedence order (RFC 5575)

PVLR Pavana Murthy <pvlrpm@gmail.com> Thu, 15 February 2018 09:05 UTC

Return-Path: <pvlrpm@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 578F812D885 for <idr@ietfa.amsl.com>; Thu, 15 Feb 2018 01:05:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HK_RANDOM_ENVFROM=0.001, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q6pcKyocBTtx for <idr@ietfa.amsl.com>; Thu, 15 Feb 2018 01:05:52 -0800 (PST)
Received: from mail-wr0-x229.google.com (mail-wr0-x229.google.com [IPv6:2a00:1450:400c:c0c::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAF93126C19 for <idr@ietf.org>; Thu, 15 Feb 2018 01:05:51 -0800 (PST)
Received: by mail-wr0-x229.google.com with SMTP id w77so2549385wrc.6 for <idr@ietf.org>; Thu, 15 Feb 2018 01:05:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=FIt/D/6Rtkje8xnZ0HglOkiYW79G0rY+jM1gOj1oElU=; b=L9dQNLEuOvFHgV+Zg+kG8d1Bi2cRb9MPf9be0wE/7mJW8MtyCM2HKHMmSHpiD2ox8f /kGMbfVF0oBHfjK3ecKFG3VF0ZRGy0pMK0ZwgH86UoNxzJe1qZ9BHxE1y3YJosh+URxx 4nsaYiiaHOJdCpC8GIsqLOX29ttUjn4QNenD0v15TIXvpvvPgRfIuczo0rIjUFqFt5Ug AT474NB3thcMH7jVAfqIvysUDuagf1UqoaeT2vUVk4BHHFcnoWCqxqzD0ss2MUOhojzK YK/AeH6IQ7h8j/ObesVYhoUw/1ejHEpCOyF87+JALEQGizEIUnHKelX/q7hri3K7YCTb uheA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=FIt/D/6Rtkje8xnZ0HglOkiYW79G0rY+jM1gOj1oElU=; b=adQpGEHP41iXLm5tCiHIg9dohPTrBPyC6NCgx8MK32hL7Mjal0KYl4hVewSZcKccoO Q2Tcs91E2NwnsEjTjxnByuhwHqFml3V2hq4VsY9NGN5rZ/Xi73XWEGqVgV3NVI1r/lQc G1EC/v83r2Nt+POcx38nc1siUliDUELmvx1gSxGN6sxLPHISWMGNSw8hKSiNgnRBtlGR MlVLlo76Hm1xE8SlBEZu5vO9ozwrweUPuPYLoB75XQxYB8X8OALr70pCyof+GAkVQpQL uQhbTCpvBix8r3PpQq6c3rg/Zv8sYh6XBBwno9LSugDuvidKbhbGy5t+7un39tbphvkC zVPw==
X-Gm-Message-State: APf1xPDeF09StXtqfWJUAjGgCZp8eIjFAGNAW4Fa8NyD1SJOeI9ZzxqV KcZ3j/uAl2o9SaxrUNAUBvv8U/UPDshXAvTgUBQ=
X-Google-Smtp-Source: AH8x224AqhgyREB7xXwgnZhVcloL1gTz/14Zw1lUy5BzASFCu7gCraM2XFOYavdUJJXtdzHgCSdgfpcPJI6f8WkBCQQ=
X-Received: by 10.223.173.18 with SMTP id p18mr1869725wrc.29.1518685550006; Thu, 15 Feb 2018 01:05:50 -0800 (PST)
MIME-Version: 1.0
Received: by 10.223.195.200 with HTTP; Thu, 15 Feb 2018 01:05:49 -0800 (PST)
In-Reply-To: <9A8127C2-BADC-4E09-BE54-EBB5D07C994B@tix.at>
References: <CAN-MQG6xnsP28Xn3d7-PECkJrDSk-+QuKZawmAgJs6c-j536=w@mail.gmail.com> <372B554B-47F1-49AC-8D66-37A7ED69E57F@tix.at> <CAN-MQG59aTOKYVULVscfK_Mx3L8xcaXhny=1q4E5yi2+7rc2kQ@mail.gmail.com> <9A8127C2-BADC-4E09-BE54-EBB5D07C994B@tix.at>
From: PVLR Pavana Murthy <pvlrpm@gmail.com>
Date: Thu, 15 Feb 2018 14:35:49 +0530
Message-ID: <CAN-MQG6gyZnO0_hTLYp7g09fph7X3sX+jHDYHEn=6oephS4jQQ@mail.gmail.com>
To: Christoph Loibl <c@tix.at>
Cc: idr wg <idr@ietf.org>
Content-Type: multipart/alternative; boundary="f403045cf650bbd72405653c8886"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/NYCw2s6Or4VNZ0EwIzXcXtCwwCQ>
Subject: Re: [Idr] BGP Flowspec rules precedence order (RFC 5575)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Feb 2018 09:05:54 -0000

Hi Christoph,
   Thanks a lot for the detailed explanation. That answers my question
completely :-).



On Thu, Feb 15, 2018 at 1:07 PM, Christoph Loibl <c@tix.at> wrote:

> Hi Pavana,
>
> You can rather easily test the behaviour when you feed your case into the
> python function:
>
> def main():
>     fs1 = FS_nlri(components=[
>         FS_component(component_type=IP_DESTINATION,
> value=ipaddress.ip_network('88.88.88.0/24')),
>         FS_component(component_type=4, value=bytearray([0x01, 0x46, 0x81,
> 0x50]))
>     ])
>
>     fs2 = FS_nlri(components=[
>         FS_component(component_type=IP_DESTINATION,
> value=ipaddress.ip_network('88.88.88.0/24')),
>         FS_component(component_type=4, value=bytearray([0x03, 0x5a, 0xc5,
> 0x6e]))
>     ])
>     print(flow_rule_cmp(fs1, fs2))
>
> What happens is (I refer to line numbers of the code in the github repo
> https://github.com/stoffi92/flowspec-cmp/blob/master/flow_cmp.py :
>
> *) The IP components are compared and as you mentioned: no decision can be
> made since the ip components are equal. (we reach line 74 for the equal ip
> components and continue with the next iteration)
>
> *) The second component _types_ are equal but not IP (we end up in the
> branch in line 80 since the components are type=4 and not 1 or 2)
>
> *) The length of the second components is compared and equal, so we
> continue in line 82
>
> ** See below: this is basically where the compare that you asked for
> happens **
>
> *) Now we come to the point where we compare the string of bytes one by
> one. As long as they are equal. (this is basically what memcmp does - this
> is not very explicit in the python code, since it is done by the <, >
> operators for the bytearray implicitly)
>
> In your case what it does is, that it compares 0x01 to 0x03 and figures
> out that 0x01 is the lower value so it takes the branch in line 84 and
> returns with A_HAS_PRECEDENCE from line 85 (if both of your components
> would start with 0x01 it would continue to the second byte and so on).
>
> Your first FS nlri has precedence because of the “lower” value.
>
> 01 *18 58 58 58* 04 *01 46 81 50  ----> Dst.Prefix: 88.88.88.0/24
>> <http://88.88.88.0/24>  Port: 70 | 80*
>>
>>
> Discamer: I assumed that you encoded the components themselfs correctly
> (the 01 46 81 50 and 03 5a c5 6e)
>
> Does this answer your question?
>
> Christoph
>
> --
> Christoph Loibl
> c@tix.at | CL8-RIPE | PGP-Key-ID: 0x4B2C0055 | http://www.nextlayer.at
>
>
>
> On 15.02.2018, at 05:08, PVLR Pavana Murthy <pvlrpm@gmail.com> wrote:
>
> Hi Christoph,
>   Even in the  RFC5575bis,  the following is given  for comparing
> non-prefix type components.
>
>  else:
>                # assuming comp_a.value, comp_b.value of type bytearray
>                if len(comp_a.value) == len(comp_b.value):
>                    if comp_a.value > comp_b.value:
>                        return B_HAS_PRECEDENCE
>                    if comp_a.value < comp_b.value:
>                        return A_HAS_PRECEDENCE
>                    # components equal -> continue with next component
>                else:
>                    common = min(len(comp_a.value), len(comp_b.value))
>                    if comp_a.value[:common] > comp_b.value[:common]:
>                        return B_HAS_PRECEDENCE
>                    elif comp_a.value[:common] < comp_b.value[:common]:
>                        return A_HAS_PRECEDENCE
>                    # the first common bytes match
>                    elif len(comp_a.value) > len(comp_b.value):
>                        return A_HAS_PRECEDENCE
>                    else:
>                        return B_HAS_PRECEDENCE
>
>
> *What is  comp_a.value here ? Is it the binary sting of [op, value]/[op,bitmask] or only value/bitmask ?*
>
>
> Thanks,
>
> Pavana.
>
>
> On Thu, Feb 15, 2018 at 3:11 AM, Christoph Loibl <c@tix.at> wrote:
>
>> Hi Pavana,
>>
>> Did you have a look into the actual code (thanks to Job’s comment) that
>> is contained in the RFC5575bis draft which should be identical from the
>> behaviour:
>>
>> https://tools.ietf.org/html/draft-ietf-idr-rfc5575bis-06
>>
>> Christoph
>>
>> --
>> Christoph Loibl
>> c@tix.at | CL8-RIPE | PGP-Key-ID: 0x4B2C0055 | http://www.nextlayer.at
>>
>>
>>
>> On 12.02.2018, at 12:03, PVLR Pavana Murthy <pvlrpm@gmail.com> wrote:
>>
>> Hello,
>>   In the RFC 5575, the following is given for the comparing the Flowspec
>> components of types other then prefix.
>>
>> } else {
>> common =
>> MIN(component_length(comp1), component_length(comp2));
>> cmp = memcmp(data(comp1), data(comp2), common);
>> // not equal, lowest value has precedence
>> // equal, longest string has precedence
>> }
>>
>>
>> Here, what does *data* refrer to  ?
>>
>> Is it the binary form of 1) [op, value]> / [op, bitmask]  or 2) Just
>> [value] / [bitmask]
>>
>> eg:
>>
>>
>> 1)  01 *18 58 58 58* 04 *01 46 81 50  ----> Dst.Prefix: 88.88.88.0/24
>> <http://88.88.88.0/24>  Port: 70 | 80*
>>
>> 2)  01* 18 58 58 58 *04* 03 5a c5 6e    ---->   Dst.Prefix:
>> 88.88.88.0/24 <http://88.88.88.0/24>  Port: >=90 & <= 110*
>>
>> *In the above FS rules,  Dst. Prefix is same in both, so we need to
>> compare the data of next type 4 (Port). *
>> *So do we need to do memcmp of  (01 46 81 50) and  (03 5a c5 6e) ?*
>>
>> Thanks,
>> Pavana*.*
>>
>>
>>
>> _______________________________________________
>> Idr mailing list
>> Idr@ietf.org
>> https://www.ietf.org/mailman/listinfo/idr
>>
>>
>>
>
>

v2.23.0 | Report a Bug | By Email