Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
"Juan Alcaide (jalcaide)" <jalcaide@cisco.com> Fri, 11 May 2018 23:14 UTC
Return-Path: <jalcaide@cisco.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BEAB12D574; Fri, 11 May 2018 16:14:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5mhFhXKO_sZb; Fri, 11 May 2018 16:14:12 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C97B126DED; Fri, 11 May 2018 16:14:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=80748; q=dns/txt; s=iport; t=1526080452; x=1527290052; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=oCAv4IuvBhUVJhelbfkz0/yqGdBmtZZ7ZjkZp4FgvOo=; b=U1mXFOlbjEsHGzz5Y5BS5FArslF/eUbV4B6EYGOBnhG8xHULwhwiP2km Opo8ifpunL27dcb1kXqU4kK0oHK+O0lBCFhPaN1e8N9gvgK27L/LyzoWX 9UCw1Ouo/SnHQNqlj8BaObKZ1YrOjfP8QM4OvL2zZJ3SjqlWC3F9+OJWM A=;
X-IronPort-AV: E=Sophos;i="5.49,390,1520899200"; d="scan'208,217";a="112771991"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 11 May 2018 23:14:12 +0000
Received: from [10.82.208.50] (rtp-vpn4-50.cisco.com [10.82.208.50]) (authenticated bits=0) by alln-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id w4BNE7eR011710 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Fri, 11 May 2018 23:14:09 GMT
To: John Schiel <jschiel@flowtools.net>, "Jakob Heitz (jheitz)" <jheitz@cisco.com>
Cc: "Smith, Donald" <Donald.Smith@centurylink.com>, John Scudder <jgs@juniper.net>, "idr@ietf. org" <idr@ietf.org>, "nl7942@att.com" <nl7942@att.com>, "Schiel, John" <John.Schiel@centurylink.com>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>
References: <DB4DB79D-22DD-45A7-980A-B33C5E58C1C7@juniper.net> <2997BE5D-F4C6-4AC2-9B00-126436FC5141@juniper.net> <68EFACB32CF4464298EA2779B058889D53DB49B4@PDDCWMBXEX503.ctl.intranet> <e0e1857b46104431be4f655fe8d1e0b1@XCH-ALN-014.cisco.com> <68EFACB32CF4464298EA2779B058889D53DB4D80@PDDCWMBXEX503.ctl.intranet> <7cc92070-d480-cd91-e572-36dc36836732@cisco.com> <68EFACB32CF4464298EA2779B058889D53DB50BF@PDDCWMBXEX503.ctl.intranet> <a5c07854cdba4e09b7fd6c3751acfbf2@XCH-ALN-014.cisco.com> <68EFACB32CF4464298EA2779B058889D53DB514E@PDDCWMBXEX503.ctl.intranet> <d7cb371119f54c41bf2fb17281d3d85c@XCH-ALN-014.cisco.com> <CABmZaCMZf9i33EuStxgboELi4Ap_UsGFQoRdaJNfn4yTY3YK4A@mail.gmail.com>
From: "Juan Alcaide (jalcaide)" <jalcaide@cisco.com>
Message-ID: <088a2b21-3199-8edb-c775-3f3efc7a6db5@cisco.com>
Date: Sat, 12 May 2018 01:14:07 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <CABmZaCMZf9i33EuStxgboELi4Ap_UsGFQoRdaJNfn4yTY3YK4A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------1640EFB98D37BDF4985C2998"
Content-Language: en-US
X-Authenticated-User: jalcaide
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/OdeG_U2b6B8TFH_ONLfHWZESQVI>
Subject: Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 May 2018 23:14:15 -0000
If trafic goes ISPB->ISPA->Customer M, then ISPB will accept the FS rule from ISPA (this is just RFC5575) If traffic goes ISPB->Customer M, then ISPB needs to trust the FS rule from ISPA. This is what ISPB needs to configure and this is the wording we are discussing -J On 5/11/2018 11:44 PM, John Schiel wrote: > Don's example makes sense to me. Ideally CustM is getting traffic both > from ISPA and ISPB. If ISPA identifies and stops the traffic from > going to CustM, then sends a rule to B, ISPB may or may not accept the > rule and the attack would still go over the connection from ISPB to > CustM based on preferred path regardless of rule acceptance. If the > metrics are different and the preferred path is now from ISPB to ISPA > and then to CustM, then the importance of accepting the rule becomes > more important. > > I don't see any current issues with this WG. > > --John > > > On Fri, May 11, 2018 at 2:42 PM, Jakob Heitz (jheitz) > <jheitz@cisco.com <mailto:jheitz@cisco.com>> wrote: > > This is the case that we all intend to work (I think), but only if > ISPB explicitly > > allows that flowspec rule from ISPA. It would not happen by default. > > Now to find the words... > > Thanks, > > Jakob > > *From:*Smith, Donald <Donald.Smith@CenturyLink.com> > *Sent:* Friday, May 11, 2018 1:36 PM > *To:* Jakob Heitz (jheitz) <jheitz@cisco.com > <mailto:jheitz@cisco.com>>; Juan Alcaide (jalcaide) > <jalcaide@cisco.com <mailto:jalcaide@cisco.com>>; John Scudder > <jgs@juniper.net <mailto:jgs@juniper.net>>; idr@ietf. org > <idr@ietf.org <mailto:idr@ietf.org>> > > > *Cc:* nl7942@att.com <mailto:nl7942@att.com>; Schiel, John > <John.Schiel@centurylink.com > <mailto:John.Schiel@centurylink.com>>; > draft-ietf-idr-bgp-flowspec-oid@ietf.org > <mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org> > *Subject:* RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 > > Customer M > > | | > > | | > > | | > > ISPA------ISPB > > ISPA sees a large DDoS attack against customer M and triggers a > flowspec rule internally and to ISPB. > > But ISPB has customer M connections too (one or more) and receives > BGP announcements from them (or has a static or ... but has routes > that would be preferred internally), thus the flowspec check would > fail right? > > Metric System < +000 > -000 > > Extra People's Terribly Good Meals Kept mY uNCLE Ned Purring > For Ages > > Exa Peta Tera Giga Mega Kilo milli Micro(u) Nano Pico > Femto Atto > > Donald.Smith@centurylink.com <mailto:Donald.Smith@centurylink.com> > > ------------------------------------------------------------------------ > > *From:*Jakob Heitz (jheitz) [jheitz@cisco.com > <mailto:jheitz@cisco.com>] > *Sent:* Friday, May 11, 2018 1:39 PM > *To:* Smith, Donald; Juan Alcaide (jalcaide); John Scudder; > idr@ietf. org > *Cc:* nl7942@att.com <mailto:nl7942@att.com>; Schiel, John; > draft-ietf-idr-bgp-flowspec-oid@ietf.org > <mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org> > *Subject:* RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 > > Sorry Donald, Can you draw a diagram or reword your scenario? > > Thanks, > > Jakob > > *From:*Smith, Donald <Donald.Smith@CenturyLink.com > <mailto:Donald.Smith@CenturyLink.com>> > *Sent:* Friday, May 11, 2018 12:30 PM > *To:* Juan Alcaide (jalcaide) <jalcaide@cisco.com > <mailto:jalcaide@cisco.com>>; Jakob Heitz (jheitz) > <jheitz@cisco.com <mailto:jheitz@cisco.com>>; John Scudder > <jgs@juniper.net <mailto:jgs@juniper.net>>; idr@ietf. org > <idr@ietf.org <mailto:idr@ietf.org>> > *Cc:* nl7942@att.com <mailto:nl7942@att.com>; Schiel, John > <John.Schiel@centurylink.com > <mailto:John.Schiel@centurylink.com>>; > draft-ietf-idr-bgp-flowspec-oid@ietf.org > <mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org> > *Subject:* RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 > > I am not entirely sure if that works here or not. > > But I think with that you could show some AS as the last AS in the > past (far left) and maybe not show the original customer AS? > > As long as your advertising that space to me, and I don't have a > better path it should work. > > Now what happens when a customer is a customer of ISP A and ISP B > both have routes to it, if A advertises flowspec to B for that > network wouldn't it be blocked as the best path to the customer > inside of B is B's path. > > This is actually a different problem, or subset of the original issue. > > What should happen in that case? I might want to take action, I > might not be seeing a huge flood, while the original announcer (A) > is and wants us to take action as they expect we will be seeing > that traffic soon? > > Metric System < +000 > -000 > > Extra People's Terribly Good Meals Kept mY uNCLE Ned Purring > For Ages > > Exa Peta Tera Giga Mega Kilo milli Micro(u) Nano > Pico Femto Atto > > Donald.Smith@centurylink.com <mailto:Donald.Smith@centurylink.com> > > ------------------------------------------------------------------------ > > *From:*Juan Alcaide (jalcaide) [jalcaide@cisco.com > <mailto:jalcaide@cisco.com>] > *Sent:* Friday, May 11, 2018 12:57 PM > *To:* Smith, Donald; Jakob Heitz (jheitz); John Scudder; idr@ietf. org > *Cc:* nl7942@att.com <mailto:nl7942@att.com>; Schiel, John; > draft-ietf-idr-bgp-flowspec-oid@ietf.org > <mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org> > *Subject:* Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 > > Don, > > (just to be clear, this has nothing to directly with the redirect > extended-community draft) > > We already thought about it and added a 'clause' in the last revision. > > "Optionally, an implementation > could be configured to allow only flow specification NLRIs > containing > only a subset of ASes. This could be useful, for example, with > networks that consist of multiple ASes that operate under the same > administrative domain." > > This is not what you want? > > -J > > On 5/11/2018 4:50 PM, Smith, Donald wrote: > > That would work of course MAY would be caps :) But that should > cover the case I was describing. > > All the other BGP security issues would still apply. > > Cc'ing the two architects that have been working on this > concept with me, in case they have anything to add. > > Metric System < +000 > -000 > > Extra People's Terribly Good Meals Kept mY uNCLE Ned Purring > For Ages > > Exa Peta Tera Giga Mega Kilo milli Micro(u) Nano > Pico Femto Atto > > Donald.Smith@centurylink.com <mailto:Donald.Smith@centurylink.com> > > ------------------------------------------------------------------------ > > *From:*Jakob Heitz (jheitz) [jheitz@cisco.com > <mailto:jheitz@cisco..com>] > *Sent:* Thursday, May 10, 2018 11:39 PM > *To:* Smith, Donald; John Scudder; idr@ietf. org > *Cc:* draft-ietf-idr-bgp-flowspec-oid@ietf.org > <mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org> > *Subject:* RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 > > I support the draft. > > Donald, are you saying that AS1 should accept a flowspec rule > from AS2 for traffic going to AS3? > > If AS1 can trust the flowspec from AS2, then I don't see why not. > > Maybe we can add text to the effect of: > > The rules stated here are for default behavior. > > Local policy may allow flow specifications from other EBGP > neighbors to be accepted. > > Thanks, > > Jakob > > *From:*Idr <idr-bounces@ietf.org> > <mailto:idr-bounces@ietf.org> *On Behalf Of *Smith, Donald > *Sent:* Thursday, May 10, 2018 11:58 AM > *To:* John Scudder <jgs@juniper.net> <mailto:jgs@juniper.net>; > idr@ietf. org <idr@ietf..org> <mailto:idr@ietf..org> > *Cc:* draft-ietf-idr-bgp-flowspec-oid@ietf.org > <mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org> > *Subject:* Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 > > This supports some of the bi-lateral, ddos-peering work we > want to do, so support. > > https://pc.nanog.org/static/published/meetings/NANOG71/1447/20171003_Levy_Operationalizing_Isp_v2.pdf > <https://pc.nanog.org/static/published/meetings/NANOG71/1447/20171003_Levy_Operationalizing_Isp_v2.pdf> > > That is almost always going to be between some set of systems > not one hop away, not directly in the forwarding plane, > probably not really IBGP peers. > > " It thus becomes necessary to modify step (a) of the RFC 5575 > <https://tools.ietf.org/html/rfc5575> > validation procedure such that an IBGP peer that is not > within the > data forwarding plane may originate flow specification NLRIs." > > While you could have the IBGP peer directly in the forwarding > plane, forward it like a route reflector, requiring it to > seems counter intuitive as it is more likely to come from some > BGP speaking tool in ISP requesting the filter. > > Next lots of references to IBGP and a few to EBGP, when I > think of IBGP, IBGP is internal to a single AS (yes I know > there are exceptions) but that is kind of the meaning, while > this is mostly between peers (whom could do IBGP between them > but is that required? Can't we validate without IBGP direct > connections?) > > Metric System < +000 > -000 > > Extra People's Terribly Good Meals Kept mY uNCLE Ned Purring > For Ages > > Exa Peta Tera Giga Mega Kilo milli > Micro(u) Nano Pico Femto Atto > > Donald.Smith@centurylink.com <mailto:Donald.Smith@centurylink.com> > > ------------------------------------------------------------------------ > > *From:*Idr [idr-bounces@ietf.org > <mailto:idr-bounces@ietf.org>] on behalf of John Scudder > [jgs@juniper.net <mailto:jgs@juniper.net>] > *Sent:* Thursday, May 10, 2018 12:28 PM > *To:* idr@ietf. org > *Cc:* draft-ietf-idr-bgp-flowspec-oid@ietf.org > <mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org> > *Subject:* Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 > > Hi All, > > On Apr 26, 2018, at 3:58 PM, John Scudder <jgs@juniper.net > <mailto:jgs@juniper.net>> wrote: > > The authors have requested a working group last call for > draft-ietf-idr-bgp-flowspec-oid-06. Please respond with > your comments before Friday, May 11. > > A quick update on the status of this WGLC: > > - All the authors have responded about IPR (thank you!). > > - Three people who are not authors (Acee, Shyam, Keyur) have > responded supporting publication. > > - Nobody has responded with other comments or opposition. > > Three respondents is not a very large number; it would be > helpful if others would chime in. > > The WGLC period is scheduled to end tomorrow. > > Thanks, > > --John > > This communication is the property of CenturyLink and may > contain confidential or privileged information. Unauthorized > use of this communication is strictly prohibited and may be > unlawful. If you have received this communication in error, > please immediately notify the sender by reply e-mail and > destroy all copies of the communication and any attachments. > > This communication is the property of CenturyLink and may > contain confidential or privileged information. Unauthorized > use of this communication is strictly prohibited and may be > unlawful. If you have received this communication in error, > please immediately notify the sender by reply e-mail and > destroy all copies of the communication and any attachments. > > _______________________________________________ > > Idr mailing list > > Idr@ietf.org <mailto:Idr@ietf.org> > > https://www.ietf.org/mailman/listinfo/idr > <https://www.ietf.org/mailman/listinfo/idr> > > This communication is the property of CenturyLink and may contain > confidential or privileged information. Unauthorized use of this > communication is strictly prohibited and may be unlawful. If you > have received this communication in error, please immediately > notify the sender by reply e-mail and destroy all copies of the > communication and any attachments. > > This communication is the property of CenturyLink and may contain > confidential or privileged information. Unauthorized use of this > communication is strictly prohibited and may be unlawful. If you > have received this communication in error, please immediately > notify the sender by reply e-mail and destroy all copies of the > communication and any attachments. > > > _______________________________________________ > Idr mailing list > Idr@ietf.org <mailto:Idr@ietf.org> > https://www.ietf.org/mailman/listinfo/idr > <https://www.ietf.org/mailman/listinfo/idr> > >
- [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 John Scudder
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Acee Lindem (acee)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… David Smith (djsmith)
- Re: [Idr] FW: WGLC for draft-ietf-idr-bgp-flowspe… Clarence Filsfils (cfilsfil)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… UTTARO, JAMES
- Re: [Idr] FW: WGLC for draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Shyam Sethuram
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Keyur Patel
- Re: [Idr] FW: WGLC for draft-ietf-idr-bgp-flowspe… Pradosh Mohapatra
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… John Scudder
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Smith, Donald
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Jakob Heitz (jheitz)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Kasavchenko, Kirill
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Smith, Donald
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Juan Alcaide (jalcaide)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Smith, Donald
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Jakob Heitz (jheitz)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Juan Alcaide (jalcaide)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Smith, Donald
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Jakob Heitz (jheitz)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… John Schiel
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Juan Alcaide (jalcaide)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… LINGALA, AVINASH
- [Idr] FW: FW: WGLC for draft-ietf-idr-bgp-flowspe… Susan Hares