Re: [Idr] I-D Action: draft-ietf-idr-flowspec-l2vpn-09.txt

"UTTARO, JAMES" <ju1738@att.com> Mon, 30 September 2019 13:16 UTC

From: "UTTARO, JAMES" <ju1738@att.com>
To: Robert Raszuk <robert@raszuk.net>, Donald Eastlake <d3e3e3@gmail.com>
CC: "idr@ietf. org" <idr@ietf.org>
Date: Mon, 30 Sep 2019 13:16:42 +0000
Message-ID: <B17A6910EEDD1F45980687268941550F4DA05189@MISOUT7MSGUSRCD.ITServices.sbc.com>
References: <154650798507.29744.11843661823190688795@ietfa.amsl.com> <CAOj+MMGPmUs4fAzDEwhq4z47r=TK78Kk-6Tp+KMHS0K4O=VdGg@mail.gmail.com> <CAF4+nEHwwPNL4cmXH-TMhL3xnT3LGiP-hWov-YCf=h4B-+N7QQ@mail.gmail.com> <CAOj+MMFQbY3WY9jYSLVXMUvOVMGzOCd1LsFKJupPM0W_3oFJDQ@mail.gmail.com> <CAF4+nEG4=0ew=ZzjaxT9ignbKeA3CgLBwhLp2mteQLfaBLh7VQ@mail.gmail.com> <CAOj+MMGwpUhspjxNiUiqoMnrpVnyyFTwGLTdPzpJNpzjL-vURA@mail.gmail.com>
In-Reply-To: <CAOj+MMGwpUhspjxNiUiqoMnrpVnyyFTwGLTdPzpJNpzjL-vURA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/QJPvHWVZxb3si7i8ER5R4L7b5pw>

Comments in-line.

Thanks,
              Jim Uttaro

From: Idr <idr-bounces@ietf.org> On Behalf Of Robert Raszuk
Sent: Monday, September 30, 2019 5:16 AM
To: Donald Eastlake <d3e3e3@gmail.com>
Cc: idr@ietf. org <idr@ietf.org>
Subject: Re: [Idr] I-D Action: draft-ietf-idr-flowspec-l2vpn-09.txt

Hi Donald,

> You have expressed your opinion very clearly but I don't see
> why it is so bad to replace "VPNv4" with "VPN" rather than "L3VPN"
> given that the IANA registry has to change anyway.

The difference is (well at least to me) fundamental. Match criteria which are more or less the same for IP L3 layer are completely different for L2 layer so IMO it makes sense to keep them separate.

Also I am not stating that the work should not move on if there is real requirement to extend flow spec for filtering L2 VPNs. Asking for new SAFI is easy if proposal is worth it.

Please remember that flow spec original goal was to automate filtering for DDoS which to the best of my knowledge is L3 type of attack. But of course since then many people pulled FS left and right :).
[Jim U>] Also Up & Down.

Thank you,
R.


On Mon, Sep 30, 2019 at 2:58 AM Donald Eastlake <d3e3e3@gmail.com> wrote:
Hi Robert,

On Sun, Sep 29, 2019 at 6:00 AM Robert Raszuk <robert@raszuk.net> wrote:
>
> Hi Donald,
>
> The draft says:
>
> The following changes are defined:
>
>    "SAFI 134 for dissemination of L3VPN flow specification rules" to now
>    be defined as "SAFI 134 for dissemination of VPN flow specification
>    rules"
>
>    For SAFI 134 the indication to which address family it is referring
>    to will be recognized by AFI value (AFI=1 for VPNv4, AFI=2 VPNv6 and
>    AFI=25 for L2VPN).  Such modification is fully backwards compatible
>    with existing implementation and production deployments.
>
>
> Which at least to me clearly gives the impression that newly defined NLRI elements and format are targeted to all AFIs listed 1, 2 & 25.

As far as I know, that impression is wrong, which is why I said, after
saying that the draft applies to AFI=25/SAFI=134, that "The draft
should be clarified" to say that.

> If you do not intend to ever use them with AFI 1 or 2 then the draft must state this very clearly that they are only applicable to AFI 25.
>
> On the topic of renaming IANA registry to extend  L3VPN SAFI 134 to also cover L2VPN my personal view is that we should not do it. We should define a new SAFI for L2VPN and clearly separate those two.
>
> You either match on L2 or L3 and not both in a given packet. Of course you can send both SAFIs and match on both against traffic on a given interface. Changing SAFI 134 now will require not only adjustment to IANA registry ... Just imagine the effort required to change all vendor's documentation.

Well, isn't it also true that you either match on IPv4 or IPv6?

The current IANA registry entry for SAFI 134 says "VPNv4 dissemination
of flow specification rules". It has to be changed anyway to encompass
IPv6... You have expressed your opinion very clearly but I don't see
why it is so bad to replace "VPNv4" with "VPN" rather than "L3VPN"
given that the IANA registry has to change anyway. As for vendor
documentation, if a vendor organized their documentation by the
capabilities they support, that is the AFI/SAFI pairs, then I'm not
sure why any change at all would be required unless they actually
supported L2VPN flowspec.

In any case, I'll do what the consensus of the WG is.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 1424 Pro Shop Court, Davenport, FL 33896 USA
 d3e3e3@gmail.com

> Many thx,
> Robert
>
> On Sun, Sep 29, 2019 at 6:05 AM Donald Eastlake <d3e3e3@gmail.com> wrote:
>>
>> Hi Robert,
>>
>> Thanks for your review. Apologies for the delay in response.
>>
>> On Thu, Jan 3, 2019 at 6:04 AM Robert Raszuk <robert@raszuk.net> wrote:
>> >
>> > Hi,
>> >
>> > Two observations:
>> >
>> > 1.
>> >
>> > The current draft extends existing SAFI 134 with new NLRI types.
>> > That means that now we have new giant NLRI in SAFI 134.
>> >
>> > Has any consideration been made to just define a new flow spec SAFI
>> > instead for L2 filtering ? I am quite skeptical from implementation,
>> > operational and deployment points of view to extend the existing
>> > SAFI and it makes a gradual deployment a nightmare if not mission
>> > impossible.
>> >
>> > Any change to NLRI format without signalling it with new capability is
>> > far from good practice.
>>
>> My understanding is that flow spec capabilities are signalled by an
>> AFI/SAFI pair as specified in RFC 2858. So I think that
>> AFI=25/SAFI=134 already is a new capability. The draft should be
>> clarified to present things in those terms.
>>
>> It would be easy, from the IANA Considerations point of view, to get a
>> new SAFI that could be used with AFI=25 for L2VPN flowspec. But I
>> don't really see the benefit of burning a new SAFI value, say xyz, and
>> using AFI=25/SAFI=xyz instead of AFI=25/SAFI=134.
>>
>> In my opinion, the general format for the NLRI in this draft is
>> similar to the flow specs for IPv4 and IPv6.  The components that are
>> added by this draft differ from the IPv4 and IPv6 components in
>> generally the same way that the IPv4 and IPv6 components differ from
>> each other.
>>
>> > 2.
>> >
>> > The draft is pretty silent on adjusting validation procedures to make sure only
>> > senders of the original L2 information may inject the L2 flow routes.
>> >
>> > I would hope that this is a basic omission and will be considered for addition into
>> > the next version of the draft.
>>
>> That is an excellent point and the next version should have adjusted
>> validation procedures in it.
>>
>> Thanks,
>> Donald
>> =============================
>>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>>  1424 Pro Shop Court, Davenport, FL 33896 USA
>>  d3e3e3@gmail.com
>>
>> > Thx,
>> > R.
>> >
>> >
>> >
>> > On Thu, Jan 3, 2019 at 10:33 AM <internet-drafts@ietf.org> wrote:
>> >>
>> >> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> >> This draft is a work item of the Inter-Domain Routing WG of the IETF.
>> >>
>> >>         Title           : BGP Dissemination of L2VPN Flow Specification Rules
>> >>         Authors         : Weiguo Hao
>> >>                           Donald E. Eastlake, 3rd
>> >>                           James Uttaro
>> >>                           Stephane Litkowski
>> >>                           Shunwan Zhuang
>> >>         Filename        : draft-ietf-idr-flowspec-l2vpn-09.txt
>> >>         Pages           : 13
>> >>         Date            : 2019-01-03
>> >>
>> >> Abstract:
>> >>    This document defines a BGP flow-spec extension to disseminate L2 VPN
>> >>    Ethernet traffic filtering rules.  SAFI=134 in [RFC5575] is redefined
>> >>    for this purpose.  A new subset of component types and extended
>> >>    community also are defined.  A new subset of component types and new
>> >>    extended community also are defined.
>> >>
>> >>
>> >>
>> >> The IETF datatracker status page for this draft is:
>> >> https://datatracker.ietf.org/doc/draft-ietf-idr-flowspec-l2vpn/
>> >>
>> >> There are also htmlized versions available at:
>> >> https://tools.ietf.org/html/draft-ietf-idr-flowspec-l2vpn-09
>> >> https://datatracker.ietf.org/doc/html/draft-ietf-idr-flowspec-l2vpn-09
>> >>
>> >> A diff from the previous version is available at:
>> >> https://www.ietf.org/rfcdiff?url2=draft-ietf-idr-flowspec-l2vpn-09
>> >>
>> >>
>> >> Please note that it may take a couple of minutes from the time of submission
>> >> until the htmlized version and diff are available at tools.ietf.org.
>> >>
>> >> Internet-Drafts are also available by anonymous FTP at:
>> >> ftp://ftp.ietf.org/internet-drafts/
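Two points in the thread above lend themselves to a small worked model: Donald's observation that a flow spec capability is identified by the AFI/SAFI pair carried in the multiprotocol capability (RFC 2858 as cited, since obsoleted by RFC 4760), and Robert's request that the draft adjust the validation procedure so that only the originator of the underlying routing information can inject flow routes. The following Python is an added example written for this page; it is not code from the thread, the draft, or any vendor implementation. It reads the AFI/SAFI header at the front of an MP_REACH_NLRI value and applies the RFC 5575 originator rule for IP flow routes (accept only when the flow route's originator equals the originator of the best-match unicast route for the destination prefix). The L2VPN equivalent of that rule is exactly what the thread says the draft still lacks, so the example does not invent one. Peers, prefixes and AS numbers are constructed sample data.

```python
"""Added example (not from the thread or the draft): a toy BGP speaker that
(1) reads the AFI/SAFI pair from the front of an MP_REACH_NLRI attribute and
(2) applies the RFC 5575 originator check before accepting a flow route.
All prefixes, AS numbers and capability sets are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_network
import struct

# Address family / subsequent address family values discussed in the thread.
AFI_IPV4, AFI_IPV6, AFI_L2VPN = 1, 2, 25
SAFI_FLOWSPEC_VPN = 134


def parse_afi_safi(mp_reach: bytes):
    """Return (afi, safi) from the leading 3 bytes of an MP_REACH_NLRI
    attribute value: 2-byte AFI followed by 1-byte SAFI (RFC 4760)."""
    if len(mp_reach) < 3:
        raise ValueError("MP_REACH_NLRI too short for AFI/SAFI header")
    afi, safi = struct.unpack("!HB", mp_reach[:3])
    return afi, safi


@dataclass
class Speaker:
    # (AFI, SAFI) pairs negotiated in OPEN via the multiprotocol capability.
    negotiated: set
    # Unicast RIB: prefix string -> originator AS, consulted by validation.
    unicast_rib: dict
    accepted: list = field(default_factory=list)

    def capability_for(self, mp_reach: bytes) -> str:
        """Decide whether this speaker negotiated the AFI/SAFI pair the
        update carries; an unsupported pair is not processed at all."""
        afi, safi = parse_afi_safi(mp_reach)
        return "supported" if (afi, safi) in self.negotiated else "unsupported"

    def validate_flow_route(self, dest_prefix: str, originator_as: int) -> str:
        """RFC 5575 section 6 rule for IP flow routes: the originator of the
        flow route must equal the originator of the best-match unicast route
        for the destination prefix. Anything else rejects the route, which is
        what keeps a peer from filtering traffic for prefixes it does not
        originate."""
        dest = ip_network(dest_prefix)
        best = None
        for pfx, origin in self.unicast_rib.items():
            net = ip_network(pfx)
            if net.version == dest.version and dest.subnet_of(net):
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, origin)
        if best is None:
            return "rejected: no best-match unicast route"
        if best[1] != originator_as:
            return "rejected: originator mismatch"
        self.accepted.append(dest_prefix)
        return "accepted"


def demo():
    """Constructed scenario: one speaker that negotiated VPNv4 and L2VPN
    flow spec (both under SAFI 134) but not VPNv6."""
    spk = Speaker(
        negotiated={(AFI_IPV4, SAFI_FLOWSPEC_VPN), (AFI_L2VPN, SAFI_FLOWSPEC_VPN)},
        unicast_rib={"192.0.2.0/24": 64500, "198.51.100.0/24": 64501},
    )
    # Constructed MP_REACH_NLRI headers: AFI=25/SAFI=134 and AFI=2/SAFI=134.
    l2vpn_hdr = struct.pack("!HB", AFI_L2VPN, SAFI_FLOWSPEC_VPN)
    vpnv6_hdr = struct.pack("!HB", AFI_IPV6, SAFI_FLOWSPEC_VPN)
    return {
        "l2vpn": spk.capability_for(l2vpn_hdr),
        "vpnv6": spk.capability_for(vpnv6_hdr),
        # AS 64500 originates 192.0.2.0/24, so its flow route is accepted.
        "legit": spk.validate_flow_route("192.0.2.128/25", 64500),
        # AS 64501 does not originate that prefix: rejected.
        "spoofed": spk.validate_flow_route("192.0.2.128/25", 64501),
        # No covering unicast route at all: rejected.
        "unknown": spk.validate_flow_route("203.0.113.0/24", 64500),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the toy makes is the one Robert raises in his second observation: the originator check works for IP flow routes because there is a unicast route to compare against, and an L2 flow route carrying MAC or VLAN match components has no such anchor unless the draft defines one.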