Re: [Idr] WG adoption call - draft-li-idr-flowspec-srv6-05,txt

Huaimo Chen <huaimo.chen@futurewei.com> Tue, 03 August 2021 20:58 UTC

Return-Path: <huaimo.chen@futurewei.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A39013A3294; Tue, 3 Aug 2021 13:58:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.089
X-Spam-Level:
X-Spam-Status: No, score=-2.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xz-pbevhlLMy; Tue, 3 Aug 2021 13:58:36 -0700 (PDT)
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (mail-dm6nam10on2138.outbound.protection.outlook.com [40.107.93.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9509E3A3293; Tue, 3 Aug 2021 13:58:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UDiZSuV15scOajR1JVBMkofeJPfL63Vpr8JpcxBl1ZKfg+8nBNPYDvGqwnUmGH2yZXKhHT7IUjeiC6yaNcpSGIt2+ah7XUFgjhh0e9ELrMf6gtNF2yMC4MiGCVrXOpEY9llLSN1D6bww7EqixDA5c9tATmfpUUS6Az+ju2GJT4gr9p7CdqwOPlivipAz4So/eVZqAX35+Mlbq5amNwrqXE9+NApYoR6C6FaJY/tLIpC9N0jvJ0JYpBkGNKexCo8RZ6F6S7hwOK06dVdQJyj2DkTLf0uyBMFnGyoZXaDk0c3uUuTuJMLDRpJMt0V60eg+lGNnV+n9mRCBbQ/oE3AH2g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MS8HhgfuJf/f32+TpSDBwtc6kciuuXaxrg076HwTYhY=; b=n0BGoglmq1FezOYb3PcaNQF77hyLmZjpVZq8MR9qOByQiPfLmFobVaouTHrDciClWxGO1Hx+avaObNlpJtcYyv4d+Q9lTemVTDyvFeN/97ahBLCWwQhEw/TA+C+0Ws/CNKaZBKjOPd7jHDzkY/dUvH8TBeXVjVuiZPZd/8WJLaOxLEDt8wLDbfzyJVbRnM5BAHsoH8J4esVNUDPm333Z+7WWn1uchGUd5QF3Vc0j7Os68erAIZfXQ5AOYjKUOZDHTb+lyslanXiN0/9xJPqdeEoZ6rWDPoaCd6ChP9jP4RZNX467DxCIIbWYs7Q+ijAeAOJGQvzipJgO9IgFMuhnrQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=futurewei.com; dmarc=pass action=none header.from=futurewei.com; dkim=pass header.d=futurewei.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MS8HhgfuJf/f32+TpSDBwtc6kciuuXaxrg076HwTYhY=; b=gZouNd0vZXN+BLpRjBn9scJiX9avNyI5FlyAHCYu/TmB6jlzr8XxKF/QH88LZMC5M2ivmhSSmlImh/oLciTZZLdAd1dV7sVHPFDjnx3S6+YUk5aH0GwfDxupfjdT3OTqWqeZK+uobys9qObCmpb2d3asxnkPokYqvVErZ+XaWpA=
Received: from BY3PR13MB5044.namprd13.prod.outlook.com (2603:10b6:a03:362::22) by BY5PR13MB3873.namprd13.prod.outlook.com (2603:10b6:a03:229::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4394.12; Tue, 3 Aug 2021 20:58:34 +0000
Received: from BY3PR13MB5044.namprd13.prod.outlook.com ([fe80::8892:9918:1d4f:e5ca]) by BY3PR13MB5044.namprd13.prod.outlook.com ([fe80::8892:9918:1d4f:e5ca%4]) with mapi id 15.20.4394.015; Tue, 3 Aug 2021 20:58:34 +0000
From: Huaimo Chen <huaimo.chen@futurewei.com>
To: "Ketan Talaulikar (ketant)" <ketant@cisco.com>, Susan Hares <shares@ndzh.com>, "idr@ietf.org" <idr@ietf.org>, "draft-li-idr-flowspec-srv6@ietf.org" <draft-li-idr-flowspec-srv6@ietf.org>
Thread-Topic: [Idr] WG adoption call - draft-li-idr-flowspec-srv6-05,txt
Thread-Index: Add/4sY1y/C0DGrlTPWyZq9XeRllcQFV5TdAANvSyDE=
Date: Tue, 3 Aug 2021 20:58:33 +0000
Message-ID: <BY3PR13MB5044A581C1D75FB80F46C2DFF2F09@BY3PR13MB5044.namprd13.prod.outlook.com>
References: <022201d77fe3$eb9ba9b0$c2d2fd10$@ndzh.com>, <MW3PR11MB4570125E6DCFC74FAE544041C1EC9@MW3PR11MB4570.namprd11.prod.outlook.com>
In-Reply-To: <MW3PR11MB4570125E6DCFC74FAE544041C1EC9@MW3PR11MB4570.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: cisco.com; dkim=none (message not signed) header.d=none;cisco.com; dmarc=none action=none header.from=futurewei.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0f129778-f835-4ba3-7622-08d956c1750c
x-ms-traffictypediagnostic: BY5PR13MB3873:
x-microsoft-antispam-prvs: <BY5PR13MB3873F0620079A485633ADB09F2F09@BY5PR13MB3873.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: dyUqDphhvDlrVkFBSnonc0DYP4tFz5Rk3t4BQgLRDKqNkRR3Gj3hJmfKQE6pKT/sV3AbcUiVpkwl6nyXxqmPQzrDbxV8jhoV9jIe5Rdka2d9YCIYV4nJYTvHzYh0oyopNjKnd90caCCLyEZ0EVITHcXlPZyyUWhOrnMjx8p8/yyFNdiKXtgKORaQAm2Ha4FN+d9Ktum6lz/qEUPqk4NK4amwj8pBKwZyi/40V2ej4uz/xkXEp9o6X9mGeCASlfqSvZRoMOu+P3B9eLHpJ2xyaFDaCLBiiFDpm/pqHg/3sMNlJMkb7LrYe6lZcE5WDzJNodQ2huCEzqyXHl0u4nsAqMeKLEQvj6JFv2QjcPZkgNSk+/Vt+S8XcTrNAAO8kH4S7uWpgYZ4taDBbSNT4a36pFPZI4F7Iw5FW+FLyebQhMdGvkQuhQvu8C1wNbBvUwZMuGgZ0I2gDw7E6GPY2PbGmTJzoUdXeZC5bK4JfG8nZc5zeMgUdkhepbvBxjBzAa88wik8llo+PSm5+XWup5w3XK9DZFCZ0FZ7eIxZj54sKu29TXS7IaFypS0nKd7IlAx394MF/I7H4ngP9BWPvk0JheND4AmjpZoRQOPtnS4r50DjEt6M5hnSV1/JTte2SxBIIRYptrhgLKgDDGz3lzZh34oRcrjjEwa2q/GxlKYWEyQIG7MKsmckcxVbd/Yd5CAlhMSJpj284Okw00rDqkf/jAOH0roJPB/1nyML+tacif6fxYQdfPyCsT0UMG+hu8cvwp9x6NCz0uVaAlyzG8gM2/AIRWy4LAOAYC9l0E/02j4=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY3PR13MB5044.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(136003)(346002)(39840400004)(396003)(366004)(71200400001)(966005)(83380400001)(478600001)(166002)(2906002)(5660300002)(45080400002)(86362001)(8676002)(19627405001)(55016002)(110136005)(66574015)(9686003)(64756008)(66476007)(91956017)(33656002)(66946007)(76116006)(44832011)(53546011)(66556008)(66446008)(186003)(6506007)(316002)(38070700005)(38100700002)(52536014)(122000001)(7696005)(8936002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?iso-8859-1?Q?j9bj08FDgwxOWYIlX5zF8DJCpKjYheCItgU8Xkfj7r4fERnXpL9BrJIKsS?= =?iso-8859-1?Q?JS/3bg/DQxh1Hj98Cr4oa+EqsxKOixB1TKVgfEjVykV9zJdq6HFmhadF+m?= =?iso-8859-1?Q?dPkjnMAdxKSc8rLaapO7s9XwKCv8S0fbDg0cvGRMQeoNQeEsk4yhqqcnUc?= =?iso-8859-1?Q?VxgCkVFoM2aHbeBkAu+Hvr6negmGAfsxZevGSCnTL/ubpYASl0AINXs3Ge?= =?iso-8859-1?Q?UAd8ZC+t4JTWhwrq5EFQxiuMO+UMFb1TkdIp1PqS3YPpR9p0LI6J9FZikG?= =?iso-8859-1?Q?pJMVIVDoLb685WiFRw6cE9PgPfYSoakY+S1mzKt8GABE8d+N1QrX9Za24a?= =?iso-8859-1?Q?7uGMEhzGC+e/8FJ4hLPPUd6Y4nT4rjNqVLpyn4Rstwkayd4FoeBKdp9dnK?= =?iso-8859-1?Q?p/Jw0dnViB093/4dDQDJgIuizcQDMIVfE0eklkCexkaHF6fmDN+ub2M8pJ?= =?iso-8859-1?Q?Al0bFUzblflfmrmGRRxTcwPdt+g0XdSGwivGiY+Jqi6QrgzzquoU3qkjht?= =?iso-8859-1?Q?LU3jSxRg4Dths3GnvOhOXaZfTXlwU9fNyaDvRQQDeAmEkQX+S2YxXfLCnZ?= =?iso-8859-1?Q?meQTALj/omcDtuXUMGjZ2Lowcl9ja9Z2YQSfuTSXmboUREhsuqY++4EZwh?= =?iso-8859-1?Q?tlEeEPW5E4CZLDRvjeAMrTrE604QDFSq81lNPqYs138fcLDBNZbzQCiFs3?= =?iso-8859-1?Q?fylEhSK0+PHx9vVWk99loJoYZP3BalKjJfoHg/PudyCirsCvDMen0ovJwY?= =?iso-8859-1?Q?WWWtYLd6pSwonPDN56nQ+UkZNSXW/qu2OdYpg7M55FlFp8HgtzYQcFhIbU?= =?iso-8859-1?Q?Ywz3vDLqyEPTGEblYmCvXMjcsxPmnkb4OZXhsuFT5GSr9jY15iiyj6MUbR?= =?iso-8859-1?Q?gSjAc/CwwYShs73cTNfL+qZKRjq8ylSr+AINaxvWLObAtzX5ZGtEI0okQ6?= =?iso-8859-1?Q?mCEOH3Cl3XsHuySi0tA97J52usq/K/L/YVgKcHmqrboV54znSJ7LTFRWaI?= =?iso-8859-1?Q?IJCAgYVtOvdmWzmTyxOyXBT/J7PCbULGa1veBTjkWMPyRWZPtObEX7OKLA?= =?iso-8859-1?Q?X4vgQHZ47qbh9ERTDEYSU80YvRWJcfrxYLplOk0Eq+NeuVullmS3kKPZdx?= =?iso-8859-1?Q?l/xFPF2KoGYUaekHIqf7yREwBI/y4Qdsg3VDHVZsUTWvkg+Jl7EVfVyvVf?= =?iso-8859-1?Q?ZxC2jvYotd7du6nLs8uh0Tl89aVBtUyo/B6jPOUnf+wAv94zXUg4e3P6Ur?= =?iso-8859-1?Q?j1IXSf1WgT8A2PTf3IJ/iAQT1XOinwMpoJrVqMyCUr37ZXav5U2b2ihYfl?= =?iso-8859-1?Q?EINhFDlDiMlr1TrBqIB2AsvAEanfghZrT1AfDZqXl9HV6loInC+X4Mt1Cq?= =?iso-8859-1?Q?W6d+lZBsUwAND5YcD0NgZGQcj5TtrlpV++Bz0fJC6OdeI2stWoEjKtK+2f?= =?iso-8859-1?Q?evfZ4vgdXHSDL8md?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BY3PR13MB5044A581C1D75FB80F46C2DFF2F09BY3PR13MB5044namp_"
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY3PR13MB5044.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0f129778-f835-4ba3-7622-08d956c1750c
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Aug 2021 20:58:34.0062 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ThKKGrMO2auavKzDzIozTtLDZXm6egUpgQc8Gp0PNhPBNaCEiTLqfoNVUtCND4mjZpya55u0r+3L9JfEe6uQ0A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR13MB3873
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/QWztUyr9V_HqOx9wS7d3LrfpPec>
Subject: Re: [Idr] WG adoption call - draft-li-idr-flowspec-srv6-05,txt
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Aug 2021 20:58:43 -0000

Hi Ketan,

    Thank you very much for your review and 6 specific comments.
    My responses are inline below with [HC].

  1.  FlowSpec v1 is supposed to be focussed on the DDOS use-case.
I don't find any text in the draft that clarifies how/why this is
related to DDOS use-case. To me, this seems like something for
FlowSpec v2. Per (what I understood to be) WG consensus, this work
is then perhaps deferred to v2.
[HC]: This draft is for FlowSpec v2.

  2.  The draft proposes a new type "Whole SID". My understanding
from the text is that this rule applies to the IPv6 DA and not the
segments within the SRH. If so, then:
     *   What distinguishes a SID from any other IPv6 address in the
DA field?
[HC]: It is a kind of post processing SRv6 PGM that we are matching
on the DA after the SID has been copied from the SRH header to the
DA and SL decremented SL=SL-1.

     *   Why isn't the existing IPv6 DA type not sufficient?
[HC]: It is sufficient but it is the post SRv6 processing after the
SID is copied from SRH to DA when the next hop steering occurs. The
new type can provide some SID specific operations.

  3.  The draft proposes a new type "Some bits of SID (SBoS)".
Again, I believe this applies to the IPv6 DA again - so the same two Qs
above apply to this type to. What prevents a router (mistakenly)
applying this rule to packets with non-SRv6 SID in their DA.
[HC]: Refer to the answers above to the same questions.
A router MUST determine the IPv6 DA is a SID first and then
applies this rule only when the IPv6 DA is a SID.
This can be achieved by applying the rule as a post processing SRv6 PGM.

  4.  When the SBoS type is used, the SRv6 SID structure MUST be
indicated as part of the rule. Then the parts of the SID of interest
that need to be matched are also given in the space for the SID.
Is my understanding correct? If so, the text was not very clear to me.
[HC]: You are right. We will add some descriptions to make it clear.

  5.  The question of why this SBoS type is required again crops us
since the base FlowSpec rule for DA does allow pattern matching on
the IPv6 DA as well? Perhaps I am mistaken, and if so the document
does not provide any text or justification for why these new types
are required.
[HC]: A SRv6 SID has a specific structure with different fields.
Some fields in a SID may have some specific values. For example,
VPN service labels are embedded into some fields such as Func/Arg
of the SRv6 SIDs in some cases. This SBoS type can provide some
specific operations on some fields in a SID. For example, the service
labels in Func/Arg of SRv6 SIDs are within a given range. We may
check the ranges of the values in the fields using SBoS type.
We will add some text for justification.

  6.  Finally, there is no text related to the specific applicability
scenarios for these extensions. Exactly why it is difficult to
determine whether this falls under v1 or v2 scope.
[HC]: We will add some examples using these extensions.

Best Regards,
Huaimo
on behalf of co-authors

________________________________
From: Ketan Talaulikar (ketant) <ketant@cisco.com>
Sent: Friday, July 30, 2021 8:18 AM
To: Susan Hares <shares@ndzh.com>om>; idr@ietf.org <idr@ietf.org>rg>; draft-li-idr-flowspec-srv6@ietf.org <draft-li-idr-flowspec-srv6@ietf.org>
Subject: RE: [Idr] WG adoption call - draft-li-idr-flowspec-srv6-05,txt

Hello,

I have reviewed https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-li-idr-flowspec-srv6-05&amp;data=04%7C01%7Chuaimo.chen%40futurewei.com%7C0b12565f359d468e7d8308d9535439c6%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C1%7C637632443513317218%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&amp;sdata=dFhw6e%2F%2BR0%2BkDcGsjOlf2A4MmbuB080PIoBqTi99%2Bt0%3D&amp;reserved=0 and have the following questions for the authors before we consider adoption.


  1.  FlowSpec v1 is supposed to be focussed on the DDOS use-case. I don't find any text in the draft that clarifies how/why this is related to DDOS use-case. To me, this seems like something for FlowSpec v2. Per (what I understood to be) WG consensus, this work is then perhaps deferred to v2.
  2.  The draft proposes a new type "Whole SID". My understanding from the text is that this rule applies to the IPv6 DA and not the segments within the SRH. If so, then:
     *   What distinguishes a SID from any other IPv6 address in the DA field?
     *   Why isn't the existing IPv6 DA type not sufficient?
  3.  The draft proposes a new type "Some bits of SID (SBoS)". Again, I believe this applies to the IPv6 DA again - so the same two Qs above apply to this type to. What prevents a router (mistakenly) applying this rule to packets with non-SRv6 SID in their DA.
  4.  When the SBoS type is used, the SRv6 SID structure MUST be indicated as part of the rule. Then the parts of the SID of interest that need to be matched are also given in the space for the SID. Is my understanding correct? If so, the text was not very clear to me.
  5.  The question of why this SBoS type is required again crops us since the base FlowSpec rule for DA does allow pattern matching on the IPv6 DA as well? Perhaps I am mistaken, and if so the document does not provide any text or justification for why these new types are required.
  6.  Finally, there is no text related to the specific applicability scenarios for these extensions. Exactly why it is difficult to determine whether this falls under v1 or v2 scope.

Thanks,
Ketan

From: Idr <idr-bounces@ietf.org> On Behalf Of Susan Hares
Sent: 23 July 2021 22:28
To: idr@ietf.org; draft-li-idr-flowspec-srv6@ietf.org
Subject: [Idr] WG adoption call - draft-li-idr-flowspec-srv6-05,txt

This begins a 2 week WG adoption call for draft-li-idr-flowspec-srv6-05.txt