Re: [Idr] Destination-IP-Origin-AS Filter for BGP Flow Specification

Jeffrey Haas <jhaas@pfrc.org> Thu, 07 November 2019 17:33 UTC

Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C1F2120985 for <idr@ietfa.amsl.com>; Thu, 7 Nov 2019 09:33:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PfaBPGuhWV7G for <idr@ietfa.amsl.com>; Thu, 7 Nov 2019 09:33:51 -0800 (PST)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 30E2E12090E for <idr@ietf.org>; Thu, 7 Nov 2019 09:33:50 -0800 (PST)
Received: by slice.pfrc.org (Postfix, from userid 1001) id 10C321E2F7; Thu, 7 Nov 2019 12:37:33 -0500 (EST)
Date: Thu, 7 Nov 2019 12:37:33 -0500
From: Jeffrey Haas <jhaas@pfrc.org>
To: "Wanghaibo (Rainsword)" <rainsword.wang@huawei.com>
Cc: Robert Raszuk <robert@raszuk.net>, "wangaj3@chinatelecom.cn" <wangaj3@chinatelecom.cn>, Zhuangshunwan <zhuangshunwan@huawei.com>, "idr@ietf. org" <idr@ietf.org>
Message-ID: <20191107173733.GR3277@pfrc.org>
References: <CAOj+MMHLFxe94chd1woN74KeJy3UQa2mfSjXjrE7uudPBDw6KQ@mail.gmail.com> <1E61161D6E31D849BEA887261DB609348C9A97E0@nkgeml514-mbx.china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1E61161D6E31D849BEA887261DB609348C9A97E0@nkgeml514-mbx.china.huawei.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/Qg0uNuS-8S8WO9igU2AcGXS9Bzc>
Subject: Re: [Idr] Destination-IP-Origin-AS Filter for BGP Flow Specification
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2019 17:33:53 -0000

Haibo,

On Tue, Nov 05, 2019 at 08:11:12AM +0000, Wanghaibo (Rainsword) wrote:
> PS: Netflow is already supporting statistical traffic based on Dest-IP-Origin-AS, it already download Dest-IP-Origin-AS to FIB entry, this prosess can be reused.

>From a forwarding perspective, this is the detail that bothers me.

Flowspec right now is currently independent of FIB state.  It functions on
the firewall layer, which is typically implemented prior to FIB.

What this feature implies is something roughly like:
Packet comes in, hits rule to check dst-as.
dst-as lookup needs to happen as one of:
- communicate to BGP routing process. (not likely to scale)
- trigger a FIB lookup, check returned dst-as.  Violates pipelining in many
  architectures.
- Have the entire FIB's dst-as-map pushed into memory for firewall,
  implement as a longest-match lookup on that collection.

-- Jeff