Re: [Idr] [internet-drafts@ietf.org: I-D Action: draft-haas-flowspec-capability-bits-02.txt]

Robert Raszuk <robert@raszuk.net> Thu, 15 April 2021 19:24 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A0733A2BCE for <idr@ietfa.amsl.com>; Thu, 15 Apr 2021 12:24:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uYpY-fv0nlZQ for <idr@ietfa.amsl.com>; Thu, 15 Apr 2021 12:24:24 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DABB3A2BCD for <idr@ietf.org>; Thu, 15 Apr 2021 12:24:24 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id r22so17698648ljc.5 for <idr@ietf.org>; Thu, 15 Apr 2021 12:24:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=T918JJYQ2JBfuWU6WJUJ4unQz9bNjSkPggp3zr0pF18=; b=HP0bri5sYKlp0bMiLD44YGHT1eDpjs0lMIE0YNoQnh0yBLIe6yA8RW+tkK9j3agPUR x5LkUzOOSqdzeaNMAWr1UfcQAJJVTUqhY0bJsQFsBC1AR691xq70GdHDwdSYVRz/rLVt qFNIBG1gjyCNAzqj7juzdASUYzfrPjirN1lLIRBXvYU47aoCvWwyxZXR5qfJ9FgG52ya XBS5cO/jtgGv/ShA3Dx6ygcgD0Yetw9nAHEFfZfZ1j7MN7dzbwoXysf3lP684wUL3TnW LtLsIq4OaEIkHJ7JPgRDxgydXbrFlzCMU/NoMc/VVhLjdzCMzlTEfRZf+S8fv0DZwEbA tUOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=T918JJYQ2JBfuWU6WJUJ4unQz9bNjSkPggp3zr0pF18=; b=VRZukNp59fMg1lQyN5hLRx7GfMQuPaIPM0bflgrzxzRfB4ALIlIBDCvPXrh8GIFOCw G/oP2Zym/GQktWnavBH7ml8Kr2Zq6vGgzl+3UZjncfXMNvvnJ/2dPWT/0eY+NXOoH8yU bQwYzQ8cxdF0Ob3qV3gd/UH4CMcLtLiQPXUL1ilt7n9MwLBNExwGvgLKDfroQnColPlK ngrWos7RPJrLRdyTgPHgW2B55csXnRItcaaKJQ0HNVMNDpSm2CIINCZD9f5NwMvhztlN s7+AP0iEZlu3Sl3SwKyDzk+Waqe1B12+zB/jBOLOdc1N5lXX2q9BCyi2A/dlMPevDMCj oqAw==
X-Gm-Message-State: AOAM531dbfr704n/VnT9vm+X6C7yRKaY0q+rQ4fXNtQYS0VGFExx/1pd 3L8+wazQlq2cgX8OLcAp1pmE+BXGnOvp4UVVFKqefQ==
X-Google-Smtp-Source: ABdhPJwi52FoXM3zNxuRTzA5tNX708BSOM11Kxe3bszByWp8q3AKJhw3/9RH1d94BLtW8DvQyE48CsYXuYgqPzFltDc=
X-Received: by 2002:a2e:900f:: with SMTP id h15mr416999ljg.37.1618514660778; Thu, 15 Apr 2021 12:24:20 -0700 (PDT)
MIME-Version: 1.0
References: <20210409201047.GA13742@pfrc.org> <4d862ff450b349e6bcdaf96bd4d09b99@huawei.com> <20210412175120.GA25856@pfrc.org> <8ab2391b8a8647d2a8319c71a140ccd5@huawei.com> <20210415004310.GA6652@pfrc.org> <BL0PR11MB3202A2A4CB44B853EC6BA0BEC04D9@BL0PR11MB3202.namprd11.prod.outlook.com> <CAOj+MMHjdLH9RQRHTWuOJ_+qLvrSrE8PyXL_fK-zwb8oj13-Fw@mail.gmail.com> <37ECDC72-A91F-4E26-9FCC-D95BBCE9A65D@cisco.com> <CAOj+MMFU6KNTykfk_VNoE=+tFCx_R3whiiiDW_BkwNEqxKZBuw@mail.gmail.com> <BYAPR11MB32077BDAA0385B7B49D2B1FDC04D9@BYAPR11MB3207.namprd11.prod.outlook.com>
In-Reply-To: <BYAPR11MB32077BDAA0385B7B49D2B1FDC04D9@BYAPR11MB3207.namprd11.prod.outlook.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Thu, 15 Apr 2021 21:24:12 +0200
Message-ID: <CAOj+MME9Q7mLskZUuLqb2O--DTHJnnMGC_WX_jMKZ9wRM5UQ6Q@mail.gmail.com>
To: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
Cc: Jeffrey Haas <jhaas@pfrc.org>, "Dongjie (Jimmy)" <jie.dong@huawei.com>, "idr@ietf.org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006b917f05c007cfec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/RkwAC95mNAL76MNPYhMgR0bfxU0>
Subject: Re: [Idr] [internet-drafts@ietf.org: I-D Action: draft-haas-flowspec-capability-bits-02.txt]
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Apr 2021 19:24:30 -0000

>  It allows us to add new types to flowspec.

So does ORF without any side effects which come free with using bgp
capabilities.

In any case to restate adding new types to flowspec v1 is not something I
support.

Thx,
R.


On Thu, Apr 15, 2021 at 7:46 PM Jakob Heitz (jheitz) <jheitz@cisco.com>
wrote:

> Jeff's idea is even simpler.
>
> It allows us to add new types to flowspec.
>
>
>
> Regards,
>
> Jakob.
>
>
>
> *From:* Robert Raszuk <robert@raszuk.net>
> *Sent:* Thursday, April 15, 2021 6:34 AM
> *To:* Jakob Heitz (jheitz) <jheitz@cisco.com>
> *Cc:* Jeffrey Haas <jhaas@pfrc.org>rg>; Dongjie (Jimmy) <jie.dong@huawei.com>om>;
> idr@ietf.org
> *Subject:* Re: [Idr] [internet-drafts@ietf.org: I-D Action:
> draft-haas-flowspec-capability-bits-02.txt]
>
>
>
> Jakob,
>
>
>
> Pls see my last msg. It is not about originator assurance that something
> got installed. It is about operator basic understanding on what is going on
> in his network from BGP distribution point of view.
>
>
>
> Also pls observe that capabilities today require session reset. Dynamic
> capabilities is not there. So if I enable some filtering type on PE I need
> to reset my session to RR. If more SAFIs travel over this session this will
> get pretty ugly.
>
>
>
> Perhaps we should instead define FlowSpec ORF and single new capability
> "Wait for FS-ORF". FS ORF would signal to peer what types it supports.
> Simple, easy and non disruptive with pretty much the same end effect.
>
>
>
> Cheers,
>
> R.
>
>
>
> On Thu, Apr 15, 2021 at 3:24 PM Jakob Heitz (jheitz) <jheitz@cisco.com>
> wrote:
>
>
>
> Regards,
>
> Jakob.
>
>
>
>
>
> On Apr 15, 2021, at 2:43 AM, Robert Raszuk <robert@raszuk.net> wrote:
>
> 
>
> All,
>
>
>
> Yes what Jakob and now Jeff are saying makes sense. If we are to introduce
> this capability it should be only about what BGP peer understands as part
> of the NLRI. Nothing to do with data plane and filtering. Just observe that
> even if data plane supports it and even of operator enables it filter may
> still fail to get installed due to no space. So we never know at BGP level
> what got installed and what not.
>
>
>
> That's being just a little over dramatic. It's the case with all BGP. For
> any use case where it really matters and the originator must know exactly
> when and where its originated NLRI got installed, we don't use BGP.
>
>
>
>
>
> Now - I am still seriously concerned to add this to v1. Well unless we
> also add the notion of optional types. That means that when setting up a
> filter (manually or programmatically) types have an "Optional" flag - which
> means that if a peer does not support this type it is ok to drop it and
> sent all remaining types in NLRI instead of not sending the entire NLRI at
> all.
>
>
>
> That would provide some tools to make sure that v1 deployments are intact.
>
>
>
> Thx,
>
> R.
>
>
>
>
>
>
>
>
>
>
>
> On Thu, Apr 15, 2021 at 5:37 AM Jakob Heitz (jheitz) <jheitz=
> 40cisco.com@dmarc.ietf.org> wrote:
>
> I agree.
> The capability is exchanged only with neighbors and thus is
> not capable of informing the capabilities of all BGP speakers
> in the network. A more capable network management method
> is needed for that.
>
> The BGP capability is only useful to avoid sending a flowspec
> to a neighbor that it would consider as malformed.
>
> Regards,
> Jakob.
>
> -----Original Message-----
> From: Idr <idr-bounces@ietf.org> On Behalf Of Jeffrey Haas
> Sent: Wednesday, April 14, 2021 5:43 PM
> To: Dongjie (Jimmy) <jie.dong@huawei.com>
> Cc: idr@ietf.org
> Subject: Re: [Idr] [internet-drafts@ietf.org: I-D Action:
> draft-haas-flowspec-capability-bits-02.txt]
>
> Jie,
>
> On Wed, Apr 14, 2021 at 03:21:54PM +0000, Dongjie (Jimmy) wrote:
> > > On Mon, Apr 12, 2021 at 05:04:32PM +0000, Dongjie (Jimmy) wrote:
> > > > Hi Jeff, all,
> > > >
> > > > I've read the recent discussion and the updated version of this
> draft, here are
> > > some thoughts and comments:
> > > >
> > > > I fully agree that incremental deployment of new flowspec components
> is
> > > important, and it does not need to wait for Flowspec 2.0.
> > > >
> > > > Regarding a BGP flowspec component, there could be three different
> > > capabilities:
> > > >
> > > > 1.        The capability of parsing and implementing the component
> as a filter
> > > >
> > > > 2.        The capability of parsing and propagating the component,
> but not for
> > > local use
> > > >
> > > > 3.        The capability of propagating the component further even
> it is not parsed
> > > >
> > > > The first two capabilities are discussed in this thread and the
> updated draft,
> > > and to me it makes sense to distinguish these two capabilities.
> > >
> > > Operationally, how would you expect a BGP Speaker to differentiate
> these two
> > > cases?
> >
> > The assumption here is that not all the nodes are required to implement
> > the filters (or some just don't want to), while they may be on the path
> of
> > the flowspec rule propagation. If this is true, it may be useful for the
> > operator to know the set of nodes with the first capability and the set
> of
> > nodes with the second capability, although the capability of parsing and
> > propagating is more relevant to this document. These two capabilities may
> > be advertised using different mechanisms, as the first capability may be
> > needed by nodes not directly peered.
>
> Understood.  My question is what should a BGP Speaker that has been told
> that the adjacent BGP Speaker can parse a certain set of Flowspec
> components
> but not use some of them do about it?  Is it strictly advisory?
>
> If it's strictly advisory, I would advocate that we not worry about
> publishing that part in BGP.  One motivation is that capability space is
> still at somewhat of a premium without extended optional parameters.
>
> A second motivation is there may be better mechanisms to publish the
> network
> wide capabilities for using the filters.  I'll likely share a proposal in
> the upcoming weeks.
>
> > > The third case is unfortunately problematic right now.  Deployment
> > > experience has shown implementations aren't willing to deal with fully
> > > "opaque" NLRI.  We've had a number of outages resulting from parsing
> bugs
> > > as it is.
> >
> > I understand the problems with the "opaque" NLRI, while if the rule
> > specified in the NLRI is not required (or not capable) to be implemented
> > in data plane on a transit node, will it cause less harm to the network?
>
> My draft tries to make clear that any device that filters a rule, either
> because it doesn't receive it because of lack of capability of an upstream
> node, or lack of local ability, can have potential to result in
> mis-forwarding.  Whether it does so or not will depend on the independence
> of the rules.
>
> If my use of "independence" is unclear, I'll share an example next round.
>
> > > With flowspec v2, the primary obstacle toward opaque but still able to
> be
> > > checked for NLRI high level syntactic correctness can be done.  We
> know this
> > > is still problematic once you hit a node where the inner contents are
> validated
> > > and found to be problematic, but at least in this case "treat as
> withdraw"
> > > procedures are capable of being done.
> >
> > Agree flowspec v2 can help with the syntax validation to some extent.
> > While if the NLRI is considered malformed, the "treat as withdraw" error
> > handling may not always work.
>
> I think lengths in structured BGP NLRI will likely give us a hybrid
> situation.
>
> Consider an NLRI that has a known prefix length.
> Consider that it has components that have individual sub-lengths that are
> clear in the protocol.
>
> It is possible that the length of the individual components summed together
> are still a valid "length" from the top level (the prefix-length) from a
> high level syntactic level, but individual components may be of invalid
> length or syntax.  This is similar to the situation for path attributes.
>
> In such a case, the NLRI is malformed, but may be of enough integrity to
> properly handle as an ignore/discard.
>
> The BGP-CAR proposal and perhaps some of the evpn NLRI error handling
> cases have
> some similar overlap to this case.  (RFC 7606 tries to be too generic about
> "typed NLRI" and I think got it somewhat wrong.)
>
> -- Jeff
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
>