Re: [Idr] [internet-drafts@ietf.org: I-D Action: draft-haas-flowspec-capability-bits-02.txt]

Jeffrey Haas <jhaas@pfrc.org> Mon, 12 April 2021 17:28 UTC

Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D2A83A0DE2 for <idr@ietfa.amsl.com>; Mon, 12 Apr 2021 10:28:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d2kq57-bi2_6 for <idr@ietfa.amsl.com>; Mon, 12 Apr 2021 10:28:45 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 9C2003A0DDD for <idr@ietf.org>; Mon, 12 Apr 2021 10:28:45 -0700 (PDT)
Received: by slice.pfrc.org (Postfix, from userid 1001) id 55D091E45A; Mon, 12 Apr 2021 13:51:21 -0400 (EDT)
Date: Mon, 12 Apr 2021 13:51:21 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: "Dongjie (Jimmy)" <jie.dong@huawei.com>
Cc: "idr@ietf.org" <idr@ietf.org>
Message-ID: <20210412175120.GA25856@pfrc.org>
References: <20210409201047.GA13742@pfrc.org> <4d862ff450b349e6bcdaf96bd4d09b99@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4d862ff450b349e6bcdaf96bd4d09b99@huawei.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/SAK1zKIE6rK9y7ewYr152wZeRSk>
Subject: Re: [Idr] [internet-drafts@ietf.org: I-D Action: draft-haas-flowspec-capability-bits-02.txt]
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2021 17:28:50 -0000

Jie,

Thanks for your feedback.

On Mon, Apr 12, 2021 at 05:04:32PM +0000, Dongjie (Jimmy) wrote:
> Hi Jeff, all, 
> 
> I've read the recent discussion and the updated version of this draft, here are some thoughts and comments: 
> 
> I fully agree that incremental deployment of new flowspec components is important, and it does not need to wait for Flowspec 2.0.
> 
> Regarding a BGP flowspec component, there could be three different capabilities: 
> 
> 1.	The capability of parsing and implementing the component as a filter
> 
> 2.	The capability of parsing and propagating the component, but not for local use
> 
> 3.	The capability of propagating the component further even it is not parsed
> 
> The first two capabilities are discussed in this thread and the updated draft, and to me it makes sense to distinguish these two capabilities. 

Operationally, how would you expect a BGP Speaker to differentiate these two cases?  

> As sometimes a flowspec rule only needs to be installed on a subset of nodes, a node which is not required to install it or even support it may be on the propagation path of the flowspec rule. If there is some mechanism to limit the propagation scope or indicate the target nodes of the flowspec, the third capability may further help the incremental deployment of new flowspec components.

The third case is unfortunately problematic right now.  Deployment
experience has shown implementations aren't willing to deal with fully
"opaque" NLRI.  We've had a number of outages resulting from parsing bugs as
it is.

With flowspec v2, the primary obstacle toward opaque but still able to be
checked for NLRI high level syntactic correctness can be done.  We know this
is still problematic once you hit a node where the inner contents are
validated and found to be problematic, but at least in this case "treat as
withdraw" procedures are capable of being done.

The underlying behavior you're discussing is the scope discussion that I
think we're in general need of, and a separate thread was forked for.
Perhaps once that's been discussed in more detail it makes sense to come
back to this third point?

> Then back to the encoding of the flowspec capability bits, if we want to consider the case that a node can propagate unknown flowspec components, one reserved bit in the bit-string may be used to indicate such capability, other mechanism is also possible. 

The encoding is the less exciting bit of the discussion. :-)  Let's revisit
this after you've clarified your first two points.

-- Jeff