Re: [Idr] Feedback from mike during IETF 119 (was Re: FW: New Version Notification for draft-wu-idr-flowspec-dip-community-filter-00.txt)
wutianhao <wutianhao10@huawei.com> Tue, 19 March 2024 07:18 UTC
Return-Path: <wutianhao10@huawei.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32475C14F696 for <idr@ietfa.amsl.com>; Tue, 19 Mar 2024 00:18:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.904
X-Spam-Level:
X-Spam-Status: No, score=-6.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VXGHE2tOKxuV for <idr@ietfa.amsl.com>; Tue, 19 Mar 2024 00:18:24 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 698B8C14F693 for <idr@ietf.org>; Tue, 19 Mar 2024 00:18:24 -0700 (PDT)
Received: from mail.maildlp.com (unknown [172.18.186.231]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4TzNN75Vs9z6D8g6; Tue, 19 Mar 2024 15:17:43 +0800 (CST)
Received: from lhrpeml500004.china.huawei.com (unknown [7.191.163.9]) by mail.maildlp.com (Postfix) with ESMTPS id 41B63140DF0; Tue, 19 Mar 2024 15:18:20 +0800 (CST)
Received: from dggpemm100007.china.huawei.com (7.185.36.116) by lhrpeml500004.china.huawei.com (7.191.163.9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Tue, 19 Mar 2024 07:18:19 +0000
Received: from dggpemm500006.china.huawei.com (7.185.36.236) by dggpemm100007.china.huawei.com (7.185.36.116) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Tue, 19 Mar 2024 15:18:17 +0800
Received: from dggpemm500006.china.huawei.com ([7.185.36.236]) by dggpemm500006.china.huawei.com ([7.185.36.236]) with mapi id 15.01.2507.035; Tue, 19 Mar 2024 15:18:17 +0800
From: wutianhao <wutianhao10@huawei.com>
To: Ketan Talaulikar <ketant.ietf@gmail.com>
CC: Jeff Haas <jhaas@pfrc.org>, "idr@ietf. org" <idr@ietf.org>
Thread-Topic: Feedback from mike during IETF 119 (was Re: [Idr] FW: New Version Notification for draft-wu-idr-flowspec-dip-community-filter-00.txt)
Thread-Index: AQHaePCsE8GzCbP23kmEOeMXdeQEcLE+qNkg
Date: Tue, 19 Mar 2024 07:18:17 +0000
Message-ID: <be2866fb8d0143809a25b179a5097bab@huawei.com>
References: <1d8a9005350548acae681108370cb22d@huawei.com> <D405B3AE-2B9D-446E-AE39-4CD6FC9152C8@pfrc.org> <CAOj+MMFZLK4eEYqDZPaiyrayfTHEKkNLkjpCUQB=PTRR5E8dFg@mail.gmail.com> <CAH6gdPyYd-ERSRGz7dSygiQS=Pq_SgqOdEvyx3Eou=MXg58zPw@mail.gmail.com>
In-Reply-To: <CAH6gdPyYd-ERSRGz7dSygiQS=Pq_SgqOdEvyx3Eou=MXg58zPw@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.108.153.48]
Content-Type: multipart/alternative; boundary="_000_be2866fb8d0143809a25b179a5097babhuaweicom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/SLej4DuB4cTYCGnd0PugK-izMJk>
Subject: Re: [Idr] Feedback from mike during IETF 119 (was Re: FW: New Version Notification for draft-wu-idr-flowspec-dip-community-filter-00.txt)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 07:18:30 -0000
Hi Ketan, Thank you for your comments. I want to first clarify the scenario where this extension is applied. This draft is not targeted to DDOS scenario, but to traffic redirections for imporving network performance. In this scenario, the network operators use Destination-IP-Community filters as follows. 1. identify which prefixes to be redirected 2. choose an unused BGP communities for generating FlowSpec rules 3. announce the BGP updates (destination prefixes are those prefixes) with this BGP community Thus, the prefixes and communities are planned in advance. Hope this answer can solve your problem. Please don't hesitate to contact us if you have any further questions. Best regards, Tianhao Wu From: Ketan Talaulikar <ketant.ietf@gmail.com> Sent: Monday, March 18, 2024 12:56 PM To: Robert Raszuk <robert@raszuk.net> Cc: Jeff Haas <jhaas@pfrc.org>; wutianhao <wutianhao10@huawei.com>; idr@ietf. org <idr@ietf.org> Subject: Feedback from mike during IETF 119 (was Re: [Idr] FW: New Version Notification for draft-wu-idr-flowspec-dip-community-filter-00.txt) Hello Authors, I am repeating my comments from the IDR session earlier today. For Flowspec the larger scale challenge is the resources in the hardware for the actual rule - something that this proposal does not alter. The FlowSpec route space in the BGP control plane is not really a big deal for routers (not when compared to the h/w resources). So, does this really solve a real/practical problem? By using this mechanism of matching community, both the router and the FlowSpec controller is losing control over the number of rules generated. Even if there was a cap, it is tricky on what prefixes are picked and what happens with there are issues with the setting of these communities. How does the FlowSpec controller know which specific destinations are being filtered? Is that not important for a deployment - e.g., for DDOS scenario? While this proposal sounds interesting, I would suggest to please consider the above aspects and at least update the draft to cover those considerations. Thanks, Ketan On Fri, Mar 15, 2024 at 2:39 PM Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>> wrote: Hi Jeff, So just to make sure we are on the same page. Are you saying that it is perfectly ok to turn BGP into a control plane filtering protocol pushing BGP configuration (here policies) around the network ? Cheers, R. On Fri, Mar 15, 2024 at 4:29 AM Jeff Haas <jhaas@pfrc.org<mailto:jhaas@pfrc.org>> wrote: Tianhao, While I don’t quite share the same concerns that Robert does, I do have concerns about these RIB properties-based filters in terms of filter stability and deployment. Section 6 procedures in RFC 8955 provide an example of RIB interaction, albeit only on the flowspec destination component and the RIB-in route covering that component. While there may be some instability of the route, there is some reasonable expectation that stability is the intent for that procedure. In the case of the AS filter, the origin as is usually stable. Communities can be very unstable, especially for the set of candidate routes for the loc-rib entry. Please consider discussing this point during your presentation. Jeff. Sent from my iPad > On Mar 4, 2024, at 05:55, wutianhao <wutianhao10=40huawei.com@dmarc.ietf.org<mailto:40huawei.com@dmarc.ietf.org>> wrote: > > Dear all, > > We've submitted a new draft: draft-wu-idr-flowspec-dip-community-filter. > > This draft specifies a new BGP Flowspec component type to support community-level filtering. Flowspec rules can be reduced by using the method defining in this draft. It saves a lot of entry spaces on the control plane and forwarding plane, and it would greatly simplify the operation of the control plane, and the more destination prefixes with the same community has, the more obvious the benefit. > > Review and comments are welcome. > > Best regards, > Tianhao > > -----Original Message----- > From: internet-drafts@ietf.org<mailto:internet-drafts@ietf.org> <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>> > Sent: 2024年2月29日 17:26 > To: Wanghaibo (Rainsword) <rainsword.wang@huawei.com<mailto:rainsword.wang@huawei.com>>; Gejun (Jack, BGP) <jack.gejun@huawei.com<mailto:jack.gejun@huawei.com>>; wutianhao <wutianhao10@huawei.com<mailto:wutianhao10@huawei.com>>; Dingxiangfeng <dingxiangfeng@huawei.com<mailto:dingxiangfeng@huawei.com>> > Subject: New Version Notification for draft-wu-idr-flowspec-dip-community-filter-00.txt > > A new version of Internet-Draft > draft-wu-idr-flowspec-dip-community-filter-00.txt has been successfully submitted by Tianhao Wu and posted to the IETF repository. > > Name: draft-wu-idr-flowspec-dip-community-filter > Revision: 00 > Title: Destination-IP-Community Filter for BGP Flow Specification > Date: 2024-02-28 > Group: Individual Submission > Pages: 7 > URL: https://www.ietf.org/archive/id/draft-wu-idr-flowspec-dip-community-filter-00.txt > Status: https://datatracker.ietf.org/doc/draft-wu-idr-flowspec-dip-community-filter/ > HTMLized: https://datatracker.ietf.org/doc/html/draft-wu-idr-flowspec-dip-community-filter > > > Abstract: > > BGP Flowspec mechanism (BGP-FS) propagates both traffic Flow > Specifications and Traffic Filtering Actions by making use of the BGP > NLRI and the BGP Extended Community encoding formats. This document > specifies a new BGP-FS component type to support community-level > filtering. The match field is the community of the destination IP > address that is encoded in the Flowspec NLRI. This function is > applied in a single administrative domain. > > > > The IETF Secretariat > > > _______________________________________________ > Idr mailing list > Idr@ietf.org<mailto:Idr@ietf.org> > https://www.ietf.org/mailman/listinfo/idr _______________________________________________ Idr mailing list Idr@ietf.org<mailto:Idr@ietf.org> https://www.ietf.org/mailman/listinfo/idr _______________________________________________ Idr mailing list Idr@ietf.org<mailto:Idr@ietf.org> https://www.ietf.org/mailman/listinfo/idr
- [Idr] FW: New Version Notification for draft-wu-i… wutianhao
- Re: [Idr] FW: New Version Notification for draft-… Robert Raszuk
- Re: [Idr] FW: New Version Notification for draft-… Robert Raszuk
- [Idr] 答复: FW: New Version Notification for draft-… wutianhao
- Re: [Idr] 答复: FW: New Version Notification for dr… Robert Raszuk
- Re: [Idr] FW: New Version Notification for draft-… Jeff Haas
- Re: [Idr] FW: New Version Notification for draft-… Robert Raszuk
- [Idr] Feedback from mike during IETF 119 (was Re:… Ketan Talaulikar
- Re: [Idr] Feedback from mike during IETF 119 (was… wutianhao
- Re: [Idr] Feedback from mike during IETF 119 (was… Ketan Talaulikar
- Re: [Idr] Feedback from mike during IETF 119 (was… Robert Raszuk