[Idr] Flowspec draft-ietf-idr-rfc5575bis last (known) issue that needs to be resolved

Christoph Loibl <c@tix.at> Thu, 27 December 2018 10:55 UTC

Return-Path: <c@tix.at>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id BE535127133 for <idr@ietfa.amsl.com>; Thu, 27 Dec 2018 02:55:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Xczx--gGtLiP for <idr@ietfa.amsl.com>; Thu, 27 Dec 2018 02:55:50 -0800 (PST)
Received: from mail.hated.at (mail.hated.at [IPv6:2001:858:2:8::235]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76932128CF3 for <idr@ietf.org>; Thu, 27 Dec 2018 02:55:50 -0800 (PST)
Received: from 089144223254.atnat0032.highway.bob.at ([] helo=[]) by mail.hated.at with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <c@tix.at>) id 1gcTIl-0003WE-0A for idr@ietf.org; Thu, 27 Dec 2018 11:54:07 +0100
From: Christoph Loibl <c@tix.at>
Content-Type: multipart/signed; boundary="Apple-Mail=_F5C7E181-063B-4EFF-B654-2B5D9A80A9F6"; protocol="application/pgp-signature"; micalg=pgp-sha1
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
Message-Id: <6FC8208F-DB08-4DE4-BFEB-518A806B11DB@tix.at>
Date: Thu, 27 Dec 2018 11:55:46 +0100
To: idr wg <idr@ietf.org>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/WuV4tbA9QrqK-_zkVtL36NsQ5VA>
Subject: [Idr] Flowspec draft-ietf-idr-rfc5575bis last (known) issue that needs to be resolved
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Dec 2018 10:55:54 -0000


During the interim we agreed on a procedure to resolve the last known issues of draft-ietf-idr-rfc5575bis. Since then I uploaded some changes (as posted on the list previously). The result is, that there is only one remaining issue that I want to address now.

The draft RFC5557bis contains a section on traffic action interference which is (as pointed out already on the list) very restrictive and may break current use-cases as pointed out by Jeffery. We had some discussion on this amongst the authors of the draft. I try to summarize and would love to get advice from the list:

*) Precondition - RFC5575:

RFC5575 completely ignores the fact that traffic actions may “interfere” with each other. (simplest example: 2 different rate-limits for a given flow - which rate-limit should be applied?) This makes the result unpredictable.

*) current status of draft RFC5575bis:

Draft RFC5575bis has a section on traffic action interference (Section 7.6.) which is *very* restrictive. It basically resolves all “interfering” traffic actions by treating such updates as withdraw. The problem here is, that some combinations that we defined as “interfering” (= treat as withdraw) may still make sense (for example: multiple redirect-rt actions may be useful. Some nodes in the network may import rt-A in a vrf and others may import rt-B into a vrf. So for some nodes redirect-rt-A is used while on others redirect-rt-B is used for traffic redirection).

*) Suggested solution A - make action predictable:

As pointed out above the current specification (RFC5575) is unpredictable while the draft RFC5575bis is too restrictive. Suggested solution A targets this problem by sorting the traffic action communities (while not restricting what is actually propagated):

+ For traffic rate communities: Use the lowest traffic rate (floating point number encoded in the ext-community)

+ For redirect-rt commuities: Sort them in ascending order and use the lowest feasible for traffic redirection (some RTs may not be feasible because there is on import statement for that particular RT in the configuration).

+ For the remaining actions: Always use the lowest encoded value (memcmp).

Using always the “lowest” is only for the sake of predictability, “highest” may be as good. (I remember that someone mentioned during the interim meeting that some sorting is already part of someones implementation).

While the above solution A has some limitations (and introduces a previously undocumented behaviour) suggested solution B (below) may still improve the behaviour:

*) Suggested solution B - only document the behaviour:

We can add to the operational consideration section that there may be interfering traffic actions. FS filters with interfering actions shall still be propagated but the actual selection of the appropriate actions is up to the implementation. If a network/fs-domain wide predictable behaviour is needed for an application this can still be achieved by using custom BGP communities and BGP policies (plus rewriting those to the appropriated actions).

This is very “lightweight” and I think that solution B may easily find consensus. However the benefit over RFC5575 is only very little.

Any preferences how we should proceed?



Christoph Loibl
c@tix.at | CL8-RIPE | PGP-Key-ID: 0x4B2C0055 | http://www.nextlayer.at