[Idr] A proposal to add sequencing to BGP Flowspec v1

Jeffrey Haas <jhaas@pfrc.org> Tue, 27 April 2021 18:11 UTC

Date: Tue, 27 Apr 2021 14:34:49 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: idr@ietf.org
Message-ID: <20210427183448.GA10541@pfrc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/Wvw1mosxbT5LVY_1sK6GBNdZDjM>
Subject: [Idr] A proposal to add sequencing to BGP Flowspec v1
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>

[Speaking as an individual contributor.]


As a Working Group, we set out to finish Flowspec v1's -bis document before
taking up the work for Flowspec v2.  We finished the -bis work in RFC 8955.

It's been several years since the conversations we had that motivated
Flowspec v2.  Sue had submitted a proposal that was intended to capture the
thinking of the Working Group at the time.  There were three high order
pieces of work to be done:

1. Address parsing issues by moving to an explicit length field.  (PCEP
adopted this idea when they embedded Flowspec in their protocol to leverage
our encodings.)

2. Provide for explicit sequencing of terms.  This was motivated by there
being a need for other firewall-like applications to have ordering different
than those provided by the default sort function.

3. Provide for a better way to manage Flowspec actions, especially when
they may have interactions based on ordering.

draft-haas-flowspec-capability-bits was submitted to try to address the
first issue incrementally for Flowspec v1.  It's gotten good discussion.

Below, please see a proposal that attempts to incrementally address the
explicit sequencing problem.

Why not wait to do this in Flowspec v2, you might ask?  It's certainly an
option.  I will offer two initial points of consideration why we might want
to consider this proposal:

- We now have multiple BGP Flowspec features that share more history in the
  format of v1 (especially after the -bis work) than they do with v2.  This
  includes extensions for nvo3, l2vpn.  If those features will want to
  leverage explicit sequencing, they either need to wait on v2, or update
  after v2 has come into being.
- This proposal is also compatible with those additional drafts.

We look forward to your feedback.

-- Jeff (for the authors)

----- Forwarded message from internet-drafts@ietf.org -----

Date: Tue, 27 Apr 2021 10:47:36 -0700
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Subject: I-D Action: draft-haas-idr-flowspec-term-order-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

        Title           : BGP Flowspec Explicit Term Ordering
        Authors         : Jeffrey Haas
                          Susan Hares
                          Sven Maduschke
        Filename        : draft-haas-idr-flowspec-term-order-00.txt
        Pages           : 7
        Date            : 2021-04-27

   BGP Flowspec (RFC 8955) provides a mechanism for matching traffic
   flows.  The ordering of the Flow Specifications defined by that RFC
   is provided by a sorting function that uses the contents of the
   received BGP NLRI; that NLRI does not contain an explicit ordering
   component.  The RFC's sorting function permits for origination of
   Flowspec NLRI from multiple BGP Speakers and is generally appropriate
   for mitigating distributed denial-of-service (DDoS) attacks.

   There are circumstances where the implicit RFC 8955 sorting order is
   not appropriate.  This document defines a mechanism that permits
   individual Flowspec NLRI to influence their sort order.

The IETF datatracker status page for this draft is:

There are also htmlized versions available at:

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:

I-D-Announce mailing list
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

----- End forwarded message -----
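The abstract above describes the RFC 8955 sort function that gives Flowspec v1 its only ordering. To make concrete what "no explicit ordering component" means, here is a worked implementation of that comparison (the flow_rule_cmp pseudo-code in RFC 8955 section 5.1) run over a handful of constructed NLRI. This is an added example written for this archive page from my reading of the RFC; it is not code from the draft, from its authors, or from any router. The NLRI names, the samples and the helper names (FlowSpec, Component, sort_flowspecs) are my own.

```python
"""RFC 8955 section 5.1 Flow Specification ordering, worked through.

Flowspec v1 NLRI carry no sequence number: a speaker derives the order in
which rules are applied purely by comparing the NLRI components.  Added
example based on my reading of the RFC's flow_rule_cmp pseudo-code; not
code from draft-haas-idr-flowspec-term-order or its authors.  All NLRI
below are constructed samples.
"""
from dataclasses import dataclass
from functools import cmp_to_key
from ipaddress import IPv4Network, ip_network

# Component type numbers from RFC 8955 section 4.2.
DEST_PREFIX = 1
SRC_PREFIX = 2
IP_PROTOCOL = 3
DEST_PORT = 5

# The RFC pseudo-code has component_type() return infinity at end-of-list,
# so the NLRI that still has components left wins the type comparison.
END_OF_LIST = float("inf")


@dataclass(frozen=True)
class Component:
    ctype: int
    value: object  # IPv4Network for types 1 and 2, raw operator/value bytes otherwise


@dataclass(frozen=True)
class FlowSpec:
    name: str
    components: tuple  # components MUST be in ascending type order (RFC 8955 4.2)


def _prefix_cmp(a: IPv4Network, b: IPv4Network) -> int:
    """Compare over the common prefix length: lower value has precedence;
    if equal over that length, the longer (more specific) prefix has precedence."""
    common = min(a.prefixlen, b.prefixlen)
    shift = a.max_prefixlen - common
    va = int(a.network_address) >> shift
    vb = int(b.network_address) >> shift
    if va != vb:
        return -1 if va < vb else 1
    if a.prefixlen != b.prefixlen:
        return -1 if a.prefixlen > b.prefixlen else 1
    return 0


def _bytes_cmp(a: bytes, b: bytes) -> int:
    """memcmp over the common length: lower value has precedence;
    if equal over that length, the longer string has precedence."""
    common = min(len(a), len(b))
    if a[:common] != b[:common]:
        return -1 if a[:common] < b[:common] else 1
    if len(a) != len(b):
        return -1 if len(a) > len(b) else 1
    return 0


def flow_rule_cmp(x: FlowSpec, y: FlowSpec) -> int:
    """Return -1 if x has precedence (is matched first), 1 if y does, 0 if equal."""
    i = 0
    while i < len(x.components) or i < len(y.components):
        tx = x.components[i].ctype if i < len(x.components) else END_OF_LIST
        ty = y.components[i].ctype if i < len(y.components) else END_OF_LIST
        if tx != ty:
            return -1 if tx < ty else 1  # lowest component type has precedence
        cx, cy = x.components[i].value, y.components[i].value
        r = _prefix_cmp(cx, cy) if tx in (DEST_PREFIX, SRC_PREFIX) else _bytes_cmp(cx, cy)
        if r:
            return r
        i += 1
    return 0


def sort_flowspecs(specs):
    """Return the NLRI names in the order an RFC 8955 speaker would apply them."""
    return [s.name for s in sorted(specs, key=cmp_to_key(flow_rule_cmp))]


# Constructed samples.  Numeric components use the RFC 8955 operator byte
# 0x81 (end-of-list, 1-byte value, eq) followed by the value.
EQ_TCP = bytes([0x81, 6])       # ip-protocol == 6
EQ_PORT_80 = bytes([0x81, 80])  # destination-port == 80

SAMPLE_NLRI = [
    FlowSpec("A", (Component(DEST_PREFIX, ip_network("10.0.0.0/8")),)),
    FlowSpec("B", (Component(DEST_PREFIX, ip_network("10.0.0.0/24")),
                   Component(DEST_PORT, EQ_PORT_80))),
    FlowSpec("C", (Component(DEST_PREFIX, ip_network("10.0.0.0/24")),)),
    FlowSpec("D", (Component(DEST_PREFIX, ip_network("10.0.0.0/24")),
                   Component(IP_PROTOCOL, EQ_TCP))),
    FlowSpec("E", (Component(SRC_PREFIX, ip_network("192.0.2.0/24")),)),
    FlowSpec("F", (Component(DEST_PREFIX, ip_network("9.0.0.0/8")),)),
]

if __name__ == "__main__":
    for rank, name in enumerate(sort_flowspecs(SAMPLE_NLRI), 1):
        print(rank, name)
```

Running it yields F, D, B, C, A, E. F leads only because 9.0.0.0/8 is numerically lower than 10.0.0.0/8; D beats B only because type 3 (ip-protocol) is numbered below type 5 (destination-port); B beats C only because B has one more component. None of those outcomes can be changed by the originating speaker: whoever wants the port rule evaluated before the protocol rule has no knob in v1, which is the gap the explicit term-ordering draft sets out to close.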