Re: [Idr] flowspec enhancements
Wesley Eddy <wes@mti-systems.com> Thu, 15 October 2015 00:21 UTC
Return-Path: <wes@mti-systems.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4990D1A90DE for <idr@ietfa.amsl.com>; Wed, 14 Oct 2015 17:21:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eVypaL_FeIUh for <idr@ietfa.amsl.com>; Wed, 14 Oct 2015 17:21:50 -0700 (PDT)
Received: from atl4mhob11.myregisteredsite.com (atl4mhob11.myregisteredsite.com [209.17.115.49]) by ietfa.amsl.com (Postfix) with ESMTP id E3ED71A90DD for <idr@ietf.org>; Wed, 14 Oct 2015 17:21:49 -0700 (PDT)
Received: from mailpod.hostingplatform.com ([10.30.71.203]) by atl4mhob11.myregisteredsite.com (8.14.4/8.14.4) with ESMTP id t9F0LmmS023587 for <idr@ietf.org>; Wed, 14 Oct 2015 20:21:48 -0400
Received: (qmail 32565 invoked by uid 0); 15 Oct 2015 00:21:48 -0000
X-TCPREMOTEIP: 50.241.159.113
X-Authenticated-UID: wes@mti-systems.com
Received: from unknown (HELO ?172.20.2.146?) (wes@mti-systems.com@50.241.159.113) by 0 with ESMTPA; 15 Oct 2015 00:21:48 -0000
To: Jeffrey Haas <jhaas@pfrc.org>
References: <55F857D1.1020806@mti-systems.com> <20151005191128.GU5754@pfrc.org>
From: Wesley Eddy <wes@mti-systems.com>
X-Enigmail-Draft-Status: N1110
Organization: MTI Systems
Message-ID: <561EF199.9050202@mti-systems.com>
Date: Wed, 14 Oct 2015 20:21:45 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <20151005191128.GU5754@pfrc.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/idr/YxYOUmOAbEg6KVCJ5xxLB_KUCf0>
Cc: idr@ietf.org, Justin Dailey <Justin@mti-systems.com>
Subject: Re: [Idr] flowspec enhancements
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2015 00:21:51 -0000
Hi Jeff, I had a couple comments to your message inline below: On 10/5/2015 3:11 PM, Jeffrey Haas wrote: > > This I-D serves as an interesting melange of ideas. I suspect at some later > point you might find it useful to separate the individual changes into > distinct I-Ds. > Splitting out any good ideas, and leaving the bad or more difficult ones behind, is definitely the plan. >> Specifically, the suggested enhancements include: >> - add packet rate limitations as an action (not just bitrate) > > This one is generally useful and would be a pretty trivial extension. Everyone that we've talked to has seemed to agree on this, so I think it looks like we should pull it out into its own document. We aren't an equipment vendor with an implementation that could do packet rate limiting, so I'd think it would be great if we could get a co-editor from some vendor who could actually implement this ... if you or someone else might be interested. >> - add support for filtering of tunneled traffic (unencrypted) > > This is problematic in several interesting ways, some of them implementation > specific. But perhaps that really suggests a widening of the deployment > domain. > > BGP Flowspec is typically deployed in scenarios to effectively program > firewall filtering on BGP speakers. Pragmatically, this has meant some > level of restricting the operations to filters that can be applied at near > wire-rate and thus we're not always getting a full set of potential > filtering operations that may be available on devices that work at different > scale. > > There's also the second issue in that such directly indexed forms of > filtering may limit the deployment to cases where flowspec routes are > directly advertised and not propagated to other BGP speakers. This is likey > because when tunneling technologies may change encap/decap on a hop-by-hop > basis, it becomes difficult to adjust the filters to be fully generic using > distribution via a Route Reflector - a common deployment scenario for > Flowspec. > > Of course, these constraints become different once we're talking about > non-traditional BGP speakers such as IPS systems, etc. Agreed on all counts. I think it motivates having a discussion "up one level" first, to see what the community believe the future of flowspec is, in terms of what types of devices in the near future are envisioned to be utilizing flowspec routes, whether everyone only intends to use them intra-domain or across one or more AS hops, etc. Maybe everyone already implicitly agrees on these, and I just haven't understood, but I think it would help to be explicit. -- Wes Eddy MTI Systems
- [Idr] flowspec enhancements Wesley Eddy
- Re: [Idr] flowspec enhancements Haoweiguo
- Re: [Idr] flowspec enhancements Wesley Eddy
- Re: [Idr] flowspec enhancements Haoweiguo
- Re: [Idr] flowspec enhancements Jeffrey Haas
- Re: [Idr] flowspec enhancements Wesley Eddy