IETF Logo Mail Archive

Re: [Idr] I-D Action: draft-ietf-idr-flowspec-interfaceset-01.txt

<stephane.litkowski@orange.com> Fri, 10 June 2016 09:23 UTC

Return-Path: <stephane.litkowski@orange.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9ED1812B03D for <idr@ietfa.amsl.com>; Fri, 10 Jun 2016 02:23:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.334
X-Spam-Level:
X-Spam-Status: No, score=-3.334 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QRo0OIAX84LC for <idr@ietfa.amsl.com>; Fri, 10 Jun 2016 02:23:29 -0700 (PDT)
Received: from relais-inet.orange.com (relais-nor35.orange.com [80.12.70.35]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AB2912D518 for <idr@ietf.org>; Fri, 10 Jun 2016 02:23:29 -0700 (PDT)
Received: from opfednr04.francetelecom.fr (unknown [xx.xx.xx.68]) by opfednr26.francetelecom.fr (ESMTP service) with ESMTP id 21224206FE; Fri, 10 Jun 2016 11:23:28 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.2]) by opfednr04.francetelecom.fr (ESMTP service) with ESMTP id E5ACB4005B; Fri, 10 Jun 2016 11:23:27 +0200 (CEST)
Received: from OPEXCLILMA4.corporate.adroot.infra.ftgroup ([fe80::65de:2f08:41e6:ebbe]) by OPEXCLILM21.corporate.adroot.infra.ftgroup ([fe80::e92a:c932:907e:8f06%19]) with mapi id 14.03.0294.000; Fri, 10 Jun 2016 11:23:27 +0200
From: stephane.litkowski@orange.com
To: Lucy yong <lucy.yong@huawei.com>, "idr@ietf.org" <idr@ietf.org>
Thread-Topic: [Idr] I-D Action: draft-ietf-idr-flowspec-interfaceset-01.txt
Thread-Index: AQHRwYlWKLZD+NLIGEG6YM0mvKsgaJ/fj6NAgAA+7fCAAp8FAA==
Date: Fri, 10 Jun 2016 09:23:26 +0000
Message-ID: <3789_1465550608_575A8710_3789_7942_1_9E32478DFA9976438E7A22F69B08FF921BC4E487@OPEXCLILMA4.corporate.adroot.infra.ftgroup>
References: <20160608132609.19947.65371.idtracker@ietfa.amsl.com> <2211_1465392560_57581DB0_2211_5567_1_9E32478DFA9976438E7A22F69B08FF921BC4661E@OPEXCLILMA4.corporate.adroot.infra.ftgroup> <2691CE0099834E4A9C5044EEC662BB9D57296547@dfweml501-mbb>
In-Reply-To: <2691CE0099834E4A9C5044EEC662BB9D57296547@dfweml501-mbb>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.3]
Content-Type: multipart/alternative; boundary="_000_9E32478DFA9976438E7A22F69B08FF921BC4E487OPEXCLILMA4corp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/aF9a_7bOsZXJynXMcAybviSfLJU>
Subject: Re: [Idr] I-D Action: draft-ietf-idr-flowspec-interfaceset-01.txt
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jun 2016 09:23:32 -0000

Hi Lucy,

Pls find some comments inline.

Thanks,

Stephane

From: Lucy yong [mailto:lucy.yong@huawei.com]
Sent: Wednesday, June 08, 2016 21:21
To: LITKOWSKI Stephane OBS/OINIS; idr@ietf.org
Subject: RE: [Idr] I-D Action: draft-ietf-idr-flowspec-interfaceset-01.txt


Hi Stephane, et al,



I read this draft and have some comments.

*         I like this approach to treat interfaceset as FS scope, not as matching, nor as action.

*         Instead of using group-identifier to express interfaceset in the EC, IMO: it is better to use interface type to identify the interfaceset and have IANA registry for each interface type. This will make interworking/automation easier. Any thought on that?

[SLI] Bruno Decraene raised on similar comment at the beginning of the draft , proposing some "well-known" interface-set. There was not a strong support for it considering that having a group-id will enable any scenario. Now regarding your proposal of having a specific interface type defined, I think it's really restrictive. I'm not opposite that someone creates new scope for specific interface types later but I would like to keep the generic approach in this draft. Creating well known group-ids may also be reconsidered.



*         IMO: Content in Sn 6 is very useful, however it does not belong to this draft. These rules for processing permanent configured and BGP FS apply to all BGP FS. It should be documented in one draft and apply to all BGP FS drafts. FS ACL is just one type of BGP FS, there are others as well. The rules should be described in general term.

I agree that there may be more iteractions to describe like Policy Based routing. But I think that this draft is a good place to describe it. The base flowspec does not precise where the rules must be applied, so it becomes up to implementation to place the rule where it best fits and manage interaction with other mechanism.

Now with this draft, we know that the rules will be pushed on a pr interface basis interacting with well known interface features. We cannot describe all for sure. I will try in the next revision to be more generic and still giving examples.





*         I am not clear what first sentence means in Sn 7. Does it say that some interfaces may not be able to support the rules? Pls explain.

[SLI] That's a question of scaling. With the base FS, the rule is applied in a single place, while here it may be "duplicated" in the forwarding plane and implementations will need to look at optimizations to prevent to create unnecessary states in the forwarding plane. I will see how to reword it.





Thanks,

Lucy



-----Original Message-----
From: Idr [mailto:idr-bounces@ietf.org] On Behalf Of stephane.litkowski@orange.com
Sent: Wednesday, June 08, 2016 8:29 AM
To: idr@ietf.org
Subject: Re: [Idr] I-D Action: draft-ietf-idr-flowspec-interfaceset-01.txt



Hi IDR,



This is a new version of the interface-set flowspec extension.



As there was some misinterpretation of what the interface-set is (it is not a match (as not part of NLRI) and it is not an action), we defined the notion of traffic filtering scope. Interface-set would be the first traffic filtering scope defined, and nothing prevents to create new ones if required.



Best Regards,



Stephane





-----Original Message-----

From: Idr [mailto:idr-bounces@ietf.org] On Behalf Of internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>

Sent: Wednesday, June 08, 2016 15:26

To: i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>

Cc: idr@ietf.org<mailto:idr@ietf.org>

Subject: [Idr] I-D Action: draft-ietf-idr-flowspec-interfaceset-01.txt





A New Internet-Draft is available from the on-line Internet-Drafts directories.

This draft is a work item of the Inter-Domain Routing of the IETF.



        Title           : Applying BGP flowspec rules on a specific interface set

        Authors         : Stephane Litkowski

                          Adam Simpson

                          Keyur Patel

                          Jeff Haas

      Filename        : draft-ietf-idr-flowspec-interfaceset-01.txt

      Pages           : 14

      Date            : 2016-06-08



Abstract:

   BGP Flow-spec is an extension to BGP that allows for the

   dissemination of traffic flow specification rules.  The primary

   application of this extension is DDoS mitigation where the flowspec

   rules are applied in most cases to all peering routers of the

   network.



   This document will present another use case of BGP Flow-spec where

   flow specifications are used to maintain some access control lists at

   network boundary.  BGP Flowspec is a very efficient distributing

   machinery that can help in saving OPEX while deploying/updating ACLs.

   This new application requires flow specification rules to be applied

   only on a specific subset of interfaces and in a specific direction.



   The current specification of BGP Flow-spec ([RFC5575]) introduces the

   notion of flow specification (which describes the matching criterion)

   and traffic filtering actions.  The flow specification is encoded as

   part of the NLRI while the traffic filtering actions are encoded as

   extended communities.  The combination of a flow specification and

   one or more actions is known as a flow specification rule.  [RFC5575]

   does not detail where the flow specification rules need to be

   applied.



   Besides the flow specification and traffic filtering actions, this

   document introduces the notion of traffic filtering scope in order to

   drive where a particular rule must be applied.  In particular, this

   document introduces the "interface-set" traffic filtering scope that

   could be used in parallel of traffic filtering actions (marking,

   rate-limiting ...).  The purpose of this extension is to inform

   remote routers about groups of interfaces where the rule must be

   applied.



   This extension can also be used in a DDoS mitigation context where a

   provider wants to apply the filtering only on specific peers.







The IETF datatracker status page for this draft is:

https://datatracker.ietf.org/doc/draft-ietf-idr-flowspec-interfaceset/



There's also a htmlized version available at:

https://tools.ietf.org/html/draft-ietf-idr-flowspec-interfaceset-01



A diff from the previous version is available at:

https://www.ietf.org/rfcdiff?url2=draft-ietf-idr-flowspec-interfaceset-01





Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.



Internet-Drafts are also available by anonymous FTP at:

ftp://ftp.ietf.org/internet-drafts/



_______________________________________________

Idr mailing list

Idr@ietf.org<mailto:Idr@ietf.org>

https://www.ietf.org/mailman/listinfo/idr



_________________________________________________________________________________________________________________________



Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.



This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.



_______________________________________________

Idr mailing list

Idr@ietf.org<mailto:Idr@ietf.org>

https://www.ietf.org/mailman/listinfo/idr

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email