[Idr] Flowspec redirect-ip update
Jeffrey Haas <jhaas@pfrc.org> Sun, 08 September 2024 10:18 UTC
Date: Sun, 08 Sep 2024 06:18:26 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: idr@ietf.org
Message-ID: <20240908101826.GA6410@pfrc.org>
Subject: [Idr] Flowspec redirect-ip update
List-Id: Inter-Domain Routing <idr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/aZ7BsrmYuaE-cpp2H4yNd-wt4h8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr>
In support of closing out lingering work, plus addressing a dependent document MISSREF, here's an update to the flowspec redirect-to-ip work. Known lingering issues are covered in my github where this work was originally being tracked:

https://github.com/jhaas-pfrc/draft-ietf-idr-flowspec-redirect-ip/issues

Redirect-to-ip for flowspec is supported in various forms across multiple vendors at this point. The remaining work is addressing what the current inconsistencies and lingering operational security considerations will mean for the final form of this document.

Summary of known issues:

- The "C" bit for copy behavior is not believed to be implemented by anyone at this time. However, since most of the supporting implementations are with vendors that do support some form of traffic cloning, we perhaps have a desire to leave this bit defined in order to future-proof the protocol extension.

- Since this feature has dire consequences for traffic interception if the redirection address is not strongly controlled, there is new text addressing validating the redirection address vs. the destination address in a fashion similar to existing inter-AS/eBGP flowspec. And very similar to that mechanism in the flowspec RFCs, it may be disabled by configuration.

- Compound actions in flowspec are known to be challenging, and already a discussion point for enhancement in flowspec v2. In this draft, the compound action of redirect-to-vrf present in the base flowspec RFCs may be augmented with a redirect-to-ip. At this time, this compound behavior is not believed to be implemented. However, the authors had been contacted about preserving this encoding to support future use cases.

- ECMP traffic distribution is inconsistently implemented. It's not believed that this is a problem but is worth flagging to the working group.

Please review the update to the draft and provide feedback, especially if you have an implementation of this feature.
-- Jeff (for the authors)

----- Forwarded message from internet-drafts@ietf.org -----

Date: Sun, 08 Sep 2024 02:58:28 -0700
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
CC: idr@ietf.org
Subject: [Idr] I-D Action: draft-ietf-idr-flowspec-redirect-ip-03.txt

Internet-Draft draft-ietf-idr-flowspec-redirect-ip-03.txt is now available. It is a work item of the Inter-Domain Routing (IDR) WG of the IETF.

   Title:   BGP Flow-Spec Redirect-to-IP Action
   Authors: James Uttaro
            Jeffrey Haas
            Andy Karch
            Saikat Ray
            Pradosh Mohapatra
            Wim Henderickx
            Adam Simpson
            Matthieu Texier
   Name:    draft-ietf-idr-flowspec-redirect-ip-03.txt
   Pages:   9
   Dates:   2024-09-08

Abstract:

   Flow-spec is an extension to BGP that allows for the dissemination of traffic flow specification rules. This has many possible applications, but the primary one for many network operators is the distribution of traffic filtering actions for distributed denial of service (DDoS) mitigation. The flow-spec standard [RFC5575] defines a redirect-to-VRF action for policy-based forwarding. This mechanism can be difficult to use, particularly in networks without L3 VPN infrastructure. This draft defines a new redirect-to-IP flow-spec action that provides a simpler method of policy-based forwarding. The details of the action, including the IPv4 or IPv6 target address, are encoded in newly defined BGP extended communities.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-idr-flowspec-redirect-ip/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-idr-flowspec-redirect-ip-03.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-idr-flowspec-redirect-ip-03

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts

----- End forwarded message -----
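The second known issue in the message above concerns validating the redirect address against the destination address, in the style of the originator check that inter-AS/eBGP flowspec already applies to the destination prefix, with a configuration knob to disable it. The following Python is an added example written for this archive page; it is not code from draft-ietf-idr-flowspec-redirect-ip-03, from its authors, or from any vendor implementation. It models a receiver-side policy check: an RFC 8955-style comparison of the flowspec route's originator AS with the best unicast route for the destination prefix, and then a check of the same shape on the redirect target. The draft's exact rule text is not on this page, so the form of the redirect-target check (the target must be covered by a unicast route from the same originator AS as the destination prefix) is an assumption, the "disable by configuration" knob is modelled as a function argument, and all class names, function names, prefixes and AS numbers are constructed for the example.

```python
"""
Validation of a BGP flowspec redirect-to-IP action against the unicast RIB.

Added example, not code from draft-ietf-idr-flowspec-redirect-ip or its
authors. The destination-prefix check follows the RFC 8955 originator rule
in simplified form; the redirect-target check is an ASSUMED form of the
draft's new rule and the config knob is a plain function argument.
"""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class UnicastRoute:
    prefix: IPNetwork
    originator_as: int  # AS that originated the unicast route


@dataclass(frozen=True)
class FlowspecRedirectRoute:
    dest_prefix: IPNetwork       # destination-prefix component of the flowspec NLRI
    originator_as: int           # AS that originated the flowspec route
    redirect_target: IPAddress   # address carried in the redirect-to-IP extended community


class UnicastRib:
    """Minimal longest-prefix-match RIB holding one best route per prefix."""

    def __init__(self, routes: List[UnicastRoute]):
        self.routes = list(routes)

    def best_match(self, target) -> Optional[UnicastRoute]:
        # Accepts an address or a prefix; an address becomes a host route.
        net = ipaddress.ip_network(str(target))
        covering = [r for r in self.routes
                    if r.prefix.version == net.version and net.subnet_of(r.prefix)]
        return max(covering, key=lambda r: r.prefix.prefixlen, default=None)


def validate_redirect(route: FlowspecRedirectRoute, rib: UnicastRib,
                      check_redirect_target: bool = True) -> Tuple[bool, str]:
    """Decide whether to accept the flowspec route and install its redirect action.

    Returns (accepted, reason). Both checks compare originator ASes only; a real
    implementation would also apply the AS_PATH refinements of RFC 9117.
    """
    dest_route = rib.best_match(route.dest_prefix)
    if dest_route is None:
        return False, "no-unicast-route-for-destination"
    # RFC 8955-style check: the flowspec route must come from the same
    # originator as the best unicast route for its destination prefix.
    if dest_route.originator_as != route.originator_as:
        return False, "destination-originator-mismatch"
    if not check_redirect_target:
        # Mirrors "may be disabled by configuration" from the message above.
        return True, "ok-redirect-check-disabled"
    # ASSUMED form of the draft's new rule: the redirect target must be
    # reachable through a unicast route from that same originator, so a
    # neighbour cannot steer the destination's traffic to an address it
    # does not own (the interception risk the message flags).
    target_route = rib.best_match(route.redirect_target)
    if target_route is None:
        return False, "no-unicast-route-for-redirect-target"
    if target_route.originator_as != dest_route.originator_as:
        return False, "redirect-target-originator-mismatch"
    return True, "ok"


# Constructed sample RIB: documentation prefixes and private-use ASNs.
SAMPLE_RIB = UnicastRib([
    UnicastRoute(ipaddress.ip_network("198.51.100.0/24"), 64500),
    UnicastRoute(ipaddress.ip_network("203.0.113.0/24"), 64501),
    UnicastRoute(ipaddress.ip_network("2001:db8:1::/48"), 64500),
])


def decide(dest_prefix: str, originator_as: int, redirect_target: str,
           rib: UnicastRib = SAMPLE_RIB, check_redirect_target: bool = True) -> Tuple[bool, str]:
    """String-based convenience wrapper around validate_redirect."""
    route = FlowspecRedirectRoute(ipaddress.ip_network(dest_prefix), originator_as,
                                  ipaddress.ip_address(redirect_target))
    return validate_redirect(route, rib, check_redirect_target)


def sample_decisions() -> Dict[str, Tuple[bool, str]]:
    """Run the validator over a few constructed flowspec routes."""
    return {
        "same-origin-target": decide("198.51.100.0/25", 64500, "198.51.100.7"),
        "foreign-target": decide("198.51.100.0/25", 64500, "203.0.113.9"),
        "foreign-target-check-off": decide("198.51.100.0/25", 64500, "203.0.113.9",
                                           check_redirect_target=False),
        "foreign-destination": decide("203.0.113.0/24", 64500, "198.51.100.7"),
        "unrouted-target": decide("198.51.100.0/25", 64500, "192.0.2.1"),
        "ipv6-same-origin": decide("2001:db8:1::/64", 64500, "2001:db8:1::1"),
    }


if __name__ == "__main__":
    for name, (ok, why) in sample_decisions().items():
        print(f"{name:26s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The "foreign-target" case is the interception scenario the message describes: the flowspec route itself passes the destination check, but the redirect points traffic at an address whose covering route belongs to a different originator, so a receiver with the check enabled rejects it and a receiver that has disabled the check by configuration installs it.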