[Idr] Flowspec redirect-ip update

Jeffrey Haas <jhaas@pfrc.org> Sun, 08 September 2024 10:18 UTC

Date: Sun, 08 Sep 2024 06:18:26 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: idr@ietf.org
Message-ID: <20240908101826.GA6410@pfrc.org>
List-Id: Inter-Domain Routing <idr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/aZ7BsrmYuaE-cpp2H4yNd-wt4h8>

In support of closing out lingering work, plus addressing a dependent
document MISSREF, here's an update to the flowspec redirect-to-ip work.

Known lingering issues are covered in my github where this work was
originally being tracked:

https://github.com/jhaas-pfrc/draft-ietf-idr-flowspec-redirect-ip/issues

Redirect-to-ip for flowspec is supported in various forms across multiple
vendors at this point.  The remaining work is addressing what the current
inconsistencies and lingering operational security considerations will mean
for the final form of this document.

Summary of known issues:
- The "C" bit for copy behavior is not believed to be implemented by anyone
  at this time.  However, since most of the supporting implementations are
  with vendors that do support some form of traffic cloning, we perhaps have a
  desire to leave this bit defined in order to future-proof the protocol
  extension.
- Since this feature has dire consequences for traffic interception if the
  redirection address is not strongly controlled, there is new text
  addressing validating the redirection address vs. the destination address in
  a fashion similar to existing inter-AS/eBGP flowspec.  And very similar to
  that mechanism in the flowspec RFCs, it may be disabled by configuration.
- Compound actions in flowspec are known to be challenging, and already a
  discussion point for enhancement in flowspec v2.  In this draft, the
  compound action of redirect-to-vrf present in the base flowspec RFCs may be
  augmented with a redirect-to-ip.  At this time, this compound behavior is
  not believed to be implemented.  However, the authors had been contacted
  about preserving this encoding to support future use cases.
- ECMP traffic distribution is inconsistently implemented.  It's not
  believed that this is a problem but is worth flagging to the working
  group.

Please review the update to the draft and provide feedback, especially if
you have an implementation of this feature.

-- Jeff (for the authors)
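The second bullet above says the new text validates the redirection address against the destination address in the manner of the existing inter-AS flowspec rules, and that the check may be disabled by configuration. The Python below is an added example of what such a check looks like; it is not code from draft-ietf-idr-flowspec-redirect-ip or from any vendor implementation. It applies the RFC 8955 Section 6 validation to the destination prefix (the best-match unicast route must come from the same neighboring AS as the flowspec route, and no more-specific unicast route inside the destination prefix may come from a different AS) and, as an assumption about the draft's new text, applies the same originator rule to the redirect target. The routes, AS numbers and rules are constructed sample data, and `validate_redirect_target` is a hypothetical stand-in for the configuration knob.

```python
"""Validating a flowspec redirect-to-IP action against the unicast RIB.

Added example, not code from draft-ietf-idr-flowspec-redirect-ip or from any
vendor.  The destination-prefix checks follow RFC 8955 Section 6; applying the
originator check to the redirect target as well is an assumption about the
draft's new validation text.  All routes, AS numbers and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import (IPv4Address, IPv4Network, IPv6Address, IPv6Network,
                       ip_address, ip_network)
from typing import List, Optional, Tuple, Union

Prefix = Union[IPv4Network, IPv6Network]
Addr = Union[IPv4Address, IPv6Address]


@dataclass(frozen=True)
class UnicastRoute:
    prefix: Prefix
    neighbor_as: int  # neighboring AS that advertised the best path for this prefix


@dataclass(frozen=True)
class RedirectRule:
    dst_prefix: Prefix  # destination prefix component of the flowspec NLRI
    redirect_to: Addr   # target address carried in the redirect-to-IP extended community
    neighbor_as: int    # neighboring AS that advertised the flowspec NLRI


def best_match(rib: List[UnicastRoute], target) -> Optional[UnicastRoute]:
    """Longest unicast prefix that covers `target` (a network or a host address)."""
    if isinstance(target, (IPv4Address, IPv6Address)):
        target = ip_network(f"{target}/{target.max_prefixlen}")  # host -> /32 or /128
    covering = [r for r in rib
                if r.prefix.version == target.version and r.prefix.supernet_of(target)]
    return max(covering, key=lambda r: r.prefix.prefixlen, default=None)


def originator_matches(rib: List[UnicastRoute], target, neighbor_as: int) -> bool:
    """RFC 8955 Section 6 condition (a): the best unicast route for `target` must
    have been learned from the same neighboring AS as the flowspec route.  A
    target with no unicast route at all fails the check."""
    best = best_match(rib, target)
    return best is not None and best.neighbor_as == neighbor_as


def no_foreign_more_specifics(rib: List[UnicastRoute], dst_prefix: Prefix,
                              neighbor_as: int) -> bool:
    """RFC 8955 Section 6 condition (b): no more-specific unicast route inside
    `dst_prefix` may have been learned from a different neighboring AS."""
    return all(r.neighbor_as == neighbor_as
               for r in rib
               if r.prefix.version == dst_prefix.version
               and r.prefix != dst_prefix
               and r.prefix.subnet_of(dst_prefix))


def validate_redirect_rule(rib: List[UnicastRoute], rule: RedirectRule,
                           validate_redirect_target: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason).  `validate_redirect_target` is a hypothetical
    configuration knob standing in for the option the draft text says may
    disable the redirect-address check; the RFC 8955 destination checks always
    apply."""
    if not originator_matches(rib, rule.dst_prefix, rule.neighbor_as):
        return False, "destination prefix not originated via flowspec neighbor"
    if not no_foreign_more_specifics(rib, rule.dst_prefix, rule.neighbor_as):
        return False, "more-specific destination route learned from another AS"
    if validate_redirect_target and not originator_matches(rib, rule.redirect_to,
                                                           rule.neighbor_as):
        return False, "redirect target not originated via flowspec neighbor"
    return True, "accepted"


# Constructed unicast RIB: AS 64500 is a customer that also announces its own
# scrubbing prefix; AS 64501 announces a more specific inside the customer's
# block; AS 64502 is an unrelated third party.
SAMPLE_RIB = [
    UnicastRoute(ip_network("192.0.2.0/24"), neighbor_as=64500),
    UnicastRoute(ip_network("192.0.2.128/25"), neighbor_as=64501),
    UnicastRoute(ip_network("198.51.100.0/24"), neighbor_as=64500),
    UnicastRoute(ip_network("203.0.113.0/24"), neighbor_as=64502),
]

# Customer steers attack traffic for its own /25 to its own scrubbing address.
RULE_OWN_SCRUBBER = RedirectRule(ip_network("192.0.2.0/25"),
                                 ip_address("198.51.100.10"), neighbor_as=64500)
# Same destination, but the target belongs to an unrelated AS: the traffic would
# land with a party that never consented to receive it.
RULE_THIRD_PARTY = RedirectRule(ip_network("192.0.2.0/25"),
                                ip_address("203.0.113.7"), neighbor_as=64500)
# Whole /24 as destination: the /25 from AS 64501 is a foreign more-specific.
RULE_COVERS_FOREIGN = RedirectRule(ip_network("192.0.2.0/24"),
                                   ip_address("198.51.100.10"), neighbor_as=64500)
# Destination with no unicast route at all.
RULE_NO_ROUTE = RedirectRule(ip_network("10.0.0.0/8"),
                             ip_address("198.51.100.10"), neighbor_as=64500)

if __name__ == "__main__":
    for name, rule in [("own scrubber", RULE_OWN_SCRUBBER),
                       ("third-party target", RULE_THIRD_PARTY),
                       ("covers foreign more-specific", RULE_COVERS_FOREIGN),
                       ("no unicast route", RULE_NO_ROUTE)]:
        print(f"{name}: {validate_redirect_rule(SAMPLE_RIB, rule)}")
    print("third-party target, check disabled:",
          validate_redirect_rule(SAMPLE_RIB, RULE_THIRD_PARTY,
                                 validate_redirect_target=False))
```

The third-party case is the interception risk the bullet refers to: with the target check enabled the rule is rejected, and only an operator who deliberately turns the check off (the disable-by-configuration path) accepts it.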

----- Forwarded message from internet-drafts@ietf.org -----

Date: Sun, 08 Sep 2024 02:58:28 -0700
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
CC: idr@ietf.org
Subject: [Idr] I-D Action: draft-ietf-idr-flowspec-redirect-ip-03.txt

Internet-Draft draft-ietf-idr-flowspec-redirect-ip-03.txt is now available. It
is a work item of the Inter-Domain Routing (IDR) WG of the IETF.

   Title:   BGP Flow-Spec Redirect-to-IP Action
   Authors: James Uttaro
            Jeffrey Haas
            Andy Karch
            Saikat Ray
            Pradosh Mohapatra
            Wim Henderickx
            Adam Simpson
            Matthieu Texier
   Name:    draft-ietf-idr-flowspec-redirect-ip-03.txt
   Pages:   9
   Dates:   2024-09-08

Abstract:

   Flow-spec is an extension to BGP that allows for the dissemination of
   traffic flow specification rules.  This has many possible
   applications, but the primary one for many network operators is the
   distribution of traffic filtering actions for distributed denial of
   service (DDoS) mitigation.  The flow-spec standard [RFC5575] defines
   a redirect-to-VRF action for policy-based forwarding.  This mechanism
   can be difficult to use, particularly in networks without L3 VPN
   infrastructure.

   This draft defines a new redirect-to-IP flow-spec action that
   provides a simpler method of policy-based forwarding.  The details of
   the action, including the IPv4 or IPv6 target address, are encoded in
   newly defined BGP extended communities.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-idr-flowspec-redirect-ip/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-idr-flowspec-redirect-ip-03.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-idr-flowspec-redirect-ip-03

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


----- End forwarded message -----