Re: [Idr] flowspec enhancements

Haoweiguo <haoweiguo@huawei.com> Wed, 23 September 2015 01:05 UTC

From: Haoweiguo <haoweiguo@huawei.com>
To: Wesley Eddy <wes@mti-systems.com>, "idr@ietf.org" <idr@ietf.org>

Hi Wes,
I have read through your draft; it's very useful and interesting. One comment about "add support for filtering of tunneled traffic" is as follows:

I also think flow-spec should support nesting representation for overlay encapsulations. In my draft, "draft-hao-idr-flowspec-nvo3-01", the nesting problem and a solution are raised, and a new component type, "Delimiter type", is proposed. In your draft, the name is "tunnel separator". I think both of us think it's an important problem that should be resolved.

Thanks,
weiguo
________________________________________
From: Idr [idr-bounces@ietf.org] on behalf of Wesley Eddy [wes@mti-systems.com]
Sent: Wednesday, September 16, 2015 1:39
To: idr@ietf.org
Cc: Justin Dailey
Subject: [Idr] flowspec enhancements

Hello, we've been working on a few enhancements to the BGP flowspec
capabilities that may be of interest:

https://tools.ietf.org/html/draft-eddy-idr-flowspec-exp-00

There are several ideas described in the document that could be
factored out from one another, but the basic idea is to increase
the power of flowspec, mainly for its DDoS mitigation purposes.

Specifically, the suggested enhancements include:
- add packet rate limitations as an action (not just bitrate)
- add support for filtering of tunneled traffic (unencrypted)
- identifying flow specifications for tracking and communication
  between providers
- cryptographically signing flowspecs
- supporting a more surgical re-route to scrubbing centers
- providing feedback about flowspecs to the source

If any of these are interesting to folks, we'll appreciate your
feedback, comments, questions, etc.  Some are more difficult than
others.

I'm assuming IDR is a reasonable list for this, though it also
touches SIDR and OPSEC topics, but will appreciate the chairs'
thoughts on this.  It has been mentioned in the DOTS list, but
is obviously out of scope for DOTS.

--
Wes Eddy
MTI Systems
