Re: [Idr] WG adoption for draft-haas-flowspec-capability-bits - 3/30 to 4/13

"UTTARO, JAMES" <ju1738@att.com> Wed, 07 April 2021 13:44 UTC

Return-Path: <ju1738@att.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AB0B3A194A for <idr@ietfa.amsl.com>; Wed, 7 Apr 2021 06:44:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level:
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=att.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FBsLUp63khB8 for <idr@ietfa.amsl.com>; Wed, 7 Apr 2021 06:44:17 -0700 (PDT)
Received: from mx0a-00191d01.pphosted.com (mx0a-00191d01.pphosted.com [67.231.149.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 850C63A1955 for <idr@ietf.org>; Wed, 7 Apr 2021 06:44:17 -0700 (PDT)
Received: from pps.filterd (m0049295.ppops.net [127.0.0.1]) by m0049295.ppops.net-00191d01. (8.16.0.43/8.16.0.43) with SMTP id 137DhtHc013080; Wed, 7 Apr 2021 09:44:17 -0400
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0049295.ppops.net-00191d01. with ESMTP id 37rvxf71ne-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 07 Apr 2021 09:44:16 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 137DiE5x002754; Wed, 7 Apr 2021 09:44:15 -0400
Received: from zlp30486.vci.att.com (zlp30486.vci.att.com [135.47.91.177]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 137DiA9f002627 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 7 Apr 2021 09:44:10 -0400
Received: from zlp30486.vci.att.com (zlp30486.vci.att.com [127.0.0.1]) by zlp30486.vci.att.com (Service) with ESMTP id 20B484005C19; Wed, 7 Apr 2021 13:44:10 +0000 (GMT)
Received: from GAALPA1MSGED2CC.ITServices.sbc.com (unknown [135.50.89.134]) by zlp30486.vci.att.com (Service) with ESMTP id A47B34005C1E; Wed, 7 Apr 2021 13:44:09 +0000 (GMT)
Received: from GAALPA1MSGED2BA.ITServices.sbc.com (135.50.89.126) by GAALPA1MSGED2CC.ITServices.sbc.com (135.50.89.134) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4; Wed, 7 Apr 2021 09:44:01 -0400
Received: from GAALPA1MSGETA02.tmg.ad.att.com (144.160.249.124) by GAALPA1MSGED2BA.ITServices.sbc.com (135.50.89.126) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4 via Frontend Transport; Wed, 7 Apr 2021 09:44:01 -0400
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (104.47.70.106) by edgeal2.exch.att.com (144.160.249.124) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.4; Wed, 7 Apr 2021 09:43:20 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=L2GgHbsL1T0sgu50V9JnO4+NhierMP4WR0QewD+lFMp6tTdEP7ZkC2f7PQnbqioR2jDpJ4qTC9mi2Nvf5KY+DpD8B7kjFVMnFhJMa2BvMTeCcxFd/cQjZXw7kaCsvuPJ8fw9cIk8/uxE/p97zA0WImEGejwuhnHl+7sIvBF7RMgw+pNbYni07fYaNTclpS3dGsmer4aqx37o3e+VcztiYV8hZX5+YTA415HO3BVE/VjwHML9d8gJUOSS7WIMziXF+cZ5jrEDR3XbR3mRw53F9yS4WtrOYiKZUofAlVwrXrZvbQxowPgsMB63J64OpbY4HQm9/NpQW7y1v0fRHRsq8A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=06s/M+FG2nJN/cThhhLRKwVprvJQCLkVD3exGwHomCw=; b=V8xGNr1dgIvnJBAFa0bDBmmMj0QtzeP77BWjjN77Tb1eLEGYdbAYTg9dP+4q+50auoK8eX2fv7To4nn85e6hJMq3esm9D/MOCIwFpmSEYhxMr6E9lCI8wtWXkZPOAdMtC81cAY5HRwjMUqAw5Nfbo/tXlX8dmQd2Fzqt6o3RDywQiq/UQ8JsBNtupxzXk9T9VY2A5Y44heGLohU2SdgVs9qmiy6uTrS2E9fIAkB4pFXr5+DzFEAp9I4l1PLxh6AkDUML3ZWr1GSpFWE6Qo09Salzaf4hCcr9tJiMR2VAr8XaB4aMGEuB8v9ZpV/Zr2e4jK8PqIKyoWA9SPnX8D/AtQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=att.com; dmarc=pass action=none header.from=att.com; dkim=pass header.d=att.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=att.onmicrosoft.com; s=selector2-att-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=06s/M+FG2nJN/cThhhLRKwVprvJQCLkVD3exGwHomCw=; b=kTo0wzfYfd9uAUfMaRo1eypOxIhGijrn53NFrS7ZMh67/DBI0Pu4acLpX+lqSb4fh+AT8dPJGcNKW73Yn4xwKKb7a/lKxvpCE3JB3yVhOY/vUpCFN+VqbOi5PB/lblB8ekcjouwKOfo5m8mlQgL87GpxvplZWq0zONxCHcO9fD4=
Received: from SA0PR02MB7401.namprd02.prod.outlook.com (2603:10b6:806:e1::9) by SN6PR02MB4575.namprd02.prod.outlook.com (2603:10b6:805:ad::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3999.27; Wed, 7 Apr 2021 13:43:19 +0000
Received: from SA0PR02MB7401.namprd02.prod.outlook.com ([fe80::1de0:908b:b67a:7312]) by SA0PR02MB7401.namprd02.prod.outlook.com ([fe80::1de0:908b:b67a:7312%5]) with mapi id 15.20.4020.016; Wed, 7 Apr 2021 13:43:19 +0000
From: "UTTARO, JAMES" <ju1738@att.com>
To: Jeffrey Haas <jhaas@pfrc.org>, Robert Raszuk <robert@raszuk.net>
CC: "idr@ietf. org" <idr@ietf.org>, Susan Hares <shares@ndzh.com>
Thread-Topic: [Idr] WG adoption for draft-haas-flowspec-capability-bits - 3/30 to 4/13
Thread-Index: AQHXK5jftgfbrYqq4kC7bDl9TDwSNKqpC6cAgAABKnA=
Date: Wed, 7 Apr 2021 13:43:19 +0000
Message-ID: <SA0PR02MB740163BB2293A43B49361517C6759@SA0PR02MB7401.namprd02.prod.outlook.com>
References: <000001d72569$3eace130$bc06a390$@ndzh.com> <CAOj+MMG0ONP5P4DxeaC4AEF8b_Ff43r5boQ6wL9EHHGAfVaK2w@mail.gmail.com> <20210407132506.GA7355@pfrc.org>
In-Reply-To: <20210407132506.GA7355@pfrc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: pfrc.org; dkim=none (message not signed) header.d=none;pfrc.org; dmarc=none action=none header.from=att.com;
x-originating-ip: [72.229.64.230]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 836abca1-9b43-4a38-76ac-08d8f9cb1a91
x-ms-traffictypediagnostic: SN6PR02MB4575:
x-microsoft-antispam-prvs: <SN6PR02MB4575BA10EB8110EB1CD851A2C6759@SN6PR02MB4575.namprd02.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6790;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: h5BwhuK44LeMilJwaWk4Q8VbWfNUFtd+gAFliIP2b6L8ftAl8YR4FbPnHouO/Qmiunc2P7Fjgt8XLAvqC6XNrsbLIFAqD8FvQ9PjiOKdSHkmpCKKdkN9GNevHnKysLhQyeqgsK9iNItSoasdJN9MH6gu7EETYdEHYbDvT9b0oI7Kd/k+voBwAVhMpVZp9ZNhLpiQQ8xasLAkPBtnUg8phSifCzaRCR+rrBqGteGrzNmRat7eQdakQlQWCYWaqDKCErnZlK43vGwav+W8oEhq9OpXw94GLMv8Elrn6xmC2daZWIyuOx7txRSsOLRqv9cpap4fnyudkfIYJE9kFVbRMxWChoAtbggHQ3TuNaGFDXVZgaBwdsbnL7IvKLqYx+dyG7Zu12XA6mmDyZ92gIFbz8jGsQ8ttC/J7vAyQX788ZgughL2YiCFdB/CHJUdymGR7J3JaEmF7C+XpCIelPT2FKYwKuXrSE2jFevHRPu/5weCF6IXUWep281NR5v1a510nuAMREQuaAq3apIm16GJVcZrvcQ+c6Nld/Htx+YtX9zCDB+wIcQMy66yQj3n/RvKvzSXuoBKhZ/4mdev0lykli6eoK3Kn26QaUL9DlRMIhPI0sj5POjGBEkoCiGdphaV8ibe71qwitL1JFwq5E4dRLlrBg+1i0Q4wescy2NofhMREfd/r3SPzB4YCAoLjos3E7OCdrSYFejEzjNkWMVkASTkwTb6rV/FiSFuNG7O/jlPdTHi0ygXXmIiJNFrXcrN
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SA0PR02MB7401.namprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(136003)(39860400002)(346002)(366004)(396003)(76116006)(54906003)(7696005)(8936002)(66574015)(83380400001)(2906002)(966005)(66616009)(478600001)(6506007)(8676002)(33656002)(110136005)(5660300002)(82202003)(316002)(66556008)(38100700001)(66446008)(64756008)(186003)(52536014)(55016002)(9686003)(26005)(71200400001)(86362001)(66946007)(4326008)(99936003)(53546011)(66476007); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?us-ascii?Q?D4XBYAjvGNmjoufAb38LJpKezWZYY3VkLCCglzpSwHgmv+IAqJLqAP/qhYCa?= =?us-ascii?Q?VlWTqjCdSPz9W/jU3SaGeNepxcpKsMN8tBx2ykDiS3LI86vDyznRoQINBi1U?= =?us-ascii?Q?bmKlgEwTMSu9MCURDQJt4hgPQSeFhIBBeC0SAklr3QIfWbJRttpK8SdDOou5?= =?us-ascii?Q?BCipyzSWUS8qqRIIoKj/Se9gY90y2xzFZqO7RU8rS0p1i97p2nMhiGoa6vPc?= =?us-ascii?Q?+QUZY5Jz5esezInpX0KswQKDmTWm9CfqdoXnBMJyzB2/82JHJffizffB0wf4?= =?us-ascii?Q?J1gcGu9+YMkMlnWjhTqUWLIIcJ9j7Zvlh/LDibalcA3C7P+/FKJnZ9ukM8As?= =?us-ascii?Q?O67kJXyqcqCCl/Ho8YwjNDnYhSTzQOAikRsWcKxxmskqKS96V/87ZtxNGQOv?= =?us-ascii?Q?n1kIYJG27nj/hHX0GYWHB52NU7jJkwJNUbO/WtJ3MsEthgR1w2KDp/T6AnKh?= =?us-ascii?Q?lnB5I7n7fsXS53nlLATo1SA8In7IvsD85FF8A120A9RhVE+DFdaGo7ufvhoC?= =?us-ascii?Q?R+MBUdIyjMCjERc8AnRXII/2lC1KWVU89vi1IrpkiL2yNHDKhiArYnyMMEpp?= =?us-ascii?Q?t15gYVv8j47Vj94i8sYrl+aW0X1S1c1t0oyzm56oiMWphv/4PojnrlMs6u0j?= =?us-ascii?Q?aH9pHTxaHmGOPw6+MzUjlFvU40qWcMwN9FSEeXB9PfiCfMTU5Mb/3neRLfn9?= =?us-ascii?Q?NQ/d/T686zjltlTpyYVH+nifxPgdCpEs+4wx/+Kcl0ROZMe1h+eQLdhSkaZ+?= =?us-ascii?Q?SkHsWPgr+XYuShXlZBDbzf0kN2T+iCmOW9bok58vqKPWltJIjq4BUY82kjYW?= =?us-ascii?Q?ZmI+85frDGt99I0cboJCgZ4Ibyj7IFzplEUdOfk/VjIZx+wdCl5JM7fmn2hO?= =?us-ascii?Q?O7rSn6ukdMWsoZ3AeJlYuftjQOcqvziZ0vVFPkyufofL5pKrMe/jfHZZBU2l?= =?us-ascii?Q?Ere6GDgb4MqobxWFWj7excyzGdbRC6XZyNuY5H4KJF0IV9zKJ91JRQxwHeci?= =?us-ascii?Q?fM/I4mf7yOMkdF8IrmUFBBkPhalMa5zfWookg3cm7fpUV96OWfyr5+r6yO55?= =?us-ascii?Q?OQq4VEuNyMs8WsQ/UNm6KZ1MM63ZFWYyTYq50pmSrP8UqGV15AR0FIiCFccM?= =?us-ascii?Q?8hwIoCvFHJ6QPbDqPYNZ2hML76ayp5xVcrV6te6lVeYVFRuDbkysCykLeRZU?= =?us-ascii?Q?+c/Ka11YmZmblrbCBOYkuZ6/rLs5EPFV7WeUz7rMTFKfV9qFE545w5op9J7y?= =?us-ascii?Q?oY2v7MOIrGD2eJ/yyzV55kgMgbqB1ERvf6mSslrwCcn8CeZJd/P8CR5bs0ze?= =?us-ascii?Q?tFHA4JNdpN01Gv/DXsOkjJUl?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/mixed; boundary="_002_SA0PR02MB740163BB2293A43B49361517C6759SA0PR02MB7401namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA0PR02MB7401.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 836abca1-9b43-4a38-76ac-08d8f9cb1a91
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Apr 2021 13:43:19.0919 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e741d71c-c6b6-47b0-803c-0f3b32b07556
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: XDKiyWMB/DIJYjcJCKWZ7qzFWOOIMV3fB8R0eSyAOBNdCsJra4Dsfwifk6ZC5ti0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR02MB4575
X-OriginatorOrg: att.com
X-TM-SNTS-SMTP: A43B55B77015F78F411B18D35F13D171B55C7460F1098818BEDC82266DD03F2C2
X-Proofpoint-ORIG-GUID: cjOuBTyDsgfRLyJ34ZCrsPhArhkaJLjs
X-Proofpoint-GUID: cjOuBTyDsgfRLyJ34ZCrsPhArhkaJLjs
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-04-07_08:2021-04-07, 2021-04-07 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 lowpriorityscore=0 bulkscore=0 mlxlogscore=999 adultscore=0 impostorscore=0 malwarescore=0 suspectscore=0 phishscore=0 clxscore=1011 spamscore=0 priorityscore=1501 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104060000 definitions=main-2104070096
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/cf3QwcNc4wDEGtqneEthww7ZkwE>
Subject: Re: [Idr] WG adoption for draft-haas-flowspec-capability-bits - 3/30 to 4/13
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Apr 2021 13:44:29 -0000

" I don't believe we're likely to come up with a simple answer to BGP
capability domains soon.  That said, operators in a single administrative
domain at least can figure this out themselves because they're the ones
configuring it"

This discussion illustrates that a single administrative domain spanning multiple ASes should be addressed. Pradosh, John Scudder and I began identifying how an OAD ( One Administrative Domain ) should behave in terms of an eBGP and OAD-eBGP learned paths. ( See Attached ). 

As an example if we offering RFC 1998 feature to a customer whose VPN spans multiple AS domains requires that the operator preserve or reset ( default ) the LP. The customer may want to scope LP to a given AS or have it apply across an OAD.  As operators we have figured out how to create a somewhat seamless reachability/forwarding domain upon which services can be overlaid. That being said it maybe time to re-look at the scope of an AS vis-a-vis Admin domain including capabilities on a router, AS and OAD level..

Thanks,
	Jim Uttaro





-----Original Message-----
From: Idr <idr-bounces@ietf.org> On Behalf Of Jeffrey Haas
Sent: Wednesday, April 07, 2021 9:25 AM
To: Robert Raszuk <robert@raszuk.net>
Cc: idr@ietf. org <idr@ietf.org>rg>; Susan Hares <shares@ndzh.com>
Subject: Re: [Idr] WG adoption for draft-haas-flowspec-capability-bits - 3/30 to 4/13

Robert,

I think you're mixing some of the points together.

On Wed, Apr 07, 2021 at 12:29:21PM +0200, Robert Raszuk wrote:
> I have a question on how practical this proposal is.
> 
> Fundamental problem with today's BGP capabilities is that the information
> is only known to the peer.
> 
> So if I inject flowspec rule from behind the RR the RR will suppress some
> updates but:
> 
> * sender will have no clue about it
> * any other flow spec BGP speaker which supports request filtering down the
> BGP path will never get the chance to receive and apply the filter.

This is explicitly acknowledged in section 5.

It's also indistinguishable from policy.

> Both are IMHO bad. The latter is in fact directly against flowspec spirit
> to apply filtering as close to the src even if hops on the way are not
> capable of doing so.
> 
> So I am yet to be convinced this proposal is useful.
> 
> Today as a general rule if a router does not support an extension received
> via flowspec it just does not apply it but still can happily propagate the
> update down the road.

Not a single BGP flowspec implementation implemented the "opaque" property
in RFC 5575.  Not one.  And it was the strong motivation to remove that text
in RFC 8955.

This may change in flowspec v2 where we likely will make the NLRI proper
type-length-value rather than implied length as it is currently done.

How well the argument to filter unsupported components stands once we're to
something like flowspec v2 will be the longer question.  For such scenarios,
once we're no longer concerned about propagation characteristics of the
NLRI, it's quite reasoanble for a route reflector to carry NLRI with
filtering components it doesn't understand - but edge devices may not want
it.  But in that scenario, perhaps it's simply better for edge devices to
accept it and simply not install it.

> I think what we have here on the table is an illustration about the growing
> need for domain wide (or set of domains under the same admin) capability
> distribution such that all BGP speakers could advertise their
> capabilities to interested parties. A bit broader than flowspec, but could
> be useful here.

At the day job, we talk about the "flooding domain" of new features that are
gated on their capabilities.  BGP doesn't provide an explicit concept for
this, but it's become a protocol intrinsic behavior.  Unless you configure a
capability between two devices, it does't gain the ability to use the
feature.  A contiguous set of devices using those capabilities becomes that
domain.  That domain may, or may not, have strong overlap with one or more
ASes under the control of one or more parties.

For many BGP features, knowing what those domain boundaries are isn't much
of a problem.  Flowspec implementations with disjoint capabilities is a
place where it could be problematic.  (Again, see section 5.)

---

I don't believe we're likely to come up with a simple answer to BGP
capability domains soon.  That said, operators in a single administrative
domain at least can figure this out themselves because they're the ones
configuring it.

Right now, we are unable to safely deploy new flowspec features. Even when
you have disjoint flooding domains, if your flowspec rules are independent,
you can gain benefit.  So, short term for flowspec v1, I think there's
benefit for this feature.

-- Jeff

_______________________________________________
Idr mailing list
Idr@ietf.org
https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/idr__;!!BhdT!zKnvUXaBTauH415pLQgguhjbJ69dkTpI04OgwY3aoSSiPV4IGBB2u-MqG68$