Re: [Idr] Returning draft-ietf-idr-rfc5575bis to WG, new 2 week discussion period

Jeffrey Haas <jhaas@pfrc.org> Thu, 13 June 2019 20:47 UTC

Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA2C91202ED; Thu, 13 Jun 2019 13:47:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2gn24obux8qP; Thu, 13 Jun 2019 13:47:27 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 1CB121207CF; Thu, 13 Jun 2019 13:47:27 -0700 (PDT)
Received: by slice.pfrc.org (Postfix, from userid 1001) id 9B9481E2F1; Thu, 13 Jun 2019 16:48:30 -0400 (EDT)
Date: Thu, 13 Jun 2019 16:48:30 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: Robert Raszuk <robert@raszuk.net>
Cc: John Scudder <jgs@juniper.net>, "draft-ietf-idr-rfc5575bis@ietf.org" <draft-ietf-idr-rfc5575bis@ietf.org>, "idr@ietf. org" <idr@ietf.org>
Message-ID: <20190613204830.GH23231@pfrc.org>
References: <A68BF050-9846-4E14-918D-297548E078A2@juniper.net> <CAOj+MMGNuseO3ppFVugLhwKQs0LT-o_t1da2SGUQWAe=MkXzoA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAOj+MMGNuseO3ppFVugLhwKQs0LT-o_t1da2SGUQWAe=MkXzoA@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/e4l64Rm7DD2itCBCYo1bVy8oSuc>
Subject: Re: [Idr] Returning draft-ietf-idr-rfc5575bis to WG, new 2 week discussion period
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jun 2019 20:47:30 -0000

Robert (and 5575bis authors),

On Thu, Jun 13, 2019 at 08:26:28PM +0200, Robert Raszuk wrote:
> RFC5575 has been written as DDoS mitigation tool and 5575bis attempts to
> clarify various ambiguities of the base spec.
> 
> We as the WG have decided that numerous 5575 extensions (for example those
> injected by controllers or NMS) will be specified in different documents
> and not be embedded into base Flow Specification one.
> 
> With that if we agree that DDoS mitigation is still our target for the base
> spec I would tent to suggest that destination field to be made mandatory
> for real DDoS mitigation use case. Relaxing that could be done for other
> Flow Spec use cases in their separate documents, but outside of the base
> spec.
> 
> So the only change which may be needed would be add:
> 
> 4.2.  NLRI Value Encoding
> 
>    The Flow Specification NLRI-type consists of several optional
>    subcomponents (except Type 1 which is mandatory).

While I agree that DDoS mitigation is the core use case for flowspec in its
current form, your suggested change will likely have negative impacts on
implementations.  Destination-less filters exist and get deployed, and the
text you're suggesting makes them not-only non-compliant but arguably
mal-formed.

I think where we have some room for discussion is where we draw the line for
validation in the default case vs. the clarification:

https://tools.ietf.org/html/draft-ietf-idr-bgp-flowspec-oid-08

I believe the reason the discussion is needed in a 5575-bis context is that
we have an obvious hole in the core spec as to what we should do for what is
intended to be a compliant case.

Whether the text we converge on obviates the need for the -oid draft is an
open question.

-- Jeff