IETF Logo Mail Archive

Re: [Idr] New draft submitted: draft-loibl-bacher-idr-flowspec-clarification

Robert Raszuk <robert@raszuk.net> Wed, 24 August 2016 11:31 UTC

Return-Path: <rraszuk@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 760AC12D123 for <idr@ietfa.amsl.com>; Wed, 24 Aug 2016 04:31:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zuu6c20uRb9p for <idr@ietfa.amsl.com>; Wed, 24 Aug 2016 04:31:01 -0700 (PDT)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C3E412D098 for <idr@ietf.org>; Wed, 24 Aug 2016 04:31:01 -0700 (PDT)
Received: by mail-qk0-x229.google.com with SMTP id z190so11399120qkc.0 for <idr@ietf.org>; Wed, 24 Aug 2016 04:31:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=qZZGSvbPtJtOkMx7TOZ4bkp5VWQxAHrVG7qVFGYD0O0=; b=dnkG9lJSW01pPYD0C/3VS/4EsY8su1iLcWefTkRA2j1H8mKYHj/kTDMxvhno3HD2GS RSpmg7my0G6nUL6zVO1EWS/yF9WsdC1IZtFP3ctm4ggYxF+t+N7omxIukf15cctPfI1o kCN8QCWnIhrxBqSHCk3Ro+fe/qr4tRauC0z9ie6l6W83M+qo9tVecoi9dK4dQZZetzEe 4JtLMKpUUIJeN6Yf4ODHc7axjQEtVoGDwIXb3zWOyDWWFWhdvebxZxdXGuonxfOc6po0 LhLAGph0lpYuOvyydgDY7fDGRHHlsWXVxxlTVNLbkh8riOGUmA6P1l9J57SJIHBX9Zis F0Uw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=qZZGSvbPtJtOkMx7TOZ4bkp5VWQxAHrVG7qVFGYD0O0=; b=f1zBcHGPr9Sgnx9xNH494KB9v+lvQyLXb4fMO69txdQNuPq0k1UaAcZb6JxiQuuqmh h2nurn+XCLj9a2poL3XDPNunKRc097QR+BjbbzmMsQV7xckP4HSHht33BBLmoDtOoSTC wgSiigEStJRiyk6pfV5kxLN7e9R5MhnweaO+SEpn07YpblDUJahsaKdZQHumPyEtznIm mecccM3hIg5WhGgcF5RId6X4iiq0QBKY4TKBZ07ec36V8JimNA9PCRXS9VzocRPpZPBl HH4lMznEv3dmfbgyaTKmKj0/QopyPKpwlqkpqOv90/8j4T5r5jJj6+e8ieYx+qPgVsWh xc8A==
X-Gm-Message-State: AE9vXwOfqZX1g/KN9GOpDS/n6M7c9gXPSn0lMI5Vt5aJhTI17xU+/rfrg77iHcmv9F4rwZ2LJBomTzzjAJnSzw==
X-Received: by 10.55.93.71 with SMTP id r68mr2842124qkb.131.1472038259968; Wed, 24 Aug 2016 04:30:59 -0700 (PDT)
MIME-Version: 1.0
Sender: rraszuk@gmail.com
Received: by 10.140.30.130 with HTTP; Wed, 24 Aug 2016 04:30:59 -0700 (PDT)
In-Reply-To: <E6D0AE02-C678-4420-9E19-AE26E705201E@tix.at>
References: <65345B6C-D24F-4F32-BF3C-E9343A7C61E1@tix.at> <CA+b+ERk+N6Cgu-wOrHU9JPyAGrqRgfDTGJwb3BaP+yKrKeBm=g@mail.gmail.com> <E6D0AE02-C678-4420-9E19-AE26E705201E@tix.at>
From: Robert Raszuk <robert@raszuk.net>
Date: Wed, 24 Aug 2016 13:30:59 +0200
X-Google-Sender-Auth: ADGkGvOf13lL09W8j7mk2g6bTj0
Message-ID: <CA+b+ERmt1KE-Rh8sa3wDCSYoPFd+5msTe2WBHDZ2gNsc1pNppg@mail.gmail.com>
To: Christoph Loibl <c@tix.at>
Content-Type: multipart/alternative; boundary="001a114d3e2a94d507053acf9d76"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/iTy84IYdBSoDJqGYV7jsiU7XQDg>
Cc: idr wg <idr@ietf.org>
Subject: Re: [Idr] New draft submitted: draft-loibl-bacher-idr-flowspec-clarification
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Aug 2016 11:31:03 -0000

Hi,

Well indeed the validation procedure or rather the decision may get quite
complex.

Just as an example - assume you are transit AS and you are peering towards
two transit ASes.

One of your peers sent you a flowspec route and the other did not. So my
point was that even if best path changes the other AS will still get the
attack as such will be rather part of the ACL towards the former AS.

If we have unicast best path changes often and flow-spec NLRI are not
withdrawn I would rather think more optimal is to keep the filter in the
ACL if it was ever valid till it get's withdrawn.

And for sure you or someone else may come with different scenario - say
where you are switching best path and origin AS is different as the end
victim is dual homed and has private AS. But even here maybe keeping the
filter in place may help to save the victim.

Lastly ... some folks may have already very heavy ACLs. Adding and removing
the entries frequently especially on distributed switching platforms may
constitute a problem.

But in any case I was just trying to shed a bit of different perspective on
it - that's all.

Your draft is at least to me a very good quality work !

Cheers,
R.








On Wed, Aug 24, 2016 at 12:11 PM, Christoph Loibl <c@tix.at> wrote:

> Dear Robert and James,
>
> Thank you for your comments and support on our document.
>
> I completely understand that the verification described in the RFC 5575 is
> has certain limitations. Most current installations (at least that I know
> of) are intra-AS _only_ and verification is completely disabled in that
> case. I think that a relaxed / different validation than defined in RFC
> 5575 makes perfectly sense in many ways.
>
> However, the primary intention of our draft is to clarify aspects that are
> somehow ambiguous in RFC 5575. We tried to introduce only minimal changes
> to the RFC (wherever possible) and fill gaps wherever clear definitions
> were missing to allow a consistent implementation.
>
> Section 5 (revalidation) actually does not really introduce any different
> behaviour to RFC 5575 it is basically a more verbose rewrite. The reason
> why we still put into the draft is the following:
>
> During DDoS mitigations it is perfectly feasible that announcements of
> prefixes change. Traffic steering/engineering may require to isolate
> traffic via more-specific routes on certain AS-borders, IPv4 routes may
> simply change during that process. For example: In our lab we saw routers
> announcing the flow-spec NLRI before announcing the actual IPv4 prefix
> during such route changes. So the flow-spec verification failed. However,
> just 10ms later the IPv4 prefix was announced to that particular neighbour
> (the flow-spec NLRI was still not taken into account, because no
> revalidation took place). If there is no revalidation of the flow-spec NLRI
> we end up with a completely unpredictable verification that is based on the
> arrival time of the two different NLRI announcements (IPv4 vs Flowspec)
> (some kind of race condition).
>
> We may still decide to have a different verification mechanism in place
> (as proposed by both of you) but the key here is, that it should always
> result in a consistent/predictable view over the entire participating
> networks. In my opinion the time of arrival of announcements should not
> have any impact on the verification state of the rules.
>
> Cheers,
> Christoph
>
> --
> Christoph Loibl
> c@tix.at | CL8-RIPE | PGP-Key-ID: 0x4B2C0055 | http://www.nextlayer.at
>
>

v2.23.0 | Report a Bug | By Email