IETF Logo Mail Archive

Re: [Idr] 答复: New Version Notification for draft-liang-idr-flowspec-orf-00.txt

Haoweiguo <haoweiguo@huawei.com> Wed, 03 June 2015 03:49 UTC

Return-Path: <haoweiguo@huawei.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EF631B33A1 for <idr@ietfa.amsl.com>; Tue, 2 Jun 2015 20:49:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.91
X-Spam-Level:
X-Spam-Status: No, score=-3.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jl3nkUgpP4MX for <idr@ietfa.amsl.com>; Tue, 2 Jun 2015 20:49:04 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3057E1B339C for <idr@ietf.org>; Tue, 2 Jun 2015 20:49:03 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml403-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BTH10386; Wed, 03 Jun 2015 03:49:01 +0000 (GMT)
Received: from nkgeml405-hub.china.huawei.com (10.98.56.36) by lhreml403-hub.china.huawei.com (10.201.5.217) with Microsoft SMTP Server (TLS) id 14.3.158.1; Wed, 3 Jun 2015 04:49:00 +0100
Received: from NKGEML501-MBS.china.huawei.com ([169.254.2.89]) by nkgeml405-hub.china.huawei.com ([10.98.56.36]) with mapi id 14.03.0158.001; Wed, 3 Jun 2015 11:48:49 +0800
From: Haoweiguo <haoweiguo@huawei.com>
To: Robert Raszuk <robert@raszuk.net>, Liangqiandeng <liangqiandeng@huawei.com>
Thread-Topic: 答复: [Idr] New Version Notification for draft-liang-idr-flowspec-orf-00.txt
Thread-Index: AQHQmp0IsigZuNG1YUCiCcmF2dIHIp2UBQQZ//+0kYCABDcZgIAAfkCAgAG5qU8=
Date: Wed, 03 Jun 2015 03:48:48 +0000
Message-ID: <DD5FC8DE455C3348B94340C0AB5517334F86F1E8@nkgeml501-mbs.china.huawei.com>
References: <20150530055345.15364.12184.idtracker@ietfa.amsl.com> <DD5FC8DE455C3348B94340C0AB5517334F86E8E4@nkgeml501-mbs.china.huawei.com> <CA+b+ER=oDMSkysWAXVO0z9_H-rM2di6irzVW8VQxD6NThWLmEw@mail.gmail.com> <FCA9153F864C2646BE37F183391FCADDD3CB99@nkgeml502-mbs.china.huawei.com>, <CA+b+ER=EjDF9PENJKqYXwgxLZJtuWxMT+cwyj16KDnf24-okaQ@mail.gmail.com>
In-Reply-To: <CA+b+ER=EjDF9PENJKqYXwgxLZJtuWxMT+cwyj16KDnf24-okaQ@mail.gmail.com>
Accept-Language: en-US, zh-CN
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.135.23.94]
Content-Type: multipart/alternative; boundary="_000_DD5FC8DE455C3348B94340C0AB5517334F86F1E8nkgeml501mbschi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <http://mailarchive.ietf.org/arch/msg/idr/kLuCX2w9--wqHvwmcHdASE1O4NQ>
Cc: "idr@ietf.org" <idr@ietf.org>
Subject: Re: [Idr] 答复: New Version Notification for draft-liang-idr-flowspec-orf-00.txt
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jun 2015 03:49:06 -0000

Thanks Robert for your good comments and suggestions. Pls see inline with [weiguo].

weiguo

________________________________
From: rraszuk@gmail.com [rraszuk@gmail.com] on behalf of Robert Raszuk [robert@raszuk.net]
Sent: Tuesday, June 02, 2015 17:18
To: Liangqiandeng
Cc: idr@ietf.org; Haoweiguo; Youjianjie
Subject: Re: 答复: [Idr] New Version Notification for draft-liang-idr-flowspec-orf-00.txt


maybe it' better to establish BGP session between the ASBRs from different sites for disseminating their FlowSpec rules to each other.

​Maybe it is better though completely not practical to recommend web of eBGP multihop sessions between peers ​which do not know each other and have no peering agreements.

Moreover notice that in such case for validation purposes unicast traffic would also need to be send over such direct peering what in turn means that it would have to be encapsulated.


2.Actually,our draft doesn't oppose the validation procedures as described in section 6 of RFC5575,

​I commented on your example where you say that flow would go to ASBR1. It would not if you validate it. ​


should support. In this case we think the FlowSpec-ORF is valuable.


​ORF in general is about pushing your inbound filter to a peer. Here we are talking about installing inbound filters for flow spec routes and pushing it to a peer.

How do you know what to reject if the flow information is dynamic by nature .. created upon detection of DDoS ?
[weiguo]: Yes, i agree. If the ingress PE doesn't know any flow information ahead of time, it can't generate any effective ORF.

I am having problem envisioning a scenario that some of my peers push me ORF stating

"I do not want to hear of flow spec routes from you which:

- contain match on port XX
- contain match on SRC/DST address x.x.x.x
- contain action drop
etc"
[weiguo]: Yes, these are useful cases for flowspec ORF. We can add these usecases in later version of this draft.


That way flow spec effectiveness for DDoS is reduced significantly.

Best,
r.




发件人: Idr [mailto:idr-bounces@ietf.org<mailto:idr-bounces@ietf.org>] 代表 Robert Raszuk
发送时间: 2015年5月30日 17:25
收件人: Haoweiguo; Qiandeng Liang
抄送: idr@ietf.org<mailto:idr@ietf.org>
主题: Re: [Idr] New Version Notification for draft-liang-idr-flowspec-orf-00.txt

Hello Weiguo,

Hi All,
A new draft of "BGP FlowSpec Outbound Route Filter" was proposed.
Your comments and suggestions are appreciated.

Thanks,
weiguo


​Let me provide few comments ​why I think this work should be rather abandoned right at its  -00 version:


section 3.1 Figure 1

   "Therefore, ASBR2 can send to ASBR1 a set of FlowSpec-ORF
   that can be used by ASBR1 to filter its outbound FlowSpec rules to
   ASBR2."

- The above would result in dropping part of the flow descriptions between ASBR 1 and ASBR 2 such that neither ASBR 3 nor ASBR 4 would be able to ever receive it. Note that ASBR 2 may act only as transit and may not be willing to enable foregin filtering in their data plane at all. However it should have not limit it to carry BGP control plane SAFI 133 or 134 to the legitimate peers. So pushing Flow Spec ORF from ASBR 2 to ASBR 1 would be counterproductive.


section 3.1 Figure 2

   "Furthermore, ASBR2 and ASBR3 will distribute the FlowSpec rules to
   ASBR1 and ASBR4 respectively."


- Sending FlowSpec information to ASBR1 would be acting against validation procedures as described in section 6 of RFC5575 which say:

"A flow specification NLRI must be validated such that it is
   considered feasible if and only if:

   a) The originator of the flow specification matches the originator of
      the best-match unicast route for the destination prefix embedded
      in the flow specification."


Summary:

I think we should not suppress propagation of filtering rules in BGP control plane provided they are legitimate (ie. pass validation procedure) just based on cherry picking on the match or actions criteria they contain.

Practically amount and  churn of the amount of flow spec information would be rather in white noise levels compared to what BGP should be ready to carry.

However if one would like to limit those other already available tools could be used: longer MRAI timer, dedicated BGP session for SAFI 133/134 with different input processing, FS NLRI dampening etc ...


​Regards,
r.​

v2.23.0 | Report a Bug | By Email