Re: [Idr] WG LC on draft-ietf-idr-rpd-05.txt (7/15 to 7/29/2020)

Robert Raszuk <robert@raszuk.net> Fri, 24 July 2020 21:23 UTC

From: Robert Raszuk <robert@raszuk.net>
Date: Fri, 24 Jul 2020 23:23:37 +0200
Message-ID: <CAOj+MMENq1dN2Mwwy0UMO_LTpBeqD8zNP65ZHmrHUCfHw8LbEA@mail.gmail.com>
To: "Jakob Heitz (jheitz)" <jheitz=40cisco.com@dmarc.ietf.org>
Cc: "Wanghaibo (Rainsword)" <rainsword.wang@huawei.com>, Huaimo Chen <huaimo.chen@futurewei.com>, Susan Hares <shares@ndzh.com>, "idr@ietf.org" <idr@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/kyyUqSMoy1Wzbda_C4woeWNQOeQ>
Subject: Re: [Idr] WG LC on draft-ietf-idr-rpd-05.txt (7/15 to 7/29/2020)

In addition to the points already mentioned, let's examine what the draft
actually defines ... not sure if this is just the tip of the iceberg or
the full set of match and set tools the authors envision.

Match:

IPv4 prefix,
IPv6 prefix,
AS-PATH regex
Community

Set:

MED,
Arbitrary AS-PATH


- So first, don't we see a need to match on the peer's ASN?
- Don't we need to match on the peer? (The NLRI itself just matches on
the ASBR, making it p2p.)
- How about matching on link bandwidth to the specific peer?
- The draft talks about outbound traffic engineering from the local AS ...
well, that is typically done by setting local preference, which is not even
mentioned in the document.
- The defined community sub-TLV merely covers RFC 1997. How about Extended
or Large Communities? No use? No need to match?

Kind regards,
R.


On Fri, Jul 24, 2020 at 10:28 PM Jakob Heitz (jheitz) <jheitz=40cisco.com@dmarc.ietf.org> wrote:

> Let me try a different way.
>
> Flowspec is designed to install a filter everywhere to mitigate DDoS.
>
> Even if the filter does not install in a few routers, the DDoS is still
> mitigated.
>
> It does not matter which nodes install it before other nodes.
>
> Therefore, the spray and pray of BGP is ok for Flowspec.
>
>
>
> Routing policy distribution could cause unpleasant routing transients if
>
> it is not installed or installed late on random nodes.
>
>
>
> Regards,
>
> Jakob.
>
>
>
> *From:* Wanghaibo (Rainsword) <rainsword.wang@huawei.com>
> *Sent:* Thursday, July 23, 2020 11:23 PM
> *To:* Jakob Heitz (jheitz) <jheitz@cisco.com>; Huaimo Chen <huaimo.chen@futurewei.com>; Susan Hares <shares@ndzh.com>; idr@ietf.org
> *Subject:* RE: [Idr] WG LC on draft-ietf-idr-rpd-05.txt (7/15 to
> 7/29/2020)
>
>
>
> Hi Jakob,
>
>
>
> Can you give some more details about "the route and the flowspec spray to
> the same places"?
>
>
>
> Regards,
>
> Haibo
>
>
>
> *From:* Jakob Heitz (jheitz) <jheitz@cisco.com>
> *Sent:* Friday, July 24, 2020 1:31 AM
> *To:* Wanghaibo (Rainsword) <rainsword.wang@huawei.com>; Huaimo Chen <huaimo.chen@futurewei.com>; Susan Hares <shares@ndzh.com>; idr@ietf.org
> *Subject:* RE: [Idr] WG LC on draft-ietf-idr-rpd-05.txt (7/15 to
> 7/29/2020)
>
>
>
> You're missing the point.
>
>
>
> The fact that BGP is spray and pray doesn't matter, because the route and
> the flowspec spray to the same places.
>
>
>
> Regards,
>
> Jakob.
>
>
>
> *From:* Wanghaibo (Rainsword) <rainsword.wang@huawei.com>
> *Sent:* Thursday, July 23, 2020 12:02 AM
> *To:* Jakob Heitz (jheitz) <jheitz@cisco.com>; Huaimo Chen <huaimo.chen@futurewei.com>; Susan Hares <shares@ndzh.com>; idr@ietf.org
> *Subject:* RE: [Idr] WG LC on draft-ietf-idr-rpd-05.txt (7/15 to
> 7/29/2020)
>
>
>
> Hi Jakob,
>
>
>
> 1.  Flowspec’s validation is used to check whether a device can learn the
> Flowspec routes from an EBGP peer, but the validation can be performed only
> for the component of the destination type.
>
>     In practice, the centralized server or controller is often used to
> send FlowSpec routes to devices.
>
> 2.  RPD and SR-Policy also have their own validation. That is, route
> targets are used to check whether information is sent to the expected node.
>
>
>
> Regards,
>
> Haibo
>
>
>
> *From:* Idr <idr-bounces@ietf.org> *On Behalf Of *Jakob Heitz (jheitz)
> *Sent:* Tuesday, July 21, 2020 12:52 PM
> *To:* Huaimo Chen <huaimo.chen@futurewei.com>; Susan Hares <shares@ndzh.com>; idr@ietf.org
> *Subject:* Re: [Idr] WG LC on draft-ietf-idr-rpd-05.txt (7/15 to
> 7/29/2020)
>
>
>
> There is an important difference between RPD and Flowspec.
>
> https://tools.ietf.org/html/rfc5575#section-6
>
> states:
>
>    A flow specification NLRI must be validated such that it is
>
>    considered feasible if and only if:
>
>
>
>    a) The originator of the flow specification matches the originator of
>
>       the best-match unicast route for the destination prefix embedded
>
>       in the flow specification.
>
>
>
>    b) There are no more specific unicast routes, when compared with the
>
>       flow destination prefix, that have been received from a different
>
>       neighboring AS than the best-match unicast route, which has been
>
>       determined in step a).
>
>
>
> Effectively, the advertisement of the route takes the same vector as the
>
> advertisement of the matching flowspec. Therefore, if the flowspec did not
>
> reach a node, then the route likely didn't either, so it doesn't matter.
>
>
>
> The fact that BGP is spray and pray doesn't matter, because the route and
> the flowspec spray to the same places.
>
>
>
> RPD policy distribution has no such validation rule.
>
>
>
> SR policy distribution suffers from the same problem.
>
>
>
>
>
> Regards,
>
> Jakob.
>
>
>
> *From:* Huaimo Chen <huaimo.chen@futurewei.com>
> *Sent:* Monday, July 20, 2020 9:01 PM
> *To:* Jakob Heitz (jheitz) <jheitz@cisco.com>; Susan Hares <shares@ndzh.com>; idr@ietf.org
> *Subject:* Re: [Idr] WG LC on draft-ietf-idr-rpd-05.txt (7/15 to
> 7/29/2020)
>
>
>
> Hi Jakob,
>
>
>
>     Thank you very much for your valuable comments.
>
>     Our answers/explanations are inline below with prefix [HC].
>
>
>
> Best Regards,
>
> Huaimo on behalf of co-authors
> ------------------------------
>
> *From:* Idr <idr-bounces@ietf.org> on behalf of Jakob Heitz (jheitz) <jheitz=40cisco.com@dmarc.ietf.org>
> *Sent:* Thursday, July 16, 2020 9:01 PM
> *To:* Susan Hares <shares@ndzh.com>; idr@ietf.org <idr@ietf.org>
> *Subject:* Re: [Idr] WG LC on draft-ietf-idr-rpd-05.txt (7/15 to
> 7/29/2020)
>
>
>
> BGP seems the wrong way to distribute routing policy.
>
>
>
> [HC]: It seems that BGP flow spec has been used widely to distribute
> policies for redirecting the traffic. It seems to work well without some
> mechanisms in Netconf. BGP RPD should be similar to BGP flow spec.  BGP SR
> Policy is on the same train.
>
>
>
> IETF has already defined a way to distribute configuration: Netconf.
>
> Netconf provides needed features that BGP does not have:
>
> - Atomic Transactions:
>
>   If one configuration item fails, they all fail.
>
>   They all either succeed or all fail. There is no partial success.
>
>   Multiple configurations in one transaction are applied at the same time.
>
>   This avoids non-deterministic transient behavior between application
> of the first policy and the last.
>
> - Feedback:
>
>   BGP is "spray and pray".
>
>   Netconf provides an acknowledgement that the config either failed or was
> applied,
>
>   which then allows the controller to take the next steps with
>
>   reliable information about what configuration exists in the network.
>
> - Persistence:
>
>   If the BGP session were to go down, all the configuration it sent will
> be implicitly withdrawn.
>
>
>
> If another AS would not allow a foreign AS to configure it with netconf,
>
> it would not allow it with RPD either.
>
>
>
> There are already ways in BGP for an AS to signal preference across AS
> boundaries:
>
> Med, AS-path length, communities.
>
>
>
> [HC]: Netconf can be used to distribute configurations from a controller
> to the devices in a network. BGP RPD, as an alternative option, may have
> some advantages in some cases. For example, in the case where BGP is the
> controller, BGP RPD seems more suitable. Using BGP RPD to control/redirect
> the traffic dynamically in real time may be more effective.
>
>
>
> Regards,
>
> Jakob.
>
>
>
> *From:* Idr <idr-bounces@ietf.org> *On Behalf Of *Susan Hares
> *Sent:* Wednesday, July 15, 2020 6:11 AM
> *To:* idr@ietf.org
> *Subject:* [Idr] WG LC on draft-ietf-idr-rpd-05.txt (7/15 to 7/29/2020)
>
>
>
> This begins a 2 week WG LC on draft-ietf-idr-rpd
>
> from 7/15 to 7/29/2020.  You can obtain this draft at:
>
> https://datatracker.ietf.org/doc/draft-ietf-idr-rpd/
>
>
>
> This draft defines a new AFI/SAFI and new atoms
>
> for the Wide Communities.  This WG LC has been delayed
>
> as I waited for a resubmission of the Wide Communities draft.
>
> I had hoped to do these 2 WG LC in parallel.
>
>
>
> I’ve not received the Wide Communities draft, but we will
>
> start this WGLC to provide feedback to the authors.
>
> We may have to run a short follow-up to this WG LC
>
> if there are changes to the Wide Communities draft during
>
> its WG LC.
>
>
>
> There is an IPR statement on this draft.
>
>
>
> In your responses please answer the following questions:
>
>
>
> 1) Do you feel this draft has a solution that is acceptable
>
>    with the IPR as a WG RFC?
>
>
>
> 2) Do you feel this draft is ready to publish?
>
>
>
> 3) Do you know of implementations of this draft?
>
>
>
> 4) Do you know of deployments of this draft?
>
> If so, is this feature useful in the deployments?
>
>
>
> 5) Do you feel that Wide Communities is ready for
>
> publication?
>
>
>
> Cheerily, Susan Hares
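The RFC 5575 section 6 validation rule that Jakob quotes in the thread above, worked through in code so the "important difference" between Flowspec and RPD is concrete. This is an added example, not code from draft-ietf-idr-rpd, RFC 5575 or any router implementation. It assumes a Loc-RIB that holds one best path per prefix, uses a neighbouring-AS label as a simplified stand-in for the RFC's "originator", and the RIB entries and flowspec NLRIs below are constructed sample data.

```python
"""RFC 5575 section 6 flow-specification validation, as a worked example.

Added illustration for the mailing-list thread; not code from
draft-ietf-idr-rpd, RFC 5575 or any router. The RIB below is constructed
sample data and "originator" is a simplified stand-in (a neighbouring-AS
label) for the originator the RFC compares.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network  # sample data is IPv4; IPv6 works the same way


@dataclass(frozen=True)
class UnicastRoute:
    prefix: Net
    originator: str   # assumption: neighbouring AS the best path was learned from


@dataclass(frozen=True)
class FlowSpec:
    dst_prefix: Net   # destination-prefix component of the flowspec NLRI
    originator: str   # neighbouring AS that sent us this flowspec


def best_match_route(rib: List[UnicastRoute], dst: Net) -> Optional[UnicastRoute]:
    """Longest-prefix match: the most specific unicast route covering dst.
    Assumes `rib` holds one best path per prefix (the Loc-RIB view)."""
    covering = [r for r in rib
                if r.prefix.version == dst.version and dst.subnet_of(r.prefix)]
    if not covering:
        return None
    return max(covering, key=lambda r: r.prefix.prefixlen)


def validate_flowspec(fs: FlowSpec, rib: List[UnicastRoute]) -> Tuple[bool, str]:
    """Apply conditions a) and b) of RFC 5575 section 6.

    Returns (feasible, reason). A flowspec that fails is neither installed
    nor propagated, which is what stops a neighbour from installing filters
    for prefixes whose best route came from somebody else."""
    best = best_match_route(rib, fs.dst_prefix)
    if best is None:
        return False, "no unicast route covers the destination prefix"
    # a) originator of the flowspec must match originator of the best-match route
    if fs.originator != best.originator:
        return False, (f"originator {fs.originator} differs from best-match "
                       f"route originator {best.originator}")
    # b) no more-specific unicast route from a different neighbouring AS
    for r in rib:
        if (r.prefix.version == fs.dst_prefix.version
                and r.prefix.prefixlen > fs.dst_prefix.prefixlen
                and r.prefix.subnet_of(fs.dst_prefix)
                and r.originator != best.originator):
            return False, f"more-specific route {r.prefix} from {r.originator}"
    return True, "feasible"


# Constructed sample Loc-RIB (documentation prefixes, private ASNs).
SAMPLE_RIB = [
    UnicastRoute(ipaddress.ip_network("192.0.2.0/24"), "AS64501"),
    UnicastRoute(ipaddress.ip_network("192.0.2.128/25"), "AS64502"),
    UnicastRoute(ipaddress.ip_network("198.51.100.0/24"), "AS64501"),
]


def check(dst: str, originator: str, rib=SAMPLE_RIB) -> Tuple[bool, str]:
    """Validate a flowspec for `dst` received from `originator` against `rib`."""
    return validate_flowspec(FlowSpec(ipaddress.ip_network(dst), originator), rib)


if __name__ == "__main__":
    cases = [
        ("198.51.100.0/24", "AS64501"),  # filter for its own prefix: feasible
        ("198.51.100.0/24", "AS64502"),  # filter for someone else's prefix: rejected by a)
        ("192.0.2.0/24", "AS64501"),     # covers a /25 learned from AS64502: rejected by b)
        ("192.0.2.128/25", "AS64502"),   # the /25 owner filtering its own /25: feasible
        ("203.0.113.0/24", "AS64501"),   # no covering unicast route: rejected
    ]
    for dst, orig in cases:
        ok, why = check(dst, orig)
        print(f"{dst:18} from {orig}: {'FEASIBLE' if ok else 'REJECT'} ({why})")
```

The second and third cases are the point of the rule: the flowspec NLRI is only accepted along the same vector as the unicast route it would act on, so a neighbour cannot filter traffic to a prefix it does not carry the best route for, and a /24 filter cannot silently cover a /25 that a different neighbour announces. The RPD and SR Policy NLRIs carry no destination prefix to tie them to a unicast route, which is why Jakob says they have no such validation rule.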