IETF Logo Mail Archive

Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06

John Schiel <jschiel@flowtools.net> Fri, 11 May 2018 21:44 UTC

Return-Path: <jschiel@flowtools.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE95112D940 for <idr@ietfa.amsl.com>; Fri, 11 May 2018 14:44:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=flowtools-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WATu-W-oiifX for <idr@ietfa.amsl.com>; Fri, 11 May 2018 14:44:04 -0700 (PDT)
Received: from mail-wm0-x241.google.com (mail-wm0-x241.google.com [IPv6:2a00:1450:400c:c09::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DDEA12D892 for <idr@ietf.org>; Fri, 11 May 2018 14:44:03 -0700 (PDT)
Received: by mail-wm0-x241.google.com with SMTP id f8-v6so5531786wmc.4 for <idr@ietf.org>; Fri, 11 May 2018 14:44:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=flowtools-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=eJ3347BozmzL7xq+CtQDZ8jpDLr/iCmEF1rrOMqPzNg=; b=WsNq51fZ3LMY4rt2atnZHjirQaHETJqlJY5H6XLxeC5Hs6IKOiO3qeYRLtkYByCAz2 Qc2AuBDbC7xm+C3jK9EVJdL4ZZQXD7uKuqGrIRfLinLDUh2b2fSAGuMAaNY/K9MDbKQ2 IglYKnVCq3OarSnQlbbdv8W2NoCe/3TNiV8vgkJyWS4/3Bn2iTIGC/oKeOp3S3uJiHXq 45ALswics1SvRWg0o7jGJacp7sR0i9vmnYiPYVFtGH8rVJniS9uf1FsWI0z535z+nlDQ d170Yp55EmaN5z2OrfmfTBqKMAfxHeM+uwaZ+sItVA0PD6RWn2lnQ3phsIqSIGYgpht7 zd9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=eJ3347BozmzL7xq+CtQDZ8jpDLr/iCmEF1rrOMqPzNg=; b=ZqGWBKnfdMst4SsGG0vYyIXN0B8e+YiY6RNTzxytNJHpMQQfjf0Vqo1xmHcCWFFzPM KTovF1GJcNZ6vH8aklhp0fcr3AOFMrJKNgQww5Qcw+LS+klMkAjHZRRQB5UE5K9nF/t3 cCjDYbPyJCvLVMqRhnsViMIh0VJzHql3vvV91Fhc2zYWuLdySPDpvhe0AoV16qo5NaSY pqB0sVcTLorHFc5BaAX7OCsj8KvSvLH3YJGlV6+gR0IgzGJAz+6cCV4JUH6kH0+pAggL II8i1MencTlq4y81n9m050W6S/5cjpiG8zH50xKcErq6xL6Zc/J2S8UxjNiggiMaqmR9 /Ekw==
X-Gm-Message-State: ALKqPwcsDdlW36mJm2qO0BlA0tkXkkSMAuBsW90H4fKmYv6R5zq2CslD dnlqISG9za5uMC1IV68sHuCzzXqCVi+rbL5wM8GwNQ==
X-Google-Smtp-Source: AB8JxZrQEyUYQKAzPXcMYwKb57VvQWZQQx992GQaGx8wk+oF+Nfj6CrktcIzL47LKEKPRwZnyEI/Qv7oWCLhRF/bIhY=
X-Received: by 2002:a50:8227:: with SMTP id 36-v6mr458407edf.309.1526075042039; Fri, 11 May 2018 14:44:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.80.135.219 with HTTP; Fri, 11 May 2018 14:44:01 -0700 (PDT)
X-Originating-IP: [209.244.4.106]
In-Reply-To: <d7cb371119f54c41bf2fb17281d3d85c@XCH-ALN-014.cisco.com>
References: <DB4DB79D-22DD-45A7-980A-B33C5E58C1C7@juniper.net> <2997BE5D-F4C6-4AC2-9B00-126436FC5141@juniper.net> <68EFACB32CF4464298EA2779B058889D53DB49B4@PDDCWMBXEX503.ctl.intranet> <e0e1857b46104431be4f655fe8d1e0b1@XCH-ALN-014.cisco.com> <68EFACB32CF4464298EA2779B058889D53DB4D80@PDDCWMBXEX503.ctl.intranet> <7cc92070-d480-cd91-e572-36dc36836732@cisco.com> <68EFACB32CF4464298EA2779B058889D53DB50BF@PDDCWMBXEX503.ctl.intranet> <a5c07854cdba4e09b7fd6c3751acfbf2@XCH-ALN-014.cisco.com> <68EFACB32CF4464298EA2779B058889D53DB514E@PDDCWMBXEX503.ctl.intranet> <d7cb371119f54c41bf2fb17281d3d85c@XCH-ALN-014.cisco.com>
From: John Schiel <jschiel@flowtools.net>
Date: Fri, 11 May 2018 15:44:01 -0600
Message-ID: <CABmZaCMZf9i33EuStxgboELi4Ap_UsGFQoRdaJNfn4yTY3YK4A@mail.gmail.com>
To: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
Cc: "Smith, Donald" <Donald.Smith@centurylink.com>, "Juan Alcaide (jalcaide)" <jalcaide@cisco.com>, John Scudder <jgs@juniper.net>, "idr@ietf. org" <idr@ietf.org>, "nl7942@att.com" <nl7942@att.com>, "Schiel, John" <John.Schiel@centurylink.com>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c81a5f056bf50849"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/lPy7RmuQLezK1bdflPgWP1tu8s4>
Subject: Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 May 2018 21:44:09 -0000

Don's example makes sense to me. Ideally CustM is getting traffic both from
ISPA and ISPB. If ISPA identifies and stops the traffic from going to
CustM, then sends a rule to B, ISPB may or may not accept the rule and the
attack would still go over the connection from ISPB to CustM based on
preferred path regardless of rule acceptance. If the metrics are different
and the preferred path is now from ISPB to ISPA and then to CustM, then the
importance of accepting the rule becomes more important.

I don't see any current issues with this WG.

--John


On Fri, May 11, 2018 at 2:42 PM, Jakob Heitz (jheitz) <jheitz@cisco.com>
wrote:

> This is the case that we all intend to work (I think), but only if ISPB
> explicitly
>
> allows that flowspec rule from ISPA. It would not happen by default.
>
> Now to find the words...
>
>
>
> Thanks,
>
> Jakob
>
>
>
> *From:* Smith, Donald <Donald.Smith@CenturyLink.com>
> *Sent:* Friday, May 11, 2018 1:36 PM
> *To:* Jakob Heitz (jheitz) <jheitz@cisco.com>; Juan Alcaide (jalcaide) <
> jalcaide@cisco.com>; John Scudder <jgs@juniper.net>; idr@ietf. org <
> idr@ietf.org>
>
> *Cc:* nl7942@att.com; Schiel, John <John.Schiel@centurylink.com>;
> draft-ietf-idr-bgp-flowspec-oid@ietf.org
> *Subject:* RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
>
>
>
>
>
>
>
>
>
> Customer M
>
> |              |
>
> |              |
>
> |              |
>
> ISPA------ISPB
>
>
>
> ISPA sees a large DDoS attack against customer M and triggers a flowspec
> rule internally and to ISPB.
>
> But ISPB has customer M connections too (one or more) and receives BGP
> announcements from them (or has a static or ... but has routes that would
> be preferred internally), thus the flowspec check would fail right?
>
>
>
>
>
>
>
>
>
> Metric System < +000 > -000
>
> Extra People's Terribly Good Meals Kept mY uNCLE    Ned   Purring For
> Ages
>
> Exa   Peta        Tera     Giga   Mega  Kilo milli Micro(u) Nano Pico
> Femto Atto
>
> Donald.Smith@centurylink.com
> ------------------------------
>
> *From:* Jakob Heitz (jheitz) [jheitz@cisco.com]
> *Sent:* Friday, May 11, 2018 1:39 PM
> *To:* Smith, Donald; Juan Alcaide (jalcaide); John Scudder; idr@ietf. org
> *Cc:* nl7942@att.com; Schiel, John; draft-ietf-idr-bgp-flowspec-
> oid@ietf.org
> *Subject:* RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
>
> Sorry Donald, Can you draw a diagram or reword your scenario?
>
>
>
> Thanks,
>
> Jakob
>
>
>
> *From:* Smith, Donald <Donald.Smith@CenturyLink.com>
> *Sent:* Friday, May 11, 2018 12:30 PM
> *To:* Juan Alcaide (jalcaide) <jalcaide@cisco.com>; Jakob Heitz (jheitz) <
> jheitz@cisco.com>; John Scudder <jgs@juniper.net>; idr@ietf. org <
> idr@ietf.org>
> *Cc:* nl7942@att.com; Schiel, John <John.Schiel@centurylink.com>;
> draft-ietf-idr-bgp-flowspec-oid@ietf.org
> *Subject:* RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
>
>
>
> I am not entirely sure if that works here or not.
>
> But I think with that you could show some AS as the last AS in the past
> (far left) and maybe not show the original customer AS?
>
> As long as your advertising that space to me, and I don't have a better
> path it should work.
>
>
>
> Now what happens when a customer is a customer of ISP A and ISP B both
> have routes to it, if A advertises flowspec to B for that network wouldn't
> it be blocked as the best path to the customer inside of B is B's path.
>
> This is actually a different problem, or subset of the original issue.
>
>
>
> What should happen in that case? I might want to take action, I might not
> be seeing a huge flood, while the original announcer (A) is and wants us to
> take action as they expect we will be seeing that traffic soon?
>
>
>
>
>
>
>
>
>
> Metric System < +000 > -000
>
> Extra People's Terribly Good Meals Kept mY uNCLE    Ned   Purring For
> Ages
>
> Exa   Peta        Tera     Giga   Mega  Kilo milli Micro(u) Nano Pico
> Femto Atto
>
> Donald.Smith@centurylink.com
> ------------------------------
>
> *From:* Juan Alcaide (jalcaide) [jalcaide@cisco.com]
> *Sent:* Friday, May 11, 2018 12:57 PM
> *To:* Smith, Donald; Jakob Heitz (jheitz); John Scudder; idr@ietf. org
> *Cc:* nl7942@att.com; Schiel, John; draft-ietf-idr-bgp-flowspec-
> oid@ietf.org
> *Subject:* Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
>
> Don,
>
> (just to be clear, this has nothing to directly with the redirect
> extended-community draft)
>
> We already thought about it and added a 'clause' in the last revision.
>
> "Optionally, an implementation
>    could be configured to allow only flow specification NLRIs containing
>    only a subset of ASes.  This could be useful, for example, with
>    networks that consist of multiple ASes that operate under the same
>    administrative domain."
>
> This is not what you want?
>
> -J
>
> On 5/11/2018 4:50 PM, Smith, Donald wrote:
>
> That would work of course MAY would be caps :) But that should cover the
> case I was describing.
>
> All the other BGP security issues would still apply.
>
> Cc'ing the two architects that have been working on this concept with me,
> in case they have anything to add.
>
>
>
>
>
> Metric System < +000 > -000
>
> Extra People's Terribly Good Meals Kept mY uNCLE    Ned   Purring For
> Ages
>
> Exa   Peta        Tera     Giga   Mega  Kilo milli Micro(u) Nano Pico
> Femto Atto
>
> Donald.Smith@centurylink.com
> ------------------------------
>
> *From:* Jakob Heitz (jheitz) [jheitz@cisco.com <jheitz@cisco..com>]
> *Sent:* Thursday, May 10, 2018 11:39 PM
> *To:* Smith, Donald; John Scudder; idr@ietf. org
> *Cc:* draft-ietf-idr-bgp-flowspec-oid@ietf.org
> *Subject:* RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
>
> I support the draft.
>
>
>
> Donald, are you saying that AS1 should accept a flowspec rule from AS2 for
> traffic going to AS3?
>
> If AS1 can trust the flowspec from AS2, then I don't see why not.
>
> Maybe we can add text to the effect of:
>
> The rules stated here are for default behavior.
>
> Local policy may allow flow specifications from other EBGP neighbors to be
> accepted.
>
>
>
> Thanks,
>
> Jakob
>
>
>
> *From:* Idr <idr-bounces@ietf.org> <idr-bounces@ietf.org> * On Behalf Of *Smith,
> Donald
> *Sent:* Thursday, May 10, 2018 11:58 AM
> *To:* John Scudder <jgs@juniper.net> <jgs@juniper.net>; idr@ietf. org
> <idr@ietf..org> <idr@ietf..org>
> *Cc:* draft-ietf-idr-bgp-flowspec-oid@ietf.org
> *Subject:* Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
>
>
>
> This supports some of the bi-lateral, ddos-peering work we want to do, so
> support.
>
>
>
> https://pc.nanog.org/static/published/meetings/NANOG71/1447/20171003_Levy_
> Operationalizing_Isp_v2.pdf
>
>
>
> That is almost always going to be between some set of systems not one hop
> away, not directly in the forwarding plane, probably not really IBGP peers.
>
>
>
> " It thus becomes necessary to modify step (a) of the RFC 5575
> <https://tools.ietf.org/html/rfc5575>
>    validation procedure such that an IBGP peer that is not within the
>    data forwarding plane may originate flow specification NLRIs."
>
>
>
> While you could have the IBGP peer directly in the forwarding plane,
> forward it like a route reflector, requiring it to seems counter intuitive
> as it is more likely to come from some BGP speaking tool in ISP requesting
> the filter.
>
>
>
> Next lots of references to IBGP and a few to EBGP, when I think of
> IBGP, IBGP is internal to a single AS (yes I know there are exceptions) but
> that is kind of the meaning, while this is mostly between peers (whom could
> do IBGP between them but is that required? Can't we validate without IBGP
> direct connections?)
>
>
>
>
>
> Metric System < +000 > -000
>
> Extra People's Terribly Good Meals Kept mY uNCLE    Ned   Purring For
> Ages
>
> Exa   Peta        Tera     Giga   Mega  Kilo milli Micro(u) Nano Pico
> Femto Atto
>
> Donald.Smith@centurylink.com
> ------------------------------
>
> *From:* Idr [idr-bounces@ietf.org] on behalf of John Scudder [
> jgs@juniper.net]
> *Sent:* Thursday, May 10, 2018 12:28 PM
> *To:* idr@ietf. org
> *Cc:* draft-ietf-idr-bgp-flowspec-oid@ietf.org
> *Subject:* Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
>
> Hi All,
>
>
>
> On Apr 26, 2018, at 3:58 PM, John Scudder <jgs@juniper.net> wrote:
>
>
>
> The authors have requested a working group last call for
> draft-ietf-idr-bgp-flowspec-oid-06. Please respond with your comments
> before Friday, May 11.
>
>
>
> A quick update on the status of this WGLC:
>
>
>
> - All the authors have responded about IPR (thank you!).
>
> - Three people who are not authors (Acee, Shyam, Keyur) have responded
> supporting publication.
>
> - Nobody has responded with other comments or opposition.
>
>
>
> Three respondents is not a very large number; it would be helpful if
> others would chime in.
>
>
>
> The WGLC period is scheduled to end tomorrow.
>
>
>
> Thanks,
>
>
>
> --John
>
> This communication is the property of CenturyLink and may contain
> confidential or privileged information. Unauthorized use of this
> communication is strictly prohibited and may be unlawful. If you have
> received this communication in error, please immediately notify the sender
> by reply e-mail and destroy all copies of the communication and any
> attachments.
>
> This communication is the property of CenturyLink and may contain
> confidential or privileged information. Unauthorized use of this
> communication is strictly prohibited and may be unlawful. If you have
> received this communication in error, please immediately notify the sender
> by reply e-mail and destroy all copies of the communication and any
> attachments.
>
>
>
> _______________________________________________
>
> Idr mailing list
>
> Idr@ietf.org
>
> https://www.ietf.org/mailman/listinfo/idr
>
>
>
> This communication is the property of CenturyLink and may contain
> confidential or privileged information. Unauthorized use of this
> communication is strictly prohibited and may be unlawful. If you have
> received this communication in error, please immediately notify the sender
> by reply e-mail and destroy all copies of the communication and any
> attachments.
>
> This communication is the property of CenturyLink and may contain
> confidential or privileged information. Unauthorized use of this
> communication is strictly prohibited and may be unlawful. If you have
> received this communication in error, please immediately notify the sender
> by reply e-mail and destroy all copies of the communication and any
> attachments.
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
>

v2.23.0 | Report a Bug | By Email