Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redirect-10.txt [11/17/2019 to 12/2/2019]
Robert Raszuk <robert@raszuk.net> Fri, 29 November 2019 14:01 UTC
Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA062120800 for <idr@ietfa.amsl.com>; Fri, 29 Nov 2019 06:01:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vGjp9awcsWx9 for <idr@ietfa.amsl.com>; Fri, 29 Nov 2019 06:01:47 -0800 (PST)
Received: from mail-qv1-xf2d.google.com (mail-qv1-xf2d.google.com [IPv6:2607:f8b0:4864:20::f2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9DA41200E9 for <idr@ietf.org>; Fri, 29 Nov 2019 06:01:46 -0800 (PST)
Received: by mail-qv1-xf2d.google.com with SMTP id c2so4439657qvp.12 for <idr@ietf.org>; Fri, 29 Nov 2019 06:01:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sltgVsgNATSMyWUUa4foqh516D9goxgUjj5GU0akvWU=; b=EQRyU+KTSg5pEIANc/6JpPL1vUsIvgrP8Z5XRAHy+tbNdUmmIYItZlcXASnG3o2UiY Ui+tVhnIrfN+7eUZkHy/2Ma1k0rA+6ClgYM0DIw7nfmn16P1gHweqBNi5n91ck76hV36 Mf/4u+03TCpZmVEMz+F0Yb21W8AMoSHQ3nLvUjMS4u8QG04XdEbRscIXds72jxZc2+8Y cHnFATsnoXQ9rSUC6bMmdf0roAakdbyACG6HEZi3jaeWR3POnKzwj9IdbiekXyrD/U+f gUwmJ80tyus9rHmp0oEVTR847db/PuYM6B6e1m3asTtIpbulP7HiYU0sOXp/FXXi9cfH Ga+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sltgVsgNATSMyWUUa4foqh516D9goxgUjj5GU0akvWU=; b=rent3ufCDRE0gg6lE0Ypsz6Cg55LhJZz8A1br35XZaHXbxIffwt4u5hjkQQrz4Ah0O o7ucclc6Dqg/8SvYamQdRmQMiI9GSuN1wqG+cnp5gi6TC41EPoksDxbVPUcDY1I2kb3l BGMm8CFXlgMvP6sLuSRRSE5ah9Rp5yOZkPJJTTLCaFV707FxPfjaHVuHNP/jlgUmWW1E rUtlDiDU0jzNvl6A2icVdWdhKDKGFyl1Qx3+iV//dxRQif7eqAJlXw8wLtbZt75FoWw4 HUNrwHmOn+3AeTuHvRr1uijNxj0/JIWsoB6o+fI8nhsbVu5RhbzvTF6R141QMP9+uFUT fjzw==
X-Gm-Message-State: APjAAAWHQJ/EzMMpWkhVfm4JT6f+w7zSCmubWVJRO9RkN6BgN+/ss+Rb XvgUoHdCu6qkBD+pLJSy7VluVhdr/Mu4lJP3w+lkSA==
X-Google-Smtp-Source: APXvYqwZ140nHS8xnxLwrmdRwphUG1O0bad8Ais5zzji3OSojRKbO9LJHPrCnadJL9st//L8gf4T+URko7/Y7LggA+g=
X-Received: by 2002:a0c:893d:: with SMTP id 58mr6846832qvp.4.1575036105776; Fri, 29 Nov 2019 06:01:45 -0800 (PST)
MIME-Version: 1.0
References: <e31b9ee1-6c36-48ff-85e7-adb6273d4cad@me.com>
In-Reply-To: <e31b9ee1-6c36-48ff-85e7-adb6273d4cad@me.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Fri, 29 Nov 2019 15:01:30 +0100
Message-ID: <CAOj+MMG_6SAs3_Pay_=14s02euTCuQex+VXaOY1op4q2-H8o3A@mail.gmail.com>
To: Gunter Van De Velde <guntervandeveldecc@icloud.com>
Cc: "Van De Velde, Gunter (Nokia - BE/Antwerp)" <gunter.van_de_velde@nokia.com>, "idr@ietf.org" <idr@ietf.org>, Sue Hares <shares@ndzh.com>
Content-Type: multipart/alternative; boundary="00000000000097f6ff05987cab51"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/oKD6VweYfUpLTI3VvtBkNRwcT5g>
Subject: Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redirect-10.txt [11/17/2019 to 12/2/2019]
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Nov 2019 14:01:51 -0000
Gunter, What is there to validate ? You validate if the flow spec update is legitimate and at most comparing destination match against unicast src which in all of redirect use cases will be disabled anyway - you can not possibly consider valid rule to redirect coming from your eBGP peer :). Also pls observe that you never validate actual actions ... what I am suggesting is just a little add-on in actions. Thx, R. On Fri, Nov 29, 2019 at 11:13 AM Gunter Van De Velde < guntervandeveldecc@icloud.com> wrote: > Hi Robert, > > While understanding your point, it does feel like opening a potential can > of worms with respect to validation of all possible combinations humanly > possible. Is the use-case for this capability solid enough that we need > this complication? There seems nothing broken with keeping things simple. > > G/ > > Sent from iCloud > > On November 29, 2019 at 10:34 AM, Robert Raszuk <robert@raszuk.net> wrote: > > Gunter, > > To your and Jeff's point regarding multiple redirect rules I have a bit > different perspective. > > First let's observe that redirect could be realized in two forms (both are > valid and used in practice): > > -A- redirect of the original flow > -B- redirect of copy of the flow > > See while in -A- clearly one redirect must be used, in -B- on the > other hand multiple redirects should be supported. One span, one security > TAP, one TCP analyzer etc ... > > Your draft defines -A-. To add -B- all what is needed is just one bit > flag. > > Would you consider it ? > > Cheers, > R. > > > > > > On Fri, Nov 29, 2019 at 4:51 AM Van De Velde, Gunter (Nokia - BE/Antwerp) < > gunter.van_de_velde@nokia.com> wrote: > >> Hi Jeff, >> >> Thanks for the feedback and suggestions. >> >> See inline: *GV>* >> >> -----Original Message----- >> From: Idr <idr-bounces@ietf.org> On Behalf Of Jeffrey Haas >> Sent: Thursday, November 28, 2019 20:21 >> To: Sue Hares <shares@ndzh.com> >> Cc: idr@ietf.org >> Subject: Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redirect-10.txt >> [11/17/2019 to 12/2/2019] >> >> Sue, >> >> >> >> > On Nov 18, 2019, at 12:41 AM, Susan Hares <shares@ndzh.com> wrote: >> > >> > This begins a 2 week WG Last call on >> draft-idr-flowspec-path-redirect-10.txt from [11/17/2019 to 12/2/2019]. >> > >> > You can obtain the draft at: >> > >> > https://datatracker.ietf.org/doc/draft-ietf-idr-flowspec-path-redirect/ >> > >> > Consider in your review whether this draft: >> > >> > 1) Is compatible with draft-ietf-rfc5575bis-17.txt? >> >> Yes. (Close enough.) The current version of the draft is implementable. >> >> > 2) Whether the draft is useful for deployments of flow >> specification >> >> It can be useful. >> >> > 3) Is this technology ready for deployment? >> > 4) Is the write-up of this technology in >> draft-ietf-idr-flowspec-path-redirect clearly written and ready for >> publication? >> >> Ready with minor issues, IMO: >> >> Procedure-wise, there needs to be a bit more text covering cases about >> interactions with other traffic actions. This was a known headache for >> similar drafts such as redirect-to-ip. In particular, interaction with >> redirect-to-ip and redirect-to-vrf is needed. >> >> GV> Section “6. Validation Procedures” gives input on this. We discussed >> this with you long ago and hence this text was added. >> >> “ >> While it MUST NOT happen, and is seen as invalid combination, it is >> possible from a semantics perspective to have multiple clashing >> redirect actions defined within a single flowspec rule. For best and >> consistant compatibility with legacy implementations, the redirect >> functionality as documented by rfc5575bis MUST NOT be broken, and >> hence when a clash occurs, then rfc5575bis based redirect MUST take >> priority. >> “ >> >> This means that redirect-to-VRF will take absolute priority to not break >> rfc5575bis behavior. >> Having also redirect-to-ip will result in an invalid >> >> >> The text "A single flowspec rule MUST NOT have more as one indirection-id >> per S-ID. On a flowspec client the indirection-id with lowest S-ID MUST be >> imposed first for any given flowspec entry." There's no procedure for what >> happens in error handling when you do have more than one of the same S-ID. >> The text about the case for S-ID of 0 is also a bit ambiguous. It feels >> like it's reading "there is no sequence", but what do you do when you then >> have ones that do? >> >> *GV>* What about the following rewrite: >> >> Original: >> The 'S-ID' field identifies a 4 bit Sequence ID field. This field is >> used to provide a flowspec client an indication how and where to >> sequence the received indirection-ids. The Sequence ID value 0 >> indicates that Sequence ID field is NOT set and SHOULD be ignored. A >> single flowspec rule MUST NOT have more as one indirection-id per >> S-ID. On a flowspec client the indirection-id with lowest S-ID MUST >> be imposed first for any given flowspec entry. >> >> New: >> The 'S-ID' field identifies a 4 bit Sequence ID field. This field is >> used to provide a flowspec client an indication how and where to >> sequence the received indirection-ids. The Sequence ID value 0 >> indicates that Sequence ID field is NOT set and *****all** other >> sequence ID's*** >> SHOULD be ignored. A >> single flowspec rule MUST NOT have more as one indirection-id per >> S-ID. On a flowspec client the indirection-id with lowest S-ID MUST >> be imposed first for any given flowspec entry. >> >> *GV>* In section *6. Validation procedure" there is text to handle the >> error condition when the flowspec rule results in an invalid redirection, >> that prescribe what needs to happen when the “redirect to indirection-id” >> does not result in a valid redirection: >> >> " >> While it MUST NOT happen, and is seen as invalid combination, it is >> possible from a semantics perspective to have multiple clashing >> redirect actions defined within a single flowspec rule. For best and >> consistant compatibility with legacy implementations, the redirect >> * functionality as documented by rfc5575bis MUST NOT be broken*, and >> hence when a clash occurs, then *rfc5575bis based redirect MUST take* >> * priority*. Additionally, if the "Redirect to indirection-id" does >> not >> result in a valid redirection, then the flowspec rule MUST be >> processed as if the "Redirect to indirection-id" community was not >> attached to the flowspec route. >> " >> >> *GV>* Is there more to add to this? (We could add a line to detail that >> “redirect-to-ip” is incompatible with “redirect to indirection-id” and >> result in invalid redirection rule, however to me that is already implied >> with enough detail in the text above) >> >> A few IANA issues: >> I see the type registry is currently registered with IANA (code point >> 0x09). However, the sub-type registry is not established for some reason? >> The ID-Type field likely needs its own IANA registry. Values 1-5 are >> defined in this draft. >> >> *GV>* Correct. There is a reason for this. When we asked IANA the >> code-points they informed me that once the document get to RFC the sub-type >> registry will be established by IANA. >> >> The flags field (one octet) currently has 3 bits reserved. In the past, >> we've not done a registry for such cases (c.f. graceful restart) until we >> need to start carving out those reserved bits for future extensions. I >> leave it to the chairs' opinion whether we want this a priori or not. >> >> *G/* >> >> >> > >> > Thank you for considering this draft. >> > >> > Cheerily, Susan Hares >> > >> > _______________________________________________ >> > Idr mailing list >> > Idr@ietf.org >> > https://www..ietf.org/mailman/listinfo/idr >> <https://www.ietf.org/mailman/listinfo/idr> >> >> _______________________________________________ >> Idr mailing list >> Idr@ietf.org >> https://www.ietf..org/mailman/listinfo/idr >> <https://www.ietf.org/mailman/listinfo/idr> >> >> _______________________________________________ >> Idr mailing list >> Idr@ietf.org >> https://www.ietf.org/mailman/listinfo/idr >> > _______________________________________________ > Idr mailing list > Idr@ietf.org > https://www.ietf.org/mailman/listinfo/idr > >
- [Idr] WG LC draft-ietf-idr-flowspec-path-redirect… Susan Hares
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Zhuangshunwan
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Wanghaibo (Rainsword)
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Van De Velde, Gunter (Nokia - BE/Antwerp)
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Rabadan, Jorge (Nokia - US/Mountain View)
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Lizhenbin
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Jeffrey Haas
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Aissaoui, Mustapha (Nokia - CA/Ottawa)
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Bidgoli, Hooman (Nokia - CA/Ottawa)
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Henderickx, Wim (Nokia - BE/Antwerp)
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Van De Velde, Gunter (Nokia - BE/Antwerp)
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Robert Raszuk
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Gunter Van De Velde
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Robert Raszuk
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Keyur Patel
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Chengli (Cheng Li)
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Dongjie (Jimmy)
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Jeffrey Haas
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Jeffrey Haas
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Robert Raszuk
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Van De Velde, Gunter (Nokia - BE/Antwerp)
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Van De Velde, Gunter (Nokia - BE/Antwerp)
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Robert Raszuk
- Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redi… Jeffrey Haas