Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redirect-10.txt [11/17/2019 to 12/2/2019]

Robert Raszuk <robert@raszuk.net> Fri, 29 November 2019 14:01 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA062120800 for <idr@ietfa.amsl.com>; Fri, 29 Nov 2019 06:01:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vGjp9awcsWx9 for <idr@ietfa.amsl.com>; Fri, 29 Nov 2019 06:01:47 -0800 (PST)
Received: from mail-qv1-xf2d.google.com (mail-qv1-xf2d.google.com [IPv6:2607:f8b0:4864:20::f2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9DA41200E9 for <idr@ietf.org>; Fri, 29 Nov 2019 06:01:46 -0800 (PST)
Received: by mail-qv1-xf2d.google.com with SMTP id c2so4439657qvp.12 for <idr@ietf.org>; Fri, 29 Nov 2019 06:01:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sltgVsgNATSMyWUUa4foqh516D9goxgUjj5GU0akvWU=; b=EQRyU+KTSg5pEIANc/6JpPL1vUsIvgrP8Z5XRAHy+tbNdUmmIYItZlcXASnG3o2UiY Ui+tVhnIrfN+7eUZkHy/2Ma1k0rA+6ClgYM0DIw7nfmn16P1gHweqBNi5n91ck76hV36 Mf/4u+03TCpZmVEMz+F0Yb21W8AMoSHQ3nLvUjMS4u8QG04XdEbRscIXds72jxZc2+8Y cHnFATsnoXQ9rSUC6bMmdf0roAakdbyACG6HEZi3jaeWR3POnKzwj9IdbiekXyrD/U+f gUwmJ80tyus9rHmp0oEVTR847db/PuYM6B6e1m3asTtIpbulP7HiYU0sOXp/FXXi9cfH Ga+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sltgVsgNATSMyWUUa4foqh516D9goxgUjj5GU0akvWU=; b=rent3ufCDRE0gg6lE0Ypsz6Cg55LhJZz8A1br35XZaHXbxIffwt4u5hjkQQrz4Ah0O o7ucclc6Dqg/8SvYamQdRmQMiI9GSuN1wqG+cnp5gi6TC41EPoksDxbVPUcDY1I2kb3l BGMm8CFXlgMvP6sLuSRRSE5ah9Rp5yOZkPJJTTLCaFV707FxPfjaHVuHNP/jlgUmWW1E rUtlDiDU0jzNvl6A2icVdWdhKDKGFyl1Qx3+iV//dxRQif7eqAJlXw8wLtbZt75FoWw4 HUNrwHmOn+3AeTuHvRr1uijNxj0/JIWsoB6o+fI8nhsbVu5RhbzvTF6R141QMP9+uFUT fjzw==
X-Gm-Message-State: APjAAAWHQJ/EzMMpWkhVfm4JT6f+w7zSCmubWVJRO9RkN6BgN+/ss+Rb XvgUoHdCu6qkBD+pLJSy7VluVhdr/Mu4lJP3w+lkSA==
X-Google-Smtp-Source: APXvYqwZ140nHS8xnxLwrmdRwphUG1O0bad8Ais5zzji3OSojRKbO9LJHPrCnadJL9st//L8gf4T+URko7/Y7LggA+g=
X-Received: by 2002:a0c:893d:: with SMTP id 58mr6846832qvp.4.1575036105776; Fri, 29 Nov 2019 06:01:45 -0800 (PST)
MIME-Version: 1.0
References: <e31b9ee1-6c36-48ff-85e7-adb6273d4cad@me.com>
In-Reply-To: <e31b9ee1-6c36-48ff-85e7-adb6273d4cad@me.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Fri, 29 Nov 2019 15:01:30 +0100
Message-ID: <CAOj+MMG_6SAs3_Pay_=14s02euTCuQex+VXaOY1op4q2-H8o3A@mail.gmail.com>
To: Gunter Van De Velde <guntervandeveldecc@icloud.com>
Cc: "Van De Velde, Gunter (Nokia - BE/Antwerp)" <gunter.van_de_velde@nokia.com>, "idr@ietf.org" <idr@ietf.org>, Sue Hares <shares@ndzh.com>
Content-Type: multipart/alternative; boundary="00000000000097f6ff05987cab51"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/oKD6VweYfUpLTI3VvtBkNRwcT5g>
Subject: Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redirect-10.txt [11/17/2019 to 12/2/2019]
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Nov 2019 14:01:51 -0000

Gunter,

What is there to validate ? You validate if the flow spec update is
legitimate and at most comparing destination match against unicast src
which in all of redirect use cases will be disabled anyway - you can not
possibly consider valid rule to redirect coming from your eBGP peer :).

Also pls observe that you never validate actual actions ... what I am
suggesting is just a little add-on in actions.

Thx,
R.

On Fri, Nov 29, 2019 at 11:13 AM Gunter Van De Velde <
guntervandeveldecc@icloud.com> wrote:

> Hi Robert,
>
> While understanding your point, it does feel like opening a potential can
> of worms with respect to validation of all possible combinations humanly
> possible. Is the use-case for this capability solid enough that we need
> this complication? There seems nothing broken with keeping things simple.
>
> G/
>
> Sent from iCloud
>
> On November 29, 2019 at 10:34 AM, Robert Raszuk <robert@raszuk.net> wrote:
>
> Gunter,
>
> To your and Jeff's point regarding multiple redirect rules I have a bit
> different perspective.
>
> First let's observe that redirect could be realized in two forms (both are
> valid and used in practice):
>
> -A- redirect of the original flow
> -B- redirect of copy of the flow
>
> See while in -A- clearly one redirect must be used, in -B- on the
> other hand multiple redirects should be supported. One span, one security
> TAP, one TCP analyzer etc ...
>
> Your draft defines -A-. To add -B- all what is needed is just one bit
> flag.
>
> Would you consider it ?
>
> Cheers,
> R.
>
>
>
>
>
> On Fri, Nov 29, 2019 at 4:51 AM Van De Velde, Gunter (Nokia - BE/Antwerp) <
> gunter.van_de_velde@nokia.com> wrote:
>
>> Hi Jeff,
>>
>> Thanks for the feedback and suggestions.
>>
>> See inline: *GV>*
>>
>> -----Original Message-----
>> From: Idr <idr-bounces@ietf.org> On Behalf Of Jeffrey Haas
>> Sent: Thursday, November 28, 2019 20:21
>> To: Sue Hares <shares@ndzh.com>
>> Cc: idr@ietf.org
>> Subject: Re: [Idr] WG LC draft-ietf-idr-flowspec-path-redirect-10.txt
>> [11/17/2019 to 12/2/2019]
>>
>> Sue,
>>
>>
>>
>> > On Nov 18, 2019, at 12:41 AM, Susan Hares <shares@ndzh.com> wrote:
>> >
>> > This begins a 2 week WG Last call on
>> draft-idr-flowspec-path-redirect-10.txt from [11/17/2019 to 12/2/2019].
>> >
>> > You can obtain the draft at:
>> >
>> > https://datatracker.ietf.org/doc/draft-ietf-idr-flowspec-path-redirect/
>> >
>> > Consider in your review whether this draft:
>> >
>> > 1)      Is compatible with draft-ietf-rfc5575bis-17.txt?
>>
>> Yes.  (Close enough.)  The current version of the draft is implementable.
>>
>> > 2)      Whether the draft is useful for deployments of flow
>> specification
>>
>> It can be useful.
>>
>> > 3)      Is this technology ready for deployment?
>> > 4)      Is the write-up of this technology in
>> draft-ietf-idr-flowspec-path-redirect clearly written and ready for
>> publication?
>>
>> Ready with minor issues, IMO:
>>
>> Procedure-wise, there needs to be a bit more text covering cases about
>> interactions with other traffic actions.  This was a known headache for
>> similar drafts such as redirect-to-ip.  In particular, interaction with
>> redirect-to-ip and redirect-to-vrf is needed.
>>
>> GV> Section “6. Validation Procedures” gives input on this. We discussed
>> this with you long ago and hence this text was added.
>>
>> “
>>    While it MUST NOT happen, and is seen as invalid combination, it is
>>    possible from a semantics perspective to have multiple clashing
>>    redirect actions defined within a single flowspec rule.  For best and
>>    consistant compatibility with legacy implementations, the redirect
>>    functionality as documented by rfc5575bis MUST NOT be broken, and
>>    hence when a clash occurs, then rfc5575bis based redirect MUST take
>>    priority.
>> “
>>
>> This means that redirect-to-VRF will take absolute priority to not break
>> rfc5575bis behavior.
>> Having also redirect-to-ip will result in an invalid
>>
>>
>> The text "A single flowspec rule MUST NOT have more as one indirection-id
>> per S-ID.  On a flowspec client the indirection-id with lowest S-ID MUST be
>> imposed first for any given flowspec entry."  There's no procedure for what
>> happens in error handling when you do have more than one of the same S-ID.
>> The text about the case for S-ID of 0 is also a bit ambiguous.  It feels
>> like it's reading "there is no sequence", but what do you do when you then
>> have ones that do?
>>
>> *GV>* What about the following rewrite:
>>
>> Original:
>>    The 'S-ID' field identifies a 4 bit Sequence ID field.  This field is
>>    used to provide a flowspec client an indication how and where to
>>    sequence the received indirection-ids.  The Sequence ID value 0
>>    indicates that Sequence ID field is NOT set and SHOULD be ignored.  A
>>    single flowspec rule MUST NOT have more as one indirection-id per
>>    S-ID.  On a flowspec client the indirection-id with lowest S-ID MUST
>>    be imposed first for any given flowspec entry.
>>
>> New:
>>    The 'S-ID' field identifies a 4 bit Sequence ID field.  This field is
>>    used to provide a flowspec client an indication how and where to
>>    sequence the received indirection-ids.  The Sequence ID value 0
>>    indicates that Sequence ID field is NOT set and *****all** other
>> sequence ID's***
>>    SHOULD be ignored.  A
>>    single flowspec rule MUST NOT have more as one indirection-id per
>>    S-ID.  On a flowspec client the indirection-id with lowest S-ID MUST
>>    be imposed first for any given flowspec entry.
>>
>> *GV>* In section *6. Validation procedure" there is text to handle the
>> error condition when the flowspec rule results in an invalid redirection,
>> that prescribe what needs to happen when the “redirect to indirection-id”
>> does not result in a valid redirection:
>>
>> "
>>    While it MUST NOT happen, and is seen as invalid combination, it is
>>    possible from a semantics perspective to have multiple clashing
>>    redirect actions defined within a single flowspec rule.  For best and
>>    consistant compatibility with legacy implementations, the redirect
>> *   functionality as documented by rfc5575bis MUST NOT be broken*, and
>>    hence when a clash occurs, then *rfc5575bis based redirect MUST take*
>> *   priority*.  Additionally, if the "Redirect to indirection-id" does
>> not
>>    result in a valid redirection, then the flowspec rule MUST be
>>    processed as if the "Redirect to indirection-id" community was not
>>    attached to the flowspec route.
>> "
>>
>> *GV>* Is there more to add to this? (We could add a line to detail that
>> “redirect-to-ip” is incompatible with “redirect to indirection-id” and
>> result in invalid redirection rule, however to me that is already implied
>> with enough detail in the text above)
>>
>> A few IANA issues:
>> I see the type registry is currently registered with IANA (code point
>> 0x09).  However, the sub-type registry is not established for some reason?
>> The ID-Type field likely needs its own IANA registry.  Values 1-5 are
>> defined in this draft.
>>
>> *GV>* Correct. There is a reason for this. When we asked IANA the
>> code-points they informed me that once the document get to RFC the sub-type
>> registry will be established by IANA.
>>
>> The flags field (one octet) currently has 3 bits reserved.  In the past,
>> we've not done a registry for such cases (c.f. graceful restart) until we
>> need to start carving out those reserved bits for future extensions.  I
>> leave it to the chairs' opinion whether we want this a priori or not.
>>
>> *G/*
>>
>>
>> >
>> > Thank you for considering this draft.
>> >
>> > Cheerily, Susan Hares
>> >
>> > _______________________________________________
>> > Idr mailing list
>> > Idr@ietf.org
>> > https://www..ietf.org/mailman/listinfo/idr
>> <https://www.ietf.org/mailman/listinfo/idr>
>>
>> _______________________________________________
>> Idr mailing list
>> Idr@ietf.org
>> https://www.ietf..org/mailman/listinfo/idr
>> <https://www.ietf.org/mailman/listinfo/idr>
>>
>> _______________________________________________
>> Idr mailing list
>> Idr@ietf.org
>> https://www.ietf.org/mailman/listinfo/idr
>>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
>