IETF Logo Mail Archive

Re: [Idr] Question about draft-haas-flowspec-capability-bits-02

Robert Raszuk <robert@raszuk.net> Tue, 22 June 2021 21:09 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D29D93A19D7 for <idr@ietfa.amsl.com>; Tue, 22 Jun 2021 14:09:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G5O1Ya6SV-A9 for <idr@ietfa.amsl.com>; Tue, 22 Jun 2021 14:08:58 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94E383A19D1 for <idr@ietf.org>; Tue, 22 Jun 2021 14:08:57 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id k8so70729lja.4 for <idr@ietf.org>; Tue, 22 Jun 2021 14:08:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3A1f5srJRYkKDJ8D/94DOwYT+5Aa8yNwC6vzADFk2vY=; b=a7whRuzuKI/X/rt5GJaI6LOUgt3k9+zaF7BRtsTAEgmk+J53XXZp/xxyw8tZXJAH6P H9H2hsrqnBWHstKLiu5dCKd1O+p89pDuCAqsn/jPkU69+L7dPR1ygLOBsEDvyNcMgj0c uHM8Ahr7/SMOEpEFIxiEwp7006nfozfhoB+fAojuTjETkmZfitdJf+w1X97m0m3h0Uvi UNI5VQucdH9a/9rjAOW6NeHbzXjlRy59v+JNnEr8Auj4EB3Bk6x8rixTjhZFn9DIeg33 U8w/t94jbFOXSw6o88aUZM9yCc/DzjGqHVSyk+AvL5YUkQjbYhX8ttFutUOLrb2a+li+ cNGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3A1f5srJRYkKDJ8D/94DOwYT+5Aa8yNwC6vzADFk2vY=; b=oarkX+vM6QZPV7le6aJYKbJzNTxV2zwkQ4MTk7y33Jv80wDPYJpgDr0LkdwpffTvJk VuR0Uz01XEEO0VuA94Uj0UmhMZxoleFagbwLH3xnYqUSPsYQNZfCElb0JEHV9IoBO5UV 8bz/q/PY0nEWZXB6z70l7+0FOPU2PGjBn7YpDSw+mNx0nXP9dM55sjxy0o9NkcTUSPwx wnSvoey5Dhs+JrFZFf5Lo5lu6t2aMZHQveencHngY+YWB29eEvqZsjAp0ox0lqgD/dfr rBxLfQoboAnyRDjJWo+z9tch/Da8pFOEEj6Ga7u4THZL2SFSm9aGuXYsqMfElhJ+MFHe /ipQ==
X-Gm-Message-State: AOAM530E4ikLnQKt060IqvzJP8TzM727ha3TjS4HtFvKp2d45kdQfcoT v1mr3S+knIwRndzVbTPCNkamd3cKRDOOF7kFbha8aQ==
X-Google-Smtp-Source: ABdhPJwM1eJYUx4lIwozJ/IiUhilntpuEGpDpzo2LgZ938FBDjEqb0zv546lUABVhArXzardiwO4MAMcC+tBMhJsdes=
X-Received: by 2002:a2e:6c03:: with SMTP id h3mr5125413ljc.199.1624396134267; Tue, 22 Jun 2021 14:08:54 -0700 (PDT)
MIME-Version: 1.0
References: <CO1PR13MB4920AD5CA604B232E294B978A90A9@CO1PR13MB4920.namprd13.prod.outlook.com> <CO1PR13MB4920A5147F8441F1FD0FBD46A90A9@CO1PR13MB4920.namprd13.prod.outlook.com> <20210622123828.GB23751@pfrc.org> <CO1PR13MB4920075B30135CB1E679D879A9099@CO1PR13MB4920.namprd13.prod.outlook.com> <20210622183654.GA5863@pfrc.org> <CAOj+MMHwMhmQ1gfdANr6STFi8N2z7Ef_EzFwhB4L=h3iwWt56w@mail.gmail.com> <BYAPR11MB3207DBB18C96DD662FDB99ECC0099@BYAPR11MB3207.namprd11.prod.outlook.com> <CAOj+MMHGdqg23Q477WP0TwFwfiTwihGKDC084tB+QDeJBoGNzQ@mail.gmail.com> <BYAPR11MB32074AE1EEBEE7FDF91A5C59C0099@BYAPR11MB3207.namprd11.prod.outlook.com>
In-Reply-To: <BYAPR11MB32074AE1EEBEE7FDF91A5C59C0099@BYAPR11MB3207.namprd11.prod.outlook.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Tue, 22 Jun 2021 23:08:43 +0200
Message-ID: <CAOj+MMG7u09hUCkcQC-KBFWMMOr0pO3bepUKnQJtRb6EPcfrAg@mail.gmail.com>
To: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
Cc: Jeffrey Haas <jhaas@pfrc.org>, "idr@ietf.org" <idr@ietf.org>, "draft-haas-flowspec-capability-bits@ietf.org" <draft-haas-flowspec-capability-bits@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008ed25705c561327c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/pMR1bpFq1lADdyqdK_JSH-NdaxY>
Subject: Re: [Idr] Question about draft-haas-flowspec-capability-bits-02
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Jun 2021 21:09:04 -0000

Nope ... nothing to do with capabilities here.

DDoS is a real problem.  FSv1 is a tool to dynamically signal granular
filtering to mitigate it as close to the src as possible.

The moment you trash it with new capabilities (for example to push
configuration by BGP) you are killing its main use case which is DDoS
protection.

That in my books is a harm to a working BGP extension (FSv1).

Best,
R.

On Tue, Jun 22, 2021 at 11:03 PM Jakob Heitz (jheitz) <jheitz@cisco.com>
wrote:

> I hope you're not suggesting that adding capabilities causes harm.
>
> BGP was working fine before https://datatracker.ietf.org/doc/html/rfc2842
>
> And then we improved it.
>
>
>
> Regards,
>
> Jakob.
>
>
>
> *From:* Robert Raszuk <robert@raszuk.net>
> *Sent:* Tuesday, June 22, 2021 1:57 PM
> *To:* Jakob Heitz (jheitz) <jheitz@cisco.com>
> *Cc:* Jeffrey Haas <jhaas@pfrc.org>; idr@ietf.org;
> draft-haas-flowspec-capability-bits@ietf.org
> *Subject:* Re: [Idr] Question about draft-haas-flowspec-capability-bits-02
>
>
>
>
>
> Still no need for per type capability bits ...
>
>
>
> > but nowhere does it say it can prohibit development.
>
> > So, prohibiting development of FSv1 is overstepping the charter, IMO.
>
>
>
> That is a very interesting interpretation.
>
>
>
> "Do no harm to what is working fine" is to me much more important across
> entire IETF then any WG charter itself.
>
>
>
> Best,
> R.
>
>
>
>
>
>
>
>
>
> On Tue, Jun 22, 2021 at 10:50 PM Jakob Heitz (jheitz) <jheitz@cisco.com>
> wrote:
>
> This behavior would need a capability too.
>
> Else the session dies with malformed update.
>
>
>
> That is the entire issue. FS can't be extended without a new capability
>
> else the session dies with malformed update.
>
>
>
> Now that we need a capability, I think Jeff's draft hits the sweet spot.
>
>
>
> Oh and BTW, I see the IDR charter says:
>
> chartered to standardize,
> develop, and support
>
> but nowhere does it say it can prohibit development.
>
> So, prohibiting development of FSv1 is overstepping the charter, IMO.
>
>
>
> Regards,
>
> Jakob.
>
>
>
> *From:* Idr <idr-bounces@ietf.org> *On Behalf Of *Robert Raszuk
> *Sent:* Tuesday, June 22, 2021 11:25 AM
> *To:* Jeffrey Haas <jhaas@pfrc.org>
> *Cc:* idr@ietf.org; draft-haas-flowspec-capability-bits@ietf.org
> *Subject:* Re: [Idr] Question about draft-haas-flowspec-capability-bits-02
>
>
>
> Jeff,
>
>
>
> Thinking a bit more on this there could be yet another middle road
> solution .. not that I would advocate it, but perhaps would not oppose it.
>
>
>
> You may send (read spray in classic BGP way) new Type and mandate it as
> MUST that for such new Types MP_REACH would carry only single NLRI. Sure
> packing is gone but I am yet to see any study proving packing value with
> FSv1.
>
>
>
> That way you could in fact also not do any capabilities as the entire
> operation basis would be to just silently drop what you do not understand.
>
>
>
> Is this really bad ... Well if you ack that even understanding by BGP a
> new Type does not guarantee at all that this will end up in data plane
> maybe dropping it is not a big deal.
>
>
>
> And even if we go to FSv2, capabilities only get you and peer to
> understand each other. Any crowd behind the peer is still one big unknown
> in terms of new Types support.
>
>
>
> But please do not take this message as a change to my opinion that all new
> work should go to FSv2. It still stands ... This above is sort of a
> response to this thread between Linda and yourself.
>
>
>
> Many thx,
> R.
>
>
>
> On Tue, Jun 22, 2021 at 8:11 PM Jeffrey Haas <jhaas@pfrc.org> wrote:
>
> Linda,
>
> On Tue, Jun 22, 2021 at 02:15:24PM +0000, Linda Dunbar wrote:
> > Based on the TYPE, the receiver can get the "length" field properly. Why
> it is a problem?
>
> Because for a new component type, you don't know where length is for that
> type, nor how long.
>
> > Type 1 and Type 2 have Length Field. For the Types using "Numeric
> Operator" or "Bitmask Operator", there is "Length" field as well.
> >
> > If I introduce a new type, Type 14, can I just use the format as Type 1
> or Type 2?
>
> We can do anything we like as long as we have rules for it.  Right now,
> flowspec doesn't have consistent rules among the types.  We have two
> styles.
>
> If this were a normal TLV protocol, length wouldn't be arbitrarily
> specified.  That's one of the motivations for flowspec v2.  And, similarly,
> it's what PCEP decided to do when it leveraged flowspec encodings.
>
> The capability bits proposal attempts the middle road: An implementation
> must KNOW the rule for a component type.  This lets two implementations
> disclose to each other what types they understand.
>
> -- Jeff
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
>

v2.23.0 | Report a Bug | By Email