Re: [Idr] The Use of 'm' and 'not' bits in bitmask Flowspec component.
PVLR Pavana Murthy <pvlrpm@gmail.com> Wed, 21 February 2018 06:52 UTC
Return-Path: <pvlrpm@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 438761270A7 for <idr@ietfa.amsl.com>; Tue, 20 Feb 2018 22:52:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.997
X-Spam-Level:
X-Spam-Status: No, score=-0.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HBqemvL1_BNh for <idr@ietfa.amsl.com>; Tue, 20 Feb 2018 22:52:03 -0800 (PST)
Received: from mail-wr0-x22e.google.com (mail-wr0-x22e.google.com [IPv6:2a00:1450:400c:c0c::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62DE01200C1 for <idr@ietf.org>; Tue, 20 Feb 2018 22:52:02 -0800 (PST)
Received: by mail-wr0-x22e.google.com with SMTP id u15so1341475wrg.3 for <idr@ietf.org>; Tue, 20 Feb 2018 22:52:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=dZUbCaYtUXM8lCC52s5wfsaa3vPhFBOOmFogZ4WzOMo=; b=mKi4/50x4c/DOn1dZ6F2Da27fP7by+Y/GyxToGE7MqfNL/yDgfd615+D7O70vW5dUs gwcorxME9dC1EwKoqXstMXcy6SXU0fryFPn79wJAx6Z/Ze0SV+eUXXovwOH3j3ztct6n YIenLSZo6gek6NKFUZ1gNb9QzEP914fIm+sMgJJEd2iIfZ3TjJHWSZNK0fSRBrsdmXs/ 4FH5K6wLE5f4S3ehX4ggNZHSnNOxkKdZUqPeLP+7P3pkMM0MTz+JaJKx/vLRvjyo6SkI 7iHUstYDZanTx17MY31ijbFlt7hn+ytabL1oUgmK4hOTVGl3dXCnq+/KPlCrIdNdddgM y4Rw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=dZUbCaYtUXM8lCC52s5wfsaa3vPhFBOOmFogZ4WzOMo=; b=B2SfLQYVf+wh+P170mPWXwIqE6d8NHX4Vv0uCTIQ+HkucQJLZWEJ7Xm5GDg0RXPcCX ubTpKTPP5LFBGcWo6OdS0FJCJuxZZEw8z/X/549dKJBBfqQj2/kacCoqjcsjVOkXcsMl Yw7LMfA7F/QAn9NccphxuxOTSxpr3uIhrZAdhxg5QqLnhVvsJccjadHtoay8r7qb7ApP RZ39QsJ7kdg5cPonAk1IYMqyCSiPDQx7qM12vdH+wKqPweeSxCnFJ0x+0rveWPNTCKC0 FFYbw9vzjeTPYn+4uyOTRaZhO5oOSLn0Ts6f0TgfKprz1fLgHcZYNLic1QAYBfgAEiti uH7A==
X-Gm-Message-State: APf1xPAjGNsi5QQrRps712/gjd8d2Wo+T93Zs/jNV2f8COQmU+arkgqu nLWafZlRAJ533AFbRZbXjZFOKCPK071eu61+PtQ=
X-Google-Smtp-Source: AH8x224/QFt4/L+zy518vHixO4qXfJ2vASk5WYgfz80Q9oBPv0hu/Oa+RrVX7hn48kH1CiebaoQ97fLU2H4T31zjIWY=
X-Received: by 10.223.153.51 with SMTP id x48mr1846368wrb.216.1519195920634; Tue, 20 Feb 2018 22:52:00 -0800 (PST)
MIME-Version: 1.0
Received: by 10.223.195.200 with HTTP; Tue, 20 Feb 2018 22:52:00 -0800 (PST)
From: PVLR Pavana Murthy <pvlrpm@gmail.com>
Date: Wed, 21 Feb 2018 12:22:00 +0530
Message-ID: <CAN-MQG4F38K6MzutAxirMxHyNcpFHqjuurzDr6gyWURcgFrE1A@mail.gmail.com>
To: Christoph Loibl <c@tix.at>
Cc: idr wg <idr@ietf.org>
Content-Type: multipart/alternative; boundary="f403045f525e3196760565b35de4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/s-hePv5j9fsBDk5AV5Rq-9JrEn8>
Subject: Re: [Idr] The Use of 'm' and 'not' bits in bitmask Flowspec component.
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 06:52:05 -0000
Hi Christoph, The following is given in the RFC. 0 1 2 3 4 5 6 7 +---+---+---+---+---+---+---+---+ | e | a | len | 0 | 0 |not| m | +---+---+---+---+---+---+---+---+ not - NOT bit. If set, logical negation of operation. m - Match bit. If set, this is a bitwise match operation defined as "(data & value) == value"; if unset, (data & value) evaluates to TRUE if any of the bits in the value mask are set in the data. I will try to use all the combinations of 'not' and 'm' bits. Please let me know if the following my understanding is correct. I will try to use the mask with SYN, ACK bits of TCP header for this. [CWR ECE URG ACK PSH RST SYN FIN] mask = 0x12 1. not-0, m-0 (data & mask) != 0 i.e. either SYN or ACK bits should have been set in TCP header. 2. not-0, m-1 (data & mask) == mask i.e. SYN and ACK bits both should be set in TCP header. 3. not-1,m-0 (data & mask) == 0 i.e. both SYN and ACK bits should not be set in TCP header. 4. not-1, m-1 (data & mask) != mask i.e. at least one of SYN or ACK bits should not be set in TCP header. Thanks, Pavana. On Thu, Feb 15, 2018 at 2:35 PM, PVLR Pavana Murthy <pvlrpm@gmail.com> wrote: > Hi Christoph, > Thanks a lot for the detailed explanation. That answers my question > completely :-). > > > > On Thu, Feb 15, 2018 at 1:07 PM, Christoph Loibl <c@tix.at> wrote: > >> Hi Pavana, >> >> You can rather easily test the behaviour when you feed your case into the >> python function: >> >> def main(): >> fs1 = FS_nlri(components=[ >> FS_component(component_type=IP_DESTINATION, >> value=ipaddress.ip_network('88.88.88.0/24')), >> FS_component(component_type=4, value=bytearray([0x01, 0x46, 0x81, >> 0x50])) >> ]) >> >> fs2 = FS_nlri(components=[ >> FS_component(component_type=IP_DESTINATION, >> value=ipaddress.ip_network('88.88.88.0/24')), >> FS_component(component_type=4, value=bytearray([0x03, 0x5a, 0xc5, >> 0x6e])) >> ]) >> print(flow_rule_cmp(fs1, fs2)) >> >> What happens is (I refer to line numbers of the code in the github repo >> https://github.com/stoffi92/flowspec-cmp/blob/master/flow_cmp.py : >> >> *) The IP components are compared and as you mentioned: no decision can >> be made since the ip components are equal. (we reach line 74 for the equal >> ip components and continue with the next iteration) >> >> *) The second component _types_ are equal but not IP (we end up in the >> branch in line 80 since the components are type=4 and not 1 or 2) >> >> *) The length of the second components is compared and equal, so we >> continue in line 82 >> >> ** See below: this is basically where the compare that you asked for >> happens ** >> >> *) Now we come to the point where we compare the string of bytes one by >> one. As long as they are equal. (this is basically what memcmp does - this >> is not very explicit in the python code, since it is done by the <, > >> operators for the bytearray implicitly) >> >> In your case what it does is, that it compares 0x01 to 0x03 and figures >> out that 0x01 is the lower value so it takes the branch in line 84 and >> returns with A_HAS_PRECEDENCE from line 85 (if both of your components >> would start with 0x01 it would continue to the second byte and so on). >> >> Your first FS nlri has precedence because of the “lower” value. >> >> 01 *18 58 58 58* 04 *01 46 81 50 ----> Dst.Prefix: 88.88.88.0/24 >>> <http://88.88.88.0/24> Port: 70 | 80* >>> >>> >> Discamer: I assumed that you encoded the components themselfs correctly >> (the 01 46 81 50 and 03 5a c5 6e) >> >> Does this answer your question? >> >> Christoph >> >> -- >> Christoph Loibl >> c@tix.at | CL8-RIPE | PGP-Key-ID: 0x4B2C0055 | http://www.nextlayer.at >> >> >> >> On 15.02.2018, at 05:08, PVLR Pavana Murthy <pvlrpm@gmail.com> wrote: >> >> Hi Christoph, >> Even in the RFC5575bis, the following is given for comparing >> non-prefix type components. >> >> else: >> # assuming comp_a.value, comp_b.value of type bytearray >> if len(comp_a.value) == len(comp_b.value): >> if comp_a.value > comp_b.value: >> return B_HAS_PRECEDENCE >> if comp_a.value < comp_b.value: >> return A_HAS_PRECEDENCE >> # components equal -> continue with next component >> else: >> common = min(len(comp_a.value), len(comp_b.value)) >> if comp_a.value[:common] > comp_b.value[:common]: >> return B_HAS_PRECEDENCE >> elif comp_a.value[:common] < comp_b.value[:common]: >> return A_HAS_PRECEDENCE >> # the first common bytes match >> elif len(comp_a.value) > len(comp_b.value): >> return A_HAS_PRECEDENCE >> else: >> return B_HAS_PRECEDENCE >> >> >> *What is comp_a.value here ? Is it the binary sting of [op, value]/[op,bitmask] or only value/bitmask ?* >> >> >> Thanks, >> >> Pavana. >> >> >> On Thu, Feb 15, 2018 at 3:11 AM, Christoph Loibl <c@tix.at> wrote: >> >>> Hi Pavana, >>> >>> Did you have a look into the actual code (thanks to Job’s comment) that >>> is contained in the RFC5575bis draft which should be identical from the >>> behaviour: >>> >>> https://tools.ietf.org/html/draft-ietf-idr-rfc5575bis-06 >>> >>> Christoph >>> >>> -- >>> Christoph Loibl >>> c@tix.at | CL8-RIPE | PGP-Key-ID: 0x4B2C0055 | http://www.nextlayer.at >>> >>> >>> >>> On 12.02.2018, at 12:03, PVLR Pavana Murthy <pvlrpm@gmail.com> wrote: >>> >>> Hello, >>> In the RFC 5575, the following is given for the comparing the Flowspec >>> components of types other then prefix. >>> >>> } else { >>> common = >>> MIN(component_length(comp1), component_length(comp2)); >>> cmp = memcmp(data(comp1), data(comp2), common); >>> // not equal, lowest value has precedence >>> // equal, longest string has precedence >>> } >>> >>> >>> Here, what does *data* refrer to ? >>> >>> Is it the binary form of 1) [op, value]> / [op, bitmask] or 2) Just >>> [value] / [bitmask] >>> >>> eg: >>> >>> >>> 1) 01 *18 58 58 58* 04 *01 46 81 50 ----> Dst.Prefix: 88.88.88.0/24 >>> <http://88.88.88.0/24> Port: 70 | 80* >>> >>> 2) 01* 18 58 58 58 *04* 03 5a c5 6e ----> Dst.Prefix: >>> 88.88.88.0/24 <http://88.88.88.0/24> Port: >=90 & <= 110* >>> >>> *In the above FS rules, Dst. Prefix is same in both, so we need to >>> compare the data of next type 4 (Port). * >>> *So do we need to do memcmp of (01 46 81 50) and (03 5a c5 6e) ?* >>> >>> Thanks, >>> Pavana*.* >>> >>> >>> >>> _______________________________________________ >>> Idr mailing list >>> Idr@ietf.org >>> https://www.ietf.org/mailman/listinfo/idr >>> >>> >>> >> >> >
- Re: [Idr] The Use of 'm' and 'not' bits in bitmas… PVLR Pavana Murthy