Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
"Smith, Donald" <Donald.Smith@CenturyLink.com> Fri, 11 May 2018 20:36 UTC
Return-Path: <Donald.Smith@CenturyLink.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 560F212D879; Fri, 11 May 2018 13:36:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L8U5wTKAYwyo; Fri, 11 May 2018 13:36:23 -0700 (PDT)
Received: from lxdnp29m.centurylink.com (lxdnp29m.centurylink.com [155.70.32.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F099B127873; Fri, 11 May 2018 13:36:22 -0700 (PDT)
Received: from lxomp90v.corp.intranet (emailout.qintra.com [151.117.203.59]) by lxdnp29m.centurylink.com (8.14.8/8.14.8) with ESMTP id w4BKaKUc061280 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 11 May 2018 14:36:20 -0600
Received: from lxomp90v.corp.intranet (localhost [127.0.0.1]) by lxomp90v.corp.intranet (8.14.8/8.14.8) with ESMTP id w4BKaEJg047987; Fri, 11 May 2018 15:36:14 -0500
Received: from lxdnp31k.corp.intranet (lxomp81v.corp.intranet [151.117.18.14]) by lxomp90v.corp.intranet (8.14.8/8.14.8) with ESMTP id w4BKaEWW047980 (version=TLSv1/SSLv3 cipher=AES256-SHA256 bits=256 verify=NO); Fri, 11 May 2018 15:36:14 -0500
Received: from lxdnp31k.corp.intranet (localhost [127.0.0.1]) by lxdnp31k.corp.intranet (8.14.8/8.14.8) with ESMTP id w4BKaEpE018527; Fri, 11 May 2018 14:36:14 -0600
Received: from vddcwhubex502.ctl.intranet (vddcwhubex502.ctl.intranet [151.119.128.29]) by lxdnp31k.corp.intranet (8.14.8/8.14.8) with ESMTP id w4BKaEmr018523 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 11 May 2018 14:36:14 -0600
Received: from PDDCWMBXEX503.ctl.intranet ([fe80::9033:ef22:df02:32a9]) by vddcwhubex502.ctl.intranet ([151.119.128.29]) with mapi id 14.03.0339.000; Fri, 11 May 2018 14:36:13 -0600
From: "Smith, Donald" <Donald.Smith@CenturyLink.com>
To: "Jakob Heitz (jheitz)" <jheitz@cisco.com>, "Juan Alcaide (jalcaide)" <jalcaide@cisco.com>, John Scudder <jgs@juniper.net>, "idr@ietf. org" <idr@ietf.org>
CC: "nl7942@att.com" <nl7942@att.com>, "Schiel, John" <John.Schiel@centurylink.com>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>
Thread-Topic: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
Thread-Index: AQHT3ZkE/arcG/QefEmi41lu0QPjP6QpwroA//+fEJ6AARx2AIAANIT8gACqhwD//6L4TIAAaKGA//+pyVI=
Date: Fri, 11 May 2018 20:36:13 +0000
Message-ID: <68EFACB32CF4464298EA2779B058889D53DB514E@PDDCWMBXEX503.ctl.intranet>
References: <DB4DB79D-22DD-45A7-980A-B33C5E58C1C7@juniper.net> <2997BE5D-F4C6-4AC2-9B00-126436FC5141@juniper.net> <68EFACB32CF4464298EA2779B058889D53DB49B4@PDDCWMBXEX503.ctl.intranet> <e0e1857b46104431be4f655fe8d1e0b1@XCH-ALN-014.cisco.com> <68EFACB32CF4464298EA2779B058889D53DB4D80@PDDCWMBXEX503.ctl.intranet>, <7cc92070-d480-cd91-e572-36dc36836732@cisco.com> <68EFACB32CF4464298EA2779B058889D53DB50BF@PDDCWMBXEX503.ctl.intranet>, <a5c07854cdba4e09b7fd6c3751acfbf2@XCH-ALN-014.cisco.com>
In-Reply-To: <a5c07854cdba4e09b7fd6c3751acfbf2@XCH-ALN-014.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [151.119.128.7]
Content-Type: multipart/alternative; boundary="_000_68EFACB32CF4464298EA2779B058889D53DB514EPDDCWMBXEX503ct_"
MIME-Version: 1.0
X-TM-AS-MML: disable
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/v6Fllitt00_GjwkOiaPHY9SMgXY>
Subject: Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 May 2018 20:36:26 -0000
Customer M | | | | | | ISPA------ISPB ISPA sees a large DDoS attack against customer M and triggers a flowspec rule internally and to ISPB. But ISPB has customer M connections too (one or more) and receives BGP announcements from them (or has a static or ... but has routes that would be preferred internally), thus the flowspec check would fail right? Metric System < +000 > -000 Extra People's Terribly Good Meals Kept mY uNCLE Ned Purring For Ages Exa Peta Tera Giga Mega Kilo milli Micro(u) Nano Pico Femto Atto Donald.Smith@centurylink.com<mailto:Donald.Smith@centurylink.com> ________________________________ From: Jakob Heitz (jheitz) [jheitz@cisco.com] Sent: Friday, May 11, 2018 1:39 PM To: Smith, Donald; Juan Alcaide (jalcaide); John Scudder; idr@ietf. org Cc: nl7942@att.com; Schiel, John; draft-ietf-idr-bgp-flowspec-oid@ietf.org Subject: RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 Sorry Donald, Can you draw a diagram or reword your scenario? Thanks, Jakob From: Smith, Donald <Donald.Smith@CenturyLink.com> Sent: Friday, May 11, 2018 12:30 PM To: Juan Alcaide (jalcaide) <jalcaide@cisco.com>; Jakob Heitz (jheitz) <jheitz@cisco.com>; John Scudder <jgs@juniper.net>; idr@ietf. org <idr@ietf.org> Cc: nl7942@att.com; Schiel, John <John.Schiel@centurylink.com>; draft-ietf-idr-bgp-flowspec-oid@ietf.org Subject: RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 I am not entirely sure if that works here or not. But I think with that you could show some AS as the last AS in the past (far left) and maybe not show the original customer AS? As long as your advertising that space to me, and I don't have a better path it should work. Now what happens when a customer is a customer of ISP A and ISP B both have routes to it, if A advertises flowspec to B for that network wouldn't it be blocked as the best path to the customer inside of B is B's path. This is actually a different problem, or subset of the original issue. What should happen in that case? I might want to take action, I might not be seeing a huge flood, while the original announcer (A) is and wants us to take action as they expect we will be seeing that traffic soon? Metric System < +000 > -000 Extra People's Terribly Good Meals Kept mY uNCLE Ned Purring For Ages Exa Peta Tera Giga Mega Kilo milli Micro(u) Nano Pico Femto Atto Donald.Smith@centurylink.com<mailto:Donald.Smith@centurylink.com> ________________________________ From: Juan Alcaide (jalcaide) [jalcaide@cisco.com] Sent: Friday, May 11, 2018 12:57 PM To: Smith, Donald; Jakob Heitz (jheitz); John Scudder; idr@ietf. org Cc: nl7942@att.com<mailto:nl7942@att.com>; Schiel, John; draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org> Subject: Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 Don, (just to be clear, this has nothing to directly with the redirect extended-community draft) We already thought about it and added a 'clause' in the last revision. "Optionally, an implementation could be configured to allow only flow specification NLRIs containing only a subset of ASes. This could be useful, for example, with networks that consist of multiple ASes that operate under the same administrative domain." This is not what you want? -J On 5/11/2018 4:50 PM, Smith, Donald wrote: That would work of course MAY would be caps :) But that should cover the case I was describing. All the other BGP security issues would still apply. Cc'ing the two architects that have been working on this concept with me, in case they have anything to add. Metric System < +000 > -000 Extra People's Terribly Good Meals Kept mY uNCLE Ned Purring For Ages Exa Peta Tera Giga Mega Kilo milli Micro(u) Nano Pico Femto Atto Donald.Smith@centurylink.com<mailto:Donald.Smith@centurylink.com> ________________________________ From: Jakob Heitz (jheitz) [jheitz@cisco.com<mailto:jheitz@cisco.com>] Sent: Thursday, May 10, 2018 11:39 PM To: Smith, Donald; John Scudder; idr@ietf. org Cc: draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org> Subject: RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 I support the draft. Donald, are you saying that AS1 should accept a flowspec rule from AS2 for traffic going to AS3? If AS1 can trust the flowspec from AS2, then I don't see why not. Maybe we can add text to the effect of: The rules stated here are for default behavior. Local policy may allow flow specifications from other EBGP neighbors to be accepted. Thanks, Jakob From: Idr <idr-bounces@ietf.org><mailto:idr-bounces@ietf.org> On Behalf Of Smith, Donald Sent: Thursday, May 10, 2018 11:58 AM To: John Scudder <jgs@juniper.net><mailto:jgs@juniper.net>; idr@ietf. org <idr@ietf..org><mailto:idr@ietf..org> Cc: draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org> Subject: Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 This supports some of the bi-lateral, ddos-peering work we want to do, so support. https://pc.nanog.org/static/published/meetings/NANOG71/1447/20171003_Levy_Operationalizing_Isp_v2.pdf That is almost always going to be between some set of systems not one hop away, not directly in the forwarding plane, probably not really IBGP peers. " It thus becomes necessary to modify step (a) of the RFC 5575<https://tools.ietf.org/html/rfc5575> validation procedure such that an IBGP peer that is not within the data forwarding plane may originate flow specification NLRIs." While you could have the IBGP peer directly in the forwarding plane, forward it like a route reflector, requiring it to seems counter intuitive as it is more likely to come from some BGP speaking tool in ISP requesting the filter. Next lots of references to IBGP and a few to EBGP, when I think of IBGP, IBGP is internal to a single AS (yes I know there are exceptions) but that is kind of the meaning, while this is mostly between peers (whom could do IBGP between them but is that required? Can't we validate without IBGP direct connections?) Metric System < +000 > -000 Extra People's Terribly Good Meals Kept mY uNCLE Ned Purring For Ages Exa Peta Tera Giga Mega Kilo milli Micro(u) Nano Pico Femto Atto Donald.Smith@centurylink.com<mailto:Donald.Smith@centurylink.com> ________________________________ From: Idr [idr-bounces@ietf.org<mailto:idr-bounces@ietf.org>] on behalf of John Scudder [jgs@juniper.net<mailto:jgs@juniper.net>] Sent: Thursday, May 10, 2018 12:28 PM To: idr@ietf. org Cc: draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org> Subject: Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 Hi All, On Apr 26, 2018, at 3:58 PM, John Scudder <jgs@juniper.net<mailto:jgs@juniper.net>> wrote: The authors have requested a working group last call for draft-ietf-idr-bgp-flowspec-oid-06. Please respond with your comments before Friday, May 11. A quick update on the status of this WGLC: - All the authors have responded about IPR (thank you!). - Three people who are not authors (Acee, Shyam, Keyur) have responded supporting publication. - Nobody has responded with other comments or opposition. Three respondents is not a very large number; it would be helpful if others would chime in. The WGLC period is scheduled to end tomorrow. Thanks, --John This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments. This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments. _______________________________________________ Idr mailing list Idr@ietf.org<mailto:Idr@ietf.org> https://www.ietf.org/mailman/listinfo/idr This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments. This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
- [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06 John Scudder
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Acee Lindem (acee)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… David Smith (djsmith)
- Re: [Idr] FW: WGLC for draft-ietf-idr-bgp-flowspe… Clarence Filsfils (cfilsfil)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… UTTARO, JAMES
- Re: [Idr] FW: WGLC for draft-ietf-idr-bgp-flowspe… Juan Alcaide (jalcaide)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Shyam Sethuram
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Keyur Patel
- Re: [Idr] FW: WGLC for draft-ietf-idr-bgp-flowspe… Pradosh Mohapatra
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… John Scudder
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Smith, Donald
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Jakob Heitz (jheitz)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Kasavchenko, Kirill
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Smith, Donald
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Juan Alcaide (jalcaide)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Smith, Donald
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Jakob Heitz (jheitz)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Juan Alcaide (jalcaide)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Smith, Donald
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Jakob Heitz (jheitz)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… John Schiel
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… Juan Alcaide (jalcaide)
- Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oi… LINGALA, AVINASH
- [Idr] FW: FW: WGLC for draft-ietf-idr-bgp-flowspe… Susan Hares