IETF Logo Mail Archive

Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06

"Smith, Donald" <Donald.Smith@CenturyLink.com> Fri, 11 May 2018 20:36 UTC

Return-Path: <Donald.Smith@CenturyLink.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 560F212D879; Fri, 11 May 2018 13:36:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L8U5wTKAYwyo; Fri, 11 May 2018 13:36:23 -0700 (PDT)
Received: from lxdnp29m.centurylink.com (lxdnp29m.centurylink.com [155.70.32.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F099B127873; Fri, 11 May 2018 13:36:22 -0700 (PDT)
Received: from lxomp90v.corp.intranet (emailout.qintra.com [151.117.203.59]) by lxdnp29m.centurylink.com (8.14.8/8.14.8) with ESMTP id w4BKaKUc061280 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 11 May 2018 14:36:20 -0600
Received: from lxomp90v.corp.intranet (localhost [127.0.0.1]) by lxomp90v.corp.intranet (8.14.8/8.14.8) with ESMTP id w4BKaEJg047987; Fri, 11 May 2018 15:36:14 -0500
Received: from lxdnp31k.corp.intranet (lxomp81v.corp.intranet [151.117.18.14]) by lxomp90v.corp.intranet (8.14.8/8.14.8) with ESMTP id w4BKaEWW047980 (version=TLSv1/SSLv3 cipher=AES256-SHA256 bits=256 verify=NO); Fri, 11 May 2018 15:36:14 -0500
Received: from lxdnp31k.corp.intranet (localhost [127.0.0.1]) by lxdnp31k.corp.intranet (8.14.8/8.14.8) with ESMTP id w4BKaEpE018527; Fri, 11 May 2018 14:36:14 -0600
Received: from vddcwhubex502.ctl.intranet (vddcwhubex502.ctl.intranet [151.119.128.29]) by lxdnp31k.corp.intranet (8.14.8/8.14.8) with ESMTP id w4BKaEmr018523 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 11 May 2018 14:36:14 -0600
Received: from PDDCWMBXEX503.ctl.intranet ([fe80::9033:ef22:df02:32a9]) by vddcwhubex502.ctl.intranet ([151.119.128.29]) with mapi id 14.03.0339.000; Fri, 11 May 2018 14:36:13 -0600
From: "Smith, Donald" <Donald.Smith@CenturyLink.com>
To: "Jakob Heitz (jheitz)" <jheitz@cisco.com>, "Juan Alcaide (jalcaide)" <jalcaide@cisco.com>, John Scudder <jgs@juniper.net>, "idr@ietf. org" <idr@ietf.org>
CC: "nl7942@att.com" <nl7942@att.com>, "Schiel, John" <John.Schiel@centurylink.com>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>
Thread-Topic: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
Thread-Index: AQHT3ZkE/arcG/QefEmi41lu0QPjP6QpwroA//+fEJ6AARx2AIAANIT8gACqhwD//6L4TIAAaKGA//+pyVI=
Date: Fri, 11 May 2018 20:36:13 +0000
Message-ID: <68EFACB32CF4464298EA2779B058889D53DB514E@PDDCWMBXEX503.ctl.intranet>
References: <DB4DB79D-22DD-45A7-980A-B33C5E58C1C7@juniper.net> <2997BE5D-F4C6-4AC2-9B00-126436FC5141@juniper.net> <68EFACB32CF4464298EA2779B058889D53DB49B4@PDDCWMBXEX503.ctl.intranet> <e0e1857b46104431be4f655fe8d1e0b1@XCH-ALN-014.cisco.com> <68EFACB32CF4464298EA2779B058889D53DB4D80@PDDCWMBXEX503.ctl.intranet>, <7cc92070-d480-cd91-e572-36dc36836732@cisco.com> <68EFACB32CF4464298EA2779B058889D53DB50BF@PDDCWMBXEX503.ctl.intranet>, <a5c07854cdba4e09b7fd6c3751acfbf2@XCH-ALN-014.cisco.com>
In-Reply-To: <a5c07854cdba4e09b7fd6c3751acfbf2@XCH-ALN-014.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [151.119.128.7]
Content-Type: multipart/alternative; boundary="_000_68EFACB32CF4464298EA2779B058889D53DB514EPDDCWMBXEX503ct_"
MIME-Version: 1.0
X-TM-AS-MML: disable
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/v6Fllitt00_GjwkOiaPHY9SMgXY>
Subject: Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 May 2018 20:36:26 -0000






Customer M

|              |

|              |

|              |

ISPA------ISPB



ISPA sees a large DDoS attack against customer M and triggers a flowspec rule internally and to ISPB.

But ISPB has customer M connections too (one or more) and receives BGP announcements from them (or has a static or ... but has routes that would be preferred internally), thus the flowspec check would fail right?









Metric System < +000 > -000
Extra People's Terribly Good Meals Kept mY uNCLE    Ned   Purring For     Ages
Exa   Peta        Tera     Giga   Mega  Kilo milli Micro(u) Nano Pico    Femto Atto
Donald.Smith@centurylink.com<mailto:Donald.Smith@centurylink.com>
________________________________
From: Jakob Heitz (jheitz) [jheitz@cisco.com]
Sent: Friday, May 11, 2018 1:39 PM
To: Smith, Donald; Juan Alcaide (jalcaide); John Scudder; idr@ietf. org
Cc: nl7942@att.com; Schiel, John; draft-ietf-idr-bgp-flowspec-oid@ietf.org
Subject: RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06

Sorry Donald, Can you draw a diagram or reword your scenario?

Thanks,
Jakob

From: Smith, Donald <Donald.Smith@CenturyLink.com>
Sent: Friday, May 11, 2018 12:30 PM
To: Juan Alcaide (jalcaide) <jalcaide@cisco.com>; Jakob Heitz (jheitz) <jheitz@cisco.com>; John Scudder <jgs@juniper.net>; idr@ietf. org <idr@ietf.org>
Cc: nl7942@att.com; Schiel, John <John.Schiel@centurylink.com>; draft-ietf-idr-bgp-flowspec-oid@ietf.org
Subject: RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06


I am not entirely sure if that works here or not.

But I think with that you could show some AS as the last AS in the past (far left) and maybe not show the original customer AS?

As long as your advertising that space to me, and I don't have a better path it should work.



Now what happens when a customer is a customer of ISP A and ISP B both have routes to it, if A advertises flowspec to B for that network wouldn't it be blocked as the best path to the customer inside of B is B's path.

This is actually a different problem, or subset of the original issue.



What should happen in that case? I might want to take action, I might not be seeing a huge flood, while the original announcer (A) is and wants us to take action as they expect we will be seeing that traffic soon?








Metric System < +000 > -000
Extra People's Terribly Good Meals Kept mY uNCLE    Ned   Purring For     Ages
Exa   Peta        Tera     Giga   Mega  Kilo milli Micro(u) Nano Pico    Femto Atto
Donald.Smith@centurylink.com<mailto:Donald.Smith@centurylink.com>
________________________________
From: Juan Alcaide (jalcaide) [jalcaide@cisco.com]
Sent: Friday, May 11, 2018 12:57 PM
To: Smith, Donald; Jakob Heitz (jheitz); John Scudder; idr@ietf. org
Cc: nl7942@att.com<mailto:nl7942@att.com>; Schiel, John; draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org>
Subject: Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
Don,

(just to be clear, this has nothing to directly with the redirect extended-community draft)

We already thought about it and added a 'clause' in the last revision.

"Optionally, an implementation
   could be configured to allow only flow specification NLRIs containing
   only a subset of ASes.  This could be useful, for example, with
   networks that consist of multiple ASes that operate under the same
   administrative domain."

This is not what you want?

-J

On 5/11/2018 4:50 PM, Smith, Donald wrote:

That would work of course MAY would be caps :) But that should cover the case I was describing.

All the other BGP security issues would still apply.

Cc'ing the two architects that have been working on this concept with me, in case they have anything to add.




Metric System < +000 > -000
Extra People's Terribly Good Meals Kept mY uNCLE    Ned   Purring For     Ages
Exa   Peta        Tera     Giga   Mega  Kilo milli Micro(u) Nano Pico    Femto Atto
Donald.Smith@centurylink.com<mailto:Donald.Smith@centurylink.com>
________________________________
From: Jakob Heitz (jheitz) [jheitz@cisco.com<mailto:jheitz@cisco.com>]
Sent: Thursday, May 10, 2018 11:39 PM
To: Smith, Donald; John Scudder; idr@ietf. org
Cc: draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org>
Subject: RE: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
I support the draft.

Donald, are you saying that AS1 should accept a flowspec rule from AS2 for traffic going to AS3?
If AS1 can trust the flowspec from AS2, then I don't see why not.
Maybe we can add text to the effect of:
The rules stated here are for default behavior.
Local policy may allow flow specifications from other EBGP neighbors to be accepted.

Thanks,
Jakob

From: Idr <idr-bounces@ietf.org><mailto:idr-bounces@ietf.org> On Behalf Of Smith, Donald
Sent: Thursday, May 10, 2018 11:58 AM
To: John Scudder <jgs@juniper.net><mailto:jgs@juniper.net>; idr@ietf. org <idr@ietf..org><mailto:idr@ietf..org>
Cc: draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org>
Subject: Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06


This supports some of the bi-lateral, ddos-peering work we want to do, so support.



https://pc.nanog.org/static/published/meetings/NANOG71/1447/20171003_Levy_Operationalizing_Isp_v2.pdf



That is almost always going to be between some set of systems not one hop away, not directly in the forwarding plane, probably not really IBGP peers.



" It thus becomes necessary to modify step (a) of the RFC 5575<https://tools.ietf.org/html/rfc5575>
   validation procedure such that an IBGP peer that is not within the
   data forwarding plane may originate flow specification NLRIs."



While you could have the IBGP peer directly in the forwarding plane, forward it like a route reflector, requiring it to seems counter intuitive as it is more likely to come from some BGP speaking tool in ISP requesting the filter.



Next lots of references to IBGP and a few to EBGP, when I think of IBGP, IBGP is internal to a single AS (yes I know there are exceptions) but that is kind of the meaning, while this is mostly between peers (whom could do IBGP between them but is that required? Can't we validate without IBGP direct connections?)




Metric System < +000 > -000
Extra People's Terribly Good Meals Kept mY uNCLE    Ned   Purring For     Ages
Exa   Peta        Tera     Giga   Mega  Kilo milli Micro(u) Nano Pico    Femto Atto
Donald.Smith@centurylink.com<mailto:Donald.Smith@centurylink.com>
________________________________
From: Idr [idr-bounces@ietf.org<mailto:idr-bounces@ietf.org>] on behalf of John Scudder [jgs@juniper.net<mailto:jgs@juniper.net>]
Sent: Thursday, May 10, 2018 12:28 PM
To: idr@ietf. org
Cc: draft-ietf-idr-bgp-flowspec-oid@ietf.org<mailto:draft-ietf-idr-bgp-flowspec-oid@ietf.org>
Subject: Re: [Idr] WGLC for draft-ietf-idr-bgp-flowspec-oid-06
Hi All,

On Apr 26, 2018, at 3:58 PM, John Scudder <jgs@juniper.net<mailto:jgs@juniper.net>> wrote:

The authors have requested a working group last call for draft-ietf-idr-bgp-flowspec-oid-06. Please respond with your comments before Friday, May 11.

A quick update on the status of this WGLC:

- All the authors have responded about IPR (thank you!).
- Three people who are not authors (Acee, Shyam, Keyur) have responded supporting publication.
- Nobody has responded with other comments or opposition.

Three respondents is not a very large number; it would be helpful if others would chime in.

The WGLC period is scheduled to end tomorrow.

Thanks,

--John
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.



_______________________________________________

Idr mailing list

Idr@ietf.org<mailto:Idr@ietf.org>

https://www.ietf.org/mailman/listinfo/idr


This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.

v2.23.0 | Report a Bug | By Email