IETF Logo Mail Archive

Re: [Idr] WG adoption call for draft-hr-idr-rfc5575bis-02 "Dissemination of Flow Specification Rules"

Robert Raszuk <robert@raszuk.net> Thu, 24 August 2017 14:26 UTC

Return-Path: <rraszuk@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8517F132940 for <idr@ietfa.amsl.com>; Thu, 24 Aug 2017 07:26:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Level:
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yblAGUI-FlbU for <idr@ietfa.amsl.com>; Thu, 24 Aug 2017 07:26:12 -0700 (PDT)
Received: from mail-wm0-x22d.google.com (mail-wm0-x22d.google.com [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1973132351 for <idr@ietf.org>; Thu, 24 Aug 2017 07:26:11 -0700 (PDT)
Received: by mail-wm0-x22d.google.com with SMTP id p30so6746425wmi.0 for <idr@ietf.org>; Thu, 24 Aug 2017 07:26:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=SvvzcHv6go61ItFtvSjsa6DpJn5p9KR1kWsdJS+lBWQ=; b=URr1dj5Ejv66jLxgvojfN6qZJqckYHKO4sY9WTNenM46jUeNm8reeGX6PGTOzNF8Dw EyFnvCv7UjQsTM6igbYwtGlBskehNaBryWl0WaFmRp6EzeaGxUjZP00IV3oDmGMmhSYL 2WDYyAo1uNeJIU4xJzwqe1D1dBAmUkKrgl7jrSK2L5AhrI58w0rDpIF1RcmqaTcHAtmk dlMG5F4eIRO2LmtI7giZxWj7Yif/ALKRM9botqj9EHD0bTchq6biRTnJW8yGB6TUfemq n8JarcAEqxJPsjmMFfw0fiX4Yf7buTeRgkbIN4QbjXjv1myNQ1ad06cCV9oPx8ohnONo RshA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=SvvzcHv6go61ItFtvSjsa6DpJn5p9KR1kWsdJS+lBWQ=; b=uIjAOrvt1dHQdP3BAoNqjWKN06ZhJXF52nQSDQYB9iW4fnpc7u4iYkDlhbyuvo3Fys cEHO5p4JhtYW1PhlqHadK9u5QtnNPcnqq4e5Y+bkRnUFzQmrpjNvhiwHEiXtu/aQQ9kU sP5KizvOXoqpF7ZXts9U9RZrSdFLLlMod9TzQ8hzKJq1NsTitmtK+8scQTJqbNRLN3BX IrhVXkKouYwp/WhIl3BvSn3d5WGp/Dn0qjjSSVs1DbnGnIZ6rxoiKis8hYnFd3+5US6E kI09RB7iUxyY4bATqefMjk+MaP9jw0EpEMKbHq8R8TpSszrqNhZn1VFV8n3HTOk/3VqX U84g==
X-Gm-Message-State: AHYfb5hDN7SmuOTZTXSBJsJcW5NBzj9awbj1pHgBi5/H+EL74Nh1aUvY ipLmH/N1K9G8OzgXKc5TYfVJEBRhsTWn1sA=
X-Received: by 10.28.216.84 with SMTP id p81mr3576384wmg.32.1503584770285; Thu, 24 Aug 2017 07:26:10 -0700 (PDT)
MIME-Version: 1.0
Sender: rraszuk@gmail.com
Received: by 10.28.210.10 with HTTP; Thu, 24 Aug 2017 07:26:09 -0700 (PDT)
In-Reply-To: <4CD58B23-6137-4604-968C-83A2F218FF79@texier.tv>
References: <36E285C0-C716-437A-806D-A453273146DD@juniper.net> <4CD58B23-6137-4604-968C-83A2F218FF79@texier.tv>
From: Robert Raszuk <robert@raszuk.net>
Date: Thu, 24 Aug 2017 16:26:09 +0200
X-Google-Sender-Auth: KTLxfqlHpSPFcP-54Zsg5Vz-Ldk
Message-ID: <CA+b+ERkTqBjt1XL9m86H8MbJYYHGy_vf7_=oJ4jsKrXQk8C44w@mail.gmail.com>
To: Matthieu Texier <matthieu@texier.tv>
Cc: "John G. Scudder" <jgs@juniper.net>, idr wg <idr@ietf.org>
Content-Type: multipart/alternative; boundary="001a11470e481f67f40557809c6d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/vlOoZXJunbaSoaS2cB_R0ZqbBic>
Subject: Re: [Idr] WG adoption call for draft-hr-idr-rfc5575bis-02 "Dissemination of Flow Specification Rules"
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 14:26:14 -0000

Hi Matthieu,

IMO the RFC is quite clear that "A specific packet is considered to match
the flow specification when it matches the intersection (AND) of all the
components present in the specification."

That effectively means to me that to match packets which will be last
fragment or first fragment one would need to inject two separate NLRIs. At
this is guarantee to work.

Making assumption that implementation does OR among type 12 bitmask values
would actually remove ability to match on broken packets on the wire which
may actually have messed up IP headers and both bits set in the respect of
fragmentation - don't you think ?

Kind regards,
R.


On Thu, Aug 24, 2017 at 4:00 PM, Matthieu Texier <matthieu@texier.tv> wrote:

> Hi John and All,
>
> I would like to apologise re-opening this quite old mail thread but as I
> am working on a development, I am questioning myself on a very specific
> aspect of flowspec filtering.
>
> I would like to discuss nlri filtering type 12 - Fragment. This discussion
> is valid for both the existing RFC and this proposed draft.
>
> In all filtering nlri that requires bitmask (tcp flags, DSCP), the RFC
> 5575 is defining the encoding of the nlri value as the exact same way as it
> is encoded in the IP header itself.
>
> For the bitmask type 12, the RFC rather propose to use “pre-defined”
> values like IsF, FF, DF, LF.
>
> There are two observations I would like to highlight:
>
> 1) This approach creates a sort of inconsistency between filters: I tend
> to believe that the approach of Flowspec filters was to filter according to
> a header pattern (just like with DSCP and TCP flags flowspec nlri). If we
> follow the same approach for fragments, we should normally propose a nlri
> value made of the fragment flags (3 bits) and eventually 1 bit to specify
> if fragment offset have to null or not.
>
> 2) The bitmask of nlri type 12 as define could create odd router behavior
> or misalignment between implementations:
>
> Assuming that routers identifies the first fragment by checking that MF
> bit is set to 1 and that the offset set to 0. How a router could consider a
> nlri with a bitmask having Isf and FF set to one ? Does it have to do an
> implicit OR between the Isf and FF ?
>
> Considering my first observation and following the same logic as with DSCP
> and TCP flags, if I want to filter packets that are fragments or first
> fragments, I should normally send two values with an explicit OR operator
> between the two.
>
> It might be implemented that way in certain OS but I am afraid that RFC is
> not perfectly clear on this particular situation.
>
> Does it make sense to other people of the group or it is only me torturing
> myself ?
>
> Thanks,
> Matthieu.
>
>
>
>
> > On 21 Jan 2017, at 16:03, John G. Scudder <jgs@juniper.net> wrote:
> >
> > Hi All,
> >
> > The authors have requested IDR working group adoption of
> draft-hr-idr-rfc5575bis-02 "Dissemination of Flow Specification Rules".
> Please send your comments to the list.
> >
> > This adoption call will conclude on Monday, February 6.
> >
> > Thanks,
> >
> > —John
> > _______________________________________________
> > Idr mailing list
> > Idr@ietf.org
> > https://www.ietf.org/mailman/listinfo/idr
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>

v2.23.0 | Report a Bug | By Email