Re: [Idr] New Version Notification for draft-liang-idr-bgp-flowspec-time-00.txt

Gunter Van De Velde <guntervandeveldecc@icloud.com> Fri, 23 October 2015 07:16 UTC

From: Gunter Van De Velde <guntervandeveldecc@icloud.com>
In-reply-to: <F6C28B32DA084644BB6C8D0BD65B669D1FAB9D@nkgeml509-mbs.china.huawei.com>
Date: Fri, 23 Oct 2015 09:16:52 +0200
Message-id: <7DA0A712-F2B6-43F6-8270-6E677A9A4A2F@icloud.com>
References: <0fb08854-77ad-41fd-bc8e-49621e1e013f@me.com> <F6C28B32DA084644BB6C8D0BD65B669D1FAB9D@nkgeml509-mbs.china.huawei.com>
To: Youjianjie <youjianjie@huawei.com>
X-Mailer: Apple Mail (2.3094)
Archived-At: <http://mailarchive.ietf.org/arch/msg/idr/wcUuQqglYcpY2M2DN0T-5HHdD2g>
Cc: "idr@ietf.org" <idr@ietf.org>
Subject: Re: [Idr] New Version Notification for draft-liang-idr-bgp-flowspec-time-00.txt

Hi Jianjie,

I can understand the desire to have particular filter rules active on particular times of the day. I am not convinced that sending timing context along with a BGP NLRI is the way to achieve this.

A relevant difference between ACL and BGP is that ACL tends to be static and BGP is dynamic by nature.

By announcing and withdrawing a BGP NLRI you can make a rule dynamic, unless there is an absolute need to have activation/de-activation sync’d to the msec.
Hence, we have a solution with BGP that is dynamic and provides relative network-wide synchronised network behaviour (announce/withdraw), but it is indeed not synchronous to the msec.

Making network control sync on the msec is not easy, and a valid question is whether BGP should be part of such a goal.
(There are also operational aspects to troubleshooting the network in case of unexpected behaviour … )

Brgds,
G/
> On 23 Oct 2015, at 08:35, Youjianjie <youjianjie@huawei.com> wrote:
> 
> Hi Gunter,
>  
> We collect the requirements from our customers. Actually traditional ACLs already support similar functions.
> For the last sentence, could you please explain a little more? Why do you think it is complex?
>  
> Thanks,
> Jianjie
>  
> From: Gunter Van De Velde [mailto:guntervandeveldecc@icloud.com]
> Sent: 19 October 2015 15:32
> To: Youjianjie
> Cc: idr@ietf.org
> Subject: Re: [Idr] New Version Notification for draft-liang-idr-bgp-flowspec-time-00.txt
>  
> Hi Youjianjie,
>  
> I would expect a flow spec rule to be valid for consumption from the moment it is originated from a flow spec controller until it is withdrawn by the controller. In the text proposed you relate to different forwarding delays for a router to receive the flow spec rule and hence justify a need for a new community to specify 'valid-time' for the flow spec route. This seems a pretty light reason for such a complex proposed logical machine.
>  
> Be well,
> G/
> Sent from iCloud
> 
> On Oct 19, 2015, at 04:08 AM, Youjianjie <youjianjie@huawei.com <mailto:youjianjie@huawei.com>> wrote:
> 
> Dear all,
> 
> This document proposes a new BGP path attribute called "Flow Extended Attribute", which carries expected valid period information for a FlowSpec rule.
> Could you please review? Your comments are welcome.
> 
> Thanks,
> Jianjie
> 
> -----Original Message-----
> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> Sent: 19 October 2015 9:58
> To: Liangqiandeng; Zhuangshunwan; Youjianjie; Zhuangshunwan; Youjianjie; Liangqiandeng
> Subject: New Version Notification for draft-liang-idr-bgp-flowspec-time-00.txt
> 
> 
> A new version of I-D, draft-liang-idr-bgp-flowspec-time-00.txt
> has been successfully submitted by Jianjie You and posted to the IETF repository.
> 
> Name:          draft-liang-idr-bgp-flowspec-time
> Revision:      00
> Title:         BGP FlowSpec with Time Constraints
> Document date: 2015-10-18
> Group:         Individual Submission
> Pages:         9
> URL:           https://www.ietf.org/internet-drafts/draft-liang-idr-bgp-flowspec-time-00.txt
> Status:        https://datatracker.ietf.org/doc/draft-liang-idr-bgp-flowspec-time/
> Htmlized:      https://tools.ietf.org/html/draft-liang-idr-bgp-flowspec-time-00
> 
> 
> Abstract:
> The BGP flow specification (FlowSpec) is an additional tool to
> mitigate the effects of Distributed Denial of Service (DDoS) attacks.
> Since DDoS attacks are dynamic, filtering of a flow may only be
> necessary for some specified time, and be undesirable at other times.
> This document proposes a new BGP path attribute called "Flow Extended
> Attribute", which carries expected valid period information for a
> FlowSpec rule. So network administrators can control certain types
> of traffic in a specified period.
> 
> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 
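Added example, not from the thread or the draft: a constructed Python simulation of the two activation models argued about above, announce/withdraw versus a validity window carried with the rule, measuring how far apart routers actually switch the filter on and off. The router propagation delays, clock offsets, and the attribute's field names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Router:
    name: str
    propagation_ms: int   # delay for a BGP UPDATE from the controller to this router (constructed)
    clock_offset_ms: int  # this router's clock minus the controller's clock (constructed)

@dataclass
class FlowSpecRule:
    match: str            # constructed FlowSpec match, e.g. "dst 192.0.2.0/24 proto udp dport 53"
    action: str           # constructed action, e.g. "traffic-rate 0" (discard)
    valid_from_ms: Optional[int] = None   # hypothetical "Flow Extended Attribute" window start
    valid_until_ms: Optional[int] = None  # hypothetical window end

Window = Tuple[int, int]  # (active_from, active_until) measured on the controller's clock

def activation_by_withdraw(routers: List[Router], announce_ms: int, withdraw_ms: int) -> Dict[str, Window]:
    """Model A (plain BGP): the rule is active from UPDATE arrival until WITHDRAW arrival."""
    return {r.name: (announce_ms + r.propagation_ms, withdraw_ms + r.propagation_ms) for r in routers}

def activation_by_attribute(rule: FlowSpecRule, routers: List[Router], announce_ms: int) -> Dict[str, Window]:
    """Model B (the draft's idea): the rule carries its window; each router enforces it on its own clock."""
    out: Dict[str, Window] = {}
    for r in routers:
        arrival = announce_ms + r.propagation_ms
        # A router whose clock runs +offset ahead reaches valid_from earlier in controller time,
        # so propagation delay no longer matters once the rule is pre-distributed, but clock error does.
        start = max(arrival, rule.valid_from_ms - r.clock_offset_ms)
        end = rule.valid_until_ms - r.clock_offset_ms
        out[r.name] = (start, end)
    return out

def skew_ms(windows: Dict[str, Window]) -> Tuple[int, int]:
    """Spread between earliest and latest activation, and likewise for deactivation."""
    starts = [s for s, _ in windows.values()]
    ends = [e for _, e in windows.values()]
    return max(starts) - min(starts), max(ends) - min(ends)

# Constructed topology: one far-away router and one router with a clock 1.5 s fast.
ROUTERS = [Router("edge1", 50, 0), Router("edge2", 900, 0), Router("edge3", 200, 1500)]
RULE = FlowSpecRule("dst 192.0.2.0/24 proto udp dport 53", "traffic-rate 0", 10_000, 70_000)

if __name__ == "__main__":
    print("announce/withdraw skew (start, end):", skew_ms(activation_by_withdraw(ROUTERS, 10_000, 70_000)))
    print("validity-attribute skew (start, end):", skew_ms(activation_by_attribute(RULE, ROUTERS, 0)))
```

With these numbers the announce/withdraw model is bounded by propagation delay (850 ms spread), while the attribute model is bounded by the worst clock offset (1500 ms spread), which is the trade-off the thread is weighing.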