Re: [Idr] Feedback from mike during IETF 119 (was Re: FW: New Version Notification for draft-wu-idr-flowspec-dip-community-filter-00.txt)
Robert Raszuk <robert@raszuk.net> Tue, 19 March 2024 09:14 UTC
Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA23FC14F5FF for <idr@ietfa.amsl.com>; Tue, 19 Mar 2024 02:14:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DSuRNIoeCYNi for <idr@ietfa.amsl.com>; Tue, 19 Mar 2024 02:14:34 -0700 (PDT)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F693C14F70D for <idr@ietf.org>; Tue, 19 Mar 2024 02:14:34 -0700 (PDT)
Received: by mail-ed1-x52b.google.com with SMTP id 4fb4d7f45d1cf-56b9e5ed074so237437a12.3 for <idr@ietf.org>; Tue, 19 Mar 2024 02:14:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; t=1710839672; x=1711444472; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=vV1b4J58hiTIFI5jw7POIZHJj+DyLMSRYEVLmf/CTsI=; b=KLYyiY+Waqz+Gu8aN/1ytlByPogCGL8KKZJwDMM4cos2UXAo1V4P/2/lsdL/eVPbRc luiNWlYjGCdhWRCZcb1xDGmPb3BxFEbl+zraVaXj6K5cneGRX0G1jVgeEL/SLlqzJ6L+ phyiuZv4l02Fl5c8ANPAX7iUQx8fqKeeeo6HtGJUl4FIgGI+rNUzlgPha0cJAnVAPaFh LcBwZufB/qj09h9OZ3YBKKPOwHfEjgS1OXCRcntIRGHgDTtU+wBoxFcr99qY86FOH1X9 3vhfxuVvrnFqViBWYlLkZr+MRB/KzCe9NwcCRVTaq/b0NjHuyNAbuHolqoP072v/GrxF Xs3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710839672; x=1711444472; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=vV1b4J58hiTIFI5jw7POIZHJj+DyLMSRYEVLmf/CTsI=; b=AZF3CgPWRFaF3BdWF2gpN8neuq9qkQ0UAUE0EdVQlMyzQjDT61XbUCinfloWI+msbu bI5NJQT62wZzXIfrpZGwyfe+vxdhsCE7LZBJEjoJtxyAvzh7HOaSY8e5P4uyg2tVcXTD M29+ELbRzGb02XjDUAd/75P2T0Cl7BZ0XWuWzn0SsHBvJ/hZWtH/YcdJmIcvBLZSLpoZ M3Dta702e4ZWflBqaNmzWn6C1Ti21ZlNmaOV2JOUA+ckoRj2HNTga+jC/lGRsSEbD0e2 hJZgKcw7nQcmRjqPQaZJBtKQ+kuT8dSgs8zN8KUXwfcXKaiSdM270Mspw9UuVpTIzbr3 z7aw==
X-Forwarded-Encrypted: i=1; AJvYcCWNkwFDsSZf0ty5lWurZ/VlSFOjuA7Kq7IAhXSv+97iKnWPURSNUiMe6h+P54iIxEc+OpkbmfNnEOgNcWg=
X-Gm-Message-State: AOJu0YywKiV4pvmYFGwKSMPHdLnBUD+3DIo5rTGlv3TOmPEUe7eY6cAC nbBR6oqLTU/Lyw2nVD+xMP4x3eSm5Vs5/5/vJe7LNp/oR/l/0asRpX4uoUsSIWPVv5L/2f5dGFs dNp8Wf7aTcZTFuF+CO2z3/zh+NotCu49C8YkqTg==
X-Google-Smtp-Source: AGHT+IFDRtnyECqg60Lls+FjzK5wydxHjgmTA7D/nC9NQu7WpSUjJdS0cIZePAtYGIUxuJzhZUxEgcXm4n+yRIlmDOA=
X-Received: by 2002:a05:6402:500e:b0:567:e280:6411 with SMTP id p14-20020a056402500e00b00567e2806411mr1672964eda.15.1710839672152; Tue, 19 Mar 2024 02:14:32 -0700 (PDT)
MIME-Version: 1.0
References: <1d8a9005350548acae681108370cb22d@huawei.com> <D405B3AE-2B9D-446E-AE39-4CD6FC9152C8@pfrc.org> <CAOj+MMFZLK4eEYqDZPaiyrayfTHEKkNLkjpCUQB=PTRR5E8dFg@mail.gmail.com> <CAH6gdPyYd-ERSRGz7dSygiQS=Pq_SgqOdEvyx3Eou=MXg58zPw@mail.gmail.com> <be2866fb8d0143809a25b179a5097bab@huawei.com>
In-Reply-To: <be2866fb8d0143809a25b179a5097bab@huawei.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Tue, 19 Mar 2024 10:14:21 +0100
Message-ID: <CAOj+MMFmtr_F1PabGYJJ2G8o2QzJZP+SQAOPNA=0G0LuqL+60w@mail.gmail.com>
To: wutianhao <wutianhao10=40huawei.com@dmarc.ietf.org>
Cc: Ketan Talaulikar <ketant.ietf@gmail.com>, "idr@ietf. org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ed3ba60613ffe648"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/xa_39GoA4EGF0jmDXmkdePfRPo0>
Subject: Re: [Idr] Feedback from mike during IETF 119 (was Re: FW: New Version Notification for draft-wu-idr-flowspec-dip-community-filter-00.txt)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 09:14:38 -0000
Hi Wutianhao, OK that is even more confusing now. Then you say: "This draft is not targeted to DDOS scenario, but to traffic redirections for improving network performance." Very interesting. So this is BGP-TE. Do you mean here that you inject into a BGP essentially an equivalent of a static route, spray it around your entire domain (and if not filtered beyond your domain) to mean that for all packets with IP destination X redirect them to node Y ? And here X will be dynamically installed for all routes where the BGP community matches the carried community ... Btw - How do you convey Y - the destination of the redirection ? How do you tunnel to Y (assuming it is some form of encapsulation to Y) ? This clearly overwrites all dynamic routing protocols as is expected to be executed as ACL Rule. And this is justified to "improve network performance". I think we do have few other ways to do TE in the networks today and what is proposed here IMHO is first very incomplete and not in any dimension better then already available alternatives. Thx, R. On Tue, Mar 19, 2024 at 8:18 AM wutianhao <wutianhao10= 40huawei.com@dmarc.ietf.org> wrote: > Hi Ketan, > > > > Thank you for your comments. > > > > I want to first clarify the scenario where this extension is applied. This > draft is not targeted to DDOS scenario, but to traffic redirections for > imporving network performance. > > > > In this scenario, the network operators use Destination-IP-Community > filters as follows. > > > > 1. identify which prefixes to be redirected > > 2. choose an unused BGP communities for generating FlowSpec rules > > 3. announce the BGP updates (destination prefixes are those prefixes) with > this BGP community > > > > Thus, the prefixes and communities are planned in advance. > > > > Hope this answer can solve your problem. Please don't hesitate to contact > us if you have any further questions. > > > > Best regards, > > > > Tianhao Wu > > > > *From:* Ketan Talaulikar <ketant.ietf@gmail.com> > *Sent:* Monday, March 18, 2024 12:56 PM > *To:* Robert Raszuk <robert@raszuk.net> > *Cc:* Jeff Haas <jhaas@pfrc.org>; wutianhao <wutianhao10@huawei.com>; > idr@ietf. org <idr@ietf.org> > *Subject:* Feedback from mike during IETF 119 (was Re: [Idr] FW: New > Version Notification for draft-wu-idr-flowspec-dip-community-filter-00.txt) > > > > Hello Authors, > > > > I am repeating my comments from the IDR session earlier today. > > > > For Flowspec the larger scale challenge is the resources in the hardware > for the actual rule - something that this proposal does not alter. The > FlowSpec route space in the BGP control plane is not really a big deal for > routers (not when compared to the h/w resources). So, does this really > solve a real/practical problem? > > > > By using this mechanism of matching community, both the router and the > FlowSpec controller is losing control over the number of rules generated. > Even if there was a cap, it is tricky on what prefixes are picked and what > happens with there are issues with the setting of these communities. How > does the FlowSpec controller know which specific destinations are being > filtered? Is that not important for a deployment - e.g., for DDOS scenario? > > > > While this proposal sounds interesting, I would suggest to please consider > the above aspects and at least update the draft to cover those > considerations. > > > > Thanks, > > Ketan > > > > On Fri, Mar 15, 2024 at 2:39 PM Robert Raszuk <robert@raszuk.net> wrote: > > Hi Jeff, > > > > So just to make sure we are on the same page. > > > > Are you saying that it is perfectly ok to turn BGP into a control plane > filtering protocol pushing BGP configuration (here policies) around the > network ? > > > > Cheers, > > R. > > > > > > > > > > > > On Fri, Mar 15, 2024 at 4:29 AM Jeff Haas <jhaas@pfrc.org> wrote: > > Tianhao, > > While I don’t quite share the same concerns that Robert does, I do have > concerns about these RIB properties-based filters in terms of filter > stability and deployment. > > Section 6 procedures in RFC 8955 provide an example of RIB interaction, > albeit only on the flowspec destination component and the RIB-in route > covering that component. While there may be some instability of the route, > there is some reasonable expectation that stability is the intent for that > procedure. > > In the case of the AS filter, the origin as is usually stable. > > Communities can be very unstable, especially for the set of candidate > routes for the loc-rib entry. > > Please consider discussing this point during your presentation. > > Jeff. > > > Sent from my iPad > > > On Mar 4, 2024, at 05:55, wutianhao <wutianhao10= > 40huawei.com@dmarc.ietf.org> wrote: > > > > Dear all, > > > > We've submitted a new draft: draft-wu-idr-flowspec-dip-community-filter. > > > > This draft specifies a new BGP Flowspec component type to support > community-level filtering. Flowspec rules can be reduced by using the > method defining in this draft. It saves a lot of entry spaces on the > control plane and forwarding plane, and it would greatly simplify the > operation of the control plane, and the more destination prefixes with the > same community has, the more obvious the benefit. > > > > Review and comments are welcome. > > > > Best regards, > > Tianhao > > > > -----Original Message----- > > From: internet-drafts@ietf.org <internet-drafts@ietf.org> > > Sent: 2024年2月29日 17:26 > > To: Wanghaibo (Rainsword) <rainsword.wang@huawei.com>; Gejun (Jack, > BGP) <jack.gejun@huawei.com>; wutianhao <wutianhao10@huawei.com>; > Dingxiangfeng <dingxiangfeng@huawei.com> > > Subject: New Version Notification for > draft-wu-idr-flowspec-dip-community-filter-00.txt > > > > A new version of Internet-Draft > > draft-wu-idr-flowspec-dip-community-filter-00.txt has been successfully > submitted by Tianhao Wu and posted to the IETF repository. > > > > Name: draft-wu-idr-flowspec-dip-community-filter > > Revision: 00 > > Title: Destination-IP-Community Filter for BGP Flow Specification > > Date: 2024-02-28 > > Group: Individual Submission > > Pages: 7 > > URL: > https://www.ietf.org/archive/id/draft-wu-idr-flowspec-dip-community-filter-00.txt > > Status: > https://datatracker.ietf.org/doc/draft-wu-idr-flowspec-dip-community-filter/ > > HTMLized: > https://datatracker.ietf.org/doc/html/draft-wu-idr-flowspec-dip-community-filter > > > > > > Abstract: > > > > BGP Flowspec mechanism (BGP-FS) propagates both traffic Flow > > Specifications and Traffic Filtering Actions by making use of the BGP > > NLRI and the BGP Extended Community encoding formats. This document > > specifies a new BGP-FS component type to support community-level > > filtering. The match field is the community of the destination IP > > address that is encoded in the Flowspec NLRI. This function is > > applied in a single administrative domain. > > > > > > > > The IETF Secretariat > > > > > > _______________________________________________ > > Idr mailing list > > Idr@ietf.org > > https://www.ietf.org/mailman/listinfo/idr > > _______________________________________________ > Idr mailing list > Idr@ietf.org > https://www.ietf.org/mailman/listinfo/idr > > _______________________________________________ > Idr mailing list > Idr@ietf.org > https://www.ietf.org/mailman/listinfo/idr > > _______________________________________________ > Idr mailing list > Idr@ietf.org > https://www.ietf.org/mailman/listinfo/idr >
- [Idr] FW: New Version Notification for draft-wu-i… wutianhao
- Re: [Idr] FW: New Version Notification for draft-… Robert Raszuk
- Re: [Idr] FW: New Version Notification for draft-… Robert Raszuk
- [Idr] 答复: FW: New Version Notification for draft-… wutianhao
- Re: [Idr] 答复: FW: New Version Notification for dr… Robert Raszuk
- Re: [Idr] FW: New Version Notification for draft-… Jeff Haas
- Re: [Idr] FW: New Version Notification for draft-… Robert Raszuk
- [Idr] Feedback from mike during IETF 119 (was Re:… Ketan Talaulikar
- Re: [Idr] Feedback from mike during IETF 119 (was… wutianhao
- Re: [Idr] Feedback from mike during IETF 119 (was… Ketan Talaulikar
- Re: [Idr] Feedback from mike during IETF 119 (was… Robert Raszuk