[Idr] Mohamed Boucadair's Yes on draft-ietf-idr-flowspec-redirect-ip-12: (with COMMENT)
Mohamed Boucadair via Datatracker <noreply@ietf.org> Mon, 18 May 2026 11:33 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: idr@ietf.org
Delivered-To: idr@mail2.ietf.org
Received: from [10.244.11.233] (unknown [4.156.85.76]) by mail2.ietf.org (Postfix) with ESMTP id 193A2F003A40; Mon, 18 May 2026 04:33:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1779104004; bh=8rjW9xYNZTivJ2J2ry7smQwT3jF2okFPCC4Y52HZIyk=; h=From:To:Cc:Subject:Reply-To:Date; b=m9M0VKnwkVEPopX6WoWLiMv3Cdwwct4TlZwoA2OhTtKRFXE/O3vkyhk06GZzEODCo D1q8t/tsKKp2eQuwNlf/7AIwrMogKCIMpBTm9Vgf7VRD7NHOAJzDlpPFmk0t8v+Cnd n5GN+Qh/Z8xFHfZ0W5aon1DxiYP1S9Cy+14O5gck=
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Mohamed Boucadair via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 12.65.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <177910400399.553654.10354099651191000857@dt-datatracker-7688897f84-l74h4>
Date: Mon, 18 May 2026 04:33:24 -0700
Message-ID-Hash: T55YURAQA5LJL7LP3W7UDMPTB6OH5TXZ
X-Message-ID-Hash: T55YURAQA5LJL7LP3W7UDMPTB6OH5TXZ
X-MailFrom: noreply@ietf.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-idr.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-ietf-idr-flowspec-redirect-ip@ietf.org, idr-chairs@ietf.org, idr@ietf.org, shares@ndzh.com
X-Mailman-Version: 3.3.9rc6
Reply-To: Mohamed Boucadair <mohamed.boucadair@orange.com>
Subject: [Idr] Mohamed Boucadair's Yes on draft-ietf-idr-flowspec-redirect-ip-12: (with COMMENT)
List-Id: Inter-Domain Routing <idr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/z0EnWPGmvJ6YhD-IZChrUM6ClhA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Owner: <mailto:idr-owner@ietf.org>
List-Post: <mailto:idr@ietf.org>
List-Subscribe: <mailto:idr-join@ietf.org>
List-Unsubscribe: <mailto:idr-leave@ietf.org>
Mohamed Boucadair has entered the following ballot position for draft-ietf-idr-flowspec-redirect-ip-12: Yes When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-idr-flowspec-redirect-ip/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Hi Jeff, Wim, and Adam, Thank you for the work put into this useful piece of work. Thanks Linda Dunbar for the OPSDIR review and the authors for taking care of that review. Please find below some few comments. Feel free to ignore or grab whatever useful for you: # BGP Flowspec/DDoS Mitigation CURRENT: This has many possible applications, but the primary one for many network operators is the distribution of traffic filtering actions for distributed denial of service (DDoS) mitigation. You may consider adding an informative reference to RFC 9387 (or other better reference you may have) for an example of how BGP FS is used in the context of DDoS mitigation. # Copy: isn’t “mirror” better reflect how this action is referred to in practice? CURRENT: This document specifies a new redirect-to-IP flow-spec action that provides a method for policy-based forwarding to redirect or copy matching traffic toward a specific IP address. # Ambiguous “set” OLD: When the "C" bit is set the redirection applies to copies of the matching packets and not to the original traffic stream. NEW: When the "C" bit is set to 1 the redirection applies to copies of the matching packets and not to the original traffic stream. # By default Is there any reason why distinct levels are used for behavior with similar constructs: The validation check described in [RFC8955] and [RFC8956], and revised in [RFC9117], SHOULD be applied by default to received flow- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ spec routes with a "redirect-to-IP" extended community vs. BGP speakers that support the extended communities defined in this document MUST also, by default, apply additional validation rules ^^^^^^^^^^^^^^^^^^^^^^ # It is about routes OLD: When the best-match unicast route for the "target-address" is BGP, NEW: When the best-match unicast route for the "target-address" is a BGP route, # No characterization of invalid addresses CURRENT: If the "target address" is invalid or unreachable then the extended community MUST be ignored. However, there is no discussion about what is considered an invalid target address. # Is this “IGNORED” convention used in some flowspec documents? Why simply no using “ignored” or even “MUST be ignored”? CURRENT: Traffic Rate in bytes (Section 7.1 of [RFC8955]): … This traffic filtering action is thus IGNORED for traffic that is … Traffic Rate in packets (Section 7.2 of [RFC8955]): … This traffic filtering action is thus IGNORED for traffic that is … Terminal action (Section 7.3 of [RFC8955]): … and the non-terminal action (T == 1) is IGNORED. Copying of … Traffic marking (Section 7.5 of [RFC8955]): … This traffic filtering action is thus IGNORED for traffic that is … SFC classifier (Section 7.4 of [RFC9015]): … This traffic filtering action is thus IGNORED for traffic that is … Cheers, Med
- [Idr] Mohamed Boucadair's Yes on draft-ietf-idr-f… Mohamed Boucadair via Datatracker
- [Idr] Re: Mohamed Boucadair's Yes on draft-ietf-i… Jeffrey Haas