[Isis-wg] Re: Re: Call for WG Adoption for draft-you-isis-flowspec-extensions-04
Youjianjie <youjianjie@huawei.com> Fri, 11 March 2016 02:53 UTC
From: Youjianjie <youjianjie@huawei.com>
To: Marc Binderberger <marc@sniff.de>
Date: Fri, 11 Mar 2016 02:53:19 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/isis-wg/oFFl7vC2MG_0AjCveKxRmd7fFP8>
Cc: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>, Christian Hopps <chopps@chopps.org>, "isis-wg@ietf.org" <isis-wg@ietf.org>

Hi Marc, Chris, and Les,

Thank you all for your comments. We'll think about using FlowSpec YANG model
in this case for a next step.

Best Regards,
Jianjie

> -----Original Message-----
> From: Marc Binderberger [mailto:marc@sniff.de]
> Sent: March 7, 2016 7:57
> To: Youjianjie
> Cc: Christian Hopps; isis-wg@ietf.org
> Subject: Re: Re: [Isis-wg] Call for WG Adoption for
> draft-you-isis-flowspec-extensions-04
>
> Hello Jianjie,
>
> sorry for my delayed reply.
>
> > I'm not sure RFC6823 could be appropriate for supporting dissemination
> > of FlowSpec rules.
>
> I guess your reply is based on another comment you made ...
>
> > "[...] we think FlowSpec is more like a n-tuple route."
>
> ... and I would disagree with the n-tuple _route_. What flowspec
> distributes is a policy/filter, aiming to interrupt by dropping,
> rate-limiting, quarantining etc.
>
> > Can it be regarded as an example of application of RFC6823?
>
> well, everything can be treated as application :-) if it is not needed by
> IS-IS to do its main task and IS-IS internal data is not needed for the
> new task. In this case I would say yes, we can. What you want from IS-IS
> is transporting flowspec data through the domain.
>
> > If it could, then we need to define FlowSpec under the framework of
> > RFC6823?
>
> yes, you would need to request an application ID and would move the
> (sub-)TLVs you define in your draft into the TLV 251 framework.
>
> Separating the IS-IS main functionality from transporting flow-spec
> information will have an impact on section 4.1.2. "Validation Procedure"
> in your draft. This procedure seems a 1:1 copy from the original BGP work.
> For IS-IS I don't see the point. And draft-ietf-idr-bgp-flowspec-oid
> actually modifies the rules for BGP to accept any originator in your
> administrative domain, which translated into IS-IS means "no check".
>
> I would propose to drop this validation check in your draft.
>
> Saying all this: I still think this is best done by a controller
> programming flow-spec into network elements; YANG models help here. This
> is outside of what routing protocols should be involved in.
>
> Regards, Marc
>
> On Thu, 3 Mar 2016 02:48:11 +0000, Youjianjie wrote:
> > Hi Marc,
> >
> >> -----Original Message-----
> >> From: Isis-wg [mailto:isis-wg-bounces@ietf.org] On Behalf Of Marc Binderberger
> >> Sent: February 29, 2016 13:04
> >> To: Christian Hopps
> >> Cc: isis-wg@ietf.org
> >> Subject: Re: [Isis-wg] Call for WG Adoption for
> >> draft-you-isis-flowspec-extensions-04
> >>
> >> Hello Christian & IS-IS experts,
> >>
> >> I agree with your comment. From my memory (the old ISP days ...):
> >>
> >> (1) a big issue when DDoS attacks became the new "normal" was the
> >> coordinated fight. A private, operator-only mail list was used but
> >> response time was always an issue.
> >>
> >> (2) thus signalling to your upstream or your peers was important.
> >> Obviously this is eBGP and RFC5575 is exactly solving this problem.
> >>
> >> (3) inside your network you needed to distribute the information to
> >> the peering and uplink routers, potentially to your access routers
> >> too. You need routers that see the traffic without any label, i.e.
> >> the edge. Again RFC5575 + iBGP came handy.
> >>
> >> (4) Tools like Arbor and Riverhead spoke (and speak) BGP.
> >>
> >> (5) problem (3) can be - and initially was - solved with ACLs, either
> >> manually configured or with a configuration tool.
> >>
> >> So (3) could be also addressed with an IGP like IS-IS. My personal
> >> opinion is that only (1) was the main driver for RFC5575 and to
> >> fiddle with a protocol.
> >> For problems like (3) the ISPs had been always inventive enough to
> >> use their OSS systems if nothing else was available. To be fair, in
> >> these days CLI was king, so enabling the network operators to send
> >> the attack to Null0 with a few BGP commands on one central router was
> >> a good thing (tm).
> >>
> >> If we really want to use IS-IS as a transport for configuration then what
> >> about RFC6823 "Advertising Generic Information in IS-IS" ? That exists
> >> already.
> >
> > I'm not sure RFC6823 could be appropriate for supporting dissemination of
> > FlowSpec rules. If it could, then we need to define FlowSpec under the
> > framework of RFC6823? Can it be regarded as an example of application of
> > RFC6823?
> >
> > Thanks,
> > Jianjie
> >
> >> Regards, Marc
> >>
> >> On Fri, 26 Feb 2016 14:16:21 -0500, Christian Hopps wrote:
> >>>
> >>>> On Feb 26, 2016, at 1:43 PM, <chopps@chopps.org> <chopps@chopps.org> wrote:
> >>>>
> >>>> Hi Folks,
> >>>>
> >>>> The authors have requested the IS-IS WG adopt:
> >>>>
> >>>> https://datatracker.ietf.org/doc/draft-you-isis-flowspec-extensions/
> >>>>
> >>>> as a working group document.
> >>>>
> >>>> Please indicate your support or no-support for taking on this work.
> >>>
> >>> Speaking as a WG contributor and not as chair.
> >>>
> >>> I am having some trouble accepting this solution is needed. The one use
> >>> that has been given is a single operator who does not run BGP. The reason
> >>> this is important is that BGP already provides a similar solution. But I
> >>> believe the BGP solution exists not simply as a new way to configure
> >>> routers, but b/c BGP enables inter-domain communication, and allows one
> >>> AS to inform another AS about an attack. BGP is also better suited to
> >>> carrying large amounts of data. Neither of these is true for IS-IS.
> >>>
> >>> For the intra-domain only case the operator already has mechanisms in
> >>> place for configuring its own routers. I've asked this before but not
> >>> really gotten any answer as to how this proposal doesn't simply represent
> >>> using IS-IS as a router configuration protocol.
> >>>
> >>> If this is the case why wouldn't the DDOS detecting device simply use an
> >>> established configuration mechanism, perhaps netconf/yang, to add the
> >>> required policy on the required routers?
> >>>
> >>> Thanks,
> >>> Chris.
> >>>
> >>> _______________________________________________
> >>> Isis-wg mailing list
> >>> Isis-wg@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/isis-wg