Re: [Isis-wg] 答复: Call for WG Adoption for draft-you-isis-flowspec-extensions-04
Marc Binderberger <marc@sniff.de> Sun, 06 March 2016 23:56 UTC
Return-Path: <marc@sniff.de>
X-Original-To: isis-wg@ietfa.amsl.com
Delivered-To: isis-wg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB67D1A0060 for <isis-wg@ietfa.amsl.com>; Sun, 6 Mar 2016 15:56:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.738
X-Spam-Level: ****
X-Spam-Status: No, score=4.738 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, CHARSET_FARAWAY_HEADER=3.2, CN_BODY_35=0.339, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, MIME_CHARSET_FARAWAY=2.45, RP_MATCHES_RCVD=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SE8QyrcPTUmH for <isis-wg@ietfa.amsl.com>; Sun, 6 Mar 2016 15:56:52 -0800 (PST)
Received: from door.sniff.de (door.sniff.de [IPv6:2001:6f8:94f:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F3C81A004A for <isis-wg@ietf.org>; Sun, 6 Mar 2016 15:56:52 -0800 (PST)
Received: from [IPv6:::1] (localhost.sniff.de [127.0.0.1]) by door.sniff.de (Postfix) with ESMTP id 5FB802AA0F; Sun, 6 Mar 2016 23:56:49 +0000 (GMT)
Date: Sun, 06 Mar 2016 15:56:48 -0800
From: Marc Binderberger <marc@sniff.de>
To: Youjianjie <youjianjie@huawei.com>
Message-ID: <20160306155648496939.65266879@sniff.de>
In-Reply-To: <F6C28B32DA084644BB6C8D0BD65B669DBCDD86@NKGEML515-MBX.china.huawei.com>
References: <87mvqncny2.fsf@tops.chopps.org> <E881D2D5-D9C1-4702-9A48-9D6A162C48EA@chopps.org> <20160228210405215520.c4a664fd@sniff.de> <F6C28B32DA084644BB6C8D0BD65B669DBCDD86@NKGEML515-MBX.china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
X-Mailer: GyazMail version 1.5.17
Archived-At: <http://mailarchive.ietf.org/arch/msg/isis-wg/r6c5sMrcXFtcpsVLt_z_Hj9fZjg>
Cc: Christian Hopps <chopps@chopps.org>, "isis-wg@ietf.org" <isis-wg@ietf.org>
Subject: Re: [Isis-wg] 答复: Call for WG Adoption for draft-you-isis-flowspec-extensions-04
X-BeenThere: isis-wg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF IS-IS working group <isis-wg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/isis-wg/>
List-Post: <mailto:isis-wg@ietf.org>
List-Help: <mailto:isis-wg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Mar 2016 23:56:55 -0000
Hello Jianjie, sorry for my delayed reply. > I'm not sure RFC6823 could be appropriate for supporting dissemination of > FlowSpec rules. I guess your reply is based on another comment you made ... > "[...] we think FlowSpec is more like a n-tuple route." ... and I would disagree with the n-tuple _route_. What flowspec distributes is a policy/filter, aiming to interrupt by dropping, rate-limiting, quarantining etc.. > Can it be regarded as an example of application of RFC6823? well, everything can be treated as application :-) if it is not needed by IS-IS to do it's main task and IS-IS internal data is not needed for the new task. In this case I would say yes, we can. What you want from IS-IS is transporting flowspec data through the domain. > If it could, then we need to define FlowSpec under the framework of RFC6823? yes, you would need to request an application ID and would move the (sub-)TLVs you define in your draft into the TLV 251 framework. Separating the IS-IS main functionality from transporting flow-spec information will have an impact on section 4.1.2. "Validation Procedure" in your draft. This procedure seems a 1:1 copy from the original BGP work. For IS-IS I don't see the point. And draft-ietf-idr-bgp-flowspec-oid actually modifies the rules for BGP to accept any originator in your administrative domain, which translated into IS-IS means "no check". I would propose to drop this validation check in your draft. Saying all this: I still think this is best done by a controller programming flow-spec into network elements; YANG models help here. This is outside of what routing protocols should be involved in. Regards, Marc On Thu, 3 Mar 2016 02:48:11 +0000, Youjianjie wrote: > Hi Marc, > >> -----邮件原件----- >> 发件人: Isis-wg [mailto:isis-wg-bounces@ietf.org] 代表 Marc Binderberger >> 发送时间: 2016年2月29日 13:04 >> 收件人: Christian Hopps >> 抄送: isis-wg@ietf.org >> 主题: Re: [Isis-wg] Call for WG Adoption for >> draft-you-isis-flowspec-extensions-04 >> >> Hello Christian & IS-IS experts, >> >> I agree with your comment. From my memory (the old ISP days ...): >> >> (1) a big issue when DDoS attacks became the new "normal" was the >> coordinated fight. A private, operator-only mail list was used but response >> time was always an issue. >> >> (2) thus signalling to your upstream or your peers was important. Obviously >> this is eBGP and RFC5575 is exactly solving this problem. >> >> (3) inside your network you needed to distribute the information to the >> peering and uplink routers, potentially to your access routers too. You >> need >> routers that see the traffic without any label, i.e. the edge. Again >> RFC5575 >> + iBGP came handy. >> >> (4) Tools like Arbor and Riverhead spoke (and speak) BGP. >> >> (5) problem (3) can be - and initially was - solved with ACLs, either >> manually >> configured or with a configuration tool. >> >> >> So (3) could be also addressed with an IGP like IS-IS. My personal opinion >> is >> that only (1) was the main driver for RFC5575 and to fiddle with a >> protocol. >> For problems like (3) the ISPs had been always inventive enough to use >> their >> OSS systems if nothing else was available. To be fair, in these days CLI >> was >> king, so enabling the network operators to send the attack to Null0 with a >> few BGP commands on one central router was a good thing (tm). >> >> >> If we really want to use IS-IS as a transport for configuration then what >> about RFC6823 "Advertising Generic Information in IS-IS" ? That exists >> already. > > I'm not sure RFC6823 could be appropriate for supporting dissemination of > FlowSpec rules. If it could, then we need to define FlowSpec under the > framework of RFC6823? Can it be regarded as an example of application of > RFC6823? > > Thanks, > Jianjie > >> Regards, Marc >> >> >> >> >> On Fri, 26 Feb 2016 14:16:21 -0500, Christian Hopps wrote: >>> >>>> On Feb 26, 2016, at 1:43 PM, <chopps@chopps.org> <chopps@chopps.org> >> wrote: >>>> >>>> >>>> Hi Folks, >>>> >>>> The authors have requested the IS-IS WG adopt: >>>> >>>> https://datatracker.ietf.org/doc/draft-you-isis-flowspec-extensions/ >>>> >>>> as a working group document. >>>> >>>> Please indicate your support or no-support for taking on this work. >>> >>> Speaking as a WG contributor and not as chair. >>> >>> I am having some trouble accepting this solution is needed. The one use >>> that has been given is a single operator who does not run BGP. The reason >>> this is important is that BGP already provides a similar solution. But I >>> believe the BGP solution exists not simply as a new way to configure >>> routers, but b/c BGP enables inter-domain communication, and allows one >> AS >>> to inform another AS about an attack. BGP is also better suited to >>> carrying >>> large amounts of data. Neither of these is true for IS-IS. >>> >>> For the intra-domain only case the operator already has mechanisms in >>> place >>> for configuring it's own routers. I've asked this before but not really >>> gotten any answer as to how this proposal doesn't simply represent using >>> IS-IS as a router configuration protocol. >>> >>> If this is the case why wouldn't the DDOS detecting device simply use an >>> established configuration mechanism, perhaps netconf/yang, to add the >>> required policy on the required routers? >>> >>> Thanks, >>> Chris. >>> >>> _______________________________________________ >>> Isis-wg mailing list >>> Isis-wg@ietf.org >>> https://www.ietf.org/mailman/listinfo/isis-wg >> >> _______________________________________________ >> Isis-wg mailing list >> Isis-wg@ietf.org >> https://www.ietf.org/mailman/listinfo/isis-wg
- [Isis-wg] Call for WG Adoption for draft-you-isis… chopps
- Re: [Isis-wg] Call for WG Adoption for draft-you-… Christian Hopps
- Re: [Isis-wg] Call for WG Adoption for draft-you-… Marc Binderberger
- Re: [Isis-wg] Call for WG Adoption for draft-you-… chopps
- Re: [Isis-wg] Call for WG Adoption for draft-you-… Alia Atlas
- Re: [Isis-wg] Call for WG Adoption for draft-you-… chopps
- [Isis-wg] 答复: Call for WG Adoption for draft-you-… Youjianjie
- [Isis-wg] 回复: 答复: Call for WG Adoption for draft-… li_zhenqiang@hotmail.com
- [Isis-wg] 答复: Call for WG Adoption for draft-you-… Youjianjie
- [Isis-wg] 答复: Call for WG Adoption for draft-you-… Youjianjie
- [Isis-wg] 答复: Call for WG Adoption for draft-you-… Youjianjie
- [Isis-wg] 答复: 答复: Call for WG Adoption for draft-… Liangqiandeng
- Re: [Isis-wg] 答复: Call for WG Adoption for draft-… chopps
- Re: [Isis-wg] 答复: Call for WG Adoption for draft-… chopps
- Re: [Isis-wg] 答复: Call for WG Adoption for draft-… Les Ginsberg (ginsberg)
- Re: [Isis-wg] 答复: Call for WG Adoption for draft-… Marc Binderberger
- [Isis-wg] 答复: 答复: Call for WG Adoption for draft-… Youjianjie
- Re: [Isis-wg] Call for WG Adoption for draft-you-… chopps