IETF Logo Mail Archive

[Isis-wg] 答复: Call for WG Adoption for draft-you-isis-flowspec-extensions-04

Youjianjie <youjianjie@huawei.com> Thu, 03 March 2016 03:25 UTC

Return-Path: <youjianjie@huawei.com>
X-Original-To: isis-wg@ietfa.amsl.com
Delivered-To: isis-wg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCD4F1A8837 for <isis-wg@ietfa.amsl.com>; Wed, 2 Mar 2016 19:25:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.906
X-Spam-Level:
X-Spam-Status: No, score=-3.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cb-Pz2N8PhMz for <isis-wg@ietfa.amsl.com>; Wed, 2 Mar 2016 19:25:23 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC3E61A87D5 for <isis-wg@ietf.org>; Wed, 2 Mar 2016 19:25:22 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml402-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CFG30674; Thu, 03 Mar 2016 03:25:20 +0000 (GMT)
Received: from nkgeml409-hub.china.huawei.com (10.98.56.40) by lhreml402-hub.china.huawei.com (10.201.5.241) with Microsoft SMTP Server (TLS) id 14.3.235.1; Thu, 3 Mar 2016 03:25:17 +0000
Received: from NKGEML515-MBX.china.huawei.com ([fe80::a54a:89d2:c471:ff]) by nkgeml409-hub.china.huawei.com ([10.98.56.40]) with mapi id 14.03.0235.001; Thu, 3 Mar 2016 11:25:13 +0800
From: Youjianjie <youjianjie@huawei.com>
To: Alia Atlas <akatlas@gmail.com>, Christian Hopps <chopps@chopps.org>, Sue Hares <shares@ndzh.com>
Thread-Topic: [Isis-wg] Call for WG Adoption for draft-you-isis-flowspec-extensions-04
Thread-Index: AQHRcMpxPQCvdUkolkuvVqTsvIyNPZ9B9YiAgACq04CAAAYYAIAEZ4CA
Date: Thu, 03 Mar 2016 03:25:12 +0000
Message-ID: <F6C28B32DA084644BB6C8D0BD65B669DBCDDC3@NKGEML515-MBX.china.huawei.com>
References: <87mvqncny2.fsf@tops.chopps.org> <E881D2D5-D9C1-4702-9A48-9D6A162C48EA@chopps.org> <20160228210405215520.c4a664fd@sniff.de> <87y4a3lf8u.fsf@tops.chopps.org> <CAG4d1rd+q1+cBrvg2zD611PjZFS0xnGNetGT8PNGB4nyQtSXcg@mail.gmail.com>
In-Reply-To: <CAG4d1rd+q1+cBrvg2zD611PjZFS0xnGNetGT8PNGB4nyQtSXcg@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.78.148]
Content-Type: multipart/alternative; boundary="_000_F6C28B32DA084644BB6C8D0BD65B669DBCDDC3NKGEML515MBXchina_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A0B0206.56D7AEA0.00FC, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: fcb9d638eb82d5f41dd3dfe96ea74cac
Archived-At: <http://mailarchive.ietf.org/arch/msg/isis-wg/wR42BgD9rRmfxKEvgtWFEhOaTFI>
Cc: Marc Binderberger <marc@sniff.de>, "isis-wg@ietf.org" <isis-wg@ietf.org>
Subject: [Isis-wg] 答复: Call for WG Adoption for draft-you-isis-flowspec-extensions-04
X-BeenThere: isis-wg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF IS-IS working group <isis-wg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/isis-wg/>
List-Post: <mailto:isis-wg@ietf.org>
List-Help: <mailto:isis-wg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2016 03:25:27 -0000

Hi Alia, Chris,

A Yang model based FlowSpec: https://tools.ietf.org/html/draft-wu-idr-flowspec-yang-cfg-02
Is this the draft that you may refer to? I think we still need to adapt it to IS-IS protocol if using Yang model?
The Yang model based FlowSpec does have some application scenarios, such as inject FlowSpec rules into specified routers by management system. In this document, we think FlowSpec is more like a n-tuple route. So we extend IS-IS.

Thanks,
Jianjie

发件人: Isis-wg [mailto:isis-wg-bounces@ietf.org] 代表 Alia Atlas
发送时间: 2016年2月29日 23:37
收件人: Christian Hopps; Sue Hares
抄送: Marc Binderberger; isis-wg@ietf.org
主题: Re: [Isis-wg] Call for WG Adoption for draft-you-isis-flowspec-extensions-04



On Mon, Feb 29, 2016 at 10:15 AM, <chopps@chopps.org<mailto:chopps@chopps.org>> wrote:

Marc Binderberger <marc@sniff.de<mailto:marc@sniff.de>> writes:

> Hello Christian & IS-IS experts,
>
> I agree with your comment. From my memory (the old ISP days ...):
>
> (1) a big issue when DDoS attacks became the new "normal" was the coordinated
> fight. A private, operator-only mail list was used but response time was
> always an issue.
>
> (2) thus signalling to your upstream or your peers was important. Obviously
> this is eBGP and RFC5575 is exactly solving this problem.
>
> (3) inside your network you needed to distribute the information to the
> peering and uplink routers, potentially to your access routers too. You need
> routers that see the traffic without any label, i.e. the edge. Again RFC5575
> + iBGP came handy.
>
> (4) Tools like Arbor and Riverhead spoke (and speak) BGP.
>
> (5) problem (3) can be - and initially was - solved with ACLs, either
> manually configured or with a configuration tool.
>
>
> So (3) could be also addressed with an IGP like IS-IS. My personal opinion is
> that only (1) was the main driver for RFC5575 and to fiddle with a protocol.
> For problems like (3) the ISPs had been always inventive enough to use their
> OSS systems if nothing else was available. To be fair, in these days CLI was
> king, so enabling the network operators to send the attack to Null0 with a
> few BGP commands on one central router was a good thing (tm).

And so here's the thing, we have IS-IS protocol modifications being
proposed here, OSPF has apparently accepted them, I just saw a new draft
to add similar changes to PCEP, will we also see the same changes for
RIP, Babel, EIGRP, ...?

I still don't understand why we don't define *1* yang model for flowspec,
and use the protocols already there to configure routers for configuring
routers.

I would strongly prefer to see one yang model for flowspec that can then be used by multiple protocols.  A question is how to carry the results  in each protocol?
Is it protocol-specific translation?  Is it extending a generic mechanism to carry a self-describing binary?

On the yang model for flowspec, please do also talk to Sue Hares (cc'd).  This is
something that she has been looking at in reference to BGP and the filter-specific
RIB model in I2RS.   One question that she raised is whether it is desirable to have exactly the same functionality via a yang model as via BGP flowspec.

I would strongly encourage discussion.  Part of this ties to what does it mean to have a model-based protocol?  Can we enhance our existing protocols?  Should we consider what a model-based protocol might look like if done from scratch?

Thanks for raising the question about the elephant in the room!

Regards,
Alia

> If we really want to use IS-IS as a transport for configuration then what
> about RFC6823 "Advertising Generic Information in IS-IS" ?  That exists
> already.

I agree if moving forward with this I think we need to look at GENAPP as
well..

Firs though I'd like to hear more on why intra-domain flowspec (or the
equivalent) can't simply be defined using a yang model.

Thanks,
Chris.

>
>
> Regards, Marc
>
>
>
>
> On Fri, 26 Feb 2016 14:16:21 -0500, Christian Hopps wrote:
>>
>>> On Feb 26, 2016, at 1:43 PM, <chopps@chopps.org<mailto:chopps@chopps.org>> <chopps@chopps.org<mailto:chopps@chopps.org>> wrote:
>>>
>>>
>>> Hi Folks,
>>>
>>> The authors have requested the IS-IS WG adopt:
>>>
>>>    https://datatracker.ietf.org/doc/draft-you-isis-flowspec-extensions/
>>>
>>> as a working group document.
>>>
>>> Please indicate your support or no-support for taking on this work.
>>
>> Speaking as a WG contributor and not as chair.
>>
>> I am having some trouble accepting this solution is needed. The one use
>> that has been given is a single operator who does not run BGP. The reason
>> this is important is that BGP already provides a similar solution. But I
>> believe the BGP solution exists not simply as a new way to configure
>> routers, but b/c BGP enables inter-domain communication, and allows one AS
>> to inform another AS about an attack. BGP is also better suited to carrying
>> large amounts of data. Neither of these is true for IS-IS.
>>
>> For the intra-domain only case the operator already has mechanisms in place
>> for configuring it's own routers. I've asked this before but not really
>> gotten any answer as to how this proposal doesn't simply represent using
>> IS-IS as a router configuration protocol.
>>
>> If this is the case why wouldn't the DDOS detecting device simply use an
>> established configuration mechanism, perhaps netconf/yang, to add the
>> required policy on the required routers?
>>
>> Thanks,
>> Chris.
>>
>> _______________________________________________
>> Isis-wg mailing list
>> Isis-wg@ietf.org<mailto:Isis-wg@ietf.org>
>> https://www.ietf.org/mailman/listinfo/isis-wg

_______________________________________________
Isis-wg mailing list
Isis-wg@ietf.org<mailto:Isis-wg@ietf.org>
https://www.ietf.org/mailman/listinfo/isis-wg

v2.23.0 | Report a Bug | By Email