IETF Logo Mail Archive

答复: New Version Notification for draft-hao-idr-flowspec-evpn-00.txt

Haoweiguo <haoweiguo@huawei.com> Tue, 02 September 2014 12:57 UTC

Return-Path: <haoweiguo@huawei.com>
X-Original-To: l2vpn@ietfa.amsl.com
Delivered-To: l2vpn@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71C3A1A030B; Tue, 2 Sep 2014 05:57:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.081
X-Spam-Level: *
X-Spam-Status: No, score=1.081 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, CHARSET_FARAWAY_HEADER=3.2, MIME_8BIT_HEADER=0.3, MIME_CHARSET_FARAWAY=2.45, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wm4CHU_ZpYxP; Tue, 2 Sep 2014 05:57:06 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 931061A02FC; Tue, 2 Sep 2014 05:57:05 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml403-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BMA66191; Tue, 02 Sep 2014 12:57:04 +0000 (GMT)
Received: from NKGEML403-HUB.china.huawei.com (10.98.56.34) by lhreml403-hub.china.huawei.com (10.201.5.217) with Microsoft SMTP Server (TLS) id 14.3.158.1; Tue, 2 Sep 2014 13:57:03 +0100
Received: from NKGEML501-MBS.china.huawei.com ([169.254.2.209]) by nkgeml403-hub.china.huawei.com ([10.98.56.34]) with mapi id 14.03.0158.001; Tue, 2 Sep 2014 20:56:53 +0800
From: Haoweiguo <haoweiguo@huawei.com>
To: "stephane.litkowski@orange.com" <stephane.litkowski@orange.com>, "UTTARO, JAMES" <ju1738@att.com>, "'idr@ietf.org'" <idr@ietf.org>, "'l2vpn@ietf.org'" <l2vpn@ietf.org>
Subject: =?gb2312?B?tPC4tDogTmV3IFZlcnNpb24gTm90aWZpY2F0aW9uIGZvciBkcmFmdC1oYW8t?= =?gb2312?Q?idr-flowspec-evpn-00.txt?=
Thread-Topic: New Version Notification for draft-hao-idr-flowspec-evpn-00.txt
Thread-Index: AQHPvAyV6atOnhH9DE6j9dLImcRrM5vYoV9zgADsHqCAAMQoQIAB9eqQgAF7eR6ADczLAIAAqdxw//+4+oCAAeojsA==
Date: Tue, 2 Sep 2014 12:56:53 +0000
Message-ID: <DD5FC8DE455C3348B94340C0AB5517334F7F4516@nkgeml501-mbs.china.huawei.com>
References: <20140820002030.18902.50278.idtracker@ietfa.amsl.com> <DD5FC8DE455C3348B94340C0AB5517334F7F21D1@nkgeml501-mbs.china.huawei.com>, <B17A6910EEDD1F45980687268941550F06D74DB1@MISOUT7MSGUSRCD.ITServices.sbc.com> <DD5FC8DE455C3348B94340C0AB5517334F7F2339@nkgeml501-mbs.china.huawei.com>, <29476_1408695761_53F6FDD1_29476_12929_1_9E32478DFA9976438E7A22F69B08FF9207DB14@OPEXCLILM34.corporate.adroot.infra.ftgroup> <DD5FC8DE455C3348B94340C0AB5517334F7F3635@nkgeml501-mbs.china.huawei.com>, <28799_1409563679_54043C1F_28799_2589_1_9E32478DFA9976438E7A22F69B08FF92080C92@OPEXCLILM34.corporate.adroot.infra.ftgroup> <DD5FC8DE455C3348B94340C0AB5517334F7F4386@nkgeml501-mbs.china.huawei.com>, <25521_1409584904_54048F08_25521_750_1_9E32478DFA9976438E7A22F69B08FF920810A4@OPEXCLILM34.corporate.adroot.infra.ftgroup>
In-Reply-To: <25521_1409584904_54048F08_25521_750_1_9E32478DFA9976438E7A22F69B08FF920810A4@OPEXCLILM34.corporate.adroot.infra.ftgroup>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.135.23.94]
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/l2vpn/6Ey_1nUC1svy97syu3yFtpHpNfQ
Cc: liuweihang <liuweihang@huawei.com>
X-BeenThere: l2vpn@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Layer 2 Virtual Private Networks <l2vpn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l2vpn/>
List-Post: <mailto:l2vpn@ietf.org>
List-Help: <mailto:l2vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l2vpn>, <mailto:l2vpn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Sep 2014 12:57:09 -0000

Hi Stephane,
Pls see inline with [weiguo3].
Thanks
weiguo

________________________________________
发件人: stephane.litkowski@orange.com [stephane.litkowski@orange.com]
发送时间: 2014年9月1日 23:21
收件人: Haoweiguo; UTTARO, JAMES; 'idr@ietf.org'.org'; 'l2vpn@ietf.org'
抄送: liuweihang
主题: RE: New Version Notification for draft-hao-idr-flowspec-evpn-00.txt

[weiguo2]: I know what you said. Yes, In IRB scenario, not only ethernet header but also IP header can be used for traffic filtering.  I think our draft can cover this scenario. In the draft, component types include both IP and ethernet part, IP component types are inherited from RFC[5575], MAC componet types are newly defined. So only one address family is needed for IP and Ethernet traffic filtering.

[SLI] Right, that's one possibility, the other one could be to not create a new AF for MAC FS but just extend the current FS address-families (VPN and non VPN) with MAC component types and new actions.
The main question in term of protocol design is to we want to keep filtering AF agnostic (single FS AF for all type of flows) or do we need to keep separate FS AFs ?
The way taken for the moment is to have separate ones, we can see that IPv6 FS is currently defined as a new couple of AFI/SAFI but is it the good way to do ? I don't remember if this has been discussed or not when defining FS IPv6 ?
I'm wondering if we cannot make FlowSpec working as IPFIX for the flow definition.

[weiguo3]:Yes, if application RT like L2VPN and L3VPN RT don't overlap, theoretically single FS AF can be used for all type of flows.But if we keep separate FS AFs, it will more similar to traditonal BGP design style and no extra problems will be incurred. Whether using single AF or separate AFs, i would like to hear the WG's opinion.


-----Original Message-----
From: Haoweiguo [mailto:haoweiguo@huawei.com]
Sent: Monday, September 01, 2014 13:51
To: LITKOWSKI Stephane SCE/IBNF; UTTARO, JAMES; 'idr@ietf.org'.org'; 'l2vpn@ietf.org'
Cc: liuweihang
Subject: 答复: New Version Notification for draft-hao-idr-flowspec-evpn-00.txt

Hi Stephane,
Pls see my reply inline with [weiguo2] below.
Thanks
weiguo

________________________________________
发件人: stephane.litkowski@orange.com [stephane.litkowski@orange.com]
发送时间: 2014年9月1日 17:27
收件人: Haoweiguo; UTTARO, JAMES; 'idr@ietf.org'.org'; 'l2vpn@ietf.org'
抄送: liuweihang
主题: RE: New Version Notification for draft-hao-idr-flowspec-evpn-00.txt

[weiguo]: Thanks. But MAC filters maybe not applicable to IPV4 &VPNv4, because in this case, MAC information will be changed on different PE devices, a single ACL rule can't identify a consistant flow at different PE devices. So in IP network, flow-spec can only be defined using IP related information.
[SLI] I agree with your point but I was thinking about a future (hope it will happen :) when we will be able to offer L2 and L3 services on the same plug (including same VLAN, sort of concurrent routing & bridging interface). In this situation, is it good to use two address families to filter the different services ? Why not using only one ...

[weiguo2]: I know what you said. Yes, In IRB scenario, not only ethernet header but also IP header can be used for traffic filtering.  I think our draft can cover this scenario. In the draft, component types include both IP and ethernet part, IP component types are inherited from RFC[5575], MAC componet types are newly defined. So only one address family is needed for IP and Ethernet traffic filtering.

[weiguo]: RD usage has no difference with original BGP VPN definication. Can you give me some more clarifications?
[SLI] Right, but RFC5575 precises that RD is part of NLRI for VPN :
"The NLRI format for this address family consists of a fixed-length
   Route Distinguisher field (8 bytes) followed by a flow specification,
   following the encoding defined in this document.  The NLRI length
   field shall include both the 8 bytes of the Route Distinguisher as
   well as the subsequent flow specification.
"
In your document , I can't see this ... as you are defining a new NLRI, you need to precise the format.

[weiguo2]: OK. In our draft, the format is same with RFC5575, I can add the same description to make it more clear.


Stephane



-----Original Message-----
From: Haoweiguo [mailto:haoweiguo@huawei.com]
Sent: Saturday, August 23, 2014 09:08
To: LITKOWSKI Stephane SCE/IBNF; UTTARO, JAMES; 'idr@ietf.org'.org'; 'l2vpn@ietf.org'
Cc: liuweihang
Subject: 答复: New Version Notification for draft-hao-idr-flowspec-evpn-00.txt

Hi Stephane,
Thanks for your detail comments. Pls see my reply inline with [weiguo] below.
weiguo

________________________________________
发件人: stephane.litkowski@orange.com [stephane.litkowski@orange.com]
发送时间: 2014年8月22日 16:22
收件人: Haoweiguo; UTTARO, JAMES; 'idr@ietf.org'.org'; 'l2vpn@ietf.org'
抄送: liuweihang
主题: RE: New Version Notification for draft-hao-idr-flowspec-evpn-00.txt

Hi,

I think this is a valuable addition, but I would like to see these MAC filters being applicable also to IPv4 plugs (FS IPv4 & VPNv4)
[weiguo]: Thanks. But MAC filters maybe not applicable to IPV4 &VPNv4, because in this case, MAC information will be changed on different PE devices, a single ACL rule can't identify a consistant flow at different PE devices. So in IP network, flow-spec can only be defined using IP related information.

Moreover , the new AFI/SAFI should not be restricted to EVPN, any L2 interface may be interested by such filter (VPLS, basic L2 switching ...).
[weiguo]: Yes, I agree. Firstly i propose Ethernet flow-spec only in EVPN network, because flows-pec relies on BGP protocol and EVPN has BGP control plane, so it will be easy to deploy BGP flowspec in EVPN network. If we want to deploy the flow-spec in VPLS network, normally VPLS only relies on LDP protocol, additional protocol of BGP flow-spec should be deployed for MAC filtering.
If the community thinks it is necessary to introduce ethernet flow-spec for all L2 interface, i can update this part to let it not be restricted to EVPN.

Route distinguisher may be is missing ...
[weiguo]: RD usage has no difference with original BGP VPN definication. Can you give me some more clarifications?

Now more globally, may be it's time to think more globally about the evolution of FS. I pretty see FS evolution largely beyond DDoS domain. FS is a very good protocol for SDN applications. The question behind is do we really need to work with multiple address families for each type of "service"/"interface type" to filter or do we need to have a more global model where we would be able to put any type of filter any where and apply multiple actions (openflow like FS). Compared to openflow, FS has the magic to enable multipoint distribution of actions.

[weiguo]: Yes, BGP flow-spec can be applicable for some SDN applications. It has more potential to do more attactive things.

Best Regards,

Stephane


-----Original Message-----
From: Idr [mailto:idr-bounces@ietf.org] On Behalf Of Haoweiguo
Sent: Thursday, August 21, 2014 04:11
To: UTTARO, JAMES; 'idr@ietf.org'.org'; 'l2vpn@ietf.org'
Cc: liuweihang
Subject: [Idr] 答复: New Version Notification for draft-hao-idr-flowspec-evpn-00.txt

Hi Jim,
Thanks for your comments. The BGP Flowspec procedures is illustrated as following:

                                          EVPN FlowSpec Session                  EVPN FlowSpec Session
DDOS Detection Appliance--------------------------Egress PE-----------------------------Ingress PE------CE2
                                                                                         |
                                                                                      CE1 DDOS Detection Appliance establishes EVPN flowspec session with Egress PE, it detects DDOS attack traffic and generate ACL rule, the ACL rule is announced to Egress PE through EVPN flowspec protocol, then the egress PE announces it to ingress PE, finally ingress PE installs the ACL rule for traffic filtering.
DDOS Detection Appliance only needs to support EVPN flowspec function, it doesn't need to support basic EVPN function.
Thanks
weiguo
________________________________________
发件人: UTTARO, JAMES [ju1738@att.com]
发送时间: 2014年8月21日 0:29
收件人: Haoweiguo; 'idr@ietf.org'.org'; 'l2vpn@ietf.org'
抄送: liuweihang
主题: RE: New Version Notification for draft-hao-idr-flowspec-evpn-00.txt

Weiguo,

        I would like to better understand how a remote PE will "learn" that it needs to deliver a FS path to the ingress PE?? It cannot come from the CE as that is data plane learning. I would think that all FS paths have to be disseminated by a centralized controller.

Jim Uttaro

-----Original Message-----
From: Idr [mailto:idr-bounces@ietf.org] On Behalf Of Haoweiguo
Sent: Tuesday, August 19, 2014 8:31 PM
To: idr@ietf.org; l2vpn@ietf.org
Cc: liuweihang
Subject: [Idr] 答复: New Version Notification for draft-hao-idr-flowspec-evpn-00.txt

Hi All,
We have submitted a draft of " Dissemination of Flow Specification Rules for EVPN".  I will appriciate if you can give us some suggestions and comments.
Thanks
weiguo

________________________________________
发件人: internet-drafts@ietf.org [internet-drafts@ietf.org]
发送时间: 2014年8月20日 8:20
收件人: Zhuangshunwan; Haoweiguo; liuweihang; Zhuangshunwan; liuweihang; Haoweiguo
主题: New Version Notification for draft-hao-idr-flowspec-evpn-00.txt

A new version of I-D, draft-hao-idr-flowspec-evpn-00.txt
has been successfully submitted by Weiguo Hao and posted to the IETF repository.

Name:           draft-hao-idr-flowspec-evpn
Revision:       00
Title:          Dissemination of Flow Specification Rules for EVPN
Document date:  2014-08-20
Group:          Individual Submission
Pages:          7
URL:            http://www.ietf.org/internet-drafts/draft-hao-idr-flowspec-evpn-00.txt
Status:         https://datatracker.ietf.org/doc/draft-hao-idr-flowspec-evpn/
Htmlized:       http://tools.ietf.org/html/draft-hao-idr-flowspec-evpn-00


Abstract:
   This document defines BGP flow-spec extension for Ethernet traffic
   filtering in EVPN network. A new BGP NLRI type (AFI=25, SAFI=TBD)
   value is proposed to identify EVPN flow-spec application. A new
   subset of component types and extended community also are defined.




Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
_______________________________________________
Idr mailing list
Idr@ietf.org
https://www.ietf.org/mailman/listinfo/idr
_______________________________________________
Idr mailing list
Idr@ietf.org
https://www.ietf.org/mailman/listinfo/idr

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.8.7 | Report a Bug | By Email