Re: [OSPF] New Version Notification for draft-liang-ospf-flowspec-extensions-01.txt

"Acee Lindem (acee)" <> Sat, 11 October 2014 19:10 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id AECA21A872F for <>; Sat, 11 Oct 2014 12:10:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -15.287
X-Spam-Status: No, score=-15.287 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id U8KfC3KO8fzK for <>; Sat, 11 Oct 2014 12:10:52 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 30E3D1A8725 for <>; Sat, 11 Oct 2014 12:10:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=2062; q=dns/txt; s=iport; t=1413054652; x=1414264252; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=2NbiPKsR8fJRw5XIvxrPTwNqBZOoxepkBSnc65z5xXY=; b=T37PRQkaDUfSLMr+t1ufko2lN0dPo5CHaDPcVeqYvRRmFFVuskIGW9Bc EQgUcAE18OqkpZVLpZN5DsFVHSSmnlgyfpfHd0hmFgzSHyAZEHRKxLVAy WNfTsrL0YaMBNcPM6Flk0v0A5mC73bkEhqiYgtnj8+/Wo6502clowCzuQ M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.04,700,1406592000"; d="scan'208";a="86128553"
Received: from ([]) by with ESMTP; 11 Oct 2014 19:10:44 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id s9BJAiF3014081 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sat, 11 Oct 2014 19:10:44 GMT
Received: from ([]) by ([]) with mapi id 14.03.0195.001; Sat, 11 Oct 2014 14:10:44 -0500
From: "Acee Lindem (acee)" <>
To: Russ White <>, "'Osborne, Eric'" <>, "'Youjianjie'" <>, "'Hannes Gredler'" <>
Thread-Topic: [OSPF] New Version Notification for draft-liang-ospf-flowspec-extensions-01.txt
Thread-Index: AQHP2sRacNlB1LfkPUCKV4l1MfxdD5wX3ddwgA2jYQCAAOUi0P//fhsAgAGjdgCAADkxoIAAKSoAgANtcgD//8zaAIAASi+A///6mAA=
Date: Sat, 11 Oct 2014 19:10:43 +0000
Message-ID: <>
References: <> <> <20141008155350.GB34437@hannes-mba.local> <> <> <> <054c01cfe55c$b9075090$2b15f1b0$> <> <073b01cfe568$3dd93bc0$b98bb340$>
In-Reply-To: <073b01cfe568$3dd93bc0$b98bb340$>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="euc-kr"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [OSPF] New Version Notification for draft-liang-ospf-flowspec-extensions-01.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 11 Oct 2014 19:10:53 -0000

On 10/11/14, 11:30 AM, "Russ White" <> wrote:

>> OSPF is a good choice for quickly disseminating the same piece of
>> to multiple OSPF routers using the same policy and I believe that the
>> transport instance
>> instance-11.txt
>> facilitates this. However, I see flow-spec distribution in the general
>> case as being peer specific or even peer interface specific. Do you
>> The use case in question is mitigating attacks closer to the compromised
>> system by pushing the flow-spec to the customer sites using OSPF as a
>> protocol (RFC 4577). Are there any other instances where we¹d want to
>> the same flow-spec to the routers in an IGP domain using OSPF or ISIS?
>Why isn't this use case extendable to all edge OSPF routers, and not just
>CE's? I would think the same reasoning would apply...
>So -- if we are going to do this, we should specifically design it more
>a type 5, perhaps, or something with a very limited flooding scope to
>the specific use case in hand, rather than in a way that encourages
>Does this make sense?

It depends whether you want to send the flow-spec to every PE under your
administrative domain of only those PE close to the source of the attack.
If it is the latter, the current BGP mechanism Is better suited to the