IDR Schedule 
Co-chairs: John Scudder and Susan Hares

IETF-95 on Tuesday, April 5 from 10 a.m. to 12:30 p.m.



Meeting start. 


0/1. Agenda Bash/Chair slides    [10:00-10:10]
   Potential Dates for IDR Interims before IETF96:
    5/2/2016, 6/6/2016, 6/27/2016
        Interim topics:  Flow Specification + Yang + Open topics 
        
Existing Draft updates [10:10-10:25]  

Sue described draft status
Really important for this week is for you to go to the MPLS session on Wed.

Summary of BGP flow specification
- version 1 - adoption
- version 2 - do operators want it? 


John talked about the IDR wiki


Stefano presentation: 
    
2. draft-gredler-idr-bgp-ls-segment-routing-ext [9 minutes]
Major change:
    improved structure
    re-define the TLV for segment routing
    
   draft-ietf-idr-bgpls-segment-routing-epe-02.txt 
   Major changes:
       don't want to restrict egress process
   
   draft-ietf-idr-te-lsp-distribution-04.txt
   
   Major change: 
       change the structure for TE tunnel
        [Stefano Previdi]  

Stefano presenting. 

Sriram presenting

3. draft-ietf-idr-route-leak-detection-mitigation-02.txt [6 minutes]
[K. Sriram]
 
BGP Flow Specification [40 minutes] [10:25-11:05] 

It has been a WG draft for over a year.
This work is meant for routing mitigation and avoidance. 

It is better to specify what not to distribute. 
highlight 

Alexander Azimov: Route Leak Detection and filtering using roles in Update
Route leak: easiest way for a hacker to reroute the traffic to a different place
Showed the route leak statistics: >30K prefixes each month

Neet Neighbor Roles:

Propose a Strict Mode: if you receive a request without a role, a notification has to be sent.

Preventing route leaks:
    Role can be customer or Peer
    
OTC attributes

Key Idea: BGP rules to control / help/check configuration of directly connected neighbors

Security considerations: OTC. There is a problem when OTC is removed.

Randy Bush: Asking the operator to configure a community seems sensible. The issue is that the world is not full of friends. Concern is business relationship.

Jared Mauch/NTT: There is always a complicated relationship. There are several BGP implementations that send the full table and don't give you an option.

Alexander: configuring the roles is mandatory for session to come up.

Jared Mauch/NTT: A big frustration I personally have, the implementation that refuse to the specification. The big challenge is that the implementor doesn't do the right thing.

Sriram: We had a good discussion one-on-one yesterday about the overlap between 
the existing WG draft and this draft.
This draft has two parts: (1) Modification of BGPOpen to include BGP role and 
(2) A proposal for route leak prevention/detection/mitigation.  
    
Alex: 3 parts: roles, detection, prevention

Sriram: The detection/mitigation part significantly overlaps with the detailed
technical solution that has been described in the existing draft.
Your proposal lacks the per hop RLP attribute which is very important
and is part of the existing WG draft.
As we discussed yesterday between us, it would make sense to separate 
the BGP role part of your proposal into a separate draft.
The rest can be used as inputs for the existing draft.
I welcome you to work with us and contribute to the existing WG draft.
Yesterday you expressed your willingness to do that.

Alex: Thank you.
  
Sandy: How do you measure the route leak?

Alex: We use the business model to determine the leaks.

Sandy: You listed some reasons for route leak, is there any reason that people use OTC are not intentional?

Alex: Currently we don't have this problem.

Jeff Haas: My understanding is that each side has a role set and each side tries to match it?
Alexander: Yes.
Jeff: What about when roles are not supported on one side?
Alexander: Strict mode would not allow that, and it is off by default. Roles represent my side configuration.

Jeff: If you do not negotiate the roles, then they can simply be assigned?
Alexander: Yes, see the open roles comments in draft. 

MPLS Label

Jeff: How to support multiple routers w/in AS providing actions? Sequence number may not remain consistent.
Sue: Is your concern communities...
Jeff: (ref packet layout slide) Order number makes sense when only a single router is inserting community, but suppose a RR adds another one, or originates another filter?


4. BGP Flow Specification work (chair's slide) [10 minutes]
   draft-hares-i2rs-flowspec-combo-01.txt 
   Status on WG call for V1 drafts 
   Status on WG Call for V2 Use cases 

Sue: there is an open WG ado on multiple FS drafts, please read and comment. 
Option 1: don't make any changes to existing method, which is used to prevent DDoS by expands filters + Actions with defined order.
Keep the current security method. 

Option 2: 
    will take some changes, so will use WIDE community
    Need to define the ordered actions. 
    
Common work: 
    if we need ROA? 
    conflict between actions

Two proposals for WIDE community

5. MPLS Match and action [10 minutes]
   draft-yong-flowsspec-mpls-match 
   draft-liang-idr-flowspec-mpls-action-00
   [Sue Hares] 

[Sue presenting]
The (e, a, i flags) in TLV are the same as RFC 5575
FlowSpec Label Action:
    Added label 

Questions:
    
Jeff Haas: Hard issue: you have a list of actions with a certain order, but another box may have a different order.

Sue: Are you concerned that the community might be lost?

Jeff: You see the order. However, you may have a case where the RR adds a community with the order.

Eric Osborne/Level3: Matching of MPLS label value - I do not see much value in this approach. 
What I match on is the FEC. 

Jeff Haas: If you are using some form of label distribution protocol then yes, label value is ephemeral. But in case of central control, label values have a more stable context.

Sue: We only allowed matching the LSP (static) or filters, or on the EXP.

Jeff: FEC matching can be set at each router - as filter, but it is not exposed in protocol.
Sue: Does the 

6. Redirect to VPN 
   draft-yong-idr-flowspec-redirect-vpn-rd [10 minutes]
   [Lucy Yong] 

To promote alternative Flowspec
Propose a new Redirect VPN RD Extended community
When a Flow Spec on redirect VPN is received, it is a local decision to determine which VPN to redirect to. Using RT, which identifies exactly which VPN instance.
Example of DDoS traffic redirect.

Question:
Robert: First of all, RD doesn't represent VPN.

Robert Raszuk: RD allocation might be automatic, it is RT that controls what goes where. If RT is overloaded, then assign a new value. 
Unnamed speaker: how would you handle the overlapping VPNs? 
Lucy: (missed) 

7. draft-vandevelde-idr-flowspec-path-redirect-02 [10 minutes]
   [Gunter Van De Velde]
   

Lucy: That is already addressed by another draft. It is good to go towards the same direction.
Gunter: This draft was the first to address this problem. Other drafts later describe the same problem.

Jeff Tantsura/Ericsson: It is good to have a container.

Sue Hares: Is your comment on generic applicability of containers, or specific to this document?
Jeff Tantsura/Ericsson: Yes to all of these.
John Scudder: We will go through the usual WG adoption process.
Sue: It is already open.

New drafts: [11:05 - 12:30]
8) draft-ymbk-idr-bgp-open-policy-00 [11:05 - 11:15]
  [Alexander Azimov]
Alexander presenting (presented after route leak) 
Randy Bush/IIJ: Asking to configure the communities seems sensible. 


Jie Dong presenting:   
9) draft-dong-idr-ls-ip-tunnel-00 [11:15-11:25] 
  [Jie Dong]

Propose new NLRI type for IP tunnel identifier 
    Should have one draft to describe different flavors of tunnels
Stefano Previdi/Cisco: segment-routing-te-policy-00. 
    Arjun Sreekantiah  [11:25-11:35]
    Should have one draft to describe different flavors of tunnels
    
10) draft-previdi-idr-segment-routing-te-policy-01
Important aspects of SR TE Policy:
    granularity is the policy, not the endpoint
    scalability / flexibility
    not bound to the BGP next spe
    no message size (BGP MTU) issue.
    
Add a new TLV for the encoding structure

Chris Bowers/Juniper: This looks a lot like PCE with central controller. The first version of the draft assumes that only the edge nodes are involved. Recommend adding more to the draft.

Arjun: That is a good point.
Lucy Yong/Huawei:

Robert Raszuk: this is a useful work but overlaps significantly with Flowspec v2. 

Jeff (Ericsson): 



11) draft-li-idr-congestion-status-extended-community-00.txt
   Zhenqiang Li [10 minutes]     [11:35-11:45] 

Using extended community to inform the congestion of remote segments/inter-connect links.
Joel (Ops AD): Your security consideration is not really about security.
        
12) draft-keyupate-idr-bgp-attribute-announcement-00.txt
   Keyur Patel [10 minutes]      [11:45-11:55]

Sue: You are asking the capability

Keyur: We think the solution is so simple, but it requires architecture change, so we ask WG

Jie Dong: Requirement is valid. What should we do for the existing attributes?

Keyur: We leave existing attributes as is. Going forward,

Jie Dong: Multi AS boundary

Keyur: We leave AS boundary to the operators. It is difficult for the implementor to determine which one is in the boundary

Eric Gray (Ericsson): How do you determine which one is Transit





13) draft-keyupate-idr-bgp-selective-add-paths
   Acee Lindem [10 minutes]     [11:55-12:05]

Jeff Haas: We have this implementation. It is a useful thing.

Acee: We only think about AFI/SAFI,

Jeff: 
    
John Mitchell (Google)? we have 3 implementations. The 

Acee: (repeat of question ) rather than Add path, is better to modify the path? If you choose to 


   
14) draft-lapukhov-bgp-opaque-signaling-01.txt
   Petr Lapukhov <petr@fb.com> [12:05-12:15]

Implementation: new AFI

Keyur: Did you say that you are open-sourcing your code?
Petr: There are some legal issues

Keyur: This is a fantastic proposal. One thing to consider: if you go down to take services by BGP, use IANA

Lucy Yong: Interesting idea. If you rely on BGP to transport policy,

John (Chair): suggest the WG to consolidate all the propos

15) draft-lapukhov-bgp-ila-afi-00.txt 
                              [12:15-12:25]
 
 
XX?: BGP keeps all the paths. You end up keeping all the copies. Is it in the IDR charter?

John (chair): I think we crossed the bridge a long time ago.

Acee: First of all, rename the draft to IDR. I have seen this implementation, but not sure if we need standardization.