Re: [RARE-users] [freertr] flowspec divert-* features ---- was: Re: Fwd: New Version Notification - draft-ietf-idr-bgp-ct-04.txt
- From: "David Schmitz" <>
- To: mc36 <>
- Cc: "" <>, Niall Donaghy <>, Mohácsi János <>
- Subject: Re: [RARE-users] [freertr] flowspec divert-* features ---- was: Re: Fwd: New Version Notification - draft-ietf-idr-bgp-ct-04.txt
- Date: Mon, 12 Jun 2023 13:14:09 +0200 (CEST)
- List-id: <freertr.groups.io>
Hi Csaba,
On Mon, 12 Jun 2023, mc36 wrote:

> Date: Mon, 12 Jun 2023 11:55:08 +0200
> From: mc36 <>
> To: David Schmitz <>, "" <>, Niall Donaghy <>, Mohácsi János <>
> Subject: Re: [freertr] flowspec divert-* features ---- was: Re: Fwd: New Version Notification - draft-ietf-idr-bgp-ct-04.txt
>
> i see so 4 your use case you need redirect to vrf and ip or both?

I have no idea. I will have to ask this to the NeMo team.
NeMo is working on a new solution here. But this is just work in progress.

> does geant have cleanup capacity ~= ebgp capacity, already or in the upcoming years or whats the plan with thattt???

I will have to ask them about this as well.

> in other words, at that point most if not all of these cleaners could be used inline and then you can use them as is...

Unfortunately, I do not know the exact details.
But, roughly:
In the NeMo architecture, the FlowSpec filtering capabilities on the router are used as the first layer, for coarse-grained filtering.
Based on that, the cleaner VMs per router in the NeMo architecture
are meant as a second layer for washing specific traffic,
which is more fine-grained than FlowSpec match filters.

> even more fun, if geant somehow can make the in/out traffic symmetric then ip[46] inspect is already there in the dataplanes with tls/ssl logging....

Interesting idea.
Again, this will have to be discussed with the NeMo team.

Best Regards
David

> thx,
> cs
On 6/12/23 11:18, David Schmitz wrote:
Hi Csaba,
On Mon, 12 Jun 2023, mc36 wrote:
> Date: Mon, 12 Jun 2023 11:08:31 +0200
> From: mc36 <>
> To: David Schmitz <>
> Subject: Re: [freertr] flowspec divert-* features ---- was: Re: Fwd: New Version Notification - draft-ietf-idr-bgp-ct-04.txt
>
> u're welcome! :)

A short explanation:
FoD is up-to-now not concerned with redirection.
But NeMo is:
Basically NeMo can combine using FlowSpec for dropping or rate-limiting on the routers
together with redirection to local firewalls (e.g., one firewall per router) for cleaning.
These local firewalls are developed by DFN itself based on Linux iptables and so on.
So, as we are looking forward to a show-case for both FoD and NeMo,
redirection might be interesting in the long term.
The setup of these local firewalls (on VMs) might require help and support by
the NeMo team, which is currently busy with other things.
Anyway, NeMo can also work with dropping or rate-limiting on the routers alone,
and so for the short term this is definitely enough.
Best Regards
David
On 6/12/23 11:05, David Schmitz wrote:
Hi Csaba,
On Sun, 11 Jun 2023, mc36 wrote:
> Date: Sun, 11 Jun 2023 09:30:09 +0200
> From: mc36 <>
> Reply-To: ,
> To: Kaliraj Vairavakkalai <>
> Cc: "" <>, David Schmitz <>, Niall Donaghy <>, Mohácsi János <>
> Subject: [freertr] flowspec divert-* features ---- was: Re: Fwd: New Version Notification - draft-ietf-idr-bgp-ct-04.txt
>
> hmmmm... anyway as its written and sent/archived/virusscanned on both sides,
> at this point imho let me cc the list on thiss tooo :)))
> david, please read throughly the quoted/forwarded emails, it may interest u too....

Ok, will do that.
Many Thanks.
Best Regards
David
if u have a question, lemme ask and pls remove kaliraj & janos from that conversation... :)
kaliraj: david is preparing a geant firewall on demand (fod) demo pod to showcase: https://github.com/GEANT/FOD
map.geant.org is yet another boring jun1per shop as i see their boxes in my racks
and in their core isis; they assigned sids for each of their pes' /32 and /128 an
index already, and from the segment base i see what they purchased.... :)))
niall: you're here once again just because geant is mentioned as my fav. uplink
isp to "default route to", and you're my fav. contact there.... :))))
janos is my local trustworthy boss of a boss of a boss, rfc author, head of development at niif.hu, as far as i know.... :))
br,
cs
On 6/11/23 08:18, mc36 wrote:
hihi in p2p,
morning, etc! yess i know that flowspec redirect* features are here to detect from netflow and cleanup in an off-ramp vrf..
but, here we have 5+ secret services and tried not once to approach us with the idea to mirror/sniff the clearnet vrf... :(((
so thats why im from full heart against these redirect* things in flowspec.... and as i heard from other telco guys, basically
no a single box could be sold without the li "feature" butt, we're routers4academia&research so its a big no from the me and imho from the whole team!
(we wont let out shitloadz to get backdoored by a purpose, etc!)
but, if you have any good idea about the redirect-ip stuff, then let me know....
after 2nd thought on the topic is still that on an ebgp peering there is no reason to rewrite the layer3 nexthops especially if we're in mpls encapped,
on ibgp, one should locpref on ingress ebgp and never play dirty tricks to alter an afi from an other afi...
ddos never lasted here more than 5-10 minutes or so, and policer/drop is fine for that: you usually have a magnitude higher ebgp capacity than cleanup capacity
aaand on the internet, the packet delivery is best effort! so if someone buys a permanent ddos on the darkweb then you can still fine-tune the flowspec/interface policers...
br,
cs
On 6/11/23 05:58, Kaliraj Vairavakkalai wrote:
I understand Csaba. No issues. It is an optional thing as per the CT draft. So no issues.
One of the ways I have seen this Flowspec with redirect-ip feature being used is for
DDoS protection, to redirect a flow to a firewall device within an administrative domain.
In that way, it can be used to protect users against bad actors as well.
But yes, any tool can be used in both good or bad ways.
So I understand if you don't want to implement the flowspec redirect-to-ip feature. Totally fine with me. :)
Thanks
Kaliraj
Juniper Business Use Only
From: mc36 <>
Date: Saturday, June 10, 2023 at 5:30 PM
To: Kaliraj Vairavakkalai <>
Subject: Re: Fwd: New Version Notification - draft-ietf-idr-bgp-ct-04.txt
so it's a danger-danger-nooodle and i clearly wont let them to spy on "my" childs.... :)
On 6/11/23 02:29, mc36 wrote:
imho this is 4 the secret services (read spies, lawful intercept, etc) and thats why, but pls change my mind...
hihi in p2p chitty-chat...
fwd/quoted:
"
Flowspec redirect-to-ip with Mapping community
clearly red _NO_, we only support flowspec policer (or drop) and that propagates to the dataplanes....
regarding the flowspec divert (ip/vrf) features, its clearly _not_ and _wont_ happen on the todo.txt....
(tbh i have a strong opinion against this all but lemme not take this to a philosophical discussion:))
((tbh i even dont get the idea why the hell one would divert to a different ip on a p2p ethernet))
(((( regarding the divert-vrf stuff, i fvkkkin just nooo never ever!!!!! srry 4 the language!!! ))))
"
imho this is 4 the secret services (read spies, lawful intercept, shell control box, rdp recorder, tls intercept, etc) and thats why, but pls change my mind...
so it's a danger-danger-nooodle and i clearly wont let them to spy on "my" childs.... :)
we normally trust each other, it's just them who dont trust their own sisters and brothers... :(
thx,
cs
--
David Schmitz
Boltzmannstrasse 1, 85748 Garching
Telefon: +49 89 35831-8765
Leibniz-Rechenzentrum, Germany
Mail:
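The thread contrasts two kinds of FlowSpec action: the traffic-rate policer (rate 0 = drop) that freertr propagates to its dataplanes and that NeMo uses as its coarse first layer, and the divert-to-VRF / divert-to-IP actions that mc36 refuses to implement. As an added example (not code from this thread, from freertr, or from NeMo/FoD), the block below encodes and decodes those action extended communities as laid out in RFC 8955 section 7 and applies a receive-side policy that keeps only the actions an operator allows; the AS number and route-target values are constructed.

```python
import struct

# Extended-community (type, sub-type) values from RFC 8955 section 7.
TRAFFIC_RATE_BYTES = (0x80, 0x06)   # policer in bytes/s; rate 0 means discard
TRAFFIC_ACTION     = (0x80, 0x07)   # terminal / sample flag bits
RT_REDIRECT_AS2    = (0x80, 0x08)   # redirect to VRF via route target (2-byte AS form)
TRAFFIC_MARKING    = (0x80, 0x09)   # DSCP remark


def encode_traffic_rate(asn: int, rate_bytes_per_sec: float) -> bytes:
    """Traffic-rate-bytes community: 2-byte AS followed by an IEEE single float."""
    return struct.pack(">BBHf", *TRAFFIC_RATE_BYTES, asn, float(rate_bytes_per_sec))


def encode_rt_redirect(asn: int, local_admin: int) -> bytes:
    """rt-redirect (divert-to-VRF) community: route target ASN:local_admin."""
    return struct.pack(">BBHI", *RT_REDIRECT_AS2, asn, local_admin)


def decode_action(ec: bytes) -> dict:
    """Decode one 8-byte FlowSpec action community into a small description."""
    if len(ec) != 8:
        raise ValueError("extended community must be 8 bytes")
    kind = (ec[0], ec[1])
    if kind == TRAFFIC_RATE_BYTES:
        asn, rate = struct.unpack(">Hf", ec[2:])
        action = "discard" if rate == 0 else "rate-limit"
        return {"action": action, "asn": asn, "rate": rate}
    if kind == RT_REDIRECT_AS2:
        asn, local_admin = struct.unpack(">HI", ec[2:])
        return {"action": "redirect-vrf", "route_target": f"{asn}:{local_admin}"}
    if kind == TRAFFIC_ACTION:
        return {"action": "traffic-action",
                "terminal": bool(ec[7] & 0x01), "sample": bool(ec[7] & 0x02)}
    if kind == TRAFFIC_MARKING:
        return {"action": "mark", "dscp": ec[7] & 0x3F}
    return {"action": "unknown", "type": ec[0], "subtype": ec[1]}


def filter_actions(communities, allowed=("discard", "rate-limit")):
    """Receive-side policy: keep only permitted actions, report the rest.

    The default mirrors a policer/drop-only stance: redirect communities
    received from a peer are rejected rather than installed.
    """
    kept, rejected = [], []
    for ec in communities:
        decoded = decode_action(ec)
        (kept if decoded["action"] in allowed else rejected).append(decoded)
    return kept, rejected
```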