Re: [art] [bess] APPDIR Review of draft-ietf-l3vpn-end-system-05
Stuart Mackie <wsmackie@juniper.net> Mon, 13 March 2017 13:02 UTC
Return-Path: <wsmackie@juniper.net>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4240C1295DA for <art@ietfa.amsl.com>; Mon, 13 Mar 2017 06:02:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=junipernetworks.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sy5HgNKFRQmZ for <art@ietfa.amsl.com>; Mon, 13 Mar 2017 06:02:46 -0700 (PDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0131.outbound.protection.outlook.com [104.47.34.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C64631295D8 for <apps-discuss@ietf.org>; Mon, 13 Mar 2017 06:02:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=junipernetworks.onmicrosoft.com; s=selector1-juniper-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=h/DK4/acJQbjC9kF61N5Ix4zmGe2OUmvZNFh0OV4mSM=; b=Fnw7gP9MYF0GMlBUaDWpS3hRFywvEZqjtRbQizHKyMKp+ROeOce4U18G+pBb/eZmygseIz2/UXNNpAyZDvooAXHpB7sTzlASxhMzJQHyxsJCBNK97ke+6Zvq+x2er/hYC9tm0A6Jrnj+PhoLOAcnFU36d55UrafMggODUXZfUzY=
Received: from BY2PR0501MB1703.namprd05.prod.outlook.com (10.163.154.156) by BY2PR0501MB1702.namprd05.prod.outlook.com (10.163.154.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.977.5; Mon, 13 Mar 2017 13:02:44 +0000
Received: from BY2PR0501MB1703.namprd05.prod.outlook.com ([10.163.154.156]) by BY2PR0501MB1703.namprd05.prod.outlook.com ([10.163.154.156]) with mapi id 15.01.0977.010; Mon, 13 Mar 2017 13:02:44 +0000
From: Stuart Mackie <wsmackie@juniper.net>
To: Matt Miller <mamille2@cisco.com>, "bess@ietf.com" <bess@ietf.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>
Thread-Topic: [bess] APPDIR Review of draft-ietf-l3vpn-end-system-05
Thread-Index: AQHSOTors9evukLEtUK6ZExvAWx8JqDNtxKAgD2OCYCAh/maAA==
Date: Mon, 13 Mar 2017 13:02:44 +0000
Message-ID: <8667BCED-2930-4655-BEC8-2E116FE26AD4@juniper.net>
References: <AB4F12B6-B9E2-494A-9704-0D12E007ADBF@juniper.net> <9B279855-F523-4650-A1E3-2428AF30FA30@juniper.net> <823aa4f5-fc64-a8ae-ecc1-1bc95b50bec9@cisco.com>
In-Reply-To: <823aa4f5-fc64-a8ae-ecc1-1bc95b50bec9@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1f.0.170216
authentication-results: cisco.com; dkim=none (message not signed) header.d=none;cisco.com; dmarc=none action=none header.from=juniper.net;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [66.129.239.15]
x-microsoft-exchange-diagnostics: 1; BY2PR0501MB1702; 7:q1w01eefze2kTEluFcDzKG9KtdHe5YWaa/86SWKKKRJwc2Bov4pGKU20DhCyT+Jx0/k687ddAL/h9BTFRhotYBrw8pg6T5r/ci3qPNqE6IjTJahY6PEV6f7XggYLfLJZQ1ckm1BOoc4We4haU0Ndi7mqfoy3XvBzmFF+6eGk+RlyyaHzYfebBSWopo1z+GLpfoiiXeg7Q1JFVmNE/sFeF3c7uMi/akVrr/Jrxb7YFBCElg4d/bUh6NnceoUMlCxC0OaJtKWewOpufE0zBOshOPWzQGBMnvcztyErQAhxgU58ZVCRw7IVKRYfJIizzknKDFDXMjuoUGTv1EOHS4c7bw==
x-ms-office365-filtering-correlation-id: 9426f092-b136-447f-dd5b-08d46a113d7b
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:BY2PR0501MB1702;
x-microsoft-antispam-prvs: <BY2PR0501MB17021AE559846A874941FECAD8250@BY2PR0501MB1702.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(60795455431006)(158342451672863)(278428928389397)(150554046322364)(95692535739014)(21532816269658);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(6041248)(20161123564025)(20161123558025)(20161123562025)(20161123555025)(20161123560025)(6072148); SRVR:BY2PR0501MB1702; BCL:0; PCL:0; RULEID:; SRVR:BY2PR0501MB1702;
x-forefront-prvs: 0245702D7B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39840400002)(39450400003)(39860400002)(39410400002)(39850400002)(24454002)(51914003)(377424004)(377454003)(36756003)(106116001)(2906002)(31430400001)(230783001)(3280700002)(3660700001)(2501003)(3846002)(2900100001)(33656002)(102836003)(1720100001)(66066001)(6116002)(305945005)(7736002)(86362001)(2201001)(53546006)(38730400002)(53376002)(77096006)(82746002)(6486002)(229853002)(19273905006)(83506001)(6506006)(6512007)(6306002)(83716003)(25786008)(5660300001)(122556002)(189998001)(6436002)(8936002)(81166006)(50986999)(8676002)(4001150100001)(4001350100001)(54356999)(76176999)(6246003)(966004)(2950100002)(53936002)(104396002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR0501MB1702; H:BY2PR0501MB1703.namprd05.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <F96CACE839220F4EB308E9CD8EC7D94A@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Mar 2017 13:02:44.3661 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR0501MB1702
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/IqtEO2VFaDqQ22GRv01DXKuau7E>
X-Mailman-Approved-At: Mon, 13 Mar 2017 08:06:03 -0700
Subject: Re: [art] [bess] APPDIR Review of draft-ietf-l3vpn-end-system-05
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2017 13:02:53 -0000
Matt Did you get a chance to look at the updates? Thanks Stuart -914 886 2534 On 12/16/16, 3:34 PM, "Matt Miller" <mamille2@cisco.com> wrote: Thanks for the update, Stuart. I'll take a read through and let you know. - m&m Matt Miller Cisco Systems, Inc. On 2016-12-15 15:13, Stuart Mackie wrote: > Matt, > > > > As you have probably realized from the lack of activity on this draft, > Pedro Marques has moved on and is no longer active in this area. I have > been asked to take ownership and move the draft through the IETF process. > > > > I just posted a new version of the draft which addresses the concerns > raised in your email. > > > > I have made quite a few changes for clarity in the draft, so I have > described the changes that specifically address your issues in this note. > > > > Please let me know if you have any further concerns. > > > > Thanks > > > > Stuart > > --------------------------------------- > > > > I have been selected as the Applications in ART Directorate reviewer for > > this draft (for background on appsdir, please see > > > http://trac.tools.ietf.org/area/app/trac/wiki/ApplicationsAreaDirectorate ). > > > > Please resolve these comments along with any other Last Call comments > > you may receive. Please wait for direction from your document shepherd > > or AD before posting a new version of the draft. > > > > > > Document: draft-ietf-l3vpn-end-system-05 > > Title: BGP-signaled end-system IP/VPNs > > Reviewer: Matt Miller > > Review Date: 2016-01-18 > > IETF Last Call Date: N/A > > IESG Telechat Date: N/A > > > > Summary: This draft is not ready for publication as a Proposed > > Standard. > > > > Comments: > > > > This draft is making assumptions and design decisions that are not really > > compatible with XMPP, and these should be resolved before publishing. > > > > It's important to note XMPP is an end-to-end application routing > > protocol. Clients are capable of sending data to other clients, > > possibly crossing multiple server boundaries. For example: > > > > 1) client-a@server-1.example --> > > 2) server-1.example --> > > 3) muc.example --> > > 4) server-2.example --> > > 5) client-b@server-2.example > > > > This document seems to make the assumption that routing is purely > > between a client and its sever, which I believe has lead to design > > decisions that are very problematic. > > > > Major Issues: (All of which apply to Section 6. XMPP Signaling > > Protocol) > > > > * The addressing scheme for End Systems connecting to the external VPN > > Forwarder is not explicitly documented anywhere -- the only instance I > > can deduce is from the external VPN forwarded subscription example, > > which seems to use a domain JID for the End System. Without a clear > > XMPP addressing scheme, properly routing stanzas across the XMPP > > network and mutually authenticating TLS according to RFC 6125 (and > > possibly [XEP-0178]) seem problematic to me. > > > > /SM> Modified as follows:/ > > /The VPN Forwarder SHOULD use its hostname as JID, when available, or a > unique IP address within the infrastructure network using its string > representation. The same naming convention SHOULD be used for an End > System which has an XMPP session with an external VPN Forwarder./ > > > > If End Systems are expected to communicate directly with the Route > > Server (e.g., End System addresses stanzas to the Route Server, which > > the VPN Forwarder is expected to relay), the addressing scheme for all > > components needs to be better defined. For instance, the VPN Forwarder > > address in XMPP could be a domain JID as it is, while the End System > > address could be a bare JID derived from that VPN Forwarder's JID > > (e.g., "end-system@forwarder.example"). This would disambiguate the > > XMPP routing across the XMPP network. > > > > /SM> It is not, in fact, intended that End Systems communicate with the > Route Server directly. There were some typos that indicated to the > contrary. Figure 1 in the -05 draft was misleading since it indicated > that End Systems have an XMPP session with Route Servers. The diagram > has been updated as follows/ > > > > +---------+ +--------+ > > | RS |--------| BGP | > > +---------+ +--------+ > > / \ / > > XMPP \ / > > / \ / > > +--------------------+ \ / > > | End | VPN | \/ > > | System | Forwarder | /\ > > +--------------------+ / \ > > \ / \ > > XMPP / \ > > \ / \ > > +---------+ +--------+ > > | RS |--------| BGP | > > +---------+ +--------+ > > > > > > > > However, if VPN Forwarders are to act as proxies for End Systems, then > > it should act as a proxy in all cases -- End Systems subscribe to > > pubsub nodes on the external VPN Forwarder (which could in turn trigger > > a subscribe of the VPN forwarder to the Route Server), and receive > > notifications from the VPN Forwarder (which in turn are first received > > by the VPN Forwarder from the Route Server). > > > > /SM> The text now reads:/ > > / When an external Forwarder is used, its control software MAY operate/ > > / as an XMPP server which processes requests from end-systems and SHALL/ > > / operate as a client of one or more End-System Route Servers. The/ > > / control software relays to the End-System Route Server(s) VPN/ > > / membership stanzas it receives from the end-system. VPN routing/ > > / information received from the Route Server(s) SHOULD NOT be/ > > / propagated to the end-system unless it specifically requests such/ > > / information. End systems MAY have sessions directly with the End-/ > > / System Route Servers, and in this case no XMPP sessions are required/ > > / with VPN Forwarders./ > > > > * Using a hard-coded JID for the Route Server can be a serious problem if > > there is ever a case where individual Route Servers oversee different > > routing information. If this is never the case, then a single JID for > > all Route Servers is probably OK, but I think there could be problems > > with properly authenticating the TLS session. Using a different JID > > for each Route Server can introduce some difficulties for End Systems > > utilizing external VPN Forwarders, but I think only in the case where > > the End System is expected to subscribe to the Route Server directly -- > > if the End System actually subscribes to the VPN Forwarder, then the > > End System already knows the VPN Forwarder's JID and would not need to > > determine the Route Server' JID. > > > > /SM> It is assumed that Route Servers contain identical routing > information, / > > /or that Routing Servers contain just the routing information required > for the / > > /VPN Forwarders that connect to them. In this second case, a Routing > Server / > > /can subscribe for routing information managed in a higher-order > management / > > /system that manages all the routing information for a domain of VPN / > > /Forwarders. The protocol between Route Servers and such a higher-level / > > /management could be XMPP or another convenient protocol that supports a / > > /publish and subscribe capability./ > > > > > > Minor Issues: (all apply to Section 6. XMPP Signaling Protocol) > > > > * The XEP-0060 PubSub subscription and unsubscription examples are > > incorrect. Specifically, the 'jid' attribute of the <subscribe/> > > element is the subscriber's JID not the pubsub service, and > > subscription options are encoded using Data Forms [XEP-0004]. > > > > The co-located example then is: > > > > <iq type='set' > > from='forwarder.example' > > to='route-server' > > id='sub1'> > > <pubsub xmlns='http://jabber.org/protocol/pubsub'> > > <subscribe node='vpn-customer-name' jid='forwarder.example'/> > > <options node='vpn-customer-name' jid='forwarder.example'> > > <x xmlns='jabber:x:data' type='submit'> > > <field var='vpn#instance-id'> > > <value>1</value> > > </field> > > </x> > > </options> > > </pubsub> > > </iq> > > > > /SM> This has been corrected/ > > > > The external example could be the following (if there is a single > > addressing scheme): > > > > <iq type='set' > > from='end-system@forwarder.example' > > to='route-server' > > id='sub1'> > > <pubsub xmlns='http://jabber.org/protocol/pubsub'> > > <subscribe node='vpn-customer-name' jid='end-system@forwarder.example'/> > > <options node='vpn-customer-name' jid='end-system@forwarder.example'> > > <x xmlns='jabber:x:data' type='submit'> > > <field var='vpn#vlan_id'><value>100</value></field> > > </x> > > </options> > > </pubsub> > > </iq> > > > > > > The unsubscribe example is then: > > > > <iq type='set' > > from='forwarder.example' > > to='route-server' > > id='unsub1'> > > <pubsub xmlns='http://jabber.org/protocol/pubsub'> > > <unsubscribe node='vpn-customer-name' > > jid='forwarder.example' /> > > </pubsub> > > </iq> > > > > /SM> In the external case, the VPN Forwarder has the session with the > Route Server, not / > > /the End-System, and the text has been changed to reflect this. / > > / / > > > > * Requiring pubsub notifications to always go from the Route Server to > > the VPN Forwarder regardless of what entity subscribed to the pubsub > > node is counter to how XEP-0060 works. The pubsub subscribe request > > specifies where the notifications are supposed to go, and the pubsub > > service is expected to honor that. See above in the addressing > > discussion for some ideas of how to deal with this. > > > > /SM> Within the context of this document, only VPN Forwarders are > subscribing / > > /to Route Servers./ > > > > > > Nits: > > > > * (Mostly in Section 6. XMPP Signaling Protocol) The document often > > uses the term "message" when discussing XMPP communications. The XMPP > > term of art is "stanza" not "message"; "message" has a specific > > meaning in XMPP that is not in use here, and can lead to confusion > > for readers of this document once they follow the references to > > RFC 6120 and the various XEPs. > > /SM> Changed “message” to “stanza”, except in the section that deals with / > > /notifications/ > > > > * In Section 1. Introduction, the use of the term XMPP should be > > followed by a reference to RFC 6120. > > > > /SM> Change made/ > > > > * In Section 6. XMPP Signaling Protocol, the seventh paragraph > > (immediately preceding Figure 1) has an extraneous period (.) at the > > end of the last sentence. > > > > SM> Fixed > > > > * In Section 6. XMPP Signaling Protocol, I understood the meaning of > > the following sentence: > > > > The VPN Forwarder SHOULD use as JID its hostname, when available, > > or an unique IP address within the infrastructure network win its > > string representation. > > > > Regardless of how my XMPP addressing concerns are finally resolved, > > please revisit this sentence. > > > > /SM> Changed to:/ > > /The VPN Forwarder SHOULD use as JID its hostname, when available, or a > unique / > > /IP address within the infrastructure network using it string > representation./ > > > > > > > > References: > > > > [XEP-0004]: Data Forms < http://xmpp.org/extensions/xep-0004.html > > > [XEP-0030]: Service Discovery < http://xmpp.org/extensions/xep-0030.html > > > [XEP-0178]: Best Practices for Use of SASL EXTERNAL with Certificates < > http://xmpp.org/extensions/xep-0178.html > > > > > > > -- > > - m&m > > > > Matt Miller > > Cisco Systems, Inc. > > > > > > *…………………………..* > > > > *Stuart Mackie* > > /SDN/NFV Architect/ > > / / > > +1 914 886 2534 > > > > cid:image001.png@01D23914.C41AB720 >
- Re: [art] [bess] APPDIR Review of draft-ietf-l3vp… Stuart Mackie
- Re: [art] [bess] APPDIR Review of draft-ietf-l3vp… Matt Miller
- Re: [art] [bess] APPDIR Review of draft-ietf-l3vp… Stuart Mackie