Re: [art] [bess] APPDIR Review of draft-ietf-l3vpn-end-system-05
Matt Miller <mamille2@cisco.com> Fri, 16 December 2016 20:34 UTC
Return-Path: <mamille2@cisco.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E98E71296CB for <art@ietfa.amsl.com>; Fri, 16 Dec 2016 12:34:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.418
X-Spam-Level:
X-Spam-Status: No, score=-17.418 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.896, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x0gSkLG62bez for <art@ietfa.amsl.com>; Fri, 16 Dec 2016 12:34:24 -0800 (PST)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8519129423 for <apps-discuss@ietf.org>; Fri, 16 Dec 2016 12:34:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15423; q=dns/txt; s=iport; t=1481920464; x=1483130064; h=subject:to:references:from:message-id:date:mime-version: in-reply-to; bh=e96SAas/tWAvY8Keq6FWaanT0YfPuHTXDtgtdon7NIc=; b=fuPEwCaX/A0OB56nugeELWccX/n0/WQd5VvdDcrvXu6ls5o+7BuS+WvP ZqbkCKQPAWePTiZGPDh2Rf8IdiSRghgWfA0MtmCfyK+GJV99a3q5Zj28e Kbb/xgAIDjdu4no5phNFxTrCkojS42YiploWUuU5yt+5OAPaeHchLrg4q 0=;
X-Files: signature.asc : 496
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BIAwCcTlRY/49dJa1ZAxkBAQEBAQEBAQEBAQcBAQEBAYM3AQEBAQEfWjJUjU6VGggSBQGBGAEDjGOGG4IPggksgkCDNgKCGD8UAQIBAQEBAQEBYiiEaQEBBBIRBCc7CQIOBgQMAR0CAjEmBgEMCAEBGQEDAYhJDgOLHI9VAY12gWw8ixkBAQEBAQUBAQEBAQEBAQEQD4VzgkCBVIEIhBIRAQY2ASaCPYJdBYElAYc8hh99inACg2OBfHOCTkSHUIF0UYQygycjhgyHcIYphA8fN2MeN1uDDAUXgX0eNAGHFIIuAQEB
X-IronPort-AV: E=Sophos;i="5.33,359,1477958400"; d="asc'?scan'208";a="361974148"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Dec 2016 20:34:23 +0000
Received: from [10.129.24.86] ([10.129.24.86]) by rcdn-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id uBGKYM49029207; Fri, 16 Dec 2016 20:34:23 GMT
To: Stuart Mackie <wsmackie@juniper.net>, "bess@ietf.com" <bess@ietf.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>
References: <AB4F12B6-B9E2-494A-9704-0D12E007ADBF@juniper.net> <9B279855-F523-4650-A1E3-2428AF30FA30@juniper.net>
From: Matt Miller <mamille2@cisco.com>
Message-ID: <823aa4f5-fc64-a8ae-ecc1-1bc95b50bec9@cisco.com>
Date: Fri, 16 Dec 2016 13:34:21 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <9B279855-F523-4650-A1E3-2428AF30FA30@juniper.net>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="5o5I69faW5bnq6gFCX8F5mHw1kP00mSBU"
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/_8eyMcjhfKCFAVNgtPswcJFxsA0>
X-Mailman-Approved-At: Sat, 17 Dec 2016 08:00:43 -0800
Subject: Re: [art] [bess] APPDIR Review of draft-ietf-l3vpn-end-system-05
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Dec 2016 20:34:27 -0000
Thanks for the update, Stuart. I'll take a read through and let you know. - m&m Matt Miller Cisco Systems, Inc. On 2016-12-15 15:13, Stuart Mackie wrote: > Matt, > > > > As you have probably realized from the lack of activity on this draft, > Pedro Marques has moved on and is no longer active in this area. I have > been asked to take ownership and move the draft through the IETF process. > > > > I just posted a new version of the draft which addresses the concerns > raised in your email. > > > > I have made quite a few changes for clarity in the draft, so I have > described the changes that specifically address your issues in this note. > > > > Please let me know if you have any further concerns. > > > > Thanks > > > > Stuart > > --------------------------------------- > > > > I have been selected as the Applications in ART Directorate reviewer for > > this draft (for background on appsdir, please see > > > http://trac.tools.ietf.org/area/app/trac/wiki/ApplicationsAreaDirectorate ). > > > > Please resolve these comments along with any other Last Call comments > > you may receive. Please wait for direction from your document shepherd > > or AD before posting a new version of the draft. > > > > > > Document: draft-ietf-l3vpn-end-system-05 > > Title: BGP-signaled end-system IP/VPNs > > Reviewer: Matt Miller > > Review Date: 2016-01-18 > > IETF Last Call Date: N/A > > IESG Telechat Date: N/A > > > > Summary: This draft is not ready for publication as a Proposed > > Standard. > > > > Comments: > > > > This draft is making assumptions and design decisions that are not really > > compatible with XMPP, and these should be resolved before publishing. > > > > It's important to note XMPP is an end-to-end application routing > > protocol. Clients are capable of sending data to other clients, > > possibly crossing multiple server boundaries. For example: > > > > 1) client-a@server-1.example --> > > 2) server-1.example --> > > 3) muc.example --> > > 4) server-2.example --> > > 5) client-b@server-2.example > > > > This document seems to make the assumption that routing is purely > > between a client and its sever, which I believe has lead to design > > decisions that are very problematic. > > > > Major Issues: (All of which apply to Section 6. XMPP Signaling > > Protocol) > > > > * The addressing scheme for End Systems connecting to the external VPN > > Forwarder is not explicitly documented anywhere -- the only instance I > > can deduce is from the external VPN forwarded subscription example, > > which seems to use a domain JID for the End System. Without a clear > > XMPP addressing scheme, properly routing stanzas across the XMPP > > network and mutually authenticating TLS according to RFC 6125 (and > > possibly [XEP-0178]) seem problematic to me. > > > > /SM> Modified as follows:/ > > /The VPN Forwarder SHOULD use its hostname as JID, when available, or a > unique IP address within the infrastructure network using its string > representation. The same naming convention SHOULD be used for an End > System which has an XMPP session with an external VPN Forwarder./ > > > > If End Systems are expected to communicate directly with the Route > > Server (e.g., End System addresses stanzas to the Route Server, which > > the VPN Forwarder is expected to relay), the addressing scheme for all > > components needs to be better defined. For instance, the VPN Forwarder > > address in XMPP could be a domain JID as it is, while the End System > > address could be a bare JID derived from that VPN Forwarder's JID > > (e.g., "end-system@forwarder.example"). This would disambiguate the > > XMPP routing across the XMPP network. > > > > /SM> It is not, in fact, intended that End Systems communicate with the > Route Server directly. There were some typos that indicated to the > contrary. Figure 1 in the -05 draft was misleading since it indicated > that End Systems have an XMPP session with Route Servers. The diagram > has been updated as follows/ > > > > +---------+ +--------+ > > | RS |--------| BGP | > > +---------+ +--------+ > > / \ / > > XMPP \ / > > / \ / > > +--------------------+ \ / > > | End | VPN | \/ > > | System | Forwarder | /\ > > +--------------------+ / \ > > \ / \ > > XMPP / \ > > \ / \ > > +---------+ +--------+ > > | RS |--------| BGP | > > +---------+ +--------+ > > > > > > > > However, if VPN Forwarders are to act as proxies for End Systems, then > > it should act as a proxy in all cases -- End Systems subscribe to > > pubsub nodes on the external VPN Forwarder (which could in turn trigger > > a subscribe of the VPN forwarder to the Route Server), and receive > > notifications from the VPN Forwarder (which in turn are first received > > by the VPN Forwarder from the Route Server). > > > > /SM> The text now reads:/ > > / When an external Forwarder is used, its control software MAY operate/ > > / as an XMPP server which processes requests from end-systems and SHALL/ > > / operate as a client of one or more End-System Route Servers. The/ > > / control software relays to the End-System Route Server(s) VPN/ > > / membership stanzas it receives from the end-system. VPN routing/ > > / information received from the Route Server(s) SHOULD NOT be/ > > / propagated to the end-system unless it specifically requests such/ > > / information. End systems MAY have sessions directly with the End-/ > > / System Route Servers, and in this case no XMPP sessions are required/ > > / with VPN Forwarders./ > > > > * Using a hard-coded JID for the Route Server can be a serious problem if > > there is ever a case where individual Route Servers oversee different > > routing information. If this is never the case, then a single JID for > > all Route Servers is probably OK, but I think there could be problems > > with properly authenticating the TLS session. Using a different JID > > for each Route Server can introduce some difficulties for End Systems > > utilizing external VPN Forwarders, but I think only in the case where > > the End System is expected to subscribe to the Route Server directly -- > > if the End System actually subscribes to the VPN Forwarder, then the > > End System already knows the VPN Forwarder's JID and would not need to > > determine the Route Server' JID. > > > > /SM> It is assumed that Route Servers contain identical routing > information, / > > /or that Routing Servers contain just the routing information required > for the / > > /VPN Forwarders that connect to them. In this second case, a Routing > Server / > > /can subscribe for routing information managed in a higher-order > management / > > /system that manages all the routing information for a domain of VPN / > > /Forwarders. The protocol between Route Servers and such a higher-level / > > /management could be XMPP or another convenient protocol that supports a / > > /publish and subscribe capability./ > > > > > > Minor Issues: (all apply to Section 6. XMPP Signaling Protocol) > > > > * The XEP-0060 PubSub subscription and unsubscription examples are > > incorrect. Specifically, the 'jid' attribute of the <subscribe/> > > element is the subscriber's JID not the pubsub service, and > > subscription options are encoded using Data Forms [XEP-0004]. > > > > The co-located example then is: > > > > <iq type='set' > > from='forwarder.example' > > to='route-server' > > id='sub1'> > > <pubsub xmlns='http://jabber.org/protocol/pubsub'> > > <subscribe node='vpn-customer-name' jid='forwarder.example'/> > > <options node='vpn-customer-name' jid='forwarder.example'> > > <x xmlns='jabber:x:data' type='submit'> > > <field var='vpn#instance-id'> > > <value>1</value> > > </field> > > </x> > > </options> > > </pubsub> > > </iq> > > > > /SM> This has been corrected/ > > > > The external example could be the following (if there is a single > > addressing scheme): > > > > <iq type='set' > > from='end-system@forwarder.example' > > to='route-server' > > id='sub1'> > > <pubsub xmlns='http://jabber.org/protocol/pubsub'> > > <subscribe node='vpn-customer-name' jid='end-system@forwarder.example'/> > > <options node='vpn-customer-name' jid='end-system@forwarder.example'> > > <x xmlns='jabber:x:data' type='submit'> > > <field var='vpn#vlan_id'><value>100</value></field> > > </x> > > </options> > > </pubsub> > > </iq> > > > > > > The unsubscribe example is then: > > > > <iq type='set' > > from='forwarder.example' > > to='route-server' > > id='unsub1'> > > <pubsub xmlns='http://jabber.org/protocol/pubsub'> > > <unsubscribe node='vpn-customer-name' > > jid='forwarder.example' /> > > </pubsub> > > </iq> > > > > /SM> In the external case, the VPN Forwarder has the session with the > Route Server, not / > > /the End-System, and the text has been changed to reflect this. / > > / / > > > > * Requiring pubsub notifications to always go from the Route Server to > > the VPN Forwarder regardless of what entity subscribed to the pubsub > > node is counter to how XEP-0060 works. The pubsub subscribe request > > specifies where the notifications are supposed to go, and the pubsub > > service is expected to honor that. See above in the addressing > > discussion for some ideas of how to deal with this. > > > > /SM> Within the context of this document, only VPN Forwarders are > subscribing / > > /to Route Servers./ > > > > > > Nits: > > > > * (Mostly in Section 6. XMPP Signaling Protocol) The document often > > uses the term "message" when discussing XMPP communications. The XMPP > > term of art is "stanza" not "message"; "message" has a specific > > meaning in XMPP that is not in use here, and can lead to confusion > > for readers of this document once they follow the references to > > RFC 6120 and the various XEPs. > > /SM> Changed “message” to “stanza”, except in the section that deals with / > > /notifications/ > > > > * In Section 1. Introduction, the use of the term XMPP should be > > followed by a reference to RFC 6120. > > > > /SM> Change made/ > > > > * In Section 6. XMPP Signaling Protocol, the seventh paragraph > > (immediately preceding Figure 1) has an extraneous period (.) at the > > end of the last sentence. > > > > SM> Fixed > > > > * In Section 6. XMPP Signaling Protocol, I understood the meaning of > > the following sentence: > > > > The VPN Forwarder SHOULD use as JID its hostname, when available, > > or an unique IP address within the infrastructure network win its > > string representation. > > > > Regardless of how my XMPP addressing concerns are finally resolved, > > please revisit this sentence. > > > > /SM> Changed to:/ > > /The VPN Forwarder SHOULD use as JID its hostname, when available, or a > unique / > > /IP address within the infrastructure network using it string > representation./ > > > > > > > > References: > > > > [XEP-0004]: Data Forms < http://xmpp.org/extensions/xep-0004.html > > > [XEP-0030]: Service Discovery < http://xmpp.org/extensions/xep-0030.html > > > [XEP-0178]: Best Practices for Use of SASL EXTERNAL with Certificates < > http://xmpp.org/extensions/xep-0178.html > > > > > > > -- > > - m&m > > > > Matt Miller > > Cisco Systems, Inc. > > > > > > *…………………………..* > > > > *Stuart Mackie* > > /SDN/NFV Architect/ > > / / > > +1 914 886 2534 > > > > cid:image001.png@01D23914.C41AB720 >
- Re: [art] [bess] APPDIR Review of draft-ietf-l3vp… Stuart Mackie
- Re: [art] [bess] APPDIR Review of draft-ietf-l3vp… Matt Miller
- Re: [art] [bess] APPDIR Review of draft-ietf-l3vp… Stuart Mackie