Re: [bess] Comments on draft-dawra-idr-srv6-vpn-03
Robert Raszuk <robert@raszuk.net> Tue, 02 January 2018 15:29 UTC
Return-Path: <rraszuk@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16CBC12706D; Tue, 2 Jan 2018 07:29:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JFQfaCEcshGD; Tue, 2 Jan 2018 07:29:48 -0800 (PST)
Received: from mail-wr0-x231.google.com (mail-wr0-x231.google.com [IPv6:2a00:1450:400c:c0c::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CE3A124D68; Tue, 2 Jan 2018 07:29:48 -0800 (PST)
Received: by mail-wr0-x231.google.com with SMTP id l19so36479200wrc.2; Tue, 02 Jan 2018 07:29:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=KrTdslgPCuPig7J7U1kptSvC4t8wJsrHXpDoiaH/RX8=; b=qobHAVj+1Wtx2L6hJV8uUgw+BnThgtc5/I93tBCvLHchdNwuGq3zqILhxOuEUEYpqr pdr10oApdk4/wLgmqlKjA1BXwCzG0scXztr2VFtZY1RIe/b4YBdk9gPtZIe/NV7j87Dt kOrpDYAStExfHDk/k1/Hfin15XMUxrxcHDxUaz85z248lJwYYn94IabOfp/Ek8pbA2N+ eoXDgn4xk27QePEelC37gN53EQRqEQLL1svqGSZqOYLOrPHfRNZKWQxk7XFkWaMGfP54 f/o0LJPafl7U7OK+KJLZGUJ1tba8EMVxobf67VB+9v/2NAelvtBQN+J9ntfqP5dY7NR/ 60Jg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=KrTdslgPCuPig7J7U1kptSvC4t8wJsrHXpDoiaH/RX8=; b=fZOX1osOx+MRe+J74xHHrruqxfDBmeSHLTunn8R1tLrEZ1WJXvpDcRBVjLud2OsTBE Bz9Wxjlv3YjI5qy6ep4UHVJ0RYqQtRavzhwHOlq8fs0+WAWik+6rNoVXU55Q1vbmxbsE yiu+UfmK1oJw0wi5qXwi/yXUKDsh5SYkQnfctkAxG7ik1sSCXOpapxZbQ8KNuOeP/OZn 9gAQBLI3IC/0kqAREibdTs5XZzigBeDguE/1KvDsgmMFrHS0+GHaI8BZaBB3eQ6I016V OuHaBH3gebwoHOwYOEMCPfLOCXsYvuLM9RM6HLnLs8t3vDH7oyqon1heMcBjp6bagsSh lwjA==
X-Gm-Message-State: AKGB3mI/qUqqoKcP2YGvxt1dKkVVKqXgoFMADKqfdlhkyrCueFszrlg2 36Acxh7ZIwmY8cpSB4Svd8w7R3W2YbRTfxY6piz3fQ==
X-Google-Smtp-Source: ACJfBov6YEEZne8Msf+TWb6xIXqefauidP3DJkKchzJiuXDl3y/MRpbWBIVGd48m2c0o4dghFvvXhDqBELSY5PkuKPc=
X-Received: by 10.223.201.6 with SMTP id m6mr42382414wrh.107.1514906986198; Tue, 02 Jan 2018 07:29:46 -0800 (PST)
MIME-Version: 1.0
Sender: rraszuk@gmail.com
Received: by 10.28.54.217 with HTTP; Tue, 2 Jan 2018 07:29:45 -0800 (PST)
In-Reply-To: <7dd8f2db-72dd-da17-6dc7-39f6ab44f543@juniper.net>
References: <afb80dad-4f6a-332f-bb3a-4641a3c61a77@juniper.net> <CA+b+ERmbqc+HDrHnhdUMYqPanyV513acTWo8La9v2hWZ7eo6ng@mail.gmail.com> <7dd8f2db-72dd-da17-6dc7-39f6ab44f543@juniper.net>
From: Robert Raszuk <robert@raszuk.net>
Date: Tue, 02 Jan 2018 16:29:45 +0100
X-Google-Sender-Auth: 5SfXQQb8UJ2khQY4j3PGucUgKdo
Message-ID: <CA+b+ERkpn7d95X4grhBmfOP8fYmt=ACLLitAOMpKyRoqhAMB0Q@mail.gmail.com>
To: Eric C Rosen <erosen@juniper.net>
Cc: "bess@ietf.org" <bess@ietf.org>, draft-dawra-idr-srv6-vpn.authors@ietf.org, spring@ietf.org
Content-Type: multipart/alternative; boundary="089e082f9bbcc7bb120561ccc4ad"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/3Nyz21w78_3suSabJfolv7eSb1s>
Subject: Re: [bess] Comments on draft-dawra-idr-srv6-vpn-03
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jan 2018 15:29:51 -0000
Hi Eric, Being routable is not the same as having per VRF or per CE unique IPv6 address. Being routable to me means that lookup on first N bits of the address will result in forwarding action while the last N bits of the address can have local significance. The use of "dual purpose" is indeed a bit confusing in the draft however it is only MAY which one can also read as MAY NOT :) If operator wishes to have per VRF IPv6 SID implementation complaint with the draft allows that. However smart implementation may also provide mechanism not to require to have full IPv6 address per VRF or per CE. Cheers, R. On Tue, Jan 2, 2018 at 3:10 PM, Eric C Rosen <erosen@juniper.net> wrote: > On 12/28/2017 1:55 PM, Robert Raszuk wrote: > > Ok let's start all over :) > > > From the draft: > > The SRv6 VPN SID MAY be routable within the AS of the egress-PE and > serves the dual purpose of providing reachability between ingress-PE > and egress-PE while also encoding the VPN identifier. > > I took this to mean that a single IPv6 address could cause the backbone > to forward the packet to the egress-PE and cause the egress-PE to look up > the payload's IP address in a VRF which is identified by that same IPv6 > address. Did I misunderstand that? > > **** This suggests that an IPv6 address has to be assigned to each VRF (for >> **** per-VRF "labeling"), or even to each CE (for per-CE labeling). >> > > No one suggests that. VPN SID is not IPv6 address .. it is part of v6 SID > which when appended to IPv6 prefix forms a complete SRv6 SID. Semantics > does matter here. > > > Given the above quote from the draft, I'm not sure what is wrong with what > I said. > > > **** If those addresses are routable, doesn't this create a security issue >> **** as discussed in RFC 4023 Section 8.2? >> > > PE's loopback address say /64 being routable causes any security risk ? > > > Please see the reference. > > > **** The phrase "only has local significance" suggests that these SIDs are >> **** not routable. But later on there is a suggestion that they are >> **** routable, or at least that they might be. >> > > Again SIDs are not routable and they have only local significance - true. > They are prepended to say loopback address to form IPv6 SID. > > **** So there are a number of options: >> **** - not routable >> **** - globally routable >> **** - routable only within egress AS >> > > This is referring to routability of SID ... not right. SID does not need > to be routable. What prefix they are part of may be routable. > > > Just replace my use of the term "SID" with the longer term "the IPv6 > address of which the SID is a part". > > > >> and the BGP ingress device receiving this route >> MAY choose to encapsulate or insert an SRv6 SRH, second it indicates >> the value of the SID to include in the SRH encapsulation. For L3VPN, >> only a single SRv6-VPN SID MAY be necessary. >> >> **** I don't understand the phrase "only a single SRv6-VPN SID MAY be >> **** necessary". >> > > Analogy to basic L3VPN when you have VPN label and underlay LDP label. > > > Still don't understand what is being said. > > > > If the BGP speaker supports MPLS based >> L3VPN simultaneously, it MAY also populate the Label values in L3VPN >> route types and allow the BGP ingress device to decide which >> encapsulation to use. If the BGP speaker does not support MPLS based >> L3VPN services the MPLS Labels in L3VPN route types MUST be set to >> IMPLICIT-NULL. >> >> **** Please provide a reference that specifies how you set the Label field >> **** of a SAFI-4 or SAFI-128 route to "implicit null". I don't recall any >> **** such thing existing in RFC 3107, 4364, or 8277. >> > > > 4364 does not restrict what value of VPN label is used - does it ? I > think this draft now right here defines how to read implicit-null being > placed there :) It's not my idea though - so I will let real inventors to > comment on it more. > > >> **** If you mean "set to three" (the value defined in RFC 3032 to >> represent >> **** "implicit null"), I don't think the SAFI-4/SAFI-128 implementations >> **** generally interpret the value three in that manner. >> > > As mentioned I think it just is being defined here and now. > > > I didn't see any mention of the numeric value to put in the label field of > the NLRI. > > or to define a new special or reserved label for that embedded signalling. > > > Some discussion of why this won't cause any backwards compatibility > problems would be appropriate. > > > > >> **** I'm not really sure what you're trying to do here. There are at least >> **** four cases to consider: >> >> **** 1. For the case where the backbone doesn't have MPLS, there is no >> harm >> **** in saying "set the label to zero". >> > > Really ? What does the backbone having or not having MPLS has to do with > this ? Underlay forwarding does not matter and this is what I read as > "backbone". > > > What I meant is that if it is known a priori that SRv6 is being used > instead of MPLS, the label value obviously doesn't matter, because it will > never be used. > > > > **** 2. For the case where the backbone supports both MPLS and SRv6, and >> **** some PEs support L3VPN both ways, while others support only >> MPLS-based >> **** L3VPN, then a real label needs to be put in. >> > > OK. > > >> **** 3. For the case where the backbone supports both MPLS and SRv6, but a >> **** particular egress PE only supports SRv6, there needs to be some way >> to >> **** instruct the ingress PEs to use SRv6 and not MPLS. Perhaps the >> **** presence of the prefix-SID attribute with VPN-SID TLV is sufficient. >> > > Perhaps not ... and this is exactly the case trying to be addressed. > > > Why isn't the presence of the attribute sufficient in this case? > > > **** 4. For the case where the backbone supports both MPLS and SRv6, the >> **** egress PE supports both for transit, but the egress PE only supports >> **** SRv6 for L3VPN, the label in the SAFI-1/SAFI-128 routes should be a >> > > Label in SAFI 1 ? > > > Sorry, I meant SAFI-4. Actually, only SAFI-128 really matters in this > context, I think. > > >
- [bess] Comments on draft-dawra-idr-srv6-vpn-03 Eric C Rosen
- Re: [bess] Comments on draft-dawra-idr-srv6-vpn-03 Robert Raszuk
- Re: [bess] Comments on draft-dawra-idr-srv6-vpn-03 Eric C Rosen
- Re: [bess] Comments on draft-dawra-idr-srv6-vpn-03 Robert Raszuk
- Re: [bess] Comments on draft-dawra-idr-srv6-vpn-03 Eric C Rosen
- Re: [bess] Comments on draft-dawra-idr-srv6-vpn-03 Robert Raszuk