IETF Logo Mail Archive

Re: [bess] Benoit Claise's Discuss on draft-ietf-bess-mvpn-extranet-04: (with DISCUSS and COMMENT)

"Alvaro Retana (aretana)" <aretana@cisco.com> Thu, 21 April 2016 21:27 UTC

Return-Path: <aretana@cisco.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF80312E027; Thu, 21 Apr 2016 14:27:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.517
X-Spam-Level:
X-Spam-Status: No, score=-15.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NqBnonEfTajA; Thu, 21 Apr 2016 14:27:37 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC27F12DC46; Thu, 21 Apr 2016 14:27:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7689; q=dns/txt; s=iport; t=1461274055; x=1462483655; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=1TEzp/n/yI1lUGBli7x76rQVKqku8v8PwYibmLFrdMM=; b=H0hkCH3R4i/HrmJIfoNLEooFkqWPNc7PeP7awqjeKjHTAuRQe1tK8jwE BIuNJOTQ1SenCeDrQMaw8U1DwsTzdUmv0x2qI0TLv3FIPnmygXvO85DAi 1g2uHIdbWnCVA6IgmXXPAUVU5tZQWYi1SznbYPvn9zUd6VGJksBk7MnK1 c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ADAgCJRBlX/5BdJa1egziBUAa3aoIPAQ2BdIYOAoEtOBQBAQEBAQEBZSeEQQEBAQMBeRACAQgOAwQBAQEnBzIUCQgCBAENBRSIDgjAKAEBAQEBAQEBAQEBAQEBAQEBAQEBARWGIYRLhA8KBwEchVgBBId0hheFE4RxAY4TgWaETYMphTSPLQEeAQFCggQFFhWBNWyHOQkXH34BAQE
X-IronPort-AV: E=Sophos;i="5.24,514,1454976000"; d="scan'208";a="96278682"
Received: from rcdn-core-8.cisco.com ([173.37.93.144]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Apr 2016 21:27:34 +0000
Received: from XCH-ALN-009.cisco.com (xch-aln-009.cisco.com [173.36.7.19]) by rcdn-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id u3LLRY4i028976 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 21 Apr 2016 21:27:34 GMT
Received: from xch-aln-002.cisco.com (173.36.7.12) by XCH-ALN-009.cisco.com (173.36.7.19) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Thu, 21 Apr 2016 16:27:33 -0500
Received: from xch-aln-002.cisco.com ([173.36.7.12]) by XCH-ALN-002.cisco.com ([173.36.7.12]) with mapi id 15.00.1104.009; Thu, 21 Apr 2016 16:27:34 -0500
From: "Alvaro Retana (aretana)" <aretana@cisco.com>
To: Susan Hares <shares@ndzh.com>, "Benoit Claise (bclaise)" <bclaise@cisco.com>, "joelja@bogus.com" <joelja@bogus.com>
Thread-Topic: [bess] Benoit Claise's Discuss on draft-ietf-bess-mvpn-extranet-04: (with DISCUSS and COMMENT)
Thread-Index: AQHRnBSe1N/fnQv93UyfZpEd+XJ70g==
Date: Thu, 21 Apr 2016 21:27:34 +0000
Message-ID: <D33EBDE2.120D76%aretana@cisco.com>
References: <20151217133049.1038.44405.idtracker@ietfa.amsl.com> <56741869.5020505@juniper.net> <00af01d139c6$898fb720$9caf2560$@ndzh.com> <567859EC.6030103@juniper.net> <006101d13ce1$725cd650$571682f0$@ndzh.com> <56799F9F.4010907@juniper.net> <000d01d13d94$80868a10$81939e30$@ndzh.com> <570D4C8E.6040800@alcatel-lucent.com>
In-Reply-To: <570D4C8E.6040800@alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.2.160219
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.117.15.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <E3E63DEF8BF416468499F21A95B24286@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/bess/4v7-RA9XlWQkqAFDNxfJNP84j5E>
X-Mailman-Approved-At: Thu, 21 Apr 2016 22:24:25 -0700
Cc: "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "draft-ietf-bess-mvpn-extranet@ietf.org" <draft-ietf-bess-mvpn-extranet@ietf.org>, 'Eric C Rosen' <erosen@juniper.net>, "'John G. Scudder'" <jgs@juniper.net>, Martin Vigoureux <martin.vigoureux@nokia.com>, "bess@ietf.org" <bess@ietf.org>, 'The IESG' <iesg@ietf.org>
Subject: Re: [bess] Benoit Claise's Discuss on draft-ietf-bess-mvpn-extranet-04: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Apr 2016 21:27:39 -0000

Sue:

Hi!  Can you please take a look at this?

Thanks!

Alvaro.

On 4/12/16, 3:29 PM, "Martin Vigoureux" <martin.vigoureux@nokia.com> wrote:

>Dear all,
>
>we took the opportunity of this IETF meeting to discuss with Sue, Joel
>and Benoit, and with Eric.
>
>Sue has had two requests:
>1/ to add some text clarifying the encoding and processing of the
>Extended Communities this document is defining.
>Eric had already integrated this text in the document (v06) and more
>specifically in Sections 4.4.1, 4.4.2 (for the Extranet Source Extended
>Community) and 4.5 (for the Extranet Separation Extended Community). The
>text on RR fitted more naturally in 4.4.2 than in 4.4.1, thus the split.
>
>We have reviewed that with Sue and my understanding of our discussion is
>that this is acceptable.
>
>2/ to add some text covering risks of mis-configurations
>Eric has added the paragraph quite soon in the document (the Overview
>section), such that the reader is aware. Following Thomas' suggestion to
>enhance that text with other cases of incorrect configurations, Eric has
>also added some text to the Security Considerations section.
>Since the document describes a tool-set, rather than trying to describe
>all the possible usages of these tools, the preferred approach was to
>give a form of warning on risks of misconf.
>
>Our understanding is that the addition of this paragraph would meet
>Sue's expectations.
>
>Version 07, which incorporates the above, is available.
>
>Sue, please review the changes and let us know if our understanding is
>correct or not, and thus if you consider your points addressed.
>
>Thank you all
>
>Best regards,
>Martin & Thomas
>
>Le 23/12/2015 16:13, Susan Hares a écrit :
>> Eric:
>>
>> *To clear my objection to this draft*, please add these sections to make
>> it clear what the content of the BGP values and their handling.    We
>> disagree on what the BGP registry document states, but that point is not
>> worth holding up this document.  People can find the type and sub-type
>> fields in the registry.  What is not in the registry is a clear
>> description of the restrictions of the value field and handling.
>>
>> Placing the BGP Extended communities within the rest of the rules is
>> just unclear. Please put these two sections in and give the details in
>> this sections.
>>
>> As to the deployment section, you did not consider the text I offer
>> below and the suggested insertion in the security section.  Perhaps you
>> can consider that text in your next email.  On whether this deployment
>> section is ³DISCUSS² worthy, I am still communicating with Benoit and
>>Joel.
>>
>> I wish you the peace and joy of the Christmas season,
>>
>> Sue Hares
>>
>> =============
>>
>> Sections which must be added to clear my concerns
>>
>> ----------------------------------------------------------------
>>
>> *4.4.1 Extranet Source Extended Community *
>>
>>     To facilitate this, we define a new Transitive Opaque Extended
>> Community, the "Extranet Source" Extended Community.
>>
>>     The value field of this extended community is all zeros.
>>
>> *Restrictions: *This value field MUST be set  to zero upon origination,
>>   MUST be ignored upon reception and MUST  be passed unchanged by
>> intermediate routers.
>>
>> *Additional Restrictions: *A Route Reflector MUST NOT add/remove the
>> Extranet Source Extended  Community from the VPN-IP routes reflected by
>> the Route Reflector,  including the case where VPN-IP routes received
>> via IBGP are reflected to EBGP peers (inter-AS option (c), see
>> [RFC6513]   Section 10).
>>
>> *4.4.2 Extranet Separation Extended community *
>>
>> **
>>
>> We define a new Transitive Opaque Extended Community, the "Extranet
>> Separation" Extended Community.  This Extended Community is used only
>> when extranet separation is being used.
>>
>> *Restrictions:*  Its value field MUST be set to zero upon origination,
>> MUST be ignored upon reception, and MUST be
>>
>>     passed unchanged by intermediate routers.
>>
>> *  Restrictions on Adding/deleting this community:*  ??  (Eric ­ please
>> add something here).
>>
>> *Comments that could be put in a Security section: *
>>
>> **
>>
>> Whenever a VPN is provisioned, there is a risk that provisioning errors
>> will result in an unintended cross-connection of VPNs, which would
>> create a security problem for the customers.  Extranet can be
>> particularly tricky, as it intentionally cross-connects VPNs, but in a
>> manner that is intended to be strictly limited by policy.  If one is
>> connecting two VPNs that have overlapping address spaces, one has to be
>> sure that the inter-VPN traffic isn't to/from the part of the address
>> space that is in the overlap.  The draft discusses a lot of the corner
>> cases, and a lot of the scenarios in which things can go wrong.
>>
>> *From:*BESS [mailto:bess-bounces@ietf.org] *On Behalf Of *Eric C Rosen
>> *Sent:* Tuesday, December 22, 2015 2:08 PM
>> *To:* Susan Hares; 'Benoit Claise'; 'The IESG'
>> *Cc:* draft-ietf-bess-mvpn-extranet@ietf.org; 'John G. Scudder';
>> aretana@cisco.com; bess-chairs@ietf.org;
>> martin.vigoureux@alcatel-lucent.com; bess@ietf.org
>> *Subject:* Re: [bess] Benoit Claise's Discuss on
>> draft-ietf-bess-mvpn-extranet-04: (with DISCUSS and COMMENT)
>>
>> On 12/22/2015 12:51 PM, Susan Hares wrote:
>>
>> Eric:
>>
>> Thank you for revisions in version -05 of your document.  Unfortunately
>> it does not resolve either of the two points I raised.
>>
>> 1)*On the BGP Extended Communities*, I feel your specification is
>> *unclear and warrants change on the DISCUSS* Criteria due to
>> interoperability issues.
>>
>>
>> I've explained why I don't think this is correct.  In particular, I
>> don't think it is wise to mention the value of the "Transitive Opaque
>> Extended Community Type" codepoint, as this can be found in the IANA
>> registry for Transitive Extended Community types, and implementers
>> should really be encouraged to consult the registries for the
>>codepoints.
>>
>>
>> 2)I¹ve given you 2 small sections to add to your document at the
>> beginning of section 4.4. to resolve this DISCUSS point.
>>
>>
>> Note that the codepoint you mention for Transitive Opaque Extended
>> Community Type is not correct.  Unnecessary last minute changes do tend
>> to introduce errors.
>>
>>
>> 3)You need to just fill in one part below on RR restrictions for
>> *Extranet Separation Extended community*.
>>
>>
>> I will add some text saying that RRs must not add or remove this EC.
>>
>>
>> 2) *On the deployment section:*  I given text and examples ­ but I think
>> you still misunderstand what I am looking for.
>>
>>
>> Perhaps.
>>
>>
>> Since you are an author of academic papers,
>>
>>
>> I am not.
>>
>>
>> consider I am looking for an operator-based ³abstract² that focuses the
>> reader on the key points.I am sure you can create one for this document,
>> but I not clear why you object to it the concept.
>>
>>
>> It seems to me that you are asking for something that could be titled
>> "An Operator's Guide to Provisioning Extranet MVPN".  While that might
>> be useful, it is not within the scope of the current document.  As I've
>> said, I am not aware of any IETF requirement that requires such a thing
>> to be included.
>>
>>
>> will you please let me know that you have read my suggested text
>> insertions on both these topics.
>>
>>
>> I have.
>>
>>
>>
>>
>>
>>
>>

v2.23.0 | Report a Bug | By Email