Re: [bess] Benoit Claise's Discuss on draft-ietf-bess-mvpn-extranet-04: (with DISCUSS and COMMENT)
"Alvaro Retana (aretana)" <aretana@cisco.com> Thu, 21 April 2016 21:27 UTC
Return-Path: <aretana@cisco.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF80312E027; Thu, 21 Apr 2016 14:27:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.517
X-Spam-Level:
X-Spam-Status: No, score=-15.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NqBnonEfTajA; Thu, 21 Apr 2016 14:27:37 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC27F12DC46; Thu, 21 Apr 2016 14:27:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7689; q=dns/txt; s=iport; t=1461274055; x=1462483655; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=1TEzp/n/yI1lUGBli7x76rQVKqku8v8PwYibmLFrdMM=; b=H0hkCH3R4i/HrmJIfoNLEooFkqWPNc7PeP7awqjeKjHTAuRQe1tK8jwE BIuNJOTQ1SenCeDrQMaw8U1DwsTzdUmv0x2qI0TLv3FIPnmygXvO85DAi 1g2uHIdbWnCVA6IgmXXPAUVU5tZQWYi1SznbYPvn9zUd6VGJksBk7MnK1 c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ADAgCJRBlX/5BdJa1egziBUAa3aoIPAQ2BdIYOAoEtOBQBAQEBAQEBZSeEQQEBAQMBeRACAQgOAwQBAQEnBzIUCQgCBAENBRSIDgjAKAEBAQEBAQEBAQEBAQEBAQEBAQEBARWGIYRLhA8KBwEchVgBBId0hheFE4RxAY4TgWaETYMphTSPLQEeAQFCggQFFhWBNWyHOQkXH34BAQE
X-IronPort-AV: E=Sophos;i="5.24,514,1454976000"; d="scan'208";a="96278682"
Received: from rcdn-core-8.cisco.com ([173.37.93.144]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Apr 2016 21:27:34 +0000
Received: from XCH-ALN-009.cisco.com (xch-aln-009.cisco.com [173.36.7.19]) by rcdn-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id u3LLRY4i028976 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 21 Apr 2016 21:27:34 GMT
Received: from xch-aln-002.cisco.com (173.36.7.12) by XCH-ALN-009.cisco.com (173.36.7.19) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Thu, 21 Apr 2016 16:27:33 -0500
Received: from xch-aln-002.cisco.com ([173.36.7.12]) by XCH-ALN-002.cisco.com ([173.36.7.12]) with mapi id 15.00.1104.009; Thu, 21 Apr 2016 16:27:34 -0500
From: "Alvaro Retana (aretana)" <aretana@cisco.com>
To: Susan Hares <shares@ndzh.com>, "Benoit Claise (bclaise)" <bclaise@cisco.com>, "joelja@bogus.com" <joelja@bogus.com>
Thread-Topic: [bess] Benoit Claise's Discuss on draft-ietf-bess-mvpn-extranet-04: (with DISCUSS and COMMENT)
Thread-Index: AQHRnBSe1N/fnQv93UyfZpEd+XJ70g==
Date: Thu, 21 Apr 2016 21:27:34 +0000
Message-ID: <D33EBDE2.120D76%aretana@cisco.com>
References: <20151217133049.1038.44405.idtracker@ietfa.amsl.com> <56741869.5020505@juniper.net> <00af01d139c6$898fb720$9caf2560$@ndzh.com> <567859EC.6030103@juniper.net> <006101d13ce1$725cd650$571682f0$@ndzh.com> <56799F9F.4010907@juniper.net> <000d01d13d94$80868a10$81939e30$@ndzh.com> <570D4C8E.6040800@alcatel-lucent.com>
In-Reply-To: <570D4C8E.6040800@alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.2.160219
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.117.15.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <E3E63DEF8BF416468499F21A95B24286@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/bess/4v7-RA9XlWQkqAFDNxfJNP84j5E>
X-Mailman-Approved-At: Thu, 21 Apr 2016 22:24:25 -0700
Cc: "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "draft-ietf-bess-mvpn-extranet@ietf.org" <draft-ietf-bess-mvpn-extranet@ietf.org>, 'Eric C Rosen' <erosen@juniper.net>, "'John G. Scudder'" <jgs@juniper.net>, Martin Vigoureux <martin.vigoureux@nokia.com>, "bess@ietf.org" <bess@ietf.org>, 'The IESG' <iesg@ietf.org>
Subject: Re: [bess] Benoit Claise's Discuss on draft-ietf-bess-mvpn-extranet-04: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Apr 2016 21:27:39 -0000
Sue: Hi! Can you please take a look at this? Thanks! Alvaro. On 4/12/16, 3:29 PM, "Martin Vigoureux" <martin.vigoureux@nokia.com> wrote: >Dear all, > >we took the opportunity of this IETF meeting to discuss with Sue, Joel >and Benoit, and with Eric. > >Sue has had two requests: >1/ to add some text clarifying the encoding and processing of the >Extended Communities this document is defining. >Eric had already integrated this text in the document (v06) and more >specifically in Sections 4.4.1, 4.4.2 (for the Extranet Source Extended >Community) and 4.5 (for the Extranet Separation Extended Community). The >text on RR fitted more naturally in 4.4.2 than in 4.4.1, thus the split. > >We have reviewed that with Sue and my understanding of our discussion is >that this is acceptable. > >2/ to add some text covering risks of mis-configurations >Eric has added the paragraph quite soon in the document (the Overview >section), such that the reader is aware. Following Thomas' suggestion to >enhance that text with other cases of incorrect configurations, Eric has >also added some text to the Security Considerations section. >Since the document describes a tool-set, rather than trying to describe >all the possible usages of these tools, the preferred approach was to >give a form of warning on risks of misconf. > >Our understanding is that the addition of this paragraph would meet >Sue's expectations. > >Version 07, which incorporates the above, is available. > >Sue, please review the changes and let us know if our understanding is >correct or not, and thus if you consider your points addressed. > >Thank you all > >Best regards, >Martin & Thomas > >Le 23/12/2015 16:13, Susan Hares a écrit : >> Eric: >> >> *To clear my objection to this draft*, please add these sections to make >> it clear what the content of the BGP values and their handling. We >> disagree on what the BGP registry document states, but that point is not >> worth holding up this document. People can find the type and sub-type >> fields in the registry. What is not in the registry is a clear >> description of the restrictions of the value field and handling. >> >> Placing the BGP Extended communities within the rest of the rules is >> just unclear. Please put these two sections in and give the details in >> this sections. >> >> As to the deployment section, you did not consider the text I offer >> below and the suggested insertion in the security section. Perhaps you >> can consider that text in your next email. On whether this deployment >> section is ³DISCUSS² worthy, I am still communicating with Benoit and >>Joel. >> >> I wish you the peace and joy of the Christmas season, >> >> Sue Hares >> >> ============= >> >> Sections which must be added to clear my concerns >> >> ---------------------------------------------------------------- >> >> *4.4.1 Extranet Source Extended Community * >> >> To facilitate this, we define a new Transitive Opaque Extended >> Community, the "Extranet Source" Extended Community. >> >> The value field of this extended community is all zeros. >> >> *Restrictions: *This value field MUST be set to zero upon origination, >> MUST be ignored upon reception and MUST be passed unchanged by >> intermediate routers. >> >> *Additional Restrictions: *A Route Reflector MUST NOT add/remove the >> Extranet Source Extended Community from the VPN-IP routes reflected by >> the Route Reflector, including the case where VPN-IP routes received >> via IBGP are reflected to EBGP peers (inter-AS option (c), see >> [RFC6513] Section 10). >> >> *4.4.2 Extranet Separation Extended community * >> >> ** >> >> We define a new Transitive Opaque Extended Community, the "Extranet >> Separation" Extended Community. This Extended Community is used only >> when extranet separation is being used. >> >> *Restrictions:* Its value field MUST be set to zero upon origination, >> MUST be ignored upon reception, and MUST be >> >> passed unchanged by intermediate routers. >> >> * Restrictions on Adding/deleting this community:* ?? (Eric please >> add something here). >> >> *Comments that could be put in a Security section: * >> >> ** >> >> Whenever a VPN is provisioned, there is a risk that provisioning errors >> will result in an unintended cross-connection of VPNs, which would >> create a security problem for the customers. Extranet can be >> particularly tricky, as it intentionally cross-connects VPNs, but in a >> manner that is intended to be strictly limited by policy. If one is >> connecting two VPNs that have overlapping address spaces, one has to be >> sure that the inter-VPN traffic isn't to/from the part of the address >> space that is in the overlap. The draft discusses a lot of the corner >> cases, and a lot of the scenarios in which things can go wrong. >> >> *From:*BESS [mailto:bess-bounces@ietf.org] *On Behalf Of *Eric C Rosen >> *Sent:* Tuesday, December 22, 2015 2:08 PM >> *To:* Susan Hares; 'Benoit Claise'; 'The IESG' >> *Cc:* draft-ietf-bess-mvpn-extranet@ietf.org; 'John G. Scudder'; >> aretana@cisco.com; bess-chairs@ietf.org; >> martin.vigoureux@alcatel-lucent.com; bess@ietf.org >> *Subject:* Re: [bess] Benoit Claise's Discuss on >> draft-ietf-bess-mvpn-extranet-04: (with DISCUSS and COMMENT) >> >> On 12/22/2015 12:51 PM, Susan Hares wrote: >> >> Eric: >> >> Thank you for revisions in version -05 of your document. Unfortunately >> it does not resolve either of the two points I raised. >> >> 1)*On the BGP Extended Communities*, I feel your specification is >> *unclear and warrants change on the DISCUSS* Criteria due to >> interoperability issues. >> >> >> I've explained why I don't think this is correct. In particular, I >> don't think it is wise to mention the value of the "Transitive Opaque >> Extended Community Type" codepoint, as this can be found in the IANA >> registry for Transitive Extended Community types, and implementers >> should really be encouraged to consult the registries for the >>codepoints. >> >> >> 2)I¹ve given you 2 small sections to add to your document at the >> beginning of section 4.4. to resolve this DISCUSS point. >> >> >> Note that the codepoint you mention for Transitive Opaque Extended >> Community Type is not correct. Unnecessary last minute changes do tend >> to introduce errors. >> >> >> 3)You need to just fill in one part below on RR restrictions for >> *Extranet Separation Extended community*. >> >> >> I will add some text saying that RRs must not add or remove this EC. >> >> >> 2) *On the deployment section:* I given text and examples but I think >> you still misunderstand what I am looking for. >> >> >> Perhaps. >> >> >> Since you are an author of academic papers, >> >> >> I am not. >> >> >> consider I am looking for an operator-based ³abstract² that focuses the >> reader on the key points.I am sure you can create one for this document, >> but I not clear why you object to it the concept. >> >> >> It seems to me that you are asking for something that could be titled >> "An Operator's Guide to Provisioning Extranet MVPN". While that might >> be useful, it is not within the scope of the current document. As I've >> said, I am not aware of any IETF requirement that requires such a thing >> to be included. >> >> >> will you please let me know that you have read my suggested text >> insertions on both these topics. >> >> >> I have. >> >> >> >> >> >> >>
- [bess] Benoit Claise's Discuss on draft-ietf-bess… Benoit Claise
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Stephen Farrell
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Susan Hares
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Susan Hares
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Susan Hares
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Susan Hares
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Benoit Claise
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… joel jaeggli
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… joel jaeggli
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Martin Vigoureux
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Alvaro Retana (aretana)
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Susan Hares