Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)
Gyan Mishra <hayabusagsm@gmail.com> Wed, 16 March 2022 14:38 UTC
Return-Path: <hayabusagsm@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4533F3A18D8; Wed, 16 Mar 2022 07:38:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UNxC5J5ZXN-C; Wed, 16 Mar 2022 07:38:18 -0700 (PDT)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DDA63A18DA; Wed, 16 Mar 2022 07:38:13 -0700 (PDT)
Received: by mail-pl1-x632.google.com with SMTP id w8so1945588pll.10; Wed, 16 Mar 2022 07:38:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=N3s0xrCFwHOMLnHHCn5JLgLFTAAgMHv3lkcttVe65OI=; b=Ol/mAQuG9GPDtF1ibxjKcsY1vqYf8jnweeySEZoOlksdt18JvAzxfyPx4Uo0oXf0ej N2QDwSyn4CWpEfKeZuNGLYNu7PzVNL7GYUIk0CFdPG5yWuuD2m3BR/bHUNDgIhfYnus9 XXWI1B8kAoyWZvrRb2raI15aWJAsp/5TyM1WJpgFUa6PiIlqsStSrLSaev2jmafR+sf2 b67Y5LaAiShjefYcs7V/Sv7CeTZTIi4h/rLXrG9oMLEqodQi5hdLUAOWOA7yslblwOJe MogtGNhYA4FHz6nAeK6KXJC9ceQ4S629X5KhMwyF4QYdbZWOnZM66kM8yd5Z73IhxlGX C76A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=N3s0xrCFwHOMLnHHCn5JLgLFTAAgMHv3lkcttVe65OI=; b=G5FMFjRYn1dvf0uj0ZssAJ8kXx14Jyppk0+2Pe4vjGFJ0q1SZ61fDGPjvrd+WdjcxK DfazyJsq5TpYncmSIefEdXDzha0GgrbO1LJ70VMQackTLOEkSwsm2tYtydXv2McGDVtI p+wked4tF0F+XEB1lWS5H7Kzmx87GGHCzKAw1EJXS99F3DQ5JTFj2Dk67PQGUCMWsMRF ibh7h7iUr0gGDPII+r0dHBxwV5IamndNRlV4mVGNPfrpUDKRCG8fzMrcM3Ey7bRegsKs edbfEEE7ZO8Ipf1QZRlUeYTScWrp8f+8fb5A3uQaO4c/xn1EhjN5wJ3ZIDOVlb4qT/pA 2vNA==
X-Gm-Message-State: AOAM533eaZFyp7imURdLxIS6N91eV8dTL7Y/71+0MzQJvUoWeCIqj45f GHuXUAw1UqmEOTA5aCs/sUQLbIhOez/TZ6kTS4k=
X-Google-Smtp-Source: ABdhPJww1ZeBSTUIvBgRNGk6hGfmg1RKPxKS8nkDtfgqLQCEfPHGD0rPqG9jXWYL2xJvd4F2/Xj35XTiQUSDJ57nyJw=
X-Received: by 2002:a17:902:8548:b0:153:61bb:f73e with SMTP id d8-20020a170902854800b0015361bbf73emr16922838plo.80.1647441492106; Wed, 16 Mar 2022 07:38:12 -0700 (PDT)
MIME-Version: 1.0
References: <164504757419.5632.9536270153833731412@ietfa.amsl.com> <CAH6gdPxTtVfh02odMdreGnnsD8fnY2rPDqPhU9cucSOuU=bxNw@mail.gmail.com> <DB75B564-CF18-4D93-B183-5C31203E860D@juniper.net> <183B3A89-B7CA-4B8B-888C-6404BB65E8F3@juniper.net> <CAOj+MMG711xUEFTHkcVzgX64fGhB+4Nn3Adkv_ywqS78LVMv4Q@mail.gmail.com> <CAH6gdPxV+r2iUouqom3rRZBoDbdbi45N_H-GBr_hOqgmYPBa3w@mail.gmail.com>
In-Reply-To: <CAH6gdPxV+r2iUouqom3rRZBoDbdbi45N_H-GBr_hOqgmYPBa3w@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Wed, 16 Mar 2022 10:37:41 -0400
Message-ID: <CABNhwV0Ym=WpQ+HpWEmBgw+0F0OwKrJ7JHqPk6VvWCEJpsRr_g@mail.gmail.com>
To: Ketan Talaulikar <ketant.ietf@gmail.com>
Cc: BESS <bess@ietf.org>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, John Scudder <jgs@juniper.net>, Robert Raszuk <robert@raszuk.net>, The IESG <iesg@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "draft-ietf-bess-srv6-services@ietf.org" <draft-ietf-bess-srv6-services@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ece36f05da56dc5d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/FmLazziVANJzknIVYImdwV-AiDk>
Subject: Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Mar 2022 14:38:25 -0000
Hi Ketan I reviewed the updated security considerations section and the update looks good. As well section 10.3 Data plane considerations and read again the referenced documents security considerations section of RFC 8402, RFC 8986, RFC 8754 and RFC 8996. All looks very good. One question I had was that if operators only advertises the SRv6 summary block B:N::/48 to the internet, the summarization route would not contain the embedded BGP Prefix SID attribute encoding of L2 and L3 Service SID in the FUNCT field of the SRv6 SID. If you agree with what I have stated , then that would limit the exposure drastically related to service SID leakage to the internet. The security exposure is related to only the inter-as peering lateral, provider or RS peering and not customer peering as the SRv6 source node encapsulates customer traffic into payload of outer IPv6 header. So I think customer PE-CE edge peering would not be a security issue. Also another thought is that within an SRv6 domain as next hop self is used internally on any inter-as lateral, provider or RS ties which is done on both ends of the peering between operators, does the SRv6 B:N::/48 underlay block even need to be advertised externally. As the BGP overlay is what holds the internet table and that is all that needs transitivity for internet route reachability. That would further reduce the exposure of data plane service sid encoding in SRv6 SID leaking to the internet. As far as SRv6 service capabilities draft below, my thoughts are as any parallel multi transport that exists would only be done within the confines of a domain within the same operators Administrative domain and not between providers which would also be limited during a transition from brown field MPLS or SR-MPLS to a parallel Green field SRv6 transport. As this use case is all within the same domain, careful design is on the onus of the operator as relates to SRv6 to MPLS BGP overlay interoperability for SAFI 128. So I don’t see this as a major issue for operators as all the careful considerations will be taken for that interoperability as well as there are many underlying solutions for SRv6 to MPLS or SR-MPLS interoperability. This is more of an interoperability issue use case that could be considered orthogonal to this draft that only exists within an operators network during migration. https://datatracker.ietf.org/doc/html/draft-lz-bess-srv6-service-capability-02 Kind Regards Gyan On Sat, Mar 5, 2022 at 4:40 AM Ketan Talaulikar <ketant.ietf@gmail.com> wrote: > Hi John, > > We've just posted an update to the draft to address the comments raised > and to clarify the security considerations. > > https://datatracker.ietf.org/doc/html/draft-ietf-bess-srv6-services-12 > > Thanks, > Ketan > > > On Thu, Feb 24, 2022 at 3:42 PM Robert Raszuk <robert@raszuk.net> wrote: > >> Hi John, >> >> You have highlighted below a very important point. It was discussed among >> co-authors, but perhaps not sufficiently during the BESS process as the >> issue is really not a BESS WG problem. >> >> In BGP protocol any new service deployment using existing AFI/SAFI is not >> easy. Especially when you are modifying content of MP_REACH or MP_UNREACH >> NLRI attributes. Main reason being is that using capabilities only goes one >> hop. In full mesh it all works perfect, but the moment you put RR in >> between BGP speakers things are getting ugly as capabilities are not >> traversing BGP nodes. /* Even in full mesh mixing transports for the same >> service is a serious challenge for routers when say multihomes sites are >> advertised from different PEs with different transport options */. >> >> Imagine RR signals SRv6 Service Capability to the PE. Then this PE >> happily sends a new format of the UPDATE messages. Well as today we also do >> not have a notion of conditional capabilities (only send when received from >> all) so if some of the RR peers do not support it you end up in partial >> service. One can argue that in this case the only deterministic model is to >> push the configuration from the management station and control partial >> deployment of the new service from mgmt layer. >> >> The natural alternative would be to never modify NLRI format once shipped >> by RFC. When needed issue a new SAFI. Yes that is an option (and has always >> been) but it also comes with its own set of issues. New SAFI is really >> great to define for new service/feature etc ... Here however in the context >> of this discussion we are changing transport for existing service. And >> just like it was the case with MPLS over UDP or tunnel attribute etc ... >> using a new SAFI would be very hard to deploy as there would need to be >> well defined behaviour of BGP speakers receiving duplicate information for >> the same VPN prefixes or receiving at one time only from single SAFI then a >> bit later from the other one .. Of course one solution is to permit only >> one SAFI for a given service at any given time, but that seems way too >> restrictive too. >> >> So to summarize while I am personally a huge proponent of new SAFI and >> new capabilities to be defines for new service here I do have some >> reservations. It seems to me that deployment of new transport for VPN >> service should be either network management driven or enabled when all >> participating PEs support it. Enabling it automagically with one hop >> capabilities seems to me like not a good thing as the data being sent in >> the UPDATES is not optional and dropping it means dropping actual routes. >> >> So at the current time the subject draft took a management approach. >> >> Many thx, >> Robert. >> >> On Thu, Feb 24, 2022 at 2:04 AM John Scudder <jgs@juniper.net> wrote: >> >>> Further to this point: >>> >>> > On Feb 18, 2022, at 3:32 PM, John Scudder <jgs@juniper.net> wrote: >>> > >>> >> On Feb 17, 2022, at 3:19 AM, Ketan Talaulikar <ketant.ietf@gmail.com> >>> wrote: >>> >> >>> >>> 2. One area of concern I would have hoped IDR might have looked into >>> is, the >>> >>> document makes a creative use of the MPLS Label field of the NLRI to >>> carry the >>> >>> Function part of the SID. This means the SID is effectively split >>> across the >>> >>> NLRI and the Prefix-SID attribute. What are the potential error >>> modes if the >>> >>> Prefix-SID attribute should be lost from the route, while the NLRI >>> is retained? >>> >>> >>> >>> (An obvious way of addressing this particular concern would be to >>> define a new >>> >>> NLRI type with the desired semantics, instead of creatively >>> repurposing fields >>> >>> within an existing NLRI type contrary to their definitions. Such an >>> NLRI type >>> >>> would, for example, presumably state in its specification that if it >>> was >>> >>> received without an accompanying Prefix-SID attribute, that would >>> constitute an >>> >>> error.) >>> >>> >>> >> KT> This document follows the approach similar as taken for extending >>> MPLS EVPN RFC7432 by RFC8365. >>> > >>> > I take it you’re referring to RFC 8365 §5.1.3 which talks about using >>> the MPLS Label field (or MPLS1 Label field) to carry the VNI in the >>> presence of a BGP Encapsulation Extended Community? Yes, that seems like a >>> pretty close analogue. And given this particular trick is only with >>> VPN-type address families one can also argue that there’s not a risk of >>> affected routes leaking into the big-I Internet, which is the typical >>> associated concern. >>> >>> In a separate reply, the authors of >>> draft-lz-bess-srv6-service-capability-02 pointed out that it provides a >>> critique of bess-srv6-services which is similar to this discuss point. (The >>> authors dropped the IESG from the cc, so I’m following up here instead of >>> to their original note.) >>> >>> On first reading, the critique in >>> draft-lz-bess-srv6-service-capability-02 seems well argued and responsive >>> to my question above about potential error modes. In section 3 of their >>> draft, the authors provide a worked scenario where a VPN route carrying a >>> SRv6 service SID using the Transposition scheme, if received by an >>> MPLS-only PE, could result in misdelivered traffic. At minimum, that seems >>> worth surfacing in the Security Considerations section, since historically >>> we’ve considered misdelivered VPN traffic to be a Bad Thing that could >>> expose confidential information. >>> >>> The authors do acknowledge that bess-srv6-services proposes a mitigation: >>> >>> To avoid these problems, [I-D.ietf-bess-srv6-services] specifies that >>> implementations SHOULD provide a mechanism to control advertisement >>> of SRv6-based BGP service routes on a per neighbor and per service >>> basis. >>> >>> but they go on to argue that this mitigation isn’t fit for purpose: >>> >>> The above method may be feasible in small-scale networks, but are not >>> applicable to large-scale networks. >>> >>> [etc] >>> >>> It’s not my preference to get into the minutiae of this argument as part >>> of this discuss. However, I’d like to ask: was this consideration something >>> the WG discussed? I looked for discussion of >>> draft-lz-bess-srv6-service-capability in the archives and didn’t find much — >>> >>> - When an earlier version was posted to the list it resulted only in >>> discussion between the original author, Liu Yao, and Eduard Metz, who >>> became co-author, but there wasn’t any discussion I saw of the actual issue >>> that the draft identified, but rather refinement of the mitigation it >>> proposes (which I don’t want to discuss in this note). >>> - There was an agenda slot request for the draft at IETF-111. It was on >>> the agenda in the “if time allows” section. I assume time did NOT allow >>> because I don’t see mention of it in the minutes. (I did find the slides, >>> slides 3 and 4 summarize the critique, >>> https://datatracker.ietf.org/meeting/111/materials/slides-111-bess-sessa-srv6-service-capability-00 >>> ). >>> >>> But of course, the issue raised might have been discussed by the WG in a >>> different thread, that doesn’t match a search for >>> draft-lz-bess-srv6-service-capability. If so, I’d appreciate a pointer to >>> it. >>> >>> If there wasn’t any discussion in the WG of the authors’ critique, I >>> think it deserves to be discussed a bit as part of this thread. In >>> particular, does the “this is the same as the trick EVPN does in RFC 8365” >>> reply apply equally? Probably it does, although that might boil down to >>> “gosh, we should have caught this when publishing 8365, shouldn’t we?” >>> >>> Even if the outcome of the discussion is that the limitation was >>> discussed by the WG/isn’t a big deal because reasons/maybe it’s a big deal >>> but we’ll fix it in a followup… as I mentioned earlier, covering it in the >>> Security Considerations seems worthwhile. >>> >>> Thanks, >>> >>> —John >> >> _______________________________________________ > BESS mailing list > BESS@ietf.org > https://www.ietf.org/mailman/listinfo/bess > -- <http://www.verizon.com/> *Gyan Mishra* *Network Solutions A**rchitect * *Email gyan.s.mishra@verizon.com <gyan.s.mishra@verizon.com>* *M 301 502-1347*
- [bess] John Scudder's Discuss on draft-ietf-bess-… John Scudder via Datatracker
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Robert Raszuk
- Re: [bess] John Scudder's Discuss on draft-ietf-b… liu.yao71
- Re: [bess] John Scudder's Discuss on draft-ietf-b… liu.yao71
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Ketan Talaulikar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Ketan Talaulikar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Bocci, Matthew (Nokia - GB)
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Bocci, Matthew (Nokia - GB)
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Robert Raszuk
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Robert Raszuk
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Ketan Talaulikar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… liu.yao71
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Robert Raszuk
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Eduard Metz
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Gyan Mishra
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Gyan Mishra
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Ketan Talaulikar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Gyan Mishra
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Ketan Talaulikar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Ketan Talaulikar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Ketan Talaulikar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder