IETF Logo Mail Archive

Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)

Gyan Mishra <hayabusagsm@gmail.com> Wed, 16 March 2022 14:38 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4533F3A18D8; Wed, 16 Mar 2022 07:38:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UNxC5J5ZXN-C; Wed, 16 Mar 2022 07:38:18 -0700 (PDT)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DDA63A18DA; Wed, 16 Mar 2022 07:38:13 -0700 (PDT)
Received: by mail-pl1-x632.google.com with SMTP id w8so1945588pll.10; Wed, 16 Mar 2022 07:38:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=N3s0xrCFwHOMLnHHCn5JLgLFTAAgMHv3lkcttVe65OI=; b=Ol/mAQuG9GPDtF1ibxjKcsY1vqYf8jnweeySEZoOlksdt18JvAzxfyPx4Uo0oXf0ej N2QDwSyn4CWpEfKeZuNGLYNu7PzVNL7GYUIk0CFdPG5yWuuD2m3BR/bHUNDgIhfYnus9 XXWI1B8kAoyWZvrRb2raI15aWJAsp/5TyM1WJpgFUa6PiIlqsStSrLSaev2jmafR+sf2 b67Y5LaAiShjefYcs7V/Sv7CeTZTIi4h/rLXrG9oMLEqodQi5hdLUAOWOA7yslblwOJe MogtGNhYA4FHz6nAeK6KXJC9ceQ4S629X5KhMwyF4QYdbZWOnZM66kM8yd5Z73IhxlGX C76A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=N3s0xrCFwHOMLnHHCn5JLgLFTAAgMHv3lkcttVe65OI=; b=G5FMFjRYn1dvf0uj0ZssAJ8kXx14Jyppk0+2Pe4vjGFJ0q1SZ61fDGPjvrd+WdjcxK DfazyJsq5TpYncmSIefEdXDzha0GgrbO1LJ70VMQackTLOEkSwsm2tYtydXv2McGDVtI p+wked4tF0F+XEB1lWS5H7Kzmx87GGHCzKAw1EJXS99F3DQ5JTFj2Dk67PQGUCMWsMRF ibh7h7iUr0gGDPII+r0dHBxwV5IamndNRlV4mVGNPfrpUDKRCG8fzMrcM3Ey7bRegsKs edbfEEE7ZO8Ipf1QZRlUeYTScWrp8f+8fb5A3uQaO4c/xn1EhjN5wJ3ZIDOVlb4qT/pA 2vNA==
X-Gm-Message-State: AOAM533eaZFyp7imURdLxIS6N91eV8dTL7Y/71+0MzQJvUoWeCIqj45f GHuXUAw1UqmEOTA5aCs/sUQLbIhOez/TZ6kTS4k=
X-Google-Smtp-Source: ABdhPJww1ZeBSTUIvBgRNGk6hGfmg1RKPxKS8nkDtfgqLQCEfPHGD0rPqG9jXWYL2xJvd4F2/Xj35XTiQUSDJ57nyJw=
X-Received: by 2002:a17:902:8548:b0:153:61bb:f73e with SMTP id d8-20020a170902854800b0015361bbf73emr16922838plo.80.1647441492106; Wed, 16 Mar 2022 07:38:12 -0700 (PDT)
MIME-Version: 1.0
References: <164504757419.5632.9536270153833731412@ietfa.amsl.com> <CAH6gdPxTtVfh02odMdreGnnsD8fnY2rPDqPhU9cucSOuU=bxNw@mail.gmail.com> <DB75B564-CF18-4D93-B183-5C31203E860D@juniper.net> <183B3A89-B7CA-4B8B-888C-6404BB65E8F3@juniper.net> <CAOj+MMG711xUEFTHkcVzgX64fGhB+4Nn3Adkv_ywqS78LVMv4Q@mail.gmail.com> <CAH6gdPxV+r2iUouqom3rRZBoDbdbi45N_H-GBr_hOqgmYPBa3w@mail.gmail.com>
In-Reply-To: <CAH6gdPxV+r2iUouqom3rRZBoDbdbi45N_H-GBr_hOqgmYPBa3w@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Wed, 16 Mar 2022 10:37:41 -0400
Message-ID: <CABNhwV0Ym=WpQ+HpWEmBgw+0F0OwKrJ7JHqPk6VvWCEJpsRr_g@mail.gmail.com>
To: Ketan Talaulikar <ketant.ietf@gmail.com>
Cc: BESS <bess@ietf.org>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, John Scudder <jgs@juniper.net>, Robert Raszuk <robert@raszuk.net>, The IESG <iesg@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "draft-ietf-bess-srv6-services@ietf.org" <draft-ietf-bess-srv6-services@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ece36f05da56dc5d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/FmLazziVANJzknIVYImdwV-AiDk>
Subject: Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Mar 2022 14:38:25 -0000

Hi Ketan

I reviewed the updated security considerations section and the update looks
good.  As well section 10.3 Data plane considerations and read again the
referenced documents security considerations section of RFC 8402, RFC 8986,
RFC 8754 and RFC 8996.  All looks very good.

One question I had was that if operators only advertises the SRv6 summary
block B:N::/48 to the internet, the summarization route would not contain
the embedded BGP Prefix SID attribute encoding of L2 and L3 Service SID in
the FUNCT field of the SRv6 SID.

If you agree with what I have stated , then that would limit the exposure
drastically related to service SID leakage to the internet.

The security exposure is related to only the inter-as peering lateral,
provider or RS peering and not customer peering as the SRv6 source node
encapsulates customer traffic into payload of outer IPv6 header.  So I
think customer  PE-CE edge peering would not be a security issue.

Also another thought is that within an SRv6 domain as next hop self is used
internally on any inter-as lateral, provider or RS ties which is done on
both ends of the peering between operators, does the SRv6 B:N::/48 underlay
block even need to be advertised externally.  As the BGP overlay is what
holds the internet table and that is all that needs transitivity for
internet route reachability.  That would further reduce the exposure of
data plane service sid encoding in SRv6 SID leaking to the internet.

As far as SRv6 service capabilities draft below, my thoughts are as any
parallel multi transport that exists would only be done within the confines
of a domain within the same operators Administrative domain and not between
providers which would also be limited during a transition from brown field
MPLS or SR-MPLS to a parallel Green field SRv6 transport.  As this use case
is all within the same domain, careful design is on the onus of the
operator as relates to SRv6 to MPLS BGP overlay interoperability for SAFI
128.  So I don’t see this as a major issue for operators as all the careful
considerations will be taken for that interoperability as well as there are
many underlying solutions for SRv6 to MPLS or SR-MPLS interoperability.

This is more of an interoperability issue use case that could be considered
orthogonal to this draft that only exists within an operators network
during migration.

https://datatracker.ietf.org/doc/html/draft-lz-bess-srv6-service-capability-02


Kind Regards

Gyan

On Sat, Mar 5, 2022 at 4:40 AM Ketan Talaulikar <ketant.ietf@gmail.com>
wrote:

> Hi John,
>
> We've just posted an update to the draft to address the comments raised
> and to clarify the security considerations.
>
> https://datatracker.ietf.org/doc/html/draft-ietf-bess-srv6-services-12
>
> Thanks,
> Ketan
>
>
> On Thu, Feb 24, 2022 at 3:42 PM Robert Raszuk <robert@raszuk.net> wrote:
>
>> Hi John,
>>
>> You have highlighted below a very important point. It was discussed among
>> co-authors, but perhaps not sufficiently during the BESS process as the
>> issue is really not a BESS WG problem.
>>
>> In BGP protocol any new service deployment using existing AFI/SAFI is not
>> easy. Especially when you are modifying content of MP_REACH or MP_UNREACH
>> NLRI attributes. Main reason being is that using capabilities only goes one
>> hop. In full mesh it all works perfect, but the moment you put RR in
>> between BGP speakers things are getting ugly as capabilities are not
>> traversing BGP nodes. /* Even in full mesh mixing transports for the same
>> service is a serious challenge for routers when say multihomes sites are
>> advertised from different PEs with different transport options */.
>>
>> Imagine RR signals SRv6 Service Capability to the PE. Then this PE
>> happily sends a new format of the UPDATE messages. Well as today we also do
>> not have a notion of conditional capabilities (only send when received from
>> all) so if some of the RR peers do not support it you end up in partial
>> service. One can argue that in this case the only deterministic model is to
>> push the configuration from the management station and control partial
>> deployment of the new service from mgmt layer.
>>
>> The natural alternative would be to never modify NLRI format once shipped
>> by RFC. When needed issue a new SAFI. Yes that is an option (and has always
>> been) but it also comes with its own set of issues. New SAFI is really
>> great to define for new service/feature etc ... Here however in the context
>> of this discussion we are changing transport for existing service.  And
>> just like it was the case with MPLS over UDP or  tunnel attribute etc ...
>> using a new SAFI would be very hard to deploy as there would need to be
>> well defined behaviour of BGP speakers receiving duplicate information for
>> the same VPN prefixes or receiving at one time only from single SAFI then a
>> bit later from the other one .. Of course one solution is to permit only
>> one SAFI for a given service at any given time, but that seems way too
>> restrictive too.
>>
>> So to summarize while I am personally a huge proponent of new SAFI and
>> new capabilities to be defines for new service here I do have  some
>> reservations. It seems to me that deployment of new transport for VPN
>> service should be either network management driven or enabled when all
>> participating PEs support it. Enabling it automagically with one hop
>> capabilities seems to me like not a good thing as the data being sent in
>> the UPDATES is not optional and dropping it means dropping actual routes.
>>
>> So at the current time the subject draft took a management approach.
>>
>> Many thx,
>> Robert.
>>
>> On Thu, Feb 24, 2022 at 2:04 AM John Scudder <jgs@juniper.net> wrote:
>>
>>> Further to this point:
>>>
>>> > On Feb 18, 2022, at 3:32 PM, John Scudder <jgs@juniper.net> wrote:
>>> >
>>> >> On Feb 17, 2022, at 3:19 AM, Ketan Talaulikar <ketant.ietf@gmail.com>
>>> wrote:
>>> >>
>>> >>> 2. One area of concern I would have hoped IDR might have looked into
>>> is, the
>>> >>> document makes a creative use of the MPLS Label field of the NLRI to
>>> carry the
>>> >>> Function part of the SID. This means the SID is effectively split
>>> across the
>>> >>> NLRI and the Prefix-SID attribute. What are the potential error
>>> modes if the
>>> >>> Prefix-SID attribute should be lost from the route, while the NLRI
>>> is retained?
>>> >>>
>>> >>> (An obvious way of addressing this particular concern would be to
>>> define a new
>>> >>> NLRI type with the desired semantics, instead of creatively
>>> repurposing fields
>>> >>> within an existing NLRI type contrary to their definitions. Such an
>>> NLRI type
>>> >>> would, for example, presumably state in its specification that if it
>>> was
>>> >>> received without an accompanying Prefix-SID attribute, that would
>>> constitute an
>>> >>> error.)
>>> >>>
>>> >> KT> This document follows the approach similar as taken for extending
>>> MPLS EVPN RFC7432 by RFC8365.
>>> >
>>> > I take it you’re referring to RFC 8365 §5.1.3 which talks about using
>>> the MPLS Label field (or MPLS1 Label field) to carry the VNI in the
>>> presence of a BGP Encapsulation Extended Community? Yes, that seems like a
>>> pretty close analogue. And given this particular trick is only with
>>> VPN-type address families one can also argue that there’s not a risk of
>>> affected routes leaking into the big-I Internet, which is the typical
>>> associated concern.
>>>
>>> In a separate reply, the authors of
>>> draft-lz-bess-srv6-service-capability-02 pointed out that it provides a
>>> critique of bess-srv6-services which is similar to this discuss point. (The
>>> authors dropped the IESG from the cc, so I’m following up here instead of
>>> to their original note.)
>>>
>>> On first reading, the critique in
>>> draft-lz-bess-srv6-service-capability-02 seems well argued and responsive
>>> to my question above about potential error modes. In section 3 of their
>>> draft, the authors provide a worked scenario where a VPN route carrying a
>>> SRv6 service SID using the Transposition scheme, if received by an
>>> MPLS-only PE, could result in misdelivered traffic. At minimum, that seems
>>> worth surfacing in the Security Considerations section, since historically
>>> we’ve considered misdelivered VPN traffic to be a Bad Thing that could
>>> expose confidential information.
>>>
>>> The authors do acknowledge that bess-srv6-services proposes a mitigation:
>>>
>>>    To avoid these problems, [I-D.ietf-bess-srv6-services] specifies that
>>>    implementations SHOULD provide a mechanism to control advertisement
>>>    of SRv6-based BGP service routes on a per neighbor and per service
>>>    basis.
>>>
>>> but they go on to argue that this mitigation isn’t fit for purpose:
>>>
>>>    The above method may be feasible in small-scale networks, but are not
>>>    applicable to large-scale networks.
>>>
>>>    [etc]
>>>
>>> It’s not my preference to get into the minutiae of this argument as part
>>> of this discuss. However, I’d like to ask: was this consideration something
>>> the WG discussed? I looked for discussion of
>>> draft-lz-bess-srv6-service-capability in the archives and didn’t find much —
>>>
>>> - When an earlier version was posted to the list it resulted only in
>>> discussion between the original author, Liu Yao, and Eduard Metz, who
>>> became co-author, but there wasn’t any discussion I saw of the actual issue
>>> that the draft identified, but rather refinement of the mitigation it
>>> proposes (which I don’t want to discuss in this note).
>>> - There was an agenda slot request for the draft at IETF-111. It was on
>>> the agenda in the “if time allows” section. I assume time did NOT allow
>>> because I don’t see mention of it in the minutes. (I did find the slides,
>>> slides 3 and 4 summarize the critique,
>>> https://datatracker.ietf.org/meeting/111/materials/slides-111-bess-sessa-srv6-service-capability-00
>>> ).
>>>
>>> But of course, the issue raised might have been discussed by the WG in a
>>> different thread, that doesn’t match a search for
>>> draft-lz-bess-srv6-service-capability. If so, I’d appreciate a pointer to
>>> it.
>>>
>>> If there wasn’t any discussion in the WG of the authors’ critique, I
>>> think it deserves to be discussed a bit as part of this thread. In
>>> particular, does the “this is the same as the trick EVPN does in RFC 8365”
>>> reply apply equally? Probably it does, although that might boil down to
>>> “gosh, we should have caught this when publishing 8365, shouldn’t we?”
>>>
>>> Even if the outcome of the discussion is that the limitation was
>>> discussed by the WG/isn’t a big deal because reasons/maybe it’s a big deal
>>> but we’ll fix it in a followup… as I mentioned earlier, covering it in the
>>> Security Considerations seems worthwhile.
>>>
>>> Thanks,
>>>
>>> —John
>>
>> _______________________________________________
> BESS mailing list
> BESS@ietf.org
> https://www.ietf.org/mailman/listinfo/bess
>
-- 

<http://www.verizon.com/>

*Gyan Mishra*

*Network Solutions A**rchitect *

*Email gyan.s.mishra@verizon.com <gyan.s.mishra@verizon.com>*



*M 301 502-1347*

v2.23.0 | Report a Bug | By Email