IETF Logo Mail Archive

Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)

John Scudder <jgs@juniper.net> Thu, 24 February 2022 01:04 UTC

Return-Path: <jgs@juniper.net>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2411A3A120B; Wed, 23 Feb 2022 17:04:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.675
X-Spam-Level:
X-Spam-Status: No, score=-2.675 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.576, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b=xOyt6AQk; dkim=pass (1024-bit key) header.d=juniper.net header.b=HJi9ACH5
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nAd6yZMdiYAf; Wed, 23 Feb 2022 17:04:28 -0800 (PST)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8761D3A1203; Wed, 23 Feb 2022 17:04:26 -0800 (PST)
Received: from pps.filterd (m0108158.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 21NGPmbZ027067; Wed, 23 Feb 2022 17:04:25 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=tEd1770gYXPDCOSga+D4V4ASYD4egfM+S23ql96IeEM=; b=xOyt6AQkokoWQDJ2OWG1JGz9kR56TTOdrCeJCAZZI8Ns7ipgBebC9DF3/ykeCZd05DPb MvjZYIB+iPbaEVDrSLynVoQb7gQjSgD93L0XDVpuPfvrmjO5TuTmnanFm3tjDWUgdtJ+ MT8KpY1ZaLUg+z7D7vryndt+Jtqcg7EEehpeD6QMsde9qoE1VxKVXK/slewz5e8WqNf2 yFFkCLTW2vNyqaYf8DNyKyynDPxBTaX+RBSuHj1NTV4fNXGRbfDUbXNnZJpzBt/8FHOe G88HpL5c80+BQ6B5WxNihx+bUVqYWRgt87SU8TaCChn5CL//OpFDNctTdBF1glNRxOa+ pQ==
Received: from nam11-dm6-obe.outbound.protection.outlook.com (mail-dm6nam11lp2172.outbound.protection.outlook.com [104.47.57.172]) by mx0a-00273201.pphosted.com (PPS) with ESMTPS id 3edrej0v4u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 23 Feb 2022 17:04:24 -0800
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cZHqmO7Qubw+la8XDDomglhG+nJzqs+Zx602ff+Qe53Tw1w2Aou9/F3o+Rw5bG2LiY+wI5K6J80uBYr2i/q2WWFZBSfz/7prVGETNWR4B/8nOvEJIkWffPOTDElXGAmWRpCtDMrcU/03RAKFR8hfFFlhgTte0KgKwpzeIMr6n4CA+17Rbbw5k37impPLK+kgfZSGZPaJCH1bjN5I1qGIUx3GKf9XWYMOeWhqhxeAJxuUWy+vXkf/CU3opVbbWzf9/ZH3odGYei9DahP9sxNh6WipeJRaBWewARqzzrKElA3Ut6WnpiGOBo9+CMY9cbu6re0wnYOS8P3YQJ250f8WQQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=tEd1770gYXPDCOSga+D4V4ASYD4egfM+S23ql96IeEM=; b=c+I8mgcKof0R1NkWeYpLrtK/Kzzgdw0KD/7aLYMVm4KPoC1H9R+v7v48XzT/ECH2j9+d/8mfP1WCxFMm65U918MatfO4nEZ3SWa3Q6o03YfyiCgL0EMnHsTJJaP6YLePP0vbtelMZuIHzz51P63xcHXFownZAudvLBwTqYQQD0yeg0uGqt3CYjFjWzGCCDxblYakB1nWykNHOKW+nBt1c8aeU9S6eusHbCoDQTu2M907DGg10+DYGRonw30i7Y84wY7ZNPsjYNIBDhOWhnNuHFq5ULdk4qAF/TPeMYlsIlfFBPuDYKrbjnWY8nifONAXSQriFSWbSuXpXqrxAOldVg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tEd1770gYXPDCOSga+D4V4ASYD4egfM+S23ql96IeEM=; b=HJi9ACH5QBgEOriw6/yXlN9TUNRTw8i4v2UnaqP0w16q8/uN9eK6Pp5R3OHOxEa9TNQhnbhWBtBW2FAhJNisIrQTKrdXUlZMq0iuG8terJBRKJSAQv+tYgFt737Uy//Wy8TWrPDDnWFC4ySVPNAYL4K6U0lhbwgFDcU1OboBNSE=
Received: from MN2PR05MB6109.namprd05.prod.outlook.com (2603:10b6:208:c4::20) by SJ0PR05MB8712.namprd05.prod.outlook.com (2603:10b6:a03:389::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5017.7; Thu, 24 Feb 2022 01:04:22 +0000
Received: from MN2PR05MB6109.namprd05.prod.outlook.com ([fe80::ac4f:f5d8:f411:5dcf]) by MN2PR05MB6109.namprd05.prod.outlook.com ([fe80::ac4f:f5d8:f411:5dcf%6]) with mapi id 15.20.5038.009; Thu, 24 Feb 2022 01:04:22 +0000
From: John Scudder <jgs@juniper.net>
To: Ketan Talaulikar <ketant.ietf@gmail.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-bess-srv6-services@ietf.org" <draft-ietf-bess-srv6-services@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, BESS <bess@ietf.org>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>
Thread-Topic: John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)
Thread-Index: AQHYI322mbek+dF3+EGw0XVWK3Fiw6yXZ0uAgAJe5QCACCe9gA==
Date: Thu, 24 Feb 2022 01:04:21 +0000
Message-ID: <183B3A89-B7CA-4B8B-888C-6404BB65E8F3@juniper.net>
References: <164504757419.5632.9536270153833731412@ietfa.amsl.com> <CAH6gdPxTtVfh02odMdreGnnsD8fnY2rPDqPhU9cucSOuU=bxNw@mail.gmail.com> <DB75B564-CF18-4D93-B183-5C31203E860D@juniper.net>
In-Reply-To: <DB75B564-CF18-4D93-B183-5C31203E860D@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3654.120.0.1.13)
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 36e4bbbf-901c-44f6-4b3f-08d9f73197c6
x-ms-traffictypediagnostic: SJ0PR05MB8712:EE_
x-ms-exchange-atpmessageproperties: SA|SL
x-microsoft-antispam-prvs: <SJ0PR05MB8712DF1968A58A7848B09CB5AA3D9@SJ0PR05MB8712.namprd05.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Py+GQFBIbJANVMctFEme7LbHGs1NyEVy5VDVAPiO5gnLlG1EhtH1V9DZ0Chff/8R/T5V/hHSN65DpXX6T+i5Pm6nNfGixfVlNWTyeBpjSSig0lkGGgNa9Pkc8e1BX4NUPzV+ERTJasWCaTKLSiMXyeqNCNrHIoJzh/4nmO0ziX2p94nHg7QyG4BGV4/HShq04VC8Xcci73iUhl0BPJCyFuwkaUYCmVoKE2/HSscWv27uNVH+L0B7R5B23Gv/g/InQsFaX16pvmV3rWkM9kl+EBzPVYFjhqB+sTLi+0k5eTbgun0YXFMiPbGSUKSqLchmtW6QVt6FaCrTphbStFhSANRg62rIk0FhxEdHeFw4Ucq+OdBz8CLdXtKnDN61fDYnhKeI1vUGPBBzWX6Gkk/OPHQWDPFqebHnzUkBkeQi4yq1VcwZnMG1MflURfAT9dF+TQpoN/RYhO/gObxSwXb1pI7ct8lp3U9+9UPm80cf0aMx5Q80rsghoUQ4TeC11caogtZyFbZ2aEuU+7E7saJnFLSOvOvd8h1qbN6moKjMmQJEmuqSY1Ex5WrQ2+nlOXqUuQVoyUFThXhSQw8G2I7qYNhSG623oCe+eX/jaxfwmRzBYnT1/YjoFZ4edZo+AXSNDO66oYZxrgcJdk9EaDiV6Eyzhy2pNe0gJzAnbUkv5ypwOoaKz1fjiLgAFN11uJOFZ0ulOXQwdxLfS32ofwQvS4kjvXfhefu/YJJWJUdItSZstIsPiBtM+Y2hu6IhWAU8dC77SolsxyRbIgHCW0fB2aAdJnmqBSCqZD1f/XwvM6VKQMYIXD7+HhwtBYkHndcp
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR05MB6109.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(53546011)(6512007)(6506007)(508600001)(71200400001)(5660300002)(83380400001)(38070700005)(122000001)(36756003)(26005)(2616005)(186003)(2906002)(8936002)(76116006)(4326008)(33656002)(91956017)(66946007)(38100700002)(66446008)(64756008)(66476007)(66556008)(6916009)(54906003)(86362001)(8676002)(66574015)(966005)(6486002)(316002)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: FwjxGs5kXJM2AIsH+aFaWhVUzmcuYj4M6v1nfAKRBxRZqjJ6lfQzYzbrR036+W6radOFT5v7mI9oIjd0ekyG1AluDlpBxIciVbbFIZZy38EIw4NrV3dE0WA6hY1XxPZs9UOrSOLroE/q+p3TYj5VSVz3SIV9G8CYgy0lje/Wf0ELBxHquBE6dJFZoMzkDVseaLcHAv1ELjUdFyh0FJFYce9jbP/sUSTQpEaCp2ZLGLYXXS/Ch95Qx3apK7S6NKEpL52u0Sst8qw9PdnJ0EUinC/7mQFyhTEIkx+CpAyv/OG9OvTxvHFpcP00dV/dx+fVVV0zyFRbFlY33wVihWyRil6ej/9H0ImqNjmkxPQgLsN2BVzoMT4f57GKydAmx7KQB0UXC7x2CyyZBIwhDS56NWG1Qje+edQTuWPMhPtFrEdJ6DtIztQ0J6w9yMaHp0cNw3M7JN5IaIwnVtm8Ao68PyOErFAowuFnt9MAlx4Tj3BbNeHWA+V6azMFlICDi/T/dAO4NnlmHCGOEN2T2phicf5D382ahVwfLvfgqvpRnXt9ynhhC1MIjS1Cpw4RyQn7h4WkxIhhdCc1vwbfO7uAV4ZtB3TS6bJ/4BHB39DPeB+Bnz61UT4aaEGXmROpWL9+U1IgyOCVjULokUogdfHfe7IMnU0OtRibvtpOrR1q7firM66qzHBEKMvpW4P4u/o9B3/upd5zSsbKLas6/YuNCPIYOgmISOvJEPgdAPa9iUJJJHmI8x8bwQEU0OnFYjvX370LK8wsi14YmOWkplYUi7f6T1Ajnjv7yyPgNCzF7Gi+iE63iyJ0xPr70F3EP6eSyK0c9RL7cZeAgX4lGKUpzlPSXDZH1PRFNhdYtQsPRK/nTk3DGxKr3j+HRvmfFnOos15C09NLnQFfzguINMrRC0x0c1IUIuaKBBRlctgIG5bQXYxR2pFJ4DAFLnCWG0zOoYyKrISj8LcRQZlCMYF7fDcnCrqrzeQzXZnKaVvBuUqGJlst+ZlFwMYXB8TQfNmZWgGmha3iZvR7cB/PVhwcLHTDR7Afzxh2dJUKAzzzrVZ+bAupF3rIFsryq5oeO8MvVPQhqUwiFwY7pLJlEp/jnK6HZnIMxNmwkCVc61c2hnO7Gkh3XLaDIyuNN2ZMxlFhs428gxbirkU0hpFa4zJd5U+z5xE3Jw9ThTO8oTHPKoOtqkN80rhk7S1+oweNRYjR55qEM82/trW7LXT2++xRl0oaimmQr+FPtdoxNAO68LQyPoRh0mEAN7LGMlKxm1rWzLQWNqzZ7c0q1lBtkxbwUhgiWzxhwgm1Xxe+A0eEhBLRJRjO1GgHyApOYKdbteQydCwtdzqnWohWQU3iF5unEREszbMGIlbVM41q04jPVWTiW8Me8guUGk9Fe0rlMIS+1cF1XSzm35JFpSADj9UfYYd8isSUwJMCJ5nm71UCGp4wQyGTlsO64SB3muMX+nvRjQs6C92kDo3rTNiTCBNpaX7S0AkOgcG5M2GTK6vWiV2MZPQPl3TsCYAGA3Fyj0b/yq0/agpDUU6PysZ4ie34BKq04rbuh7VttvKBwl7IoyY9EdMNLLUhJYMmcueoWO4w
Content-Type: text/plain; charset="utf-8"
Content-ID: <6744C71D4AD02C4A8B5EA228627774C2@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR05MB6109.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 36e4bbbf-901c-44f6-4b3f-08d9f73197c6
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Feb 2022 01:04:22.0042 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: sFmGqnzAmZ71lkmcjRMypr7+hJvp8EOPVln+SzE04nTwwGwU4xqjNsNjapitWMZl
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR05MB8712
X-Proofpoint-GUID: tmIFCFnVsdb37exKGDFNYHp7jk0DGN4-
X-Proofpoint-ORIG-GUID: tmIFCFnVsdb37exKGDFNYHp7jk0DGN4-
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.816,Hydra:6.0.425,FMLib:17.11.64.514 definitions=2022-02-23_09,2022-02-23_01,2022-02-23_01
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 lowpriorityscore=0 suspectscore=0 bulkscore=0 adultscore=0 clxscore=1015 phishscore=0 mlxscore=0 mlxlogscore=686 priorityscore=1501 malwarescore=0 impostorscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2201110000 definitions=main-2202240002
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/JyzFH7Z9SjbS4Ni82_Knv9Ou-iM>
Subject: Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2022 01:04:36 -0000

Further to this point:

> On Feb 18, 2022, at 3:32 PM, John Scudder <jgs@juniper.net> wrote:
> 
>> On Feb 17, 2022, at 3:19 AM, Ketan Talaulikar <ketant.ietf@gmail.com> wrote:
>> 
>>> 2. One area of concern I would have hoped IDR might have looked into is, the
>>> document makes a creative use of the MPLS Label field of the NLRI to carry the
>>> Function part of the SID. This means the SID is effectively split across the
>>> NLRI and the Prefix-SID attribute. What are the potential error modes if the
>>> Prefix-SID attribute should be lost from the route, while the NLRI is retained?
>>> 
>>> (An obvious way of addressing this particular concern would be to define a new
>>> NLRI type with the desired semantics, instead of creatively repurposing fields
>>> within an existing NLRI type contrary to their definitions. Such an NLRI type
>>> would, for example, presumably state in its specification that if it was
>>> received without an accompanying Prefix-SID attribute, that would constitute an
>>> error.)
>>> 
>> KT> This document follows the approach similar as taken for extending MPLS EVPN RFC7432 by RFC8365.
> 
> I take it you’re referring to RFC 8365 §5.1.3 which talks about using the MPLS Label field (or MPLS1 Label field) to carry the VNI in the presence of a BGP Encapsulation Extended Community? Yes, that seems like a pretty close analogue. And given this particular trick is only with VPN-type address families one can also argue that there’s not a risk of affected routes leaking into the big-I Internet, which is the typical associated concern. 

In a separate reply, the authors of draft-lz-bess-srv6-service-capability-02 pointed out that it provides a critique of bess-srv6-services which is similar to this discuss point. (The authors dropped the IESG from the cc, so I’m following up here instead of to their original note.)

On first reading, the critique in draft-lz-bess-srv6-service-capability-02 seems well argued and responsive to my question above about potential error modes. In section 3 of their draft, the authors provide a worked scenario where a VPN route carrying a SRv6 service SID using the Transposition scheme, if received by an MPLS-only PE, could result in misdelivered traffic. At minimum, that seems worth surfacing in the Security Considerations section, since historically we’ve considered misdelivered VPN traffic to be a Bad Thing that could expose confidential information.

The authors do acknowledge that bess-srv6-services proposes a mitigation:

   To avoid these problems, [I-D.ietf-bess-srv6-services] specifies that
   implementations SHOULD provide a mechanism to control advertisement
   of SRv6-based BGP service routes on a per neighbor and per service
   basis.

but they go on to argue that this mitigation isn’t fit for purpose:

   The above method may be feasible in small-scale networks, but are not
   applicable to large-scale networks.

   [etc]

It’s not my preference to get into the minutiae of this argument as part of this discuss. However, I’d like to ask: was this consideration something the WG discussed? I looked for discussion of draft-lz-bess-srv6-service-capability in the archives and didn’t find much —

- When an earlier version was posted to the list it resulted only in discussion between the original author, Liu Yao, and Eduard Metz, who became co-author, but there wasn’t any discussion I saw of the actual issue that the draft identified, but rather refinement of the mitigation it proposes (which I don’t want to discuss in this note). 
- There was an agenda slot request for the draft at IETF-111. It was on the agenda in the “if time allows” section. I assume time did NOT allow because I don’t see mention of it in the minutes. (I did find the slides, slides 3 and 4 summarize the critique, https://datatracker.ietf.org/meeting/111/materials/slides-111-bess-sessa-srv6-service-capability-00).

But of course, the issue raised might have been discussed by the WG in a different thread, that doesn’t match a search for draft-lz-bess-srv6-service-capability. If so, I’d appreciate a pointer to it.

If there wasn’t any discussion in the WG of the authors’ critique, I think it deserves to be discussed a bit as part of this thread. In particular, does the “this is the same as the trick EVPN does in RFC 8365” reply apply equally? Probably it does, although that might boil down to “gosh, we should have caught this when publishing 8365, shouldn’t we?” 

Even if the outcome of the discussion is that the limitation was discussed by the WG/isn’t a big deal because reasons/maybe it’s a big deal but we’ll fix it in a followup… as I mentioned earlier, covering it in the Security Considerations seems worthwhile.

Thanks,

—John

v2.23.0 | Report a Bug | By Email