IETF Logo Mail Archive

Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)

Ketan Talaulikar <ketant.ietf@gmail.com> Thu, 17 March 2022 17:15 UTC

Return-Path: <ketant.ietf@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6A173A1317; Thu, 17 Mar 2022 10:15:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dn_c-8AMQXKI; Thu, 17 Mar 2022 10:15:30 -0700 (PDT)
Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com [IPv6:2607:f8b0:4864:20::e35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C3783A12EE; Thu, 17 Mar 2022 10:15:30 -0700 (PDT)
Received: by mail-vs1-xe35.google.com with SMTP id t66so771064vst.7; Thu, 17 Mar 2022 10:15:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AsWw37gooni1OUwvmMgIs2iiApCqtyGP9iM7lePngXs=; b=edLSC7GhOQpTBeXVyAwhUpGaNzb3lMMyzgg/RtlroeUGmS48dSb4gjPOE/6K8/RjyM aeBcjwJf262mo7Mz/iOI5s1YP0SNDZn6NrZHJNTx5tFWybB1iOxCqJa5thSA2f7s3q1A 3XfkJHAOiazY5/wx1rtDlESq8KS6LITGN8RAv7dWbE0uz8u2voaGoIQiTpi7h5SKewdv 3jZVzTos4x83VE3abu+NTE6271HJRyLFTaC7JML7fV/X5LfUBh3/x6LyiT77NzdIQYMw p9C7mOqat21mlsapoPN5+ywiPqK5updH7IkiMzEQtIt0jsaAFkTQ+EmpR0jR8tT8aMQx pwGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AsWw37gooni1OUwvmMgIs2iiApCqtyGP9iM7lePngXs=; b=iTKY+5b/ahRojwEA+zHr8KXgRk2wjEh8iwlHt/i+c35fm7FykLsHLYh94pXPPIy3mP 3/Vuq6wRcrngUUtpSdNV3XfOzCjdenv74fqu0WazMkYav1lXiCTEBaHFGPf3MAKkjWcd +dBB17bTlS3gMUXcZBscC1/ojyS4W3F1DoVFRBS5GILWFaWmA0UqnOsamPgM8Hq594GR s83rKMPgNozwhDYZK/Q06HiaRNjW5Y4bJ/4+lOVU1TUn1HH0ivqKPN4s/s7MiTvGc3O0 LAM+qJ4+wp9mU8367YUWWioPgaV1TSE8Qx9DmVx12loDUHbkVfRW66NVLvIqi5x0MEcs 7SPQ==
X-Gm-Message-State: AOAM530tvw8StZauOEXMmQ0x5jFgV4yt+RPBJrxTSBHvEq/bflgGUPsa qYTn698DKru3T+whsis5WvFdSTMSV1ru3dmktYYMuJDU
X-Google-Smtp-Source: ABdhPJxrx9TXhDx0WeG4AGgiIHRuC2BWbmG0FfaD5OvYx5UPThbCmT+nwsCn1dyLUyI0v50/ePVNaJgn6aMYyZWv4iw=
X-Received: by 2002:a05:6102:c0b:b0:322:a17a:a806 with SMTP id x11-20020a0561020c0b00b00322a17aa806mr2316431vss.34.1647537328874; Thu, 17 Mar 2022 10:15:28 -0700 (PDT)
MIME-Version: 1.0
References: <164504757419.5632.9536270153833731412@ietfa.amsl.com> <CAH6gdPxTtVfh02odMdreGnnsD8fnY2rPDqPhU9cucSOuU=bxNw@mail.gmail.com> <DB75B564-CF18-4D93-B183-5C31203E860D@juniper.net> <183B3A89-B7CA-4B8B-888C-6404BB65E8F3@juniper.net> <CAOj+MMG711xUEFTHkcVzgX64fGhB+4Nn3Adkv_ywqS78LVMv4Q@mail.gmail.com> <CAH6gdPxV+r2iUouqom3rRZBoDbdbi45N_H-GBr_hOqgmYPBa3w@mail.gmail.com> <CABNhwV0Ym=WpQ+HpWEmBgw+0F0OwKrJ7JHqPk6VvWCEJpsRr_g@mail.gmail.com>
In-Reply-To: <CABNhwV0Ym=WpQ+HpWEmBgw+0F0OwKrJ7JHqPk6VvWCEJpsRr_g@mail.gmail.com>
From: Ketan Talaulikar <ketant.ietf@gmail.com>
Date: Thu, 17 Mar 2022 22:45:16 +0530
Message-ID: <CAH6gdPx+RC=6d06fatDnCTOKWjzo1+qgSCjCuXi5x9ck_MqwVg@mail.gmail.com>
To: Gyan Mishra <hayabusagsm@gmail.com>
Cc: BESS <bess@ietf.org>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, John Scudder <jgs@juniper.net>, Robert Raszuk <robert@raszuk.net>, The IESG <iesg@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "draft-ietf-bess-srv6-services@ietf.org" <draft-ietf-bess-srv6-services@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003de6df05da6d2d08"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/OGDdgIsu2SaSi2W0WBJCbogtPtU>
Subject: Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Mar 2022 17:15:36 -0000

Hi Gyan,

Please check inline below for responses.


On Wed, Mar 16, 2022 at 8:08 PM Gyan Mishra <hayabusagsm@gmail.com> wrote:

>
> Hi Ketan
>
> I reviewed the updated security considerations section and the update
> looks good.  As well section 10.3 Data plane considerations and read again
> the referenced documents security considerations section of RFC 8402, RFC
> 8986, RFC 8754 and RFC 8996.  All looks very good.
>
> One question I had was that if operators only advertises the SRv6 summary
> block B:N::/48 to the internet, the summarization route would not contain
> the embedded BGP Prefix SID attribute encoding of L2 and L3 Service SID in
> the FUNCT field of the SRv6 SID.
>
> If you agree with what I have stated , then that would limit the exposure
> drastically related to service SID leakage to the internet.
>

KT> I agree. However, an even better approach is simply not even
advertising the reachability for the SRv6 summary block on the Internet.
This way, it becomes challenging for someone on the Internet to send
packets to any SRv6 Locators/SIDs belonging to the provider. Also, as
discussed in RFC8986, the allocation of SRv6 Block from the ULA space is
another technique to mitigate this.


>
> The security exposure is related to only the inter-as peering lateral,
> provider or RS peering and not customer peering as the SRv6 source node
> encapsulates customer traffic into payload of outer IPv6 header.  So I
> think customer  PE-CE edge peering would not be a security issue.
>
> Also another thought is that within an SRv6 domain as next hop self is
> used internally on any inter-as lateral, provider or RS ties which is done
> on both ends of the peering between operators, does the SRv6 B:N::/48
> underlay block even need to be advertised externally.
>

KT> It doesn't and should not be advertised externally.


> As the BGP overlay is what holds the internet table and that is all that
> needs transitivity for internet route reachability.  That would further
> reduce the exposure of data plane service sid encoding in SRv6 SID leaking
> to the internet.
>

KT> Correct.


>
> As far as SRv6 service capabilities draft below, my thoughts are as any
> parallel multi transport that exists would only be done within the confines
> of a domain within the same operators Administrative domain and not between
> providers which would also be limited during a transition from brown field
> MPLS or SR-MPLS to a parallel Green field SRv6 transport.  As this use case
> is all within the same domain, careful design is on the onus of the
> operator as relates to SRv6 to MPLS BGP overlay interoperability for SAFI
> 128.  So I don’t see this as a major issue for operators as all the careful
> considerations will be taken for that interoperability as well as there are
> many underlying solutions for SRv6 to MPLS or SR-MPLS interoperability.
>
> This is more of an interoperability issue use case that could be
> considered orthogonal to this draft that only exists within an operators
> network during migration.
>
>
> https://datatracker.ietf.org/doc/html/draft-lz-bess-srv6-service-capability-02
>

KT> Agree that this topic is orthogonal but is also somewhat complex and we
(WG) need to continue work on this separate from this base document.

Thanks,
Ketan


>
>
> Kind Regards
>
> Gyan
>
> On Sat, Mar 5, 2022 at 4:40 AM Ketan Talaulikar <ketant.ietf@gmail.com>
> wrote:
>
>> Hi John,
>>
>> We've just posted an update to the draft to address the comments raised
>> and to clarify the security considerations.
>>
>> https://datatracker.ietf.org/doc/html/draft-ietf-bess-srv6-services-12
>>
>> Thanks,
>> Ketan
>>
>>
>> On Thu, Feb 24, 2022 at 3:42 PM Robert Raszuk <robert@raszuk.net> wrote:
>>
>>> Hi John,
>>>
>>> You have highlighted below a very important point. It was discussed
>>> among co-authors, but perhaps not sufficiently during the BESS process as
>>> the issue is really not a BESS WG problem.
>>>
>>> In BGP protocol any new service deployment using existing AFI/SAFI is
>>> not easy. Especially when you are modifying content of MP_REACH or
>>> MP_UNREACH NLRI attributes. Main reason being is that using capabilities
>>> only goes one hop. In full mesh it all works perfect, but the moment you
>>> put RR in between BGP speakers things are getting ugly as capabilities are
>>> not traversing BGP nodes. /* Even in full mesh mixing transports for the
>>> same service is a serious challenge for routers when say multihomes sites
>>> are advertised from different PEs with different transport options */.
>>>
>>> Imagine RR signals SRv6 Service Capability to the PE. Then this PE
>>> happily sends a new format of the UPDATE messages. Well as today we also do
>>> not have a notion of conditional capabilities (only send when received from
>>> all) so if some of the RR peers do not support it you end up in partial
>>> service. One can argue that in this case the only deterministic model is to
>>> push the configuration from the management station and control partial
>>> deployment of the new service from mgmt layer.
>>>
>>> The natural alternative would be to never modify NLRI format once
>>> shipped by RFC. When needed issue a new SAFI. Yes that is an option (and
>>> has always been) but it also comes with its own set of issues. New SAFI is
>>> really great to define for new service/feature etc ... Here however in the
>>> context of this discussion we are changing transport for existing service.
>>> And just like it was the case with MPLS over UDP or  tunnel attribute etc
>>> ... using a new SAFI would be very hard to deploy as there would need to be
>>> well defined behaviour of BGP speakers receiving duplicate information for
>>> the same VPN prefixes or receiving at one time only from single SAFI then a
>>> bit later from the other one .. Of course one solution is to permit only
>>> one SAFI for a given service at any given time, but that seems way too
>>> restrictive too.
>>>
>>> So to summarize while I am personally a huge proponent of new SAFI and
>>> new capabilities to be defines for new service here I do have  some
>>> reservations. It seems to me that deployment of new transport for VPN
>>> service should be either network management driven or enabled when all
>>> participating PEs support it. Enabling it automagically with one hop
>>> capabilities seems to me like not a good thing as the data being sent in
>>> the UPDATES is not optional and dropping it means dropping actual routes.
>>>
>>> So at the current time the subject draft took a management approach.
>>>
>>> Many thx,
>>> Robert.
>>>
>>> On Thu, Feb 24, 2022 at 2:04 AM John Scudder <jgs@juniper.net> wrote:
>>>
>>>> Further to this point:
>>>>
>>>> > On Feb 18, 2022, at 3:32 PM, John Scudder <jgs@juniper.net> wrote:
>>>> >
>>>> >> On Feb 17, 2022, at 3:19 AM, Ketan Talaulikar <ketant.ietf@gmail.com>
>>>> wrote:
>>>> >>
>>>> >>> 2. One area of concern I would have hoped IDR might have looked
>>>> into is, the
>>>> >>> document makes a creative use of the MPLS Label field of the NLRI
>>>> to carry the
>>>> >>> Function part of the SID. This means the SID is effectively split
>>>> across the
>>>> >>> NLRI and the Prefix-SID attribute. What are the potential error
>>>> modes if the
>>>> >>> Prefix-SID attribute should be lost from the route, while the NLRI
>>>> is retained?
>>>> >>>
>>>> >>> (An obvious way of addressing this particular concern would be to
>>>> define a new
>>>> >>> NLRI type with the desired semantics, instead of creatively
>>>> repurposing fields
>>>> >>> within an existing NLRI type contrary to their definitions. Such an
>>>> NLRI type
>>>> >>> would, for example, presumably state in its specification that if
>>>> it was
>>>> >>> received without an accompanying Prefix-SID attribute, that would
>>>> constitute an
>>>> >>> error.)
>>>> >>>
>>>> >> KT> This document follows the approach similar as taken for
>>>> extending MPLS EVPN RFC7432 by RFC8365.
>>>> >
>>>> > I take it you’re referring to RFC 8365 §5.1.3 which talks about using
>>>> the MPLS Label field (or MPLS1 Label field) to carry the VNI in the
>>>> presence of a BGP Encapsulation Extended Community? Yes, that seems like a
>>>> pretty close analogue. And given this particular trick is only with
>>>> VPN-type address families one can also argue that there’s not a risk of
>>>> affected routes leaking into the big-I Internet, which is the typical
>>>> associated concern.
>>>>
>>>> In a separate reply, the authors of
>>>> draft-lz-bess-srv6-service-capability-02 pointed out that it provides a
>>>> critique of bess-srv6-services which is similar to this discuss point. (The
>>>> authors dropped the IESG from the cc, so I’m following up here instead of
>>>> to their original note.)
>>>>
>>>> On first reading, the critique in
>>>> draft-lz-bess-srv6-service-capability-02 seems well argued and responsive
>>>> to my question above about potential error modes. In section 3 of their
>>>> draft, the authors provide a worked scenario where a VPN route carrying a
>>>> SRv6 service SID using the Transposition scheme, if received by an
>>>> MPLS-only PE, could result in misdelivered traffic. At minimum, that seems
>>>> worth surfacing in the Security Considerations section, since historically
>>>> we’ve considered misdelivered VPN traffic to be a Bad Thing that could
>>>> expose confidential information.
>>>>
>>>> The authors do acknowledge that bess-srv6-services proposes a
>>>> mitigation:
>>>>
>>>>    To avoid these problems, [I-D.ietf-bess-srv6-services] specifies that
>>>>    implementations SHOULD provide a mechanism to control advertisement
>>>>    of SRv6-based BGP service routes on a per neighbor and per service
>>>>    basis.
>>>>
>>>> but they go on to argue that this mitigation isn’t fit for purpose:
>>>>
>>>>    The above method may be feasible in small-scale networks, but are not
>>>>    applicable to large-scale networks.
>>>>
>>>>    [etc]
>>>>
>>>> It’s not my preference to get into the minutiae of this argument as
>>>> part of this discuss. However, I’d like to ask: was this consideration
>>>> something the WG discussed? I looked for discussion of
>>>> draft-lz-bess-srv6-service-capability in the archives and didn’t find much —
>>>>
>>>> - When an earlier version was posted to the list it resulted only in
>>>> discussion between the original author, Liu Yao, and Eduard Metz, who
>>>> became co-author, but there wasn’t any discussion I saw of the actual issue
>>>> that the draft identified, but rather refinement of the mitigation it
>>>> proposes (which I don’t want to discuss in this note).
>>>> - There was an agenda slot request for the draft at IETF-111. It was on
>>>> the agenda in the “if time allows” section. I assume time did NOT allow
>>>> because I don’t see mention of it in the minutes. (I did find the slides,
>>>> slides 3 and 4 summarize the critique,
>>>> https://datatracker.ietf.org/meeting/111/materials/slides-111-bess-sessa-srv6-service-capability-00
>>>> ).
>>>>
>>>> But of course, the issue raised might have been discussed by the WG in
>>>> a different thread, that doesn’t match a search for
>>>> draft-lz-bess-srv6-service-capability. If so, I’d appreciate a pointer to
>>>> it.
>>>>
>>>> If there wasn’t any discussion in the WG of the authors’ critique, I
>>>> think it deserves to be discussed a bit as part of this thread. In
>>>> particular, does the “this is the same as the trick EVPN does in RFC 8365”
>>>> reply apply equally? Probably it does, although that might boil down to
>>>> “gosh, we should have caught this when publishing 8365, shouldn’t we?”
>>>>
>>>> Even if the outcome of the discussion is that the limitation was
>>>> discussed by the WG/isn’t a big deal because reasons/maybe it’s a big deal
>>>> but we’ll fix it in a followup… as I mentioned earlier, covering it in the
>>>> Security Considerations seems worthwhile.
>>>>
>>>> Thanks,
>>>>
>>>> —John
>>>
>>> _______________________________________________
>> BESS mailing list
>> BESS@ietf.org
>> https://www.ietf.org/mailman/listinfo/bess
>>
> --
>
> <http://www.verizon.com/>
>
> *Gyan Mishra*
>
> *Network Solutions A**rchitect *
>
> *Email gyan.s.mishra@verizon.com <gyan.s.mishra@verizon.com>*
>
>
>
> *M 301 502-1347*
>
>

v2.23.0 | Report a Bug | By Email