Re: [bess] Benoit Claise's Discuss on draft-ietf-bess-mvpn-extranet-04: (with DISCUSS and COMMENT)
Eric C Rosen <erosen@juniper.net> Fri, 18 December 2015 14:30 UTC
Return-Path: <erosen@juniper.net>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA9581B2B58; Fri, 18 Dec 2015 06:30:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xYFxKiFdNRY4; Fri, 18 Dec 2015 06:30:17 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0122.outbound.protection.outlook.com [65.55.169.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D9CD1B2C12; Fri, 18 Dec 2015 06:30:14 -0800 (PST)
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=erosen@juniper.net;
Received: from [172.29.35.68] (66.129.241.14) by BY2PR0501MB2007.namprd05.prod.outlook.com (10.163.197.18) with Microsoft SMTP Server (TLS) id 15.1.355.16; Fri, 18 Dec 2015 14:30:09 +0000
To: Benoit Claise <bclaise@cisco.com>, The IESG <iesg@ietf.org>
References: <20151217133049.1038.44405.idtracker@ietfa.amsl.com>
From: Eric C Rosen <erosen@juniper.net>
Message-ID: <56741869.5020505@juniper.net>
Date: Fri, 18 Dec 2015 09:30:01 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <20151217133049.1038.44405.idtracker@ietfa.amsl.com>
Content-Type: multipart/alternative; boundary="------------040605010800010508050204"
X-Originating-IP: [66.129.241.14]
X-ClientProxiedBy: CO2PR20CA0015.namprd20.prod.outlook.com (25.163.96.25) To BY2PR0501MB2007.namprd05.prod.outlook.com (25.163.197.18)
X-Microsoft-Exchange-Diagnostics: 1; BY2PR0501MB2007; 2:/FY3oXygpKVQJSZmk0U/UzJ769TLvKgG8BiyvZHC2xsD2hwNzVJRcmAtQ7DRgulH4D3BetMX9rMFeP1VWKKsZNAJpULsIuoqrfJUzQ6ORQ+cRCoLFmJDBH7Rb4CKObpH7WnHnKotSXo4wImufll2hg==; 3:iPLVGCUKGfxHt4OtOTHsm5vyXzznj3EqToyHvrKvqx4o+8+z7ZdpaSn3EkaznyaXPSu7R+Q9CCvjRI0kV+MyITnJ32cFnasXRwbDPAPn69YE585splAa2a31WVey3CWq; 25:DWt0ZDndj05k670F0OoEOPhddjAsuMrWnvxCF77LXIYz6fWiExbhZkBorKIAIG9Xgs8+mjr6y4SPvzNBglIgI+sfI4vuj0sZDNCPLh3knA96tePfOjs2zlP3Wg7bRtQatWDL3UALse7hFx6K/KIz2IYRHcSkDVhEnLxM5VlJea/eOZVln5s9t/B2XlctYaTXZMVpG7MfJHKd3r4rECudTayaYL64TNO5qRuSc7W1etHL6X0hW+fHeqw1kxb8IT/d
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR0501MB2007;
X-Microsoft-Exchange-Diagnostics: 1; BY2PR0501MB2007; 20:KMq79L9/P/bxkGFCW3QpgaJ2EUlqh1KfkjOWzr5xVex5DmOMRJI2xbelfoCaMWTnB0mI9br3Vd97D9J4wmfYiZo0KBsScHRxci6hdrTbvm4kR9WFWo0L3hMsQuXCxgrAvaagpecNlAIgxo+A1HO9i76jZELbcae6IK8Dhf7wDdDfIayxQzW0s8Oi+SR5Dod+UMK9KeJRDRDzUHEMU4o3XVgCLBG0xMb5uLaJPePg4TCbZDejnodtoXBGvdqq6vZHXBKMHO6U/c94B+QjGleFQO7TtURn2O8SstDJpQZpW0aKNRymgLNpbcqOvCQHqvvOpBX+7G/G5lAXwQSq4ZzUkBOGHXtYu9d2L34/EpT8LbP1cMSCao/BSbCT60/PvWIobaqaRjMQoxcBJB32ycAkrMOkGWhOtI4A6FzWjBWo3XBbgxLC43W8ZCDeLYbQogvsTFCEBwqlKuJtYYxluW+w05v5nEqgtFmfqrnCa6UKelzz8vUzXa5GqS8Buk/0HyG+; 4:wOquIDrufi3dXiPiOZu8afKn6H3sNQ5EkL9j4urF+XA9j6DcBQjTnPx9uHhSd8y/ebiqBoTCuGyVwlhwRlpQnNdmVwj0JiQAzJTgmAXVGVd+8DIwnq7ADHrbGXlrQFgTV/ZPY11nKuI117pbvHgP4BPbg1aTqtr2MKDtPlWiwqbPNKwFuVBa86tREqG9AjMDNNapUUN6nDxK6VUt4dDKr+6gbtvtuaRdMBpotcv6hubgjJtOtI+7mzE5i8cNsd84qKJrn3cd55dkwtFIIHFvj88VMU7yBdcHuAozJwldNk+TlQOm+fq5Wd3xFWzz3nw1THhm4DgpLJ8pGBlxDuqYbQYBaJaHgFYohl9EdQ6OZ4v88wC3A2Mz5I24ZqSoqyTC
X-Microsoft-Antispam-PRVS: <BY2PR0501MB2007DA035460629DA5DB18CAD4E10@BY2PR0501MB2007.namprd05.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(520078)(8121501046)(10201501046)(3002001); SRVR:BY2PR0501MB2007; BCL:0; PCL:0; RULEID:; SRVR:BY2PR0501MB2007;
X-Forefront-PRVS: 07943272E1
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(979002)(6049001)(6009001)(76104003)(199003)(24454002)(479174004)(377454003)(189002)(87976001)(65806001)(4001350100001)(117636001)(5008740100001)(83506001)(84326002)(5890100001)(586003)(5004730100002)(105586002)(19580395003)(6116002)(66066001)(1096002)(64126003)(87266999)(54356999)(3846002)(65956001)(92566002)(106356001)(101416001)(2950100001)(230783001)(189998001)(76176999)(86362001)(77096005)(122386002)(42186005)(81156007)(65816999)(50986999)(40100003)(5001960100002)(5001770100001)(97736004)(36756003)(512874002)(59896002)(99136001)(62816006)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR0501MB2007; H:[172.29.35.68]; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
Received-SPF: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: 1;BY2PR0501MB2007;23:BUmWshQmu6ICt0PQKdRqH/cNOkZA9wSuBrLIsm4iNtDWh8NEdo47QZgJg71kdLhSXfNcTjKc17OQJqpkNHe5fbJPMR5/OqWXHod+29Kd2oTLnJq0ndhl3G5ojHktiBRLcW51JmNG9UsM5bKLgOM5Vy2ijm+XEsddkQPXfOzTj6/ZFamCzljDUQLoTUA8dnFSc/TuQmhCDaV76AwVcF4LLYsKce3xPo6v42SWFYB1iO/SPdJW7kItTwXqUl8LQn6Yhe7XlQdYE+5sr/9gxaILxAmeraIhD3laoEfOuzIXEgJcX2ZgQJrlsde8xBwtihOapFYcJlql+paxxCHfjt9hyuAB0mfHlJ449w90gjhtb/aFH9mX1fk4OQMl13WUOlqGhrAqyv77II7upE1zc46vV4LQvSu5wFVorkYjr+7XE+YLpwcS2UGfCHwbEjjiQYW/3U7F3GSn02kLgTcK8+eotoEC6V4vlwKf6/LKloK03FdFWwjQu8S7sUJESAvUzXJByIwRS7bnEi4AamyP18ezkV+5l+kAiVBmrUNBZiN9y59cQqKivXpH0CjwsIR9/gvTw/+RM/1kdL8YPs9MBDdKDUznoxVTrGjWCzt9yNXosH0kqJOy/fa4XfDBJbjEnA+x38XIWDckyd6X8c1T+/l/M2jJV3pv3TlItLYCtc2Es6ERMhUgyY9qQu5l74Qs2THwsyLjLa/0IC7+R58YzayDtNBY8rFUl6H846brTIhECvu9a2ntNUEO/vzkoA4siJ36X766Ctfmp3t0F+DaawwC4REuF7I/tu0hLr7fKyh6zLu1sfno49NKgUZMKNyUeunzDFpHuleM5gFnK8GTKeSD5WZi1ZElSQj8VlebUVcxI9YtrNawMIYUZ3qv4Wg7/bkxbIjd2bOAubTyQJ0bsjYzdzVSsNjBTLfMBRkDDRJxAUnxqyN2fkCDD7xTOK+yHuMYUB07VnRtnmDKm9UNJkuhzQNyKZAdbyRv17NdVP/k8/ObmtRn9gw+KkZe1qDM9Cd7Uj3qANX79E0YjL7mwUbDWj6aZDWpsC9eEQpiN8WKIjE4kL9g+5hFDnmwo4ueEZDZk9pZBlQeiGqOGseT1TqUf3g65y2x8wyQ8Ey02nR3H9SkDcaVAZEcpztyNAJxewkFQ/4YsTSpR+ZbZVli8KbQ+6pHfAxAcar/zMBu8vQWdOqhD0l84FUpY3TKaXiJ6is39s6jP067GzSfdrWBzL4I0Iwu2DjbQmb87hA04FcxPR7bgSxpzt5onzxNRRxxyJk5J7/itI0UR8VOZ0rugkq56GJIHWG78lUJYCrxMZ7q5kepYx9dmOgAFS12lYdfxhN1y4bNlibJ977z/Ft0pvYOU/32nnczE/IkTXEC8shpBgLmOsdUdEZkFSyJI+jziiTOxVSlMaTfnUx4zEiRhvwQTA==
X-Microsoft-Exchange-Diagnostics: 1; BY2PR0501MB2007; 5:bb/LhwcEHlrDgy9mM2ClHnKeA+KlpPOqWk1fY9hvMuXRPUJinRa6zZ9EBtklEE4hmbyYAZT6ep2/G3TgjRGcGYucBmbl5b129HL6O5fMbC7K9vy9CYiMmMZven++XXHLggNJPY6e6+CSokTArkb6zQ==; 24:+8mMMwfKa6hTn80Q5mO3IPMoK2MhKAffZtd0Q8FTKs2v3PF//3Z8b5TfP1rjPiiHGqlX/x0IC/pGax0L/T1lAgJCUvLZU0zL2fnB3X74li4=
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Dec 2015 14:30:09.5596 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR0501MB2007
Archived-At: <http://mailarchive.ietf.org/arch/msg/bess/QMA2emWpMbSYJqBmSE3-7CD-6jQ>
Cc: draft-ietf-bess-mvpn-extranet@ietf.org, shares@ndzh.com, aretana@cisco.com, bess-chairs@ietf.org, martin.vigoureux@alcatel-lucent.com, bess@ietf.org
Subject: Re: [bess] Benoit Claise's Discuss on draft-ietf-bess-mvpn-extranet-04: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2015 14:30:22 -0000
I responded to Sue's review, but noticed that the response did not go to the BESS mailing list. So I am sending my response again; apologies to those who are getting it twice. On 12/17/2015 7:47 AM, Susan Hares wrote: > > Eric, Rahul, Yiqun, and Thomas: > > I have reviewed this document as part of the Operational directorate's > > ongoing effort to review all IETF documents being processed by the > IESG. These > > comments were written with the intent of improving the operational > aspects of the > > IETF drafts. Comments that are not addressed in last call may be > included in AD reviews > > during the IESG review. Document editors and WG chairs should treat > these comments > > just like any other last call comments. > > Please let me know if any of these comments are unclear. This is > interesting BESS work, and a clear deployable specification will help > with multicast traffic (video and other traffic). > > Sue Hares > > ====== > > Status: Not ready, three major concerns and two editorial nits: > > Major concerns: > > 1)Specification of the Extranet Source Extended Community and Extra > Source extended Community > > Please provide the type of detail as show in RFC 4360 sections 3.1, > 3.2, and 3.3. > It would not be correct to do so. As you may recall, RFC7153 reorganized the Extended Community registries, and Section 4 of RFC7153 provides instructions on how to request Extended Community codepoints from IANA. In fact, one of the main purposes of RFC7153 was to eliminate the need to provide IANA with the sort of detail that is indicated in RFC4360. I believe that the specification of the two ECs (and the request for codepoints for them) is in accord with RFC7153 and does not need revision. > 2)Why is there no Deployment considerations section? > There is no requirement for a Deployment Considerations section, so absence of one cannot be grounds for a DISCUSS. I will interpret this comment as meaning that there is insufficient discussion of deployment issues. However, I find the comment puzzling, as so much of the draft is about proper provisioning of the Route Targets, and Route Distinguishers. There is also quite a bit of discussion about corner cases, such as (a) the problem that may arise if a source host originates both extranet and non-extranet sources, and (b) the problem that may arise if a single address prefix is the best match for both an extranet source and a non-extranet source. In fact, you say yourself: > > The whole draft is a set of rules for handling policy, BGP A-D routes, > tunnel set-up, and PIM Join/leaves in the case of an intra net. > Unless these rules are followed exactly, traffic may flow into a VPN > it is not suppose to. > So I really don't understand what you think is missing. > > If the customer and the SP must coordinate on setting up filters, the > procedure is outside the document. > Yes, the interaction between the service provider and its customers is outside the scope of this document. > An error in any of these set-ups is considered a “security violation”. > Not quite; any error in these set-ups could result in a security violation, i.e., in delivery of data to hosts that aren't supposed to get it. > In this set-up, one has to ask “is there another choice” to this whole > design > Certainly the WG has had plenty of time to come up with up with a better alternative. > there should be a deployment section indicating how to manage the > RTs, RDs, and policy set-up. > I do not understand what you think is missing. This is covered quite extensively in sections 1.3, 4, and 5. > Perhaps experience with the Intra-As has shown deployment tips that > would make this less fragile. If so, it would be good to include an > operations consideration section. > I do not think there is any requirement to have "deployment tips" in this document, nor is there any requirement to have an "operations considerations" section. However, since so much of the document is devoted to the issue of how to properly provision the RTs and RDs, I don't quite understand what you think is not covered. > > If a new class of tools provides monitoring or provisioning, > mentioning these would be useful. If yang modules are being > developed, that would be useful. > It is not within the scope of this document to "mention" monitoring or provisioning tools. Yang models are also outside the scope of this document. > > Places that indicate issues with violated constraint: > > p. 11, 12, 19 (2.3.2 – a priori knowledge, inability to detect), , > I am not entirely sure what you are asking. As discussed in Section 2, the big problem in MVPN extranet is that an egress PE may receive two distinct multicast flows that happen to have the same IP source and IP group address, say (S,G). The procedures and policies specified in the draft prevent two such flows from traveling across the backbone on the same tunnel. However, the detailed examples in sections 2.1 and 2.2 show how a given egress VRF can end up listening to two tunnels, each of which is carrying an (S,G) flow. In this case, only one of the tunnels is carrying the (S,G) flow that needs to be delivered to the VRF, but the other tunnel is carrying other flows that need to be delivered to the VRF. The problem is how to prevent the "wrong" (S,G) flow from being delivered to a given VRF. Section 2.3 outlines two methods for preventing this: - Since the VRF "knows" the tunnel from which to expect the (S,G) flow, it can discard (S,G) packets coming from the other tunnel. However, not all deployed hardware platforms are able to do this at speed. Hence the other alternative: - Don't put more than one flow on a tunnel; then if (S,G) is flowing on two tunnels, a given egress VRF will only be listening to one of them. That eliminates the problematic situation in which "the other tunnel is carrying other flows that need to be delivered to the VRF". The actual constraint is a bit more complicated than 'don't put more than one flow on a tunnel', but this is detailed in Section 2.3. I think this is all explained in the draft. Are you saying that the explanation above is incomprehensible, or are you saying that the draft just doesn't make it clear and needs some additional text? Or are you saying something else? > p. 25 last paragraph (violation of constraints will cause things to > not work. However, only policy can control), > Again, not sure what you are asking. This page specifies a set of constraints on the way RTs are assigned. It points out that these constraints are presupposed by the procedures that are later specified for determining whether a given flow is expected to arrive from a given tunnel. It is explained elsewhere in the document that accepting a flow from other than the expected tunnel can result in misdelivery of data. What else needs to be added? > p. 27 4.2.2 (1^st paragraph, Route Reflector must not change), > That's section 4.4.2; the topic is the propagation of routes that carry the Extranet Source EC. Recall that a CE puts the Extranet Source EC on an IP route to indicate that the route represents an extranet source. The PE then translates the IP route to a VPN-IP route, and attaches a specific set of RTs to the VPN-IP route. The draft requires that the Extranet Source EC also be carried by the VPN-IP route, and that it not get stripped off while the VPN-IP route is being propagated. This rule is needed in order to support the scenario in which a VPN contains an "Option A" interconnect. At the Option A interconnect, the VPN-IP route gets translated back to an IP route, and the RTs are stripped off before the IP route is propagated. If the Extranet Source EC has also been stripped off, there is no way for the router at the other end of the Option A interconnect to know that the route represents an extranet source. Thus the technique of using the Extranet Source EC to dynamically signal that a particular route represents an extranet source will not work correctly across an Option A interconnect unless the rules of section 4.4.2 are followed. I can add some text about this to section 4.4.2. > p. 31 (5.1, first paragraph), > Section 5.1 specifies a set of constraints on the assignment of RTs, and explains the need for them. I'm not sure what more you think is necessary. > > 3)Is security section really a security section? It seems more like > “do this policy” or this will fail. It should get a stronger review > from the security directorate > The Security Considerations section mentions those things that are specific to MVPN Extranet and that need to be done properly in order to prevent misdelivery of data. That seems like an appropriate security section for this document. General issues of privacy/integrity/authentication are not specific to MVPN Extranet, and so are not mentioned here. > Editorial suggestions: > > Summary: In general the authors provide dense English text to describe > this rules. In general the English text contains valid complex > sentences. However, a few things should be suggested: > > 1)PTA – define it in a definition section or spell out the abbreviation > This acronym is expanded at first occurrence, but I will be happy to add it to the Terminology section as well. > 4)P. 36 second paragraph. The reason for the “MUST” in 1^st full > paragraph is a bit vague. It seems logical, but the reasoning is just > vague in the text. > Are you referring to the following: "the VPN-R VRF MUST also originate one or more additional Intra-AS I-PMSI A-D routes. It MUST originate one additional Intra- AS I-PMSI A-D route for each Incoming Extranet RT with which it has been configured" * *At the beginning of section 6.2, it says: "if a VPN-S VRF has extranet multicast C-sources, and a VPN-R VRF has extranet multicast C-receivers allowed by policy to receive from the C-sources in the VPN-S VRF, then the VPN-R VRF joins the MI-PMSI that VPN-S uses for its non-extranet traffic." The former paragraph describes the mechanism that VPN-R uses to join the MI-PMSI into which VPN-S transmits. I can add a sentence to the paragraph on page 36 saying "This is the method that VPN-R uses to join the MI-PMSIs that may contain extranet flows that are of interest to it". > 7)Page 53 – section 7.4.5 paragraph 3 “VRF route Import EC” – please > spell out first usage and give abbreviation (VRF Route Import Extended > Community (EC). > I see only two occurrences of "EC" in the draft, so I'll just replace them with "Extended Community".
- [bess] Benoit Claise's Discuss on draft-ietf-bess… Benoit Claise
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Stephen Farrell
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Susan Hares
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Susan Hares
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Susan Hares
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Susan Hares
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Benoit Claise
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… joel jaeggli
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… joel jaeggli
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Martin Vigoureux
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Alvaro Retana (aretana)
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Susan Hares