Re: [bess] Comments on draft-dawra-idr-srv6-vpn-03
Robert Raszuk <robert@raszuk.net> Thu, 28 December 2017 18:55 UTC
Return-Path: <rraszuk@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1681C126D73; Thu, 28 Dec 2017 10:55:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NRMKrGPwIPWh; Thu, 28 Dec 2017 10:55:20 -0800 (PST)
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3A32126C89; Thu, 28 Dec 2017 10:55:19 -0800 (PST)
Received: by mail-wm0-x22b.google.com with SMTP id t8so45245907wmc.3; Thu, 28 Dec 2017 10:55:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=fznLT/3gOsAVzAwJ1ly2JWjO8AVXUzskIRM9+k6JSPc=; b=nlTQ6x5s3gRnKplZ4W/4mE35NrV6F5rO9akwiaV0uhjkl7EzD4PspEU8yekC/Qh4+4 1BWGTE0IjnPWMyOacgz3Y2bCOYUeuaNDDKcfidkWBTlYkkXffc3vcI1/c91CU3IFm8IU HzG3CnW+XNHLswFnqsiNqhb/dT1iJJ1b6SBkaSpY9ilyEJXsD9Rv928vEf6O/T4euJaz YC+zBwHo/CgXV29clSrYFcrnmcdKdnqK795AYg/GQ1YdPvvchHn2YEVurW+t3eweqCqv 4C8CQOP00JxtqM3whL9vXhp5lzoUbjrgSpbrCUFazjr44oW+NQ6e9030kfBUu8azZV6S WcAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=fznLT/3gOsAVzAwJ1ly2JWjO8AVXUzskIRM9+k6JSPc=; b=VGGQcwSyHd6WNLgn0cWdxYxpA4NkyXq0qNPCl24eIYYna3lFdyHbnFWtxWoZ+arbSR i23TnPxxQY4qbYHSwP1sYMW/KeyNXqvdbawuHCk5SQ33LOiwl+8/RCqsvT403R9ZbQYn MCxvyMenKGfC02p3lsCfKyyurTOvmSyVh8ep8r/R+GyxrbFe5Kh5EKJ0Q6j7mlSeDpZc Bfb/eFyYUCb3UNJhA5VUl6yK3bQg8htWjyWmWFOyFPZmnKlzMcI4Ed5uNb+xoq8uU7ag j2SK5jpI4VBQL3/a4Juc0JVbhBOUTCnsS0oBgvuv10gDImCYTxnUrsbuU8ivaAC/Z9Vy N6jw==
X-Gm-Message-State: AKGB3mJ2tzfn08rM6LrkPP31f0o/vQi8//VrsUHXUIxW04U8Km4Ir1Pt fl+HQ9MX8MQXEokjPrjjT6GwGcEU+ioMDUV2rm0=
X-Google-Smtp-Source: ACJfBovkLJ6v1HC3WIs3Gsc/QclVlcFFPqpdhbLQ8eeLVWgMTDK5XFy8Mx01QTMVw/j/vlNtoV9JGOWtSjrND0UGHDk=
X-Received: by 10.28.136.15 with SMTP id k15mr25590227wmd.147.1514487318062; Thu, 28 Dec 2017 10:55:18 -0800 (PST)
MIME-Version: 1.0
Sender: rraszuk@gmail.com
Received: by 10.28.54.217 with HTTP; Thu, 28 Dec 2017 10:55:17 -0800 (PST)
In-Reply-To: <afb80dad-4f6a-332f-bb3a-4641a3c61a77@juniper.net>
References: <afb80dad-4f6a-332f-bb3a-4641a3c61a77@juniper.net>
From: Robert Raszuk <robert@raszuk.net>
Date: Thu, 28 Dec 2017 19:55:17 +0100
X-Google-Sender-Auth: pbCSth6XFYbkpuyr5sKlljDcjmM
Message-ID: <CA+b+ERmbqc+HDrHnhdUMYqPanyV513acTWo8La9v2hWZ7eo6ng@mail.gmail.com>
To: Eric C Rosen <erosen@juniper.net>
Cc: "bess@ietf.org" <bess@ietf.org>, draft-dawra-idr-srv6-vpn.authors@ietf.org, spring@ietf.org
Content-Type: multipart/alternative; boundary="001a1144242a9c373305616b0ed5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/VDM561SdjUKeo83jJ9dOu4ri_1E>
Subject: Re: [bess] Comments on draft-dawra-idr-srv6-vpn-03
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Dec 2017 18:55:23 -0000
Ok let's start all over :) **** This suggests that an IPv6 address has to be assigned to each VRF (for > **** per-VRF "labeling"), or even to each CE (for per-CE labeling). > No one suggests that. VPN SID is not IPv6 address .. it is part of v6 SID which when appended to IPv6 prefix forms a complete SRv6 SID. Semantics does matter here. **** If those addresses are routable, doesn't this create a security issue > **** as discussed in RFC 4023 Section 8.2? > PE's loopback address say /64 being routable causes any security risk ? **** The phrase "only has local significance" suggests that these SIDs are > **** not routable. But later on there is a suggestion that they are > **** routable, or at least that they might be. > Again SIDs are not routable and they have only local significance - true. They are prepended to say loopback address to form IPv6 SID. **** So there are a number of options: > **** - not routable > **** - globally routable > **** - routable only within egress AS > This is referring to routability of SID ... not right. SID does not need to be routable. What prefix they are part of may be routable. > and the BGP ingress device receiving this route > MAY choose to encapsulate or insert an SRv6 SRH, second it indicates > the value of the SID to include in the SRH encapsulation. For L3VPN, > only a single SRv6-VPN SID MAY be necessary. > > **** I don't understand the phrase "only a single SRv6-VPN SID MAY be > **** necessary". > Analogy to basic L3VPN when you have VPN label and underlay LDP label. If the BGP speaker supports MPLS based > L3VPN simultaneously, it MAY also populate the Label values in L3VPN > route types and allow the BGP ingress device to decide which > encapsulation to use. If the BGP speaker does not support MPLS based > L3VPN services the MPLS Labels in L3VPN route types MUST be set to > IMPLICIT-NULL. > > **** Please provide a reference that specifies how you set the Label field > **** of a SAFI-4 or SAFI-128 route to "implicit null". I don't recall any > **** such thing existing in RFC 3107, 4364, or 8277. > 4364 does not restrict what value of VPN label is used - does it ? I think this draft now right here defines how to read implicit-null being placed there :) It's not my idea though - so I will let real inventors to comment on it more. > **** If you mean "set to three" (the value defined in RFC 3032 to represent > **** "implicit null"), I don't think the SAFI-4/SAFI-128 implementations > **** generally interpret the value three in that manner. > As mentioned I think it just is being defined here and now. > **** I'm not really sure what you're trying to do here. There are at least > **** four cases to consider: > > **** 1. For the case where the backbone doesn't have MPLS, there is no harm > **** in saying "set the label to zero". > Really ? What does the backbone having or not having MPLS has to do with this ? Underlay forwarding does not matter and this is what I read as "backbone". **** 2. For the case where the backbone supports both MPLS and SRv6, and > **** some PEs support L3VPN both ways, while others support only MPLS-based > **** L3VPN, then a real label needs to be put in. > OK. > **** 3. For the case where the backbone supports both MPLS and SRv6, but a > **** particular egress PE only supports SRv6, there needs to be some way to > **** instruct the ingress PEs to use SRv6 and not MPLS. Perhaps the > **** presence of the prefix-SID attribute with VPN-SID TLV is sufficient. > Perhaps not ... and this is exactly the case trying to be addressed. **** 4. For the case where the backbone supports both MPLS and SRv6, the > **** egress PE supports both for transit, but the egress PE only supports > **** SRv6 for L3VPN, the label in the SAFI-1/SAFI-128 routes should be a > Label in SAFI 1 ? > **** value that will cause the egress PE to discard the packet. If there > **** happens to be an ingress PE that only supports the MPLS style of > L3VPN, > **** this will prevent the egress PE from misrouting MPLS packets that > **** arrive from that ingress PE. (This would be an odd, probably > **** transitional, deployment. But the draft isn't very explicit about > just > **** what combinations of MPLS and SRv6 it is supposed to support.) > > **** In any event, the draft would be better off specifying the actual > label value > **** to be included rather than saying "implicit null". This occurs several > **** times in the draft. > .. or to define a new special or reserved label for that embedded signalling. Kind regards, R.
- [bess] Comments on draft-dawra-idr-srv6-vpn-03 Eric C Rosen
- Re: [bess] Comments on draft-dawra-idr-srv6-vpn-03 Robert Raszuk
- Re: [bess] Comments on draft-dawra-idr-srv6-vpn-03 Eric C Rosen
- Re: [bess] Comments on draft-dawra-idr-srv6-vpn-03 Robert Raszuk
- Re: [bess] Comments on draft-dawra-idr-srv6-vpn-03 Eric C Rosen
- Re: [bess] Comments on draft-dawra-idr-srv6-vpn-03 Robert Raszuk