[bess] Roman Danyliw's Discuss on draft-ietf-bess-datacenter-gateway-10: (with DISCUSS and COMMENT)

[Roman Danyliw via Datatracker <noreply@ietf.org>]

Roman Danyliw has entered the following ballot position for
draft-ietf-bess-datacenter-gateway-10: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-bess-datacenter-gateway/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

RFC8402 tells us:

(a)“Segment Routing domain (SR domain): the set of nodes participating in the
source-based routing model …

(a.1) “These nodes may be connected to the same physical infrastructure (e.g.,
a Service Provider's network).”

(a.2) “They may as well be remotely connected to each other (e.g., an 
enterprise VPN or an overlay).”

(b) “By default, SR operates within a trusted domain.  Traffic MUST be filtered
at the domain boundaries.” My understanding of this document is that it is an
enabling capability to help establish SR domains of the like described in
(a.2).  What I see missing is text that provides the confidence suggested by
the language of “trusted domain” in (b).

-- Section 1 hints at various VPN technologies perhaps being used  “The various
ASes that provide connectivity between the Ingress and Egress   Domains could
each be constructed differently and use different technologies such as IP, MPLS
with global table routing native BGP to the edge, MPLS IP VPN, SR-MPLS IP VPN,
or SRv6 IP VPN.”  However, the security properties of all of those aren’t clear
to a degree that would seem consistent with being a “trusted domain”.  For
example, saying “IP” might suggest that naked IP packets with SR headers (with
no additional security primitives) could be dropped onto the open Internet, or
at least through networks not under the control the “data centers” use case
suggested by the name of the document.

-- The discussion at
https://mailarchive.ietf.org/arch/msg/bess/zY783PgnXSCp6GNSRF4kY0diLYs/ around
the forwarding plane trust model is also informative.   It is noted that that
the “transit nodes of the AS are not part of the domain.”  I could agree, but
only to the degree that the SR packets are tunneled in such as way that
suggested a trusted domain at least of equal security as (a.1).

I think language is needed to describe the normative security requirements of
the tunnels that will be created on top of the routes enables by this work to
substantiate the claim that at a “trusted domain” is being maintained.  This
has some overlap with John’s text about clarify the proposed trust model.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you to Daniel Migault for the SECDIR review.

I support John DISCUSS positions.