Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)

Gyan Mishra <hayabusagsm@gmail.com> Tue, 15 March 2022 22:04 UTC

References: <202203081200085293755@zte.com.cn> <CAOj+MMGzpsWJnzN0zVjxdv=MhysCZnt3XgGee3rz_cFB6i602w@mail.gmail.com>
In-Reply-To: <CAOj+MMGzpsWJnzN0zVjxdv=MhysCZnt3XgGee3rz_cFB6i602w@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Tue, 15 Mar 2022 18:04:16 -0400
Message-ID: <CABNhwV3c2dNnf7BCak7MD4i=GCE-hDWYrj_COqkkdeJGX5eB5A@mail.gmail.com>
To: Robert Raszuk <robert@raszuk.net>
Cc: BESS <bess@ietf.org>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, John Scudder <jgs@juniper.net>, Ketan Talaulikar <ketant.ietf@gmail.com>, The IESG <iesg@ietf.org>, bess-chairs@ietf.org, draft-ietf-bess-srv6-services@ietf.org, liu.yao71@zte.com.cn
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/XcSwn9iCiNmbmDthpak-YrBhbIA>
Subject: Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)

Hi Robert

Agreed. A new SAFI for VPN and even MVPN application service encoding with
multiple transports adds quite a lot of complexity.

The P2P one-hop nature of MP_REACH has been a Day 1 issue that has been
problematic to troubleshoot, and it would be great if you have a solution
that does dynamic capabilities discovery and push; maybe a Pub/Sub model
would work.

The security implications of SRv6 transport encoding of what normally would
be in the MPLS shim: with the label stack, it is automatically limited to the
MPLS domain. However, with the SRv6 BGP Prefix-SID attribute encoding of the
VPN label into the ARG field of the SRv6 SID, there is a definite security
consideration, which was identified in RFC 8402, to take the best practices
of securing the edges.

I think Ketan's update of the verbiage in the security considerations
should highlight to operators that this issue exists and that they should
carefully protect against the leakage.

Kind Regards

Gyan

On Tue, Mar 8, 2022 at 7:04 AM Robert Raszuk <robert@raszuk.net> wrote:

> Dear Yao,
>
> The issue is not related to support or no support of a new feature
> although that is also not well addressed in current BGP-4 specification.
> The question is about coexistence of multiple transports and
> service encoding for the same application.
>
> I have a separate proposal on this, but did not post it before the cut off
> date. So expect more on this after IETF in Vienna.
>
> Best,
> R.
>
>
> On Tue, Mar 8, 2022 at 5:00 AM <liu.yao71@zte.com.cn> wrote:
>
>> Hi Robert,
>>
>> Thanks for sharing your detailed consideration on BGP capability and new
>> NLRI.
>> A few comments about the BGP capability solution. Please see inline [YAO].
>>
>>
>> ==============================================================================
>>
>> In the BGP protocol any new service deployment using an existing AFI/SAFI is
>> not easy, especially when you are modifying the content of the MP_REACH or
>> MP_UNREACH NLRI attributes. The main reason is that using capabilities only
>> goes one hop. In a full mesh it all works perfectly, but the moment you put
>> an RR in between BGP speakers things get ugly, as capabilities do not
>> traverse BGP nodes. /* Even in a full mesh, mixing transports for the same
>> service is a serious challenge for routers when, say, multihomed sites are
>> advertised from different PEs with different transport options */.
>>
>> [YAO] As you mentioned, in the scenario where multihomed sites are advertised
>> from different PEs with different transport options without an RR, e.g., CE1
>> is connected to PE1 and PE2, PE1 supports MPLS VPN while PE2 supports SRv6
>> VPN, and PE3 is the peer of PE1 and PE2, imagine PE3 supports both
>> capabilities; I don't think this brings much difference between the
>> configuration approach and the BGP capability approach.
>> If BGP capability is introduced, PE3 will receive both MPLS VPN and BGP
>> VPN routes; how to process them is based on the user's requirement, e.g.,
>> choosing one fixed type of routes, using the latest routes, ECMP and so on.
>> If the configuration approach is used, how to configure is based on the
>> user's requirement as well. Before configuration on PE1 and PE2, one should
>> first decide whether PE3 wants to receive only one type of route or to
>> receive both routes. And if PE3 receives both routes, the processing rule
>> also should be considered.
>> In a word, in a scenario like this, the consideration of the user's
>> requirement is similar in both approaches.
>>
>> Imagine the RR signals SRv6 Service Capability to the PE. Then this PE
>> happily sends a new format of the UPDATE messages. Well, as today we also
>> do not have a notion of conditional capabilities (only send when received
>> from all), so if some of the RR peers do not support it you end up in
>> partial service. One can argue that in this case the only deterministic
>> model is to push the configuration from the management station and control
>> partial deployment of the new service from the mgmt layer.
>>
>> [YAO] By saying "RR peers", do you mean that in the scenario where there
>> are multiple RRs, and they're peers of each other, if some of the RRs
>> don't support the new BGP capability, the SRv6 service routes will not be
>> sent to them, thus resulting in losing part of the routes?
>> If this is the case, I don't think it's a serious problem. No matter what
>> new BGP capability one wants to introduce in this scenario, RRs are always
>> required to support it if we want to get it right.
>> If "RR peers" means other PEs, it is the expected result that PEs that
>> don't support the new capability will not receive the new kind of UPDATE
>> messages. So dropping the new routes sent to these PEs is not a
>> problem.
>> On the other hand, the management approach is always a practical option
>> by not sending new messages to these PEs.
>>
>>
>> Regards,
>> Yao
>>
> _______________________________________________
> BESS mailing list
> BESS@ietf.org
> https://www.ietf.org/mailman/listinfo/bess
>
-- 

Gyan Mishra

Network Solutions Architect

Email gyan.s.mishra@verizon.com

M 301 502-1347