Re: [bess] Shepherd's review of draft-ietf-bess-mvpn-expl-track

"Dolganow, Andrew (Nokia - SG/Singapore)" <andrew.dolganow@nokia.com> Fri, 19 January 2018 05:40 UTC

Return-Path: <andrew.dolganow@nokia.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14637126FDC; Thu, 18 Jan 2018 21:40:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R_g_4r3-8Gnm; Thu, 18 Jan 2018 21:40:09 -0800 (PST)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on0101.outbound.protection.outlook.com [104.47.2.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 471211200B9; Thu, 18 Jan 2018 21:40:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=LzQ0xG77vvCvyXxd67glq2SPRwgcle+I2UEOA8TggDA=; b=EiizkDNIr8w2QByGQbqAX6DJppKOMpL5WeqNutFKh62qSUy3FXyRELck1BeyspjiaFLrJLnDkvMu2F4MGPyrAnke3l9Ot38Qs1KAcr+ZnFGf7xcEP/fWtE4xHLAmyN3CdEmhYAXigAL8UbP5RL0FuBStNS5cBmBBd7PtRq9Gddg=
Received: from DB5PR0701MB2055.eurprd07.prod.outlook.com (10.167.229.11) by DB5PR0701MB1910.eurprd07.prod.outlook.com (10.167.228.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.428.9; Fri, 19 Jan 2018 05:40:04 +0000
Received: from DB5PR0701MB2055.eurprd07.prod.outlook.com ([fe80::2c42:3402:c4e3:16dc]) by DB5PR0701MB2055.eurprd07.prod.outlook.com ([fe80::2c42:3402:c4e3:16dc%13]) with mapi id 15.20.0428.014; Fri, 19 Jan 2018 05:40:04 +0000
From: "Dolganow, Andrew (Nokia - SG/Singapore)" <andrew.dolganow@nokia.com>
To: Eric C Rosen <erosen@juniper.net>, "stephane.litkowski@orange.com" <stephane.litkowski@orange.com>, "draft-ietf-bess-mvpn-expl-track.authors@ietf.org" <draft-ietf-bess-mvpn-expl-track.authors@ietf.org>
CC: "bess@ietf.org" <bess@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>
Thread-Topic: Shepherd's review of draft-ietf-bess-mvpn-expl-track
Thread-Index: AdN5jsmXDQSoAwXXRoKBWZf9DikTzQVWFg8AAJD3fYA=
Date: Fri, 19 Jan 2018 05:40:04 +0000
Message-ID: <B62A72C4-B4A8-4786-BB63-25A8A32846C4@nokia.com>
References: <7712_1514984470_5A4CD416_7712_401_1_9E32478DFA9976438E7A22F69B08FF921EB01322@OPEXCLILMA4.corporate.adroot.infra.ftgroup> <ecd0de7c-c395-2105-ab94-e1a9ca5381be@juniper.net>
In-Reply-To: <ecd0de7c-c395-2105-ab94-e1a9ca5381be@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.29.0.171205
x-originating-ip: [203.116.163.2]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DB5PR0701MB1910; 7:RTe6+uRyoMKswsLKrzipLrSfwJYqOhtaMZFz0oN4s0GaV325WWtfvFryaTrP/QDAdZObo+waDeBYutZyDvLMX2TtrjfH2bTolw6RBpgfmZox29a7/fet0E3Z3uU9B7TBj0mcKrUehkZj4WvF0HAx5ip9FnDgE3wTbSOnskugjaygp7d4+XLlMaeZg7DjptxgkxrWmtI7FHxTu4JBYF5yP/omfh97VJ9kJyw8opEOU+EenQodS0K30xn61vpvCekD
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: a30c5b3f-329b-4fd0-f7e7-08d55eff173a
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534125)(4602075)(4627221)(201703031133081)(201702281549075)(48565401081)(5600026)(4604075)(3008032)(2017052603307)(7193020); SRVR:DB5PR0701MB1910;
x-ms-traffictypediagnostic: DB5PR0701MB1910:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=andrew.dolganow@nokia.com;
x-microsoft-antispam-prvs: <DB5PR0701MB191088266F6542292494E2EBE5EF0@DB5PR0701MB1910.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(138986009662008)(82608151540597)(18271650672692)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040495)(2401047)(5005006)(8121501046)(10201501046)(3002001)(93006095)(93001095)(3231046)(11241501184)(806099)(2400072)(944501161)(6055026)(6041282)(20161123564045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123560045)(6072148)(201708071742011); SRVR:DB5PR0701MB1910; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:DB5PR0701MB1910;
x-forefront-prvs: 0557CBAD84
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(396003)(346002)(376002)(39380400002)(39860400002)(51444003)(43544003)(189003)(199004)(6512007)(58126008)(54906003)(6306002)(2501003)(8936002)(54896002)(236005)(478600001)(82746002)(53946003)(68736007)(53936002)(5250100002)(6246003)(230783001)(14454004)(229853002)(8676002)(110136005)(66066001)(81156014)(81166006)(316002)(6486002)(36756003)(6436002)(8666007)(33656002)(2900100001)(7736002)(561944003)(2950100002)(83716003)(5660300001)(3846002)(6116002)(99286004)(59450400001)(26005)(53546011)(76176011)(6506007)(3660700001)(102836004)(105586002)(106356001)(97736004)(25786009)(3280700002)(4326008)(1941001)(2906002)(2201001)(83506002)(86362001)(579004); DIR:OUT; SFP:1102; SCL:1; SRVR:DB5PR0701MB1910; H:DB5PR0701MB2055.eurprd07.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: nokia.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: InQekbIukeQ7Mz5w/5tQSO0qKju3+cTHLsC9+/z0BT2mMv8wAbrLgQu8Ari1Mo94s12R6DMUOF6SXoVzN3rk69WfTnGO2O3g9KreGnop/ZTDY7dsIpDBrvM6lWZUoZhD
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_B62A72C4B4A84786BB6325A8A32846C4nokiacom_"
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a30c5b3f-329b-4fd0-f7e7-08d55eff173a
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jan 2018 05:40:04.1736 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR0701MB1910
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/bUBMksDTVvdqhUd6VoojfvHu1EU>
Subject: Re: [bess] Shepherd's review of draft-ietf-bess-mvpn-expl-track
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jan 2018 05:40:14 -0000

inline with “ad>”

From: Eric Rosen <erosen@juniper.net>
Date: Wednesday, January 17, 2018 at 12:31 AM
To: "stephane.litkowski@orange.com" <stephane.litkowski@orange.com>om>, "draft-ietf-bess-mvpn-expl-track.authors@ietf.org" <draft-ietf-bess-mvpn-expl-track.authors@ietf.org>
Cc: "bess@ietf.org" <bess@ietf.org>rg>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>
Subject: Re: Shepherd's review of draft-ietf-bess-mvpn-expl-track
Resent-From: <alias-bounces@ietf.org>
Resent-To: Andrew Dolganow <andrew.dolganow@nokia.com>om>, Jayant Kotalwar <jayant.kotalwar@nokia.com>om>, Eric Rosen <erosen@juniper.net>et>, Jeffrey Zhang <zzhang@juniper.net>
Resent-Date: Wednesday, January 17, 2018 at 12:31 AM

Thanks for your review.  I have posted revision -04 which I believe addresses your substantive comments.
On 1/3/2018 8:01 AM, stephane.litkowski@orange.com<mailto:stephane.litkowski@orange.com> wrote:
Hi,

As shepherd of this document, please find below some comments that I have:

Overall comments:

-          Please add a section that contains all the abbreviations expansions: that may help non expert people to follow the acronyms without looking for the first reference in the text.

This is not generally required of an RFC.

ad> just to add, a reader should have read other RFCs first before reading this which I believe define abbreviations we use. If you can point to any specific abbreviation never explained we can spell out words before abbreviating for the first tie in the text.



-          I usually like figures. For the intro, it may be wonderful to build a figure that reminds the existing S-PMSI/Leaf A-D procedure. So without reading the text, we can remember how it works.

-          The interAS case may also be better with a Figure and an example (or couples of).

This seems like a matter of taste.  Admitedly, I'd probably like figures more if I had any skill in producing them ;-)



Introduction:

“By originating one of these BGP routes, an ingress node advertises that
   it is transmitting a particular multicast flow.”
[SLI] Is “is transmitting” correct ? Can’t we have situations where an S-PMSI route is/was advertised but no traffic is flowing (no yet started or switched, or stopped).

Fixed.




“Now

   suppose that the ingress node wants explicit tracking for each

   individual flow that it transmits (following the procedures of

   [RFC6625] on that P-tunnel.”

[SLI] Missing “)”

Fixed.







“This allows the

   ingress node to determine the set of egress nodes that are receiving

   flows from the ingress node.”

[SLI] I think the Leaf A-D tells that there is a receiver interested by the flow, but does not tell that it actually receives it.

Correct; fixed.







“   Howver, this procedure requires several clarifications:”

[SLI] There is a typo s/Howver/However/

Fixed.





“The procedures of [RFC6625] do not clearly state how to handle an

      S-PMSI A-D route if its NLRI contains wild cards, but its PTA

      specifies "no tunnel info".”



[SLI] I quickly ran over RFC6625, it does not mention anything on explicit tracking or Leaf A-D routes.So we assume that RFC6513/6514 only applies here.

RFC 6625 specifies the handling of wildcard S-PMSI A-D routes, but did not consider the case where the S-PMSI A-D routes do not carry a PTA.  This document corrects that.







“   *  The explicit tracking procedures do not allow an ingress node

         to "see" past the boundaries of the segmentation domain.



         This particular problem is not further addressed in this

         revision of this document.

“

[SLI] Do you plan to address it ? Or do we now consider it as out of scope ?

I think this is actually addressed in Section 5.3, so I've removed the remark.

ad> out of scope







Section 2:

“Prior specifications define one flag in the PTA, the "Leaf Info

   Required" (LIR) flag, that is used for explicit tracking.”



[SLI] Please point to the right reference

Fixed.





“If the LIR-pF flag is set in a given PTA, the LIR flag of that PTA

   SHOULD also be set.”

[SLI] Why not using a MUST ?

If all the PEs support the LIR-pF flag, the procedures will work as intended even if the LIR flag is not set.  So I don't think a MUST is appropriate.

ad> agree



“one forces a

   a response to be sent an egress node that does not support LIR-pF”

[SLI] Is there a missing word like ‘sent by an egress node” ?

Fixed.









Section 3:

“The definition of "match for reception" in [RFC6625] is hereby

   modified as follows:”



[SLI] Please point to the section that you are updating.

In addition, section 3.2 of RFC6625 contains multiple if then else conditions for each cases (C-S,C-G) and (C-*,C-G). Please give some precision in where do you want to insert your new statement in this processing sequence. I guess it is at the beginning.

I tried to make this clearer.







“When finding the "match for reception" for a given (C-S,C-G) or

      (C-*,C-G), ignore any S-PMSI A-D route that has no PTA, or whose

      PTA specifying "no tunnel information".”
[SLI] I would be in favor to introduce a normative statement here.

Fixed.




“We also introduce a new notion: the "match for tracking".  This

   differs from the "match for reception" as follows:”

[SLI] It would be better to give a definition of the “match for tracking” before giving the rules. Here you’re explaining only the rules, not the difference in the meaning. Wouldn’t it be easier to tell that the implementation MUST consider only the S-PMSI A-D routes that have a LIR flag and/or LR-pF flag set and then run the same rules as the RFC6625. Why do you want to have S-PMSI routes with PTA and LIR unset in your route list for “match for tracking” ? You need to take care here on your text proposal as one of your previous statement updates the RFC6625 and the match reception procedure, so the rules to be applied are the original one from RFC6625 and not the updated one.

IMO, the clearest way to express this is to give the rules and then illustrate with a couple of examples.

ad> Eric, will you propose new text?





“   Also note that if a match for tracking does not have the LIR flag or

   the LIR-pF flag set, no explicit tracking information will be

   generated.  See Section 5.”

[SLI] Again I do not see the value added of keeping such route as a match for tracking as there is no tracking requested.

As the terms are defined, there is always a "match for tracking" route for each flow.    If tracking is not requested, this route will have LIR and LIR-pF clear.  There are no unnecessary routes.







Section 4:

“Such a route could be an

       I-PMSI A-D route, a (C-*,C-G1) S-PMSI A-D route, a (C-S1,C-*)

       S-PMSI A-D route, or a (C-*,C-*) S-PMSI A-D route. “

[SLI] Is per flow explicit tracking also required for I-PMSI ? I do not see it listed in the goals of the doc ? The goal was to address wildcards S-PMSI AD routes.

The above simply says that some route must specify the tunnel on which the (C-S1,C-G1) is to be transmitted, and that this route could be an I-PMSI A-D route.





“Further, if the ingress node originates a wildcard S-PMSI A-D
       route carrying a PTA specifying the tunnel to be used for
       carrying (C-S1,C-G1) traffic, and if that PTA has the LIR-pF bit
       set, then explicit tracking for (C-S1,C-G1) is requested by that
       S-PMSI A-D route.  Thus the ingress node SHOULD NOT originate a
       (C-S1,C-G1) S-PMSI A-D route whose PTA specifies "no tunnel
       info"; such a route would not provide any additional
       functionality.”

[SLI] I do not fully understand this text in the context of your procedure 1. which deals with an origination of an (C-S1,C-G1) S-PMSI A-D route (no wildcard). As I understand the procedure for the wildcard is defined in 2.

This just says that there's no point in originating S-PMSI(C-S,C-G) with LIR set if you've already originated S-PMSI(C-*,C-G) with LIR-pF set.  That seems to be an appropriate bit of advice.

ad> Yes, the text ensures that bad implementations do not add to unnecessary signallng.







“2. The following procedure can be used if (and only if) it is known
       that the egress nodes support the optional LIR-pF flag.”



I have some issue with this sentence. It does not seem to be normative as there is no normative statement. However I understand it as a critical thing (“and only if” !) so it may require at least a SHOULD.

Then the issue I see is that this knowledge does not come from the protocol, so it sounds important to me to highlight the impact of a mistake.



BUT, reading the section 5. I understand that it is not as critical as it seems as the receiver will ignore simply the LIR-pF flag and apply the standard procedure (LIR set).

Please clarify the criticity to have or not this knowledge.

I added some text saying that procedure 2 may yield unexpected results if not all the PEs support LIR-pF, and that the procedure SHOULD NOT be used in that case.

ad> yes agree on the normative: SHOULD NOT








“       To terminate explicit tracking that has been initiated by an
       S-PMSI A-D route whose PTA specifies a tunnel, the ingress node
       re-originates the route without the LIR flag set”

[SLI] Do we also need to clear the LIR-pf ? It would make sense to do so.

Fixed.





“If the match for tracking has LIR set and if either (a) the
       egress node does not support LIR-pF, or (b) LIR-pF is not set,
       then the egress node must respond to the match for tracking,
       following procedures specified in other documents for the case
       where LIR is set.”

[SLI] Please state the relevant document references here.

In the case described above, the handling of the LIR flag is not modified by this document.  I don't think it is necessary to cite a specific set of documents that discuss the LIR flag.

ad> maybe we can say “the procedures specified in this document do not apply are not applicable on the egress node” instead of “then the egress node…”




Section 5.2



“Note that, per RFC4364, every RD begins with a two-octet type field
   that is either 0, 1, or 2.  By adding 16 to the second octet of the
   RD, we force the type field to be 16, 17, or 18. “

[SLI] It works but we may need to ensure that the types > 16 cannot be used anymore by new applications.

There is  a registry for the Route Distinguisher Type field.  Only types 16, 17, and 18 are defined here, other values are still available.


Moreover if new RD types are created, new siblings will have to be created.

Your point is correct, but there hasn't been a new RD type in 20 years.  The draft shouldn't really say "add 16", it should just point out the new types.


Wouldn’t it be easier to set the MSB of the RD type to 1 ? so we only lock half of the type space.

I think it is easier to use three new type values than to turn one of the bits into a flag.

ad>agree
Or what could be the impact of using the RD of the local VRF of the egress node ?

The RD of the Leaf A-D route needs to be derived from the RD of the S-PMSI A-D route that elicits it.  Otherwise the ingress node receiving the Leaf A-D route will have diffculty matching it to the corresponding S-PMSI A-D route.



Section 5.3


“In the case where the egress
   node is not a PE, but rather an ABR or ASBR, it will not know whether
   it needs to receive a given flow unless it receives a Leaf A-D route
   whose NLRI specifies that flow and whose IP-address-specific RT
   specifies an address of the egress node.”

[SLI] The sentence works but when reading it I needed multiple reread to understand that the “IP-address-specific RT
   specifies an address of the egress node.” was referring to the ASBR/ABR and not the receiver PE.
Do you mind using “this egress node” or “this ABR/ASBR” ?

I tried to clarify that.




Section 8.
[SLI] Do we have counter-measures against such “attack” ? Ingress PE dropping ?

I consider the specification of such counter-measures to be outside the scope of the document.

ad> agree, we do not specify counter measures for this type of attack anywhere else


Andrew

Section 9.2
I think RFC7524 needs to be referenced as normative giving that its knowledge is required to understand section 5.3.

I'm not sure that RFC7524 should be a normative reference, as this draft does not require segmentation at the ABRs.  However, since RFC7524 is already published, there's no harm in adding it to the "normative references" section.


I think that section 5.3 is also updating/complementing the procedures in RFC7524 with the “no-tunnel info” case.

There don't seem to be any clear and objective criteria for determining whether one document "updates" another.