IETF Logo Mail Archive

Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)

Gyan Mishra <hayabusagsm@gmail.com> Thu, 17 March 2022 18:54 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 632F83A155E; Thu, 17 Mar 2022 11:54:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eoLq6gqrv31B; Thu, 17 Mar 2022 11:53:56 -0700 (PDT)
Received: from mail-pl1-x636.google.com (mail-pl1-x636.google.com [IPv6:2607:f8b0:4864:20::636]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7B703A14E5; Thu, 17 Mar 2022 11:53:55 -0700 (PDT)
Received: by mail-pl1-x636.google.com with SMTP id e13so5216893plh.3; Thu, 17 Mar 2022 11:53:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CYNeg72WS/DA0Zz1oGFofAK6MoyZX8NQSKbZxOGrpOI=; b=YcGp7QqOke1lsMrSB6mzSlC5x3n3coV6KiwyX1fwx1BWL3Q97AoJ2anO1+FQFFyRti KTd4Xke9FTXIa4HH2JIaryz7oh3MR+yrg5HZAMi5TiLIpYlYNN/zxFrYEnyoiueEd5YG t5izJ1ouTXmFQfg5xo3GqeTAZyuABYepoiEBjwKPpXi+WH8kbw9UK/GPMgr08OQyK+ft uGnfrTgQYr44DN9zrI1KVSC4ILeVbTS8P1/eg961AA2fUQTHrexJ5PkdfxF0ba4jZenP TmjrmZG1liLga2GNL7vA8LGuOuC8PHyuS5nvQKCZpzxCkhg66D05+t34YPkzgXOgElMd dOEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CYNeg72WS/DA0Zz1oGFofAK6MoyZX8NQSKbZxOGrpOI=; b=VYscxCK4Vkn8ToimS/LX+jyLdYIXwqovBZvyptBDK4C/U12i1AkQNNacfpi83SkpjD 24LwCIwtJUleqzGvVR/1mXVA5FVwYErbyAollq6KAxeUn/HEQEa/kzptUF/BRdjU/gVf 7vdmDXRyKLqGvhwlPv9n31Z/CRgz+a+Y5QriKHpzALCTjbtvpVgyOcoM7EhZnl0P97wV JCX5SjdixG8/0KZyu0LdNZBRh3Z+OBcqAmpAXiWbMY6xxzyIIemYCQhiZfNwiDd/8T/E 4qkZAH6g3S6m5jcqQ9lbNl+GQTh6VoAK5Ow2wBf09sHLnFnODjtKfrM/8mJJMz2Noqi+ G+jw==
X-Gm-Message-State: AOAM530l4DFlpRcAjNLZNUFkApLlAHvHkA5qd7OV/P7iCHyUOZ2eMDrf yhA0tCfUhxtePJvUmR5oA5Nm1Eb/5fgmZ14WY4w=
X-Google-Smtp-Source: ABdhPJwUM4zA0N5Ix8L0F10wba86wOVx9kr2RkxQ22WjI76YRFMyNtAVglhVZZy/97vTcFxbexfwqXsgIv2W86kxFlA=
X-Received: by 2002:a17:902:e302:b0:151:bfe9:da34 with SMTP id q2-20020a170902e30200b00151bfe9da34mr5917957plc.100.1647543234197; Thu, 17 Mar 2022 11:53:54 -0700 (PDT)
MIME-Version: 1.0
References: <164504757419.5632.9536270153833731412@ietfa.amsl.com> <CAH6gdPxTtVfh02odMdreGnnsD8fnY2rPDqPhU9cucSOuU=bxNw@mail.gmail.com> <DB75B564-CF18-4D93-B183-5C31203E860D@juniper.net> <183B3A89-B7CA-4B8B-888C-6404BB65E8F3@juniper.net> <CAOj+MMG711xUEFTHkcVzgX64fGhB+4Nn3Adkv_ywqS78LVMv4Q@mail.gmail.com> <CAH6gdPxV+r2iUouqom3rRZBoDbdbi45N_H-GBr_hOqgmYPBa3w@mail.gmail.com> <CABNhwV0Ym=WpQ+HpWEmBgw+0F0OwKrJ7JHqPk6VvWCEJpsRr_g@mail.gmail.com> <CAH6gdPx+RC=6d06fatDnCTOKWjzo1+qgSCjCuXi5x9ck_MqwVg@mail.gmail.com>
In-Reply-To: <CAH6gdPx+RC=6d06fatDnCTOKWjzo1+qgSCjCuXi5x9ck_MqwVg@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Thu, 17 Mar 2022 14:53:43 -0400
Message-ID: <CABNhwV3sXP3oDTE8=ZaBJOW1avU=tHnEc4QspR4Pr1AMf-8U7w@mail.gmail.com>
To: Ketan Talaulikar <ketant.ietf@gmail.com>
Cc: BESS <bess@ietf.org>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, John Scudder <jgs@juniper.net>, Robert Raszuk <robert@raszuk.net>, The IESG <iesg@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "draft-ietf-bess-srv6-services@ietf.org" <draft-ietf-bess-srv6-services@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000039fc9305da6e8d29"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/d9sFu97UgWwVwcchbrMuZpN8lpE>
Subject: Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Mar 2022 18:54:02 -0000

Hi Ketan

Responses in-line



On Thu, Mar 17, 2022 at 1:15 PM Ketan Talaulikar <ketant.ietf@gmail.com>
wrote:

> Hi Gyan,
>
> Please check inline below for responses.
>
>
> On Wed, Mar 16, 2022 at 8:08 PM Gyan Mishra <hayabusagsm@gmail.com> wrote:
>
>>
>> Hi Ketan
>>
>> I reviewed the updated security considerations section and the update
>> looks good.  As well section 10.3 Data plane considerations and read again
>> the referenced documents security considerations section of RFC 8402, RFC
>> 8986, RFC 8754 and RFC 8996.  All looks very good.
>>
>> One question I had was that if operators only advertises the SRv6 summary
>> block B:N::/48 to the internet, the summarization route would not contain
>> the embedded BGP Prefix SID attribute encoding of L2 and L3 Service SID in
>> the FUNCT field of the SRv6 SID.
>>
>> If you agree with what I have stated , then that would limit the exposure
>> drastically related to service SID leakage to the internet.
>>
>
> KT> I agree. However, an even better approach is simply not even
> advertising the reachability for the SRv6 summary block on the Internet.
> This way, it becomes challenging for someone on the Internet to send
> packets to any SRv6 Locators/SIDs belonging to the provider. Also, as
> discussed in RFC8986, the allocation of SRv6 Block from the ULA space is
> another technique to mitigate this.
>
>
    Gyan> Can we add that in the considerations section as I think that
will help with John and Warrens security concerns with sid leakage.

>
>> The security exposure is related to only the inter-as peering lateral,
>> provider or RS peering and not customer peering as the SRv6 source node
>> encapsulates customer traffic into payload of outer IPv6 header.  So I
>> think customer  PE-CE edge peering would not be a security issue.
>>
>> Also another thought is that within an SRv6 domain as next hop self is
>> used internally on any inter-as lateral, provider or RS ties which is done
>> on both ends of the peering between operators, does the SRv6 B:N::/48
>> underlay block even need to be advertised externally.
>>
>
> KT> It doesn't and should not be advertised externally.
>

   Gyan> Excellent.  I think explicit verbiage to block externally would be
good.

>
>
>> As the BGP overlay is what holds the internet table and that is all that
>> needs transitivity for internet route reachability.  That would further
>> reduce the exposure of data plane service sid encoding in SRv6 SID leaking
>> to the internet.
>>
>
> KT> Correct.
>
>
>>
>> As far as SRv6 service capabilities draft below, my thoughts are as any
>> parallel multi transport that exists would only be done within the confines
>> of a domain within the same operators Administrative domain and not between
>> providers which would also be limited during a transition from brown field
>> MPLS or SR-MPLS to a parallel Green field SRv6 transport.  As this use case
>> is all within the same domain, careful design is on the onus of the
>> operator as relates to SRv6 to MPLS BGP overlay interoperability for SAFI
>> 128.  So I don’t see this as a major issue for operators as all the careful
>> considerations will be taken for that interoperability as well as there are
>> many underlying solutions for SRv6 to MPLS or SR-MPLS interoperability.
>>
>> This is more of an interoperability issue use case that could be
>> considered orthogonal to this draft that only exists within an operators
>> network during migration.
>>
>>
>> https://datatracker.ietf.org/doc/html/draft-lz-bess-srv6-service-capability-02
>>
>
> KT> Agree that this topic is orthogonal but is also somewhat complex and
> we (WG) need to continue work on this separate from this base document.
>

   Gyan> Understood.

Thanks

>
> Thanks,
> Ketan
>
>
>>
>>
>> Kind Regards
>>
>> Gyan
>>
>> On Sat, Mar 5, 2022 at 4:40 AM Ketan Talaulikar <ketant.ietf@gmail.com>
>> wrote:
>>
>>> Hi John,
>>>
>>> We've just posted an update to the draft to address the comments raised
>>> and to clarify the security considerations.
>>>
>>> https://datatracker.ietf.org/doc/html/draft-ietf-bess-srv6-services-12
>>>
>>> Thanks,
>>> Ketan
>>>
>>>
>>> On Thu, Feb 24, 2022 at 3:42 PM Robert Raszuk <robert@raszuk.net> wrote:
>>>
>>>> Hi John,
>>>>
>>>> You have highlighted below a very important point. It was discussed
>>>> among co-authors, but perhaps not sufficiently during the BESS process as
>>>> the issue is really not a BESS WG problem.
>>>>
>>>> In BGP protocol any new service deployment using existing AFI/SAFI is
>>>> not easy. Especially when you are modifying content of MP_REACH or
>>>> MP_UNREACH NLRI attributes. Main reason being is that using capabilities
>>>> only goes one hop. In full mesh it all works perfect, but the moment you
>>>> put RR in between BGP speakers things are getting ugly as capabilities are
>>>> not traversing BGP nodes. /* Even in full mesh mixing transports for the
>>>> same service is a serious challenge for routers when say multihomes sites
>>>> are advertised from different PEs with different transport options */.
>>>>
>>>> Imagine RR signals SRv6 Service Capability to the PE. Then this PE
>>>> happily sends a new format of the UPDATE messages. Well as today we also do
>>>> not have a notion of conditional capabilities (only send when received from
>>>> all) so if some of the RR peers do not support it you end up in partial
>>>> service. One can argue that in this case the only deterministic model is to
>>>> push the configuration from the management station and control partial
>>>> deployment of the new service from mgmt layer.
>>>>
>>>> The natural alternative would be to never modify NLRI format once
>>>> shipped by RFC. When needed issue a new SAFI. Yes that is an option (and
>>>> has always been) but it also comes with its own set of issues. New SAFI is
>>>> really great to define for new service/feature etc ... Here however in the
>>>> context of this discussion we are changing transport for existing service.
>>>> And just like it was the case with MPLS over UDP or  tunnel attribute etc
>>>> ... using a new SAFI would be very hard to deploy as there would need to be
>>>> well defined behaviour of BGP speakers receiving duplicate information for
>>>> the same VPN prefixes or receiving at one time only from single SAFI then a
>>>> bit later from the other one .. Of course one solution is to permit only
>>>> one SAFI for a given service at any given time, but that seems way too
>>>> restrictive too.
>>>>
>>>> So to summarize while I am personally a huge proponent of new SAFI and
>>>> new capabilities to be defines for new service here I do have  some
>>>> reservations. It seems to me that deployment of new transport for VPN
>>>> service should be either network management driven or enabled when all
>>>> participating PEs support it. Enabling it automagically with one hop
>>>> capabilities seems to me like not a good thing as the data being sent in
>>>> the UPDATES is not optional and dropping it means dropping actual routes.
>>>>
>>>> So at the current time the subject draft took a management approach.
>>>>
>>>> Many thx,
>>>> Robert.
>>>>
>>>> On Thu, Feb 24, 2022 at 2:04 AM John Scudder <jgs@juniper.net> wrote:
>>>>
>>>>> Further to this point:
>>>>>
>>>>> > On Feb 18, 2022, at 3:32 PM, John Scudder <jgs@juniper.net> wrote:
>>>>> >
>>>>> >> On Feb 17, 2022, at 3:19 AM, Ketan Talaulikar <
>>>>> ketant.ietf@gmail.com> wrote:
>>>>> >>
>>>>> >>> 2. One area of concern I would have hoped IDR might have looked
>>>>> into is, the
>>>>> >>> document makes a creative use of the MPLS Label field of the NLRI
>>>>> to carry the
>>>>> >>> Function part of the SID. This means the SID is effectively split
>>>>> across the
>>>>> >>> NLRI and the Prefix-SID attribute. What are the potential error
>>>>> modes if the
>>>>> >>> Prefix-SID attribute should be lost from the route, while the NLRI
>>>>> is retained?
>>>>> >>>
>>>>> >>> (An obvious way of addressing this particular concern would be to
>>>>> define a new
>>>>> >>> NLRI type with the desired semantics, instead of creatively
>>>>> repurposing fields
>>>>> >>> within an existing NLRI type contrary to their definitions. Such
>>>>> an NLRI type
>>>>> >>> would, for example, presumably state in its specification that if
>>>>> it was
>>>>> >>> received without an accompanying Prefix-SID attribute, that would
>>>>> constitute an
>>>>> >>> error.)
>>>>> >>>
>>>>> >> KT> This document follows the approach similar as taken for
>>>>> extending MPLS EVPN RFC7432 by RFC8365.
>>>>> >
>>>>> > I take it you’re referring to RFC 8365 §5.1.3 which talks about
>>>>> using the MPLS Label field (or MPLS1 Label field) to carry the VNI in the
>>>>> presence of a BGP Encapsulation Extended Community? Yes, that seems like a
>>>>> pretty close analogue. And given this particular trick is only with
>>>>> VPN-type address families one can also argue that there’s not a risk of
>>>>> affected routes leaking into the big-I Internet, which is the typical
>>>>> associated concern.
>>>>>
>>>>> In a separate reply, the authors of
>>>>> draft-lz-bess-srv6-service-capability-02 pointed out that it provides a
>>>>> critique of bess-srv6-services which is similar to this discuss point. (The
>>>>> authors dropped the IESG from the cc, so I’m following up here instead of
>>>>> to their original note.)
>>>>>
>>>>> On first reading, the critique in
>>>>> draft-lz-bess-srv6-service-capability-02 seems well argued and responsive
>>>>> to my question above about potential error modes. In section 3 of their
>>>>> draft, the authors provide a worked scenario where a VPN route carrying a
>>>>> SRv6 service SID using the Transposition scheme, if received by an
>>>>> MPLS-only PE, could result in misdelivered traffic. At minimum, that seems
>>>>> worth surfacing in the Security Considerations section, since historically
>>>>> we’ve considered misdelivered VPN traffic to be a Bad Thing that could
>>>>> expose confidential information.
>>>>>
>>>>> The authors do acknowledge that bess-srv6-services proposes a
>>>>> mitigation:
>>>>>
>>>>>    To avoid these problems, [I-D.ietf-bess-srv6-services] specifies
>>>>> that
>>>>>    implementations SHOULD provide a mechanism to control advertisement
>>>>>    of SRv6-based BGP service routes on a per neighbor and per service
>>>>>    basis.
>>>>>
>>>>> but they go on to argue that this mitigation isn’t fit for purpose:
>>>>>
>>>>>    The above method may be feasible in small-scale networks, but are
>>>>> not
>>>>>    applicable to large-scale networks.
>>>>>
>>>>>    [etc]
>>>>>
>>>>> It’s not my preference to get into the minutiae of this argument as
>>>>> part of this discuss. However, I’d like to ask: was this consideration
>>>>> something the WG discussed? I looked for discussion of
>>>>> draft-lz-bess-srv6-service-capability in the archives and didn’t find much —
>>>>>
>>>>> - When an earlier version was posted to the list it resulted only in
>>>>> discussion between the original author, Liu Yao, and Eduard Metz, who
>>>>> became co-author, but there wasn’t any discussion I saw of the actual issue
>>>>> that the draft identified, but rather refinement of the mitigation it
>>>>> proposes (which I don’t want to discuss in this note).
>>>>> - There was an agenda slot request for the draft at IETF-111. It was
>>>>> on the agenda in the “if time allows” section. I assume time did NOT allow
>>>>> because I don’t see mention of it in the minutes. (I did find the slides,
>>>>> slides 3 and 4 summarize the critique,
>>>>> https://datatracker.ietf.org/meeting/111/materials/slides-111-bess-sessa-srv6-service-capability-00
>>>>> ).
>>>>>
>>>>> But of course, the issue raised might have been discussed by the WG in
>>>>> a different thread, that doesn’t match a search for
>>>>> draft-lz-bess-srv6-service-capability. If so, I’d appreciate a pointer to
>>>>> it.
>>>>>
>>>>> If there wasn’t any discussion in the WG of the authors’ critique, I
>>>>> think it deserves to be discussed a bit as part of this thread. In
>>>>> particular, does the “this is the same as the trick EVPN does in RFC 8365”
>>>>> reply apply equally? Probably it does, although that might boil down to
>>>>> “gosh, we should have caught this when publishing 8365, shouldn’t we?”
>>>>>
>>>>> Even if the outcome of the discussion is that the limitation was
>>>>> discussed by the WG/isn’t a big deal because reasons/maybe it’s a big deal
>>>>> but we’ll fix it in a followup… as I mentioned earlier, covering it in the
>>>>> Security Considerations seems worthwhile.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> —John
>>>>
>>>> _______________________________________________
>>> BESS mailing list
>>> BESS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/bess
>>>
>> --
>>
>> <http://www.verizon.com/>
>>
>> *Gyan Mishra*
>>
>> *Network Solutions A**rchitect *
>>
>> *Email gyan.s.mishra@verizon.com <gyan.s.mishra@verizon.com>*
>>
>>
>>
>> *M 301 502-1347*
>>
>> --

<http://www.verizon.com/>

*Gyan Mishra*

*Network Solutions A**rchitect *

*Email gyan.s.mishra@verizon.com <gyan.s.mishra@verizon.com>*



*M 301 502-1347*

v2.23.0 | Report a Bug | By Email