Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)
Gyan Mishra <hayabusagsm@gmail.com> Thu, 17 March 2022 18:54 UTC
Return-Path: <hayabusagsm@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 632F83A155E; Thu, 17 Mar 2022 11:54:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eoLq6gqrv31B; Thu, 17 Mar 2022 11:53:56 -0700 (PDT)
Received: from mail-pl1-x636.google.com (mail-pl1-x636.google.com [IPv6:2607:f8b0:4864:20::636]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7B703A14E5; Thu, 17 Mar 2022 11:53:55 -0700 (PDT)
Received: by mail-pl1-x636.google.com with SMTP id e13so5216893plh.3; Thu, 17 Mar 2022 11:53:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CYNeg72WS/DA0Zz1oGFofAK6MoyZX8NQSKbZxOGrpOI=; b=YcGp7QqOke1lsMrSB6mzSlC5x3n3coV6KiwyX1fwx1BWL3Q97AoJ2anO1+FQFFyRti KTd4Xke9FTXIa4HH2JIaryz7oh3MR+yrg5HZAMi5TiLIpYlYNN/zxFrYEnyoiueEd5YG t5izJ1ouTXmFQfg5xo3GqeTAZyuABYepoiEBjwKPpXi+WH8kbw9UK/GPMgr08OQyK+ft uGnfrTgQYr44DN9zrI1KVSC4ILeVbTS8P1/eg961AA2fUQTHrexJ5PkdfxF0ba4jZenP TmjrmZG1liLga2GNL7vA8LGuOuC8PHyuS5nvQKCZpzxCkhg66D05+t34YPkzgXOgElMd dOEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CYNeg72WS/DA0Zz1oGFofAK6MoyZX8NQSKbZxOGrpOI=; b=VYscxCK4Vkn8ToimS/LX+jyLdYIXwqovBZvyptBDK4C/U12i1AkQNNacfpi83SkpjD 24LwCIwtJUleqzGvVR/1mXVA5FVwYErbyAollq6KAxeUn/HEQEa/kzptUF/BRdjU/gVf 7vdmDXRyKLqGvhwlPv9n31Z/CRgz+a+Y5QriKHpzALCTjbtvpVgyOcoM7EhZnl0P97wV JCX5SjdixG8/0KZyu0LdNZBRh3Z+OBcqAmpAXiWbMY6xxzyIIemYCQhiZfNwiDd/8T/E 4qkZAH6g3S6m5jcqQ9lbNl+GQTh6VoAK5Ow2wBf09sHLnFnODjtKfrM/8mJJMz2Noqi+ G+jw==
X-Gm-Message-State: AOAM530l4DFlpRcAjNLZNUFkApLlAHvHkA5qd7OV/P7iCHyUOZ2eMDrf yhA0tCfUhxtePJvUmR5oA5Nm1Eb/5fgmZ14WY4w=
X-Google-Smtp-Source: ABdhPJwUM4zA0N5Ix8L0F10wba86wOVx9kr2RkxQ22WjI76YRFMyNtAVglhVZZy/97vTcFxbexfwqXsgIv2W86kxFlA=
X-Received: by 2002:a17:902:e302:b0:151:bfe9:da34 with SMTP id q2-20020a170902e30200b00151bfe9da34mr5917957plc.100.1647543234197; Thu, 17 Mar 2022 11:53:54 -0700 (PDT)
MIME-Version: 1.0
References: <164504757419.5632.9536270153833731412@ietfa.amsl.com> <CAH6gdPxTtVfh02odMdreGnnsD8fnY2rPDqPhU9cucSOuU=bxNw@mail.gmail.com> <DB75B564-CF18-4D93-B183-5C31203E860D@juniper.net> <183B3A89-B7CA-4B8B-888C-6404BB65E8F3@juniper.net> <CAOj+MMG711xUEFTHkcVzgX64fGhB+4Nn3Adkv_ywqS78LVMv4Q@mail.gmail.com> <CAH6gdPxV+r2iUouqom3rRZBoDbdbi45N_H-GBr_hOqgmYPBa3w@mail.gmail.com> <CABNhwV0Ym=WpQ+HpWEmBgw+0F0OwKrJ7JHqPk6VvWCEJpsRr_g@mail.gmail.com> <CAH6gdPx+RC=6d06fatDnCTOKWjzo1+qgSCjCuXi5x9ck_MqwVg@mail.gmail.com>
In-Reply-To: <CAH6gdPx+RC=6d06fatDnCTOKWjzo1+qgSCjCuXi5x9ck_MqwVg@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Thu, 17 Mar 2022 14:53:43 -0400
Message-ID: <CABNhwV3sXP3oDTE8=ZaBJOW1avU=tHnEc4QspR4Pr1AMf-8U7w@mail.gmail.com>
To: Ketan Talaulikar <ketant.ietf@gmail.com>
Cc: BESS <bess@ietf.org>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, John Scudder <jgs@juniper.net>, Robert Raszuk <robert@raszuk.net>, The IESG <iesg@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "draft-ietf-bess-srv6-services@ietf.org" <draft-ietf-bess-srv6-services@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000039fc9305da6e8d29"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/d9sFu97UgWwVwcchbrMuZpN8lpE>
Subject: Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Mar 2022 18:54:02 -0000
Hi Ketan Responses in-line On Thu, Mar 17, 2022 at 1:15 PM Ketan Talaulikar <ketant.ietf@gmail.com> wrote: > Hi Gyan, > > Please check inline below for responses. > > > On Wed, Mar 16, 2022 at 8:08 PM Gyan Mishra <hayabusagsm@gmail.com> wrote: > >> >> Hi Ketan >> >> I reviewed the updated security considerations section and the update >> looks good. As well section 10.3 Data plane considerations and read again >> the referenced documents security considerations section of RFC 8402, RFC >> 8986, RFC 8754 and RFC 8996. All looks very good. >> >> One question I had was that if operators only advertises the SRv6 summary >> block B:N::/48 to the internet, the summarization route would not contain >> the embedded BGP Prefix SID attribute encoding of L2 and L3 Service SID in >> the FUNCT field of the SRv6 SID. >> >> If you agree with what I have stated , then that would limit the exposure >> drastically related to service SID leakage to the internet. >> > > KT> I agree. However, an even better approach is simply not even > advertising the reachability for the SRv6 summary block on the Internet. > This way, it becomes challenging for someone on the Internet to send > packets to any SRv6 Locators/SIDs belonging to the provider. Also, as > discussed in RFC8986, the allocation of SRv6 Block from the ULA space is > another technique to mitigate this. > > Gyan> Can we add that in the considerations section as I think that will help with John and Warrens security concerns with sid leakage. > >> The security exposure is related to only the inter-as peering lateral, >> provider or RS peering and not customer peering as the SRv6 source node >> encapsulates customer traffic into payload of outer IPv6 header. So I >> think customer PE-CE edge peering would not be a security issue. >> >> Also another thought is that within an SRv6 domain as next hop self is >> used internally on any inter-as lateral, provider or RS ties which is done >> on both ends of the peering between operators, does the SRv6 B:N::/48 >> underlay block even need to be advertised externally. >> > > KT> It doesn't and should not be advertised externally. > Gyan> Excellent. I think explicit verbiage to block externally would be good. > > >> As the BGP overlay is what holds the internet table and that is all that >> needs transitivity for internet route reachability. That would further >> reduce the exposure of data plane service sid encoding in SRv6 SID leaking >> to the internet. >> > > KT> Correct. > > >> >> As far as SRv6 service capabilities draft below, my thoughts are as any >> parallel multi transport that exists would only be done within the confines >> of a domain within the same operators Administrative domain and not between >> providers which would also be limited during a transition from brown field >> MPLS or SR-MPLS to a parallel Green field SRv6 transport. As this use case >> is all within the same domain, careful design is on the onus of the >> operator as relates to SRv6 to MPLS BGP overlay interoperability for SAFI >> 128. So I don’t see this as a major issue for operators as all the careful >> considerations will be taken for that interoperability as well as there are >> many underlying solutions for SRv6 to MPLS or SR-MPLS interoperability. >> >> This is more of an interoperability issue use case that could be >> considered orthogonal to this draft that only exists within an operators >> network during migration. >> >> >> https://datatracker.ietf.org/doc/html/draft-lz-bess-srv6-service-capability-02 >> > > KT> Agree that this topic is orthogonal but is also somewhat complex and > we (WG) need to continue work on this separate from this base document. > Gyan> Understood. Thanks > > Thanks, > Ketan > > >> >> >> Kind Regards >> >> Gyan >> >> On Sat, Mar 5, 2022 at 4:40 AM Ketan Talaulikar <ketant.ietf@gmail.com> >> wrote: >> >>> Hi John, >>> >>> We've just posted an update to the draft to address the comments raised >>> and to clarify the security considerations. >>> >>> https://datatracker.ietf.org/doc/html/draft-ietf-bess-srv6-services-12 >>> >>> Thanks, >>> Ketan >>> >>> >>> On Thu, Feb 24, 2022 at 3:42 PM Robert Raszuk <robert@raszuk.net> wrote: >>> >>>> Hi John, >>>> >>>> You have highlighted below a very important point. It was discussed >>>> among co-authors, but perhaps not sufficiently during the BESS process as >>>> the issue is really not a BESS WG problem. >>>> >>>> In BGP protocol any new service deployment using existing AFI/SAFI is >>>> not easy. Especially when you are modifying content of MP_REACH or >>>> MP_UNREACH NLRI attributes. Main reason being is that using capabilities >>>> only goes one hop. In full mesh it all works perfect, but the moment you >>>> put RR in between BGP speakers things are getting ugly as capabilities are >>>> not traversing BGP nodes. /* Even in full mesh mixing transports for the >>>> same service is a serious challenge for routers when say multihomes sites >>>> are advertised from different PEs with different transport options */. >>>> >>>> Imagine RR signals SRv6 Service Capability to the PE. Then this PE >>>> happily sends a new format of the UPDATE messages. Well as today we also do >>>> not have a notion of conditional capabilities (only send when received from >>>> all) so if some of the RR peers do not support it you end up in partial >>>> service. One can argue that in this case the only deterministic model is to >>>> push the configuration from the management station and control partial >>>> deployment of the new service from mgmt layer. >>>> >>>> The natural alternative would be to never modify NLRI format once >>>> shipped by RFC. When needed issue a new SAFI. Yes that is an option (and >>>> has always been) but it also comes with its own set of issues. New SAFI is >>>> really great to define for new service/feature etc ... Here however in the >>>> context of this discussion we are changing transport for existing service. >>>> And just like it was the case with MPLS over UDP or tunnel attribute etc >>>> ... using a new SAFI would be very hard to deploy as there would need to be >>>> well defined behaviour of BGP speakers receiving duplicate information for >>>> the same VPN prefixes or receiving at one time only from single SAFI then a >>>> bit later from the other one .. Of course one solution is to permit only >>>> one SAFI for a given service at any given time, but that seems way too >>>> restrictive too. >>>> >>>> So to summarize while I am personally a huge proponent of new SAFI and >>>> new capabilities to be defines for new service here I do have some >>>> reservations. It seems to me that deployment of new transport for VPN >>>> service should be either network management driven or enabled when all >>>> participating PEs support it. Enabling it automagically with one hop >>>> capabilities seems to me like not a good thing as the data being sent in >>>> the UPDATES is not optional and dropping it means dropping actual routes. >>>> >>>> So at the current time the subject draft took a management approach. >>>> >>>> Many thx, >>>> Robert. >>>> >>>> On Thu, Feb 24, 2022 at 2:04 AM John Scudder <jgs@juniper.net> wrote: >>>> >>>>> Further to this point: >>>>> >>>>> > On Feb 18, 2022, at 3:32 PM, John Scudder <jgs@juniper.net> wrote: >>>>> > >>>>> >> On Feb 17, 2022, at 3:19 AM, Ketan Talaulikar < >>>>> ketant.ietf@gmail.com> wrote: >>>>> >> >>>>> >>> 2. One area of concern I would have hoped IDR might have looked >>>>> into is, the >>>>> >>> document makes a creative use of the MPLS Label field of the NLRI >>>>> to carry the >>>>> >>> Function part of the SID. This means the SID is effectively split >>>>> across the >>>>> >>> NLRI and the Prefix-SID attribute. What are the potential error >>>>> modes if the >>>>> >>> Prefix-SID attribute should be lost from the route, while the NLRI >>>>> is retained? >>>>> >>> >>>>> >>> (An obvious way of addressing this particular concern would be to >>>>> define a new >>>>> >>> NLRI type with the desired semantics, instead of creatively >>>>> repurposing fields >>>>> >>> within an existing NLRI type contrary to their definitions. Such >>>>> an NLRI type >>>>> >>> would, for example, presumably state in its specification that if >>>>> it was >>>>> >>> received without an accompanying Prefix-SID attribute, that would >>>>> constitute an >>>>> >>> error.) >>>>> >>> >>>>> >> KT> This document follows the approach similar as taken for >>>>> extending MPLS EVPN RFC7432 by RFC8365. >>>>> > >>>>> > I take it you’re referring to RFC 8365 §5.1.3 which talks about >>>>> using the MPLS Label field (or MPLS1 Label field) to carry the VNI in the >>>>> presence of a BGP Encapsulation Extended Community? Yes, that seems like a >>>>> pretty close analogue. And given this particular trick is only with >>>>> VPN-type address families one can also argue that there’s not a risk of >>>>> affected routes leaking into the big-I Internet, which is the typical >>>>> associated concern. >>>>> >>>>> In a separate reply, the authors of >>>>> draft-lz-bess-srv6-service-capability-02 pointed out that it provides a >>>>> critique of bess-srv6-services which is similar to this discuss point. (The >>>>> authors dropped the IESG from the cc, so I’m following up here instead of >>>>> to their original note.) >>>>> >>>>> On first reading, the critique in >>>>> draft-lz-bess-srv6-service-capability-02 seems well argued and responsive >>>>> to my question above about potential error modes. In section 3 of their >>>>> draft, the authors provide a worked scenario where a VPN route carrying a >>>>> SRv6 service SID using the Transposition scheme, if received by an >>>>> MPLS-only PE, could result in misdelivered traffic. At minimum, that seems >>>>> worth surfacing in the Security Considerations section, since historically >>>>> we’ve considered misdelivered VPN traffic to be a Bad Thing that could >>>>> expose confidential information. >>>>> >>>>> The authors do acknowledge that bess-srv6-services proposes a >>>>> mitigation: >>>>> >>>>> To avoid these problems, [I-D.ietf-bess-srv6-services] specifies >>>>> that >>>>> implementations SHOULD provide a mechanism to control advertisement >>>>> of SRv6-based BGP service routes on a per neighbor and per service >>>>> basis. >>>>> >>>>> but they go on to argue that this mitigation isn’t fit for purpose: >>>>> >>>>> The above method may be feasible in small-scale networks, but are >>>>> not >>>>> applicable to large-scale networks. >>>>> >>>>> [etc] >>>>> >>>>> It’s not my preference to get into the minutiae of this argument as >>>>> part of this discuss. However, I’d like to ask: was this consideration >>>>> something the WG discussed? I looked for discussion of >>>>> draft-lz-bess-srv6-service-capability in the archives and didn’t find much — >>>>> >>>>> - When an earlier version was posted to the list it resulted only in >>>>> discussion between the original author, Liu Yao, and Eduard Metz, who >>>>> became co-author, but there wasn’t any discussion I saw of the actual issue >>>>> that the draft identified, but rather refinement of the mitigation it >>>>> proposes (which I don’t want to discuss in this note). >>>>> - There was an agenda slot request for the draft at IETF-111. It was >>>>> on the agenda in the “if time allows” section. I assume time did NOT allow >>>>> because I don’t see mention of it in the minutes. (I did find the slides, >>>>> slides 3 and 4 summarize the critique, >>>>> https://datatracker.ietf.org/meeting/111/materials/slides-111-bess-sessa-srv6-service-capability-00 >>>>> ). >>>>> >>>>> But of course, the issue raised might have been discussed by the WG in >>>>> a different thread, that doesn’t match a search for >>>>> draft-lz-bess-srv6-service-capability. If so, I’d appreciate a pointer to >>>>> it. >>>>> >>>>> If there wasn’t any discussion in the WG of the authors’ critique, I >>>>> think it deserves to be discussed a bit as part of this thread. In >>>>> particular, does the “this is the same as the trick EVPN does in RFC 8365” >>>>> reply apply equally? Probably it does, although that might boil down to >>>>> “gosh, we should have caught this when publishing 8365, shouldn’t we?” >>>>> >>>>> Even if the outcome of the discussion is that the limitation was >>>>> discussed by the WG/isn’t a big deal because reasons/maybe it’s a big deal >>>>> but we’ll fix it in a followup… as I mentioned earlier, covering it in the >>>>> Security Considerations seems worthwhile. >>>>> >>>>> Thanks, >>>>> >>>>> —John >>>> >>>> _______________________________________________ >>> BESS mailing list >>> BESS@ietf.org >>> https://www.ietf.org/mailman/listinfo/bess >>> >> -- >> >> <http://www.verizon.com/> >> >> *Gyan Mishra* >> >> *Network Solutions A**rchitect * >> >> *Email gyan.s.mishra@verizon.com <gyan.s.mishra@verizon.com>* >> >> >> >> *M 301 502-1347* >> >> -- <http://www.verizon.com/> *Gyan Mishra* *Network Solutions A**rchitect * *Email gyan.s.mishra@verizon.com <gyan.s.mishra@verizon.com>* *M 301 502-1347*
- [bess] John Scudder's Discuss on draft-ietf-bess-… John Scudder via Datatracker
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Robert Raszuk
- Re: [bess] John Scudder's Discuss on draft-ietf-b… liu.yao71
- Re: [bess] John Scudder's Discuss on draft-ietf-b… liu.yao71
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Ketan Talaulikar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Ketan Talaulikar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Bocci, Matthew (Nokia - GB)
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Bocci, Matthew (Nokia - GB)
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Robert Raszuk
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Robert Raszuk
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Ketan Talaulikar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… liu.yao71
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Robert Raszuk
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Eduard Metz
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Gyan Mishra
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Gyan Mishra
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Ketan Talaulikar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Gyan Mishra
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Ketan Talaulikar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Ketan Talaulikar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Ketan Talaulikar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder