Re: [bess] Roman Danyliw's Discuss on draft-ietf-bess-nsh-bgp-control-plane-13: (with DISCUSS and COMMENT)
"Adrian Farrel" <adrian@olddog.co.uk> Thu, 19 December 2019 11:32 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9256A1200B5; Thu, 19 Dec 2019 03:32:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5rk3nqPOq-Tz; Thu, 19 Dec 2019 03:32:33 -0800 (PST)
Received: from mta7.iomartmail.com (mta7.iomartmail.com [62.128.193.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18DF71200B4; Thu, 19 Dec 2019 03:32:32 -0800 (PST)
Received: from vs1.iomartmail.com (vs1.iomartmail.com [10.12.10.121]) by mta7.iomartmail.com (8.14.4/8.14.4) with ESMTP id xBJBWQdB029799; Thu, 19 Dec 2019 11:32:27 GMT
Received: from vs1.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4838622054; Thu, 19 Dec 2019 11:32:26 +0000 (GMT)
Received: from asmtp3.iomartmail.com (unknown [10.12.10.224]) by vs1.iomartmail.com (Postfix) with ESMTPS id 3CE482204E; Thu, 19 Dec 2019 11:32:26 +0000 (GMT)
Received: from LAPTOPK7AS653V (178-119-99-237.access.telenet.be [178.119.99.237]) (authenticated bits=0) by asmtp3.iomartmail.com (8.14.4/8.14.4) with ESMTP id xBJBWNAd016271 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 19 Dec 2019 11:32:25 GMT
Reply-To: adrian@olddog.co.uk
From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Roman Danyliw' <rdd@cert.org>, 'The IESG' <iesg@ietf.org>
Cc: draft-ietf-bess-nsh-bgp-control-plane@ietf.org, bess-chairs@ietf.org, slitkows.ietf@gmail.com, bess@ietf.org
References: <157669650999.4863.505212001960463291.idtracker@ietfa.amsl.com>
In-Reply-To: <157669650999.4863.505212001960463291.idtracker@ietfa.amsl.com>
Date: Thu, 19 Dec 2019 11:32:23 -0000
Organization: Old Dog Consulting
Message-ID: <028e01d5b65f$fd721c40$f85654c0$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQF6PhHW9k589S8pKUaAYs8LOAPaTqh4Qdhg
Content-Language: en-gb
X-Originating-IP: 178.119.99.237
X-Thinkmail-Auth: adrian@olddog.co.uk
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSVA-9.0.0.1623-8.2.0.1013-25112.006
X-TM-AS-Result: No--14.706-10.0-31-10
X-imss-scan-details: No--14.706-10.0-31-10
X-TMASE-Version: IMSVA-9.0.0.1623-8.2.1013-25112.006
X-TMASE-Result: 10--14.706200-10.000000
X-TMASE-MatchedRID: HLMPCFyIyBPxIbpQ8BhdbFyuZHgmvm5o9oVAKMBioqcjRiu1AuxJTIst NWRuMmhqsTmEhLXy858pD43V2FP3DDeiGq2NlS7Fu6cTLrgJBGqlAfiiC1VA/X6hVrHbLLE3TSy DPY8FHmcaTjuMW6GGOh+2OZjj2n0/LhiVcI0czH+zmX56C89UdzoSfZud5+GgkBqzlpo2fKoXxG DD7ldukG5YdKGEGLxcy0M3tme4VcNhaj10i6TXQMK1Ib9JAALxKINyBe8DNbJOz8YOQHnBec09U qYtaWXKIUM+EI7fOGMC6XtYOY/asHrR0gNA/fPxuUfxsv33x29zHsCOuSqn1m933pK2DkkP2t/L NQuvrMc6GUZqpJ9QXsgR1ZdF6W4mquGM4v2rVftFeAr5guIYJn4JYJwdJw4TD+XGOhgZ/4fZsxQ i3r7qySqHm8ByZBvliXUXFNwxv/oK5hvD34r1FcPRlYRmv+e2Mx981lgKTcOw0EfjpqqTDu4qgL hL/5nVX4tQOIJWO4156p6RyrN5UqoYieEpL+b+N0pSxRe2p7LdXhRKGhNdp3xO7py+RBC8sJ1cQ SX44pvoa11hcuZhEpcID6snPAKyBBja7g4HU82aq3sWuAmxEP6lpfpte41h6ZQigqVYehBWCB3i cG4VKpifuz+pG1a3DfRUKk+cPEMcBxRL3Awc71mLj2N8zyoQOYqKF7UrYh6Ss1st/hpgbl2cZ6r nVk0UhFWxJSj6s/Z9KPiMkqBdP/sheBRE9AAcfY+iJfFQBxc+JhnZ04ASMJsoi2XrUn/JjcFmPi pjlBsMyrfP9j+C1SAHAopEd76vrtRYoYfndffVECHZHN6blqAkP0ruW+7n62QNFsnQ0a/2cTGas b5O6Q==
X-TMASE-SNAP-Result: 1.821001.0001-0-1-12:0,22:0,33:0,34:0-0
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/f-RGEKJaQ4oV4WLxBij1AYfEGnM>
Subject: Re: [bess] Roman Danyliw's Discuss on draft-ietf-bess-nsh-bgp-control-plane-13: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Dec 2019 11:32:36 -0000
Hi Roman, Without delving deeper (yet), why is this document any different from any other document in which BGP is used? Will you be placing a Discuss on every document coming out of IDR and BESS until there is a clear statement of how to secure BGP-based systems? Thanks, Adrian -----Original Message----- From: Roman Danyliw via Datatracker <noreply@ietf.org> Sent: 18 December 2019 19:15 To: The IESG <iesg@ietf.org> Cc: draft-ietf-bess-nsh-bgp-control-plane@ietf.org; bess-chairs@ietf.org; slitkows.ietf@gmail.com; bess@ietf.org Subject: Roman Danyliw's Discuss on draft-ietf-bess-nsh-bgp-control-plane-13: (with DISCUSS and COMMENT) Roman Danyliw has entered the following ballot position for draft-ietf-bess-nsh-bgp-control-plane-13: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-bess-nsh-bgp-control-plane/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- * Section 9 cites a number of references (which cite additional references) on BGP security. My summary of the highlights is: (1) RFC4271 => TCP MD5 (RFC2385) is a MUST (2) RFC4271 => consider RFC 3562 for key management guidance (3) ietf-idr-tunnel-encaps => caution on Tunnel Encapsulation attribute (4) rfc4364 => TCP MD5 is a non-rfc2119 “should” (5) rfc4364 => don’t make connections with untrusted peers (6) RFC7432 => references the utility of TCP-AO (RFC5925) - Could the text articulate more clearly de-conflict (1), (4) and (6) – what is the recommended approach? - a discuss-discuss – Given the green field nature of this specification (the shepherd’s report notes no implementation) and the assumed SFC deployment model (not the internet; a single provider’s operational domain where key management should be easier), could a more robust transport security option such as BGP over IPSec be RECOMMENDED? ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- * Section 2.2. Could you please clarify connect between these two statements about the SFC architecture: 1. “The SFIR is advertised by the node hosting the service function instance” 2. “We assume BGP connectivity between the Controller and all SFFs within each service function overlay network” Is the node referenced in statement (1) the SFF. If not, it seems like they need to be added to statement #2 as entities that have BGP connectivity. * Section 2.2. Per Figure 1, where is the “Controller” in this reference model? * Section 3.1. Per “If two SFIRs are originated from different administrative domains …”, are these administrative domains still in a “within a single provider's operational domain” per Section 2.2.? * Section 3.1.1. Per the SFIR Pool Identifier Value being “globally unique”, is that globally unique per Controller? Per overlay network? * Section 4.3. Per the summary notation of “RT, {SFPR-RD, SPI}, m * {SI, {n * {SFT, p * SFIR-RD} } }”, it isn’t clear to me what this expression is summarizing. Also, what does the “*” mean? * Section 4.5.1. Per “Therefore, while this document requires that the SI values in an SFP are monotonic decreasing, it makes no assumption that the SI values are sequential.”, should this “requires” be a RFC2119 MUST or REQUIRED? * Section 6. Per “Therefore, the use of NSH metadata may be required in order to prevent infinite loops”, what is this meta-data? * Section 7.2. Per “In such cases it can be important or necessary that all packets from a flow continue to traverse the same instance of a service function so that the state can be leveraged and does not need to be regenerated.”, how is this requirement signaled through the SFIRs for the computation of SFPs? * Editorial Nits: - Section 2.2. s/channelled/channeled/ - Section 4.5.1. s/bevahior/behavior/ - Section 7.1. Per “As noted in Section 3.2.1.1 SFPRs reference each other one SFPR advertisement will be received before the other.”, this sentence didn’t parse for me. - Section 8.9.1. Typo. s/is is/is/
- [bess] Roman Danyliw's Discuss on draft-ietf-bess… Roman Danyliw via Datatracker
- Re: [bess] Roman Danyliw's Discuss on draft-ietf-… Adrian Farrel