Re: [bess] Benoit Claise's Discuss on draft-ietf-bess-mvpn-extranet-04: (with DISCUSS and COMMENT)
Eric C Rosen <erosen@juniper.net> Wed, 13 January 2016 15:16 UTC
Return-Path: <erosen@juniper.net>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 977171B2A64; Wed, 13 Jan 2016 07:16:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OVvoTmj-Rib1; Wed, 13 Jan 2016 07:16:24 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0141.outbound.protection.outlook.com [65.55.169.141]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1E841B2E93; Wed, 13 Jan 2016 07:16:23 -0800 (PST)
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=erosen@juniper.net;
Received: from [172.29.35.81] (66.129.241.12) by BLUPR0501MB2148.namprd05.prod.outlook.com (10.164.23.154) with Microsoft SMTP Server (TLS) id 15.1.361.13; Wed, 13 Jan 2016 15:16:18 +0000
To: Susan Hares <shares@ndzh.com>, 'Benoit Claise' <bclaise@cisco.com>, 'The IESG' <iesg@ietf.org>
References: <20151217133049.1038.44405.idtracker@ietfa.amsl.com> <56741869.5020505@juniper.net> <00af01d139c6$898fb720$9caf2560$@ndzh.com> <567859EC.6030103@juniper.net> <006101d13ce1$725cd650$571682f0$@ndzh.com> <56799F9F.4010907@juniper.net> <000d01d13d94$80868a10$81939e30$@ndzh.com>
From: Eric C Rosen <erosen@juniper.net>
Message-ID: <56966A3D.4000708@juniper.net>
Date: Wed, 13 Jan 2016 10:16:13 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <000d01d13d94$80868a10$81939e30$@ndzh.com>
Content-Type: multipart/alternative; boundary="------------020602030602000305060706"
X-Originating-IP: [66.129.241.12]
X-ClientProxiedBy: BY2PR08CA0071.namprd08.prod.outlook.com (25.163.62.167) To BLUPR0501MB2148.namprd05.prod.outlook.com (25.164.23.154)
X-Microsoft-Exchange-Diagnostics: 1; BLUPR0501MB2148; 2:SfRM4aStch9yjELSjqwLc1xo51APLMl8DJGQDltva/OnUKdUI+o5FNAv0sIhS7NHWVsfV2IF/5grqLOrpVgbdy0OHKnTd9MpnjLo7RdcAh6dQc6ImNfxzSxlFSTg3HwElnMMPcU2RHoMQyYZAA+K/A==; 3:MsIK/xGGKwxb8OoC5MycphKtM8rlGJV4PG1sFK7za8L7X+TUD1rX2QB2YvyrvE34xRQa9/D5DrzEGhPwd3eu5Zcqc5pSMGXRFiK/3zn6EGUaUtAmfcW4M0mQT1k+R51d; 25:4YdXc8XVcjhZMtFWkv9Fbc69gLNZqLaSPXBSs3LPx2Fm9Bek0rKzFfKdhfw/z4OsEZdPOral2I8Ze5+TyJCc3H5pHIuw2OpvT8ZtnQmRiCx1v0W8MYNT5+DUwPqwFIW1BxfF7FBaQcDaGBfpW5PSqf7FFe0dEzSAwzowXf+xTKhIY1f+X3hkqNrp6ic2pbFLgeuXJnXhfpnmk72ROpWpTfv/G3uhna0qgvvkh+mlr2T57NHo/DABdstKTKYFsYHV
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR0501MB2148;
X-MS-Office365-Filtering-Correlation-Id: 3b17e445-a9a7-439d-9bc5-08d31c2c7dfd
X-Microsoft-Exchange-Diagnostics: 1; BLUPR0501MB2148; 20:cuW/Bsc90gqYk9o7XOk9XHB28sW4DFYLrjaVGcmxfdsVRfGa9dNQcrJGrUTzRPefWalXdNeUaN0Ppw4mvebiEZzJqz91NWvboCh/hjaRRQOBYug/9bguwz9xK8yjMMpVVnb3Iv+XeZr52BrH/QU+7oPaeUAm4kO4JtuE4/4nUP88mn4sbmg9cm8uLCk4b2KTGx++Ta0pSsYPLgxkQ+N0xuCyFe1jvkjJTDnv57vrXMl1Yw3nOgVJU0W1NU8s39qPX5TsEFIPAlVkF/NVpAJXpkhc85CZXZBZSx91pD6acEbleYfbP4vZ0l82U3nbkv5j6mnXGF+iPCgP75qizyeQFTOU10t7nHBJQqYcahnEJqwdxdD5uOPjQms9xd83hapKEtHFpM5JOfTYgw35260tpbjhlcKSPYRmSS+yUhxE2l+1+aQ/EPVR5h0aVKN7BUn7nedpQK5ylXfLocphpkxQIt6owt/AXifwK+GfF4Rg8ChjiyOYUjmVT+my8+XxRFdr; 4:HIlTEi9m9vrEDceTs5yieKh+pmF6V22Al4G/yF0KIUtdduHg9bQURnHwV1D+PKYnDNw7vM0BfCFLnvPQBdmS67xdJv9f+bh6/ave5DyLVi4CwBpcrhE1k73kbGoLK/gHkxi4Fk45iOGyLk8rjoAxR66HD9sIri07wpfM9/atQH3+4QS0AQlCKcbFAeqDT8g4wR7NRugGb6+bMd/wAhR1wQlx/+iSU9qFBXs8C4Hh2fMD0u+LKtFZCgqTzcXGnf00SaJV0DH/iahirfo0rERKeyj7lD7KPBZY6z3CbtuqMgjEP+Dwg2sBtu+OA2We4/bJuHajC791neKZlGfyCSfy+5zUbWIqAE1bPWGZsRNs4Ug6ZLx/vn6spfvdPhyX6pf9
X-Microsoft-Antispam-PRVS: <BLUPR0501MB21481A854928B0564B742929D4CB0@BLUPR0501MB2148.namprd05.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(520078)(8121501046)(3002001)(10201501046); SRVR:BLUPR0501MB2148; BCL:0; PCL:0; RULEID:; SRVR:BLUPR0501MB2148;
X-Forefront-PRVS: 08200063E9
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(6009001)(6049001)(189002)(199003)(24454002)(479174004)(377454003)(122386002)(4326007)(106356001)(42186005)(5008740100001)(2950100001)(84326002)(105586002)(66066001)(65956001)(77096005)(65806001)(16236675004)(512874002)(6116002)(3846002)(790700001)(2906002)(87266999)(586003)(65816999)(54356999)(1096002)(5001770100001)(81156007)(99136001)(97736004)(19580395003)(80316001)(86362001)(40100003)(50986999)(5004730100002)(93886004)(4001350100001)(5001960100002)(76176999)(83506001)(59896002)(230783001)(101416001)(189998001)(19625215002)(36756003)(92566002)(87976001)(33656002)(64126003); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR0501MB2148; H:[172.29.35.81]; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Received-SPF: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: 1;BLUPR0501MB2148;23:xxHfWNIEtdTVpUfhUyHxa8Haof7LxSmGowJZiTagAV45EexJM6hFX4Mzh9AMEBlCx09PWLzxsXl31gNDIK6C8aoKomIKanVmqn7GNsv327+N8jOeTODn0IVNdm76n9u1yeS7zzH2+fkHLQUnbGnZ4c2jo54Fc5pM1k6yZLYL1iYV1absvA2IlqAsybXRlkx+Q3rgjC07UqXAUcqsmmuyGvysWnb2sT/YAf8zLmlMWb2eFNBm0DVvC+hT4z9gJ65JALT1QW37oJI2Ft8A9P9tfS10sQd3lP/C5D/Lnpm9yuJRTGPGourwRDLH59aqtutiYkQMXrqbk9uea0LTQroDwKGm7bVhFM+IYyJAuVACIoiA40eRaWXN2mUKhJ2f223gT3jGDM17EuomPNWdMWpQrkyV3DdN/ufWXU1viNGadXsr6NNzMdO98nDWn1ZIFpUk2AE0aDH4F6aMzvR3rWWKU4bXjFUs+bBqkaUxSWoYu/wvdW0643tPf/R5yBQfHzZsxkBgv6GKXfk25aqLa1AIfZ4Fv6LHPt6vGlvwQb0T6h2vJA2JVQ4djsz3m8NJWlT4/RnFGQOrqQrUkmQtNHBVoIRhOXMrqS5xf+BFWBR7A+aA0OI0nnyBTTy2uP2B+i2RZr33831jwyPITr7/0CUIVZjzekKyu8kBEXb/N6fhyqYHvfMYz+rjGp13fGrcYl8eU4X24KxRWpNb7lEEv17Yjob9fKs6x9XPm9RQ/MeG4t5d6wzN+X8ivR16kCizQ3RgTvePF76MP4LNlAMSrD5aPaQw7xUnZYNYt2hSKGi09O760nGxAMWFMpaK7e35GvNS8lGoFFlGO+PKfzK7FGrMagJYKdQo/2jnThTZxzk8sc0E8MILGicqTVdCu6j7ipvDo3SRxEze4zth/a++d6ktibOmJMC5wDXucYgNICiIa7sYMxVbYsjsCPzz1QljcSQxW2yB9tDhSFQIvWPZ0qlvp2wLcLi9Ev0w0ikDAtEQnyQjF5qRmsDfeyvmrX4epN/rowzWcChmI5D+N78FXjrK+Tw4SXrr1GNF+K8+dnsbRAWgkj3oR2ioDfyTN91gDhLcs2Pwu5EDMolClxdwzStsYWFP/GV8ezqgslDBwf32FhNf+PaSqjX3AQYkQoTVc6a6jX5Tpvp3PBTBAVxfoGOFBc4b2a4u6RtUU33mOp9IBp2MVHp1Dw0rHznQOmcn9oK/Ea6mdSVyC72GCgPPDDUEo1/mxANFLYY/gFkVAskEpxaC+WvU9PRT9zaVBYMFReHEevI58qgE8P7GQ+FFK10fu7Fo0jKfSE0WPSgSI9eaH55gaG7HIVxStrsk0lv4PHRU4sfS6Q7gLnB7c4eMpD4dgNYqGzqj+2/G6FlQNukaOWN2ZlQ409ESWdOK2YFwpUvx
X-Microsoft-Exchange-Diagnostics: 1; BLUPR0501MB2148; 5:mkKec2bxNYFKFmWRxxOPNxnHMm5PUnUd+lUex/AslVpvr4FJ6U5PjFulhjnbRGFiS9EnJ+m7R3YhmwNgUuvt/z56e4CONcEsl7JnPvil9WsT7dQHANceeFLiM9fdJp7vIk9sQhXEAhMIWSx0U+RF3Q==; 24:KYZFIsfPoih/hlrbYRcFhYQnwkC0pwAT1PQx4TbO2olXJuNzNiLEI3NCxMT8/ck5ka2BsoQlXbwmTD24OkcdxSw/H4qvzPxTLj3tWpEuzvI=
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Jan 2016 15:16:18.5563 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR0501MB2148
Archived-At: <http://mailarchive.ietf.org/arch/msg/bess/h3H9joH90g2B1XplYi_H9QJaf6k>
Cc: draft-ietf-bess-mvpn-extranet@ietf.org, aretana@cisco.com, "'John G. Scudder'" <jgs@juniper.net>, bess-chairs@ietf.org, martin.vigoureux@alcatel-lucent.com, bess@ietf.org
Subject: Re: [bess] Benoit Claise's Discuss on draft-ietf-bess-mvpn-extranet-04: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 15:16:28 -0000
On to version -06 ...
On 12/23/2015 10:13 AM, Susan Hares wrote:
>
> Sections which must be added to clear my concerns
>
> ----------------------------------------------------------------
>
> *4.4.1 Extranet Source Extended Community *
>
> To facilitate this, we define a new Transitive Opaque Extended
> Community, the "Extranet Source" Extended Community.
>
> The value field of this extended community is all zeros.
>
> *Restrictions: *This value field MUST be set to zero upon
> origination, MUST be ignored upon reception and MUST be passed
> unchanged by intermediate routers.
>
> *Additional Restrictions: *A Route Reflector MUST NOT add/remove the
> Extranet Source Extended Community from the VPN-IP routes reflected
> by the Route Reflector, including the case where VPN-IP routes
> received via IBGP are reflected to EBGP peers (inter-AS option (c),
> see [RFC6513] Section 10).
>
The draft has the following text in section 4.4.1 ("The Extranet Source
Extended Community"):
"The value field of the Extended Community MUST be set to zero. "
"A PE router that interprets this Extended Community MUST ignore the
contents of the value field."
and the following text in section 4.4.2 ("Distribution of Extranet
Source Extended Community"):
"A Route Reflector MUST NOT add or remove the Extranet Source
Extended Community from the VPN-IP routes reflected by the Route
Reflector, including the case where VPN-IP routes received via IBGP are
reflected to EBGP peers (inter-AS option (c), see [RFC6513] Section
10). The value of the Extended Community MUST NOT be changed by the
route reflector."
"When re-advertising VPN-IP routes, ASBRs MUST NOT add/remove the
Extranet Source Extended Community from these routes. This includes
inter-AS options (b) and (c) (see [RFC6513] Section 10). The value of
the Extended Community MUST NOT be changed by the ASBRs."
It seems to me that this contains the information you have requested.
It may not be in the format you prefer, but I think it goes beyond the
scope of an ops-dir review (or an IESG Discuss) to demand format changes.
>
> *4.4.2 Extranet Separation Extended community *
>
> **
>
> We define a new Transitive Opaque Extended Community, the "Extranet
> Separation" Extended Community. This Extended Community is used only
> when extranet separation is being used.
>
> *Restrictions:* Its value field MUST be set to zero upon origination,
> MUST be ignored upon reception, and MUST be
>
> passed unchanged by intermediate routers.
>
> * Restrictions on Adding/deleting this community:* ?? (Eric –
> please add something here).
>
The draft now contains the following text in section 4.5 ("The Extranet
Separation Extended Community"):
"We define a new Transitive Opaque Extended Community, the "Extranet
Separation" Extended Community (see [RFC4360], [RFC7153], and Section 9
of this document). This Extended Community is used only when extranet
separation is being used. Its value field MUST be set to zero upon
origination, MUST be ignored upon reception, and MUST be passed
unchanged by intermediate routers. A Route Reflector MUST NOT add or
remove the Extranet Separation Extended Community from the routes it
reflects, including the case where routes received via IBGP are
reflected to EBGP peers (inter-AS option (c), see [RFC6513] Section 10)."
It seems to me that this contains the information you have requested.
> *Comments that could be put in a Security section: *
>
> **
>
> Whenever a VPN is provisioned, there is a risk that provisioning
> errors will result in an unintended cross-connection of VPNs, which
> would create a security problem for the customers. Extranet can be
> particularly tricky, as it intentionally cross-connects VPNs, but in a
> manner that is intended to be strictly limited by policy.
>
The Security Considerations section already contains the following text:
"As is the case with any application of technology based upon
[RFC4364], misconfiguration of the RTs may result in VPN security
violations (i.e., may result in a packet being delivered to a VPN where,
according to policy, it is not supposed to go)."
I don't think the above requested text really adds anything, it's just
saying the same thing over again.
>
> If one is connecting two VPNs that have overlapping address spaces,
> one has to be sure that the inter-VPN traffic isn't to/from the part
> of the address space that is in the overlap. The draft discusses a
> lot of the corner cases, and a lot of the scenarios in which things
> can go wrong.
>
The difficulty of dealing with overlapping address spaces when
connecting two VPNs is already discussed extensively throughout the
document. I don't see that the requested paragraph adds anything of
substance.
- [bess] Benoit Claise's Discuss on draft-ietf-bess… Benoit Claise
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Stephen Farrell
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Susan Hares
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Susan Hares
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Susan Hares
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Susan Hares
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Benoit Claise
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… joel jaeggli
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… joel jaeggli
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Eric C Rosen
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Martin Vigoureux
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Alvaro Retana (aretana)
- Re: [bess] Benoit Claise's Discuss on draft-ietf-… Susan Hares