Re: [bess] John Scudder's Discuss on draft-ietf-bess-bgp-sdwan-usage-20: (with DISCUSS and COMMENT)
John Scudder <jgs@juniper.net> Wed, 28 February 2024 15:05 UTC
Return-Path: <jgs@juniper.net>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBBE9C14F696; Wed, 28 Feb 2024 07:05:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.806
X-Spam-Level:
X-Spam-Status: No, score=-2.806 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b="YQJ4u0OX"; dkim=pass (1024-bit key) header.d=juniper.net header.b="jiYtG325"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qASog5bh-1XM; Wed, 28 Feb 2024 07:05:20 -0800 (PST)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8455C14F619; Wed, 28 Feb 2024 07:05:19 -0800 (PST)
Received: from pps.filterd (m0108160.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 41S9cN5s006198; Wed, 28 Feb 2024 07:05:17 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h= from:to:cc:subject:date:message-id:references:in-reply-to :content-type:content-id:content-transfer-encoding:mime-version; s=PPS1017; bh=B2B5KrNpnXqqEybycfGrPBXI86pJnDA4f5e9HIBUboA=; b=Y QJ4u0OXLXLDNIl2VEFQV06WInuOGO4sh2KB1TVU6mRYLrU5cjSDc4LX/FZ5zz0Vj ztctfC/cor2KsAYNzZReG8gbcgxHLBIRQC4T16KL++l3DJg3QjnOaItWgk34eRDG CuHHMlT2fuHvWmGj5DT6jeE1cTwQYKff44kLDo0ilVbeD0IektnbjpvVtu8Eeuz5 gim4qrc0T1aSXg87KVSM2l5wv1ixMKj6BUwP8Xonr59Qr9/tcddp16bv4tIbMWiC lh2vioviYYuTeTlem2QmjsufLCyMdmBYTNi6ia2L+Fkfc8rFupPeIFykvgMGhPPm GxL7nUOGEnWQhwiFZeG8w==
Received: from bn1pr04cu002.outbound.protection.outlook.com (mail-eastus2azlp17012018.outbound.protection.outlook.com [40.93.12.18]) by mx0b-00273201.pphosted.com (PPS) with ESMTPS id 3wff8hqp6j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 28 Feb 2024 07:05:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LsFnkeymgY4DS173qETJEtRnQRJLuIZB3+5V4dE3tUKc9TYzqm35MgdCwqy2mk142tASx4cpp4XbeEQU4d8m/GxtxST8EbtgWkrv9JqDpE/zTPkQFqQFqJ/5IChV2wnp8fNpi7qnX/e2gJfaIPHOL7GRFFIMv2b3Q/JaKBoeOXPTR/NOFuTUwB2Zjn7uV8gA5vuCvUX0tSJA9rssTMdQgkEnSgOlLE/MZ2npj+UfCER8T9H2AcbEUVZLsM2YHTEE4xojipOsLSO51BFPCB36qlKvF4ZWDysODE32cSoItpWLNWOMFZDOLQr6ozpv4EpRq3lPvOjHND7C8hwn6INSmA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=B2B5KrNpnXqqEybycfGrPBXI86pJnDA4f5e9HIBUboA=; b=D8M227++BuOu6m6qK3b857jrTZhKcB9APIrlxkwXKILUfq4Hh5mdEO1fFz1q7UbOv9RwO/iLIhffGC87GLCBLD+XdLxxOPx9NbosYha/hHIrBqB0ApPML6QfZ7Ud/OvHX2LnKvT2jPXKR31jsizGI8TzCSPQ25Ef9gqFId/PKrzkOe9Ifez2v/T0XMEaHppdIn3MFzERqGFzRx/a34lwYpaL2dvpr6C/bX8MjmxWSObNBgFumfX+gqyoY0P9g458HtdN2zevIBk8lM+RwJCrW/MDaSIU0Kp7JKaL4H0eUf3uq8mMjUd4p3LyzXIrpV0jfJ8+xHTifmSdW9yroEgGWg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=B2B5KrNpnXqqEybycfGrPBXI86pJnDA4f5e9HIBUboA=; b=jiYtG325bjTt9OcoF4TmTvUBNqMlLXfKk5NVs5T2ddXP3MMH3hstvnfxD/RdrfaLolrMR7Cu+rFyI81DN0MKvMEJivIXY4izME/wPYGckqPBjINPksQDr5kCZ/6tMWUVyvzIntqi8V0aHjcRo0vLNT/584coGgKlaLC+G+vlzdI=
Received: from CH2PR05MB6856.namprd05.prod.outlook.com (2603:10b6:610:3e::11) by PH8PR05MB9991.namprd05.prod.outlook.com (2603:10b6:510:1bf::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7316.36; Wed, 28 Feb 2024 15:05:12 +0000
Received: from CH2PR05MB6856.namprd05.prod.outlook.com ([fe80::e182:8767:9915:7b07]) by CH2PR05MB6856.namprd05.prod.outlook.com ([fe80::e182:8767:9915:7b07%6]) with mapi id 15.20.7316.037; Wed, 28 Feb 2024 15:05:11 +0000
From: John Scudder <jgs@juniper.net>
To: Linda Dunbar <linda.dunbar@futurewei.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-bess-bgp-sdwan-usage@ietf.org" <draft-ietf-bess-bgp-sdwan-usage@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "bess@ietf.org" <bess@ietf.org>, "matthew.bocci@nokia.com" <matthew.bocci@nokia.com>
Thread-Topic: John Scudder's Discuss on draft-ietf-bess-bgp-sdwan-usage-20: (with DISCUSS and COMMENT)
Thread-Index: AQHaacrvS1ZbJsuwFk6JJPlfuqjnObEfHiEAgAC9SAA=
Date: Wed, 28 Feb 2024 15:05:11 +0000
Message-ID: <84AE656D-708D-4458-9A4E-F91ACF02B5DA@juniper.net>
References: <170907231389.62883.1060466592403115326@ietfa.amsl.com> <CO1PR13MB4920CCEDE24E814E38C504EF85582@CO1PR13MB4920.namprd13.prod.outlook.com>
In-Reply-To: <CO1PR13MB4920CCEDE24E814E38C504EF85582@CO1PR13MB4920.namprd13.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3774.400.31)
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH2PR05MB6856:EE_|PH8PR05MB9991:EE_
x-ms-office365-filtering-correlation-id: 425e1b06-b2bd-48aa-04f4-08dc386ea8fb
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: avqCvAA9wrOE9LokhM8DyWreadBeHb6fBDY48cHhhkLg5NWI4Fmv0PwYtMadwuVrdSlu5rHk8OtSjlXX6R0PQzvySq90/3311NQrB45PkWP6kMwH5oxWPcAvgMa/7Suti8GIMzyg8dxkCRxeUuzy6xCSJc71E29VzhyhS+jJvdKcwdJC9HP3jtd3yq7bFEVrcrQefHpH8bYkM7ceAMRAyVMStuHkuNa83fk9/E7kzdldxsVF7XKx93x+rnYEGLWESUTlogd6JrBfqQtCPd31QKQiBR+ehIZfZ27PTi3upcMTEvl1FKRxJY9HNxUSZC2IHH/E8WTfTLN+U1spOi0BqpbNuNHKADrwmMC8SKTyyQnRTxiwcbRO8ixUI6Qfk4X/w5U3WcpwOj4yR8cIRX9iU1PvyZ1JkM7a57Knyz40bqcf4/DvJgyHQyLfPhfV5vp9ZPwvc5Gx1VdFCn7tG4UF4MCRF/r+VGyhCJD4a4UVdkoo3TtrGXBTXYcXP8s1Sv4wWxZcbt8Tksc42217zgHLdja9WdBBa0pMfNe0UljawyBESK6xDVrGseaHtnX5L0zB4U0PrD2hbITYJdqG//KqqS1+UgyD8H0rl8+qwY7DXX6RV4htoPDsM34+/4dZsg7YkxcDEc6o6eFr2S7CJh6en/P27A+7OAn8rXwGkid2ioc=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR05MB6856.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(38070700009); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: GVGsdb4in/RxosDDrv9yzbrEwA7aKdftDTlSwGhppx9dsA8QIsC5BM1g7wry+I5xxwnu/tmUiqwu042We5qolwycbZMaFhgrsPZyIffWoZn/BSmfr/ALrlXmmcu0cgwzfAJmgZ/E3y1CFBkweRo5z8bpFTHbtBKxMuZcD0QU4UW6wSZxQqDwylhJjGxyooSGLMbc07nw0CHT1ejVLssaDlUFJx5DZR5nCUg5kgMAmEOK0w6eGuttzbCa6H2iTcmsHyJYBJG9QoVB5VCm6HeTYrxzaIeGhjhJ+swn2pH35SGejv39WVU1Jh7ntJPhnphZC7nUXsiNqI0grkCamg3mxcm5Z+slj7v/gBrnDiLSDojrW6yAsgjaPxckwlbv2jM15qybrYp8a6iMI20cNZkEHMQ50csj1dL9qxPLKDy3kZxb+TWTGZJFW07QssR5VaR4HGldsjDu3pZZa1510mlYMTpI9QPGIgwwenr09w8iqUhJkrxMFZgOILHON47pSYN2k6r1qUkELoEIKWi0HyHuFNTP4LxOlMuqiAeKohrYdaDAZnaJFPmTqw26xnqm6jVSYuT6PwYtld9ZoTYLplya9rMme2w6ZGAsE8lv9QBmRxKDMvAAweFombkH8lVAYtJF1GInZhBwry+A5EZVPKDQZDTZM2ivJstwzs1jz3h0VhvccHayMdIvdfH+VaXqfbx77jZiorwcRvhZTVaxPWodSRosjxN/3yRL1NRXpkeHIB2v6bTld6Fr12rufTSsxBfPqBGFc3moreT751zUcey/B/8pMqZignPpP7WotyJoABoza6pKcK3zd1mhYLMPx797CIj9g4Sfyb/KIpjvahilbX2mVj8bm4uK/Wr2el4wzxgWOu6e7dRmXfswpSD0JYmJfZZH9ima9Gqj0y0E/4MZOSq/SaTripceWhmyqFJTc8tk4LeD5hp46TMwEAWwVSXk2uEDn4ilF0pn0y4wz6CyI8bg5uiQgP+eNIJT3tFgjtMEDa0XeGIBhuTb4mlJ2A5NmS8pV58blvmWiu9rMdb40UQMuBezNzNVnsI8UREjDtL1f2MnVo2Bx/hNUbXINWqPveXWFw2g+VNrnCXIh0renPvKPJt0jXNf7j2E75kYUyClmdI+Y8NVsl1pYxJK9m2rWmNNU1m+XciOn0+EGKkXPRPbALNoda8Hmw5/6e6uIcM+btSlA7/4BW+gsLI+dirdRfTAq23Fq5o7mVBcxvni7kmClpD70AmQiTp9GaELld8wICCRq9/dIY75+CBORFt5p1JSGn9ZCUyqrBTNmhGCD27ej1U7We/oW/SnuRd6DVISgEyRY3EVwWcYrIIMm3p5Px0qUki0qWDN/auD3MNeHNp8ZXtJoN+O7df+Bag02qQFZfGUc4xKp9SbcwOl17P22IjhkuMiDu14ax5skPJfm544iFUpZDso2N+Q0wlffj2h7arGl5RawP9021sridGqR5FPlPUKhnE4s5+IpehrX294qfySI3npmXmN6ZiCnuwMfIi3k61o+99zoybBQGJQQIChw6/mpMzkKbiXNKTVQP2OMIfv+GlWsIo2LvZ7IN227qJc6Fpho2I7TCxoQYZS
Content-Type: text/plain; charset="utf-8"
Content-ID: <DA9C32447E19FA4AA88935AEDE1CADC5@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH2PR05MB6856.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 425e1b06-b2bd-48aa-04f4-08dc386ea8fb
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Feb 2024 15:05:11.1958 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +DEF4+WvPXSDWBmHzwaWECBb2ojxqFfEyNEvR0NInKmtkVzn35jZ5IdARYmNQv8e
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH8PR05MB9991
X-Proofpoint-GUID: V_3lMJibaE9iiL6zz_rz0SvvWhRronZG
X-Proofpoint-ORIG-GUID: V_3lMJibaE9iiL6zz_rz0SvvWhRronZG
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-02-28_07,2024-02-27_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 impostorscore=0 lowpriorityscore=0 spamscore=0 suspectscore=0 bulkscore=0 mlxlogscore=999 clxscore=1015 priorityscore=1501 mlxscore=0 malwarescore=0 phishscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2402120000 definitions=main-2402280119
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/mFqxRi7KBYyPSsEBkg6T_V-OkGw>
Subject: Re: [bess] John Scudder's Discuss on draft-ietf-bess-bgp-sdwan-usage-20: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2024 15:05:24 -0000
Hi Linda, A few replies to some of the more specific/actionable points, below. > On Feb 27, 2024, at 10:47 PM, Linda Dunbar <linda.dunbar@futurewei.com> wrote: ... > ### Error in how RFC 9012 is used > > In Section 5.2, the Encapsulation Extended Community is misused. See > https://mailarchive.ietf.org/arch/msg/idr/umBB5yfoC3mFMpIWIT2K8159Gos/ for > related explanation of the error. The error recurs in Sections 5.3 and 5.4. > > [Linda] Please see the discussions related to the topic. For SD-WAN scenario, simple NextHop is not enough for client routes advertisement because different client routes need to be forwarded by different underlay paths. It is not practical to include all the information about the underlay path with the client routes advertisement. To paraphrase my reply to the other thread linked above, just because you want a nail, that doesn't mean Encapsulation Extended Community is a nail. In that last reply, I suggested a few other mechanisms you could use, but if you think you must have some kind of tunnel affinity indicator that isn’t color, you can specify one, there are plenty of unused extended community code points available. But Encapsulation Extended Community has already been specified and does not have the semantics you want. (As an aside, anywhere you’re referencing a code point, if you’re not using the exact name found in the IANA registry, please mention the numeric value also.) > Also, there is no such thing as “TYPE = IPsec” (referenced in Sections 5.2 and > 5.4), see > https://www.iana.org/assignments/bgp-tunnel-encapsulation/bgp-tunnel-encapsulation.xhtml#tunnel-types > > [Linda] RFC5566 has specified IPsec Tunnel Type (IPsec in Tunnel-mode: Tunnel Type = 4 [RFC4302], [RFC4303]). We can add the reference. RFC 5566 status is Obsolete, Tunnel Type = 4 status is Deprecated (that’s why I put the link to the registry there, in part). I don’t think we should be publishing new RFCs with normative references to Obsolete RFCs and Deprecated code points. > This one should be straightforward to fix. It does lead me to be worried about > the level of review the document has received, though. > > ### Section 3.1.5, security model > BGP is well suited for this purpose. RFC4684 has specified the > procedure to constrain the distribution of BGP UPDATE to only a > subset of nodes. Each edge node informs the Route-Reflector (RR) > [RFC4456] on its interested SD-WAN VPNs. The RR only propagates > the BGP UPDATE from an edge to others within the same SD-WAN VPN. > > RFC 4684 is driven by demand -- a PE will advertise RT membership NLRI to > "request" that it receive routes with the given RT. So, this means the security > model is that the client router is implicitly trusted to declare its VPN > membership(s) truthfully and accurately. I don't see this addressed in the > Security Considerations. > > [Linda] Section 3.2 states that the SD-WAN Local Network Controller, e.g., RR in BGP-controlled SD-WAN, is managing the policy governing communication among peers. > > Here is the wording added in Section 3.1.5 to address your concern: > “Route-Reflector (RR) [RFC4456], as an integral part of the SD-WAN controller, has the policy governing communication among peers. The RR only propagates the BGP UPDATE from an edge to its authorized peers.” If the RR has to be explicitly configured to police all propagation of routes, instead of trusting RT membership NLRI… what value does RFC 4684 bring? You’re already requiring that the distribution topology be comprehensively configured. (As an aside, no BGP speaker “propagates BGP UPDATE” messages, that’s not a thing, the closest we get in our standards is BMP Route Mirroring mode, but that’s not applicable here. What you mean is that the RR only propagates BGP routes from an edge to its authorized peers.) > ---------------------------------------------------------------------- > COMMENT: > ——————————————————————————————————— ... > [Linda] The term “Client Route” is adopted from the RFC4364. In this document, client route means the prefixes attached to the client ports of an SD-WAN edge. Add this to the Terminology section. I don’t see “client route” in RFC 4364, but if you’ve added a definition that’s fine. ... > What anti-DDoS mechanism is that? None is specified here, nor referenced. > > [Linda] anti-DDoS is a commonly used tool for any interface facing ports. It is out of the scope of this document to describe the details. Is adding the following sentence helpful? > “The anti-DDoS mechanism comprises numerous components, and their detailed discussion is beyond the scope of this document.” Not helpful to me — if it’s a commonly used tool, surely there might be some reference available for it. But I see Roman has raised this point too, I’ll defer to him for further discussion of it. > ### Figure 7 > > Figure 7 is mangled to the point of being unreadable. > > [Linda] Figure 7 is to show underlay paths can be via trusted VPN and “untrusted network”. Over the “Untrusted Network”, packets have to be encrypted. We greatly appreciate any suggestion to make it better. The intent is to demonstrate some traffic have to be forwarded via trusted VPN, while other traffic can be forwarded via either untrusted network (with encryption) or trusted VPN. I literally mean that the lines and boxes and such don’t line up, there are boxes without labels, etc. It looks like the ASCII-art got trashed in version 16, so my suggestion would be to revert to what was in version 15 as “figure 8”. Even that version is a little funky — is it really your intent that there be no connection between A3 and the adjacent PE? Seems like it couldn’t possibly be, since as currently pictured C-PE-a has no connection to the trusted VPN and therefore isn’t actually illustrating “hybrid”. So probably add that arc too. —John
- [bess] John Scudder's Discuss on draft-ietf-bess-… John Scudder via Datatracker
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Linda Dunbar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- [bess] BESS charter [was: Re: John Scudder's Disc… John Scudder
- Re: [bess] BESS charter [was: Re: John Scudder's … Susan Hares
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Linda Dunbar
- Re: [bess] John Scudder's Discuss on draft-ietf-b… John Scudder
- Re: [bess] John Scudder's Discuss on draft-ietf-b… Linda Dunbar