IETF Logo Mail Archive

Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)

Ketan Talaulikar <ketant.ietf@gmail.com> Sat, 05 March 2022 09:40 UTC

Return-Path: <ketant.ietf@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18E463A11D2; Sat, 5 Mar 2022 01:40:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id loOdb4bfs8g3; Sat, 5 Mar 2022 01:40:35 -0800 (PST)
Received: from mail-vk1-xa34.google.com (mail-vk1-xa34.google.com [IPv6:2607:f8b0:4864:20::a34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6ADED3A1644; Sat, 5 Mar 2022 01:40:35 -0800 (PST)
Received: by mail-vk1-xa34.google.com with SMTP id i133so3386704vki.8; Sat, 05 Mar 2022 01:40:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DcCkQXQcrBMS+kxW4JCkjGvFloqISJX41UaRWqHhnOU=; b=RcomKwUUl5erHGqtaJedvwtSzqiRl0yZOi19JsUXCFPQFQxoO5nr0LzTQFzGI6aYrT 5fFpADu64DVISrVl45by7VylB3x1DD4fHEyXEQoT7Y5j/TFiT5IJx0Md5DbH9uMJfBRz 6kK3NRT0tM6vVJZybuqIj7uKB1FY3JcnfpY5AsBF7YPNkAPIm748S8p/YywHpT/QoPqh eRK0cVcU4y/WxmuxVMWYzDXd3NRs8TwlbNNHaM8CuDYnFPQ5YOLs08YDDuiax4l/fYL5 CY8MHRF2g7ih7m1Y1m4ja+mk02dg8gM9EbRvrgmK7XIOCSZQykbv3HpuAqYt6gu49ZgS XKTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DcCkQXQcrBMS+kxW4JCkjGvFloqISJX41UaRWqHhnOU=; b=RrAMhiLbgZvUxXXO2eqW9Nyad4o0JvZzI441uaZw3mf1mguzqQ05rxCw3qgUov5wmn bC1zqcGNX9gRCF6LhX1fWOp2okqdb3+FXJim/e+UtPplzPgo6XVR247oaOlQgS4mukaq Hax5IN4UddO6Uc/UCcPImw0avyFSsas/q9jJ9dvM9qXk91X1ozAmI+1FswLSkt+VK1YE mRBhtYf6V5PiqEkb1sz1imGYadWWN9Vo3FnGUmOSvoVYJsgxNniPLNDn/263hQZz3Y3E xciG87S22V1itGtl3X+ZCIbzTn+T27tl7dPbOSo19nFLXw5MVdLuLVWCrK+hUwXWX9Pc Sfng==
X-Gm-Message-State: AOAM531GFq9n1uNrkbXMoA5ocnsmMDm9LDoOaH1WTc+VIr8FbZnQE1gm AEQ1gUcDVUC2hjbR8MEx4dPGGkt5Yzc2SY/bTtc=
X-Google-Smtp-Source: ABdhPJzS6vWI25HLtxNasVDLSjlzKy1dE//Zk5+ZHjl/5iluy3/uVyjkKq+CVMhw++94X19NntI0pkxv17PJjNaOKyk=
X-Received: by 2002:a05:6122:d98:b0:331:47bf:b437 with SMTP id bc24-20020a0561220d9800b0033147bfb437mr827842vkb.29.1646473234039; Sat, 05 Mar 2022 01:40:34 -0800 (PST)
MIME-Version: 1.0
References: <164504757419.5632.9536270153833731412@ietfa.amsl.com> <CAH6gdPxTtVfh02odMdreGnnsD8fnY2rPDqPhU9cucSOuU=bxNw@mail.gmail.com> <DB75B564-CF18-4D93-B183-5C31203E860D@juniper.net> <183B3A89-B7CA-4B8B-888C-6404BB65E8F3@juniper.net> <CAOj+MMG711xUEFTHkcVzgX64fGhB+4Nn3Adkv_ywqS78LVMv4Q@mail.gmail.com>
In-Reply-To: <CAOj+MMG711xUEFTHkcVzgX64fGhB+4Nn3Adkv_ywqS78LVMv4Q@mail.gmail.com>
From: Ketan Talaulikar <ketant.ietf@gmail.com>
Date: Sat, 05 Mar 2022 15:10:21 +0530
Message-ID: <CAH6gdPxV+r2iUouqom3rRZBoDbdbi45N_H-GBr_hOqgmYPBa3w@mail.gmail.com>
To: Robert Raszuk <robert@raszuk.net>
Cc: John Scudder <jgs@juniper.net>, The IESG <iesg@ietf.org>, "draft-ietf-bess-srv6-services@ietf.org" <draft-ietf-bess-srv6-services@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, BESS <bess@ietf.org>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>
Content-Type: multipart/alternative; boundary="0000000000003f463e05d9756c4d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/uh3mAKLqwQoWg_wc4AsJaZq5qKA>
Subject: Re: [bess] John Scudder's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Mar 2022 09:40:41 -0000

Hi John,

We've just posted an update to the draft to address the comments raised and
to clarify the security considerations.

https://datatracker.ietf.org/doc/html/draft-ietf-bess-srv6-services-12

Thanks,
Ketan


On Thu, Feb 24, 2022 at 3:42 PM Robert Raszuk <robert@raszuk.net> wrote:

> Hi John,
>
> You have highlighted below a very important point. It was discussed among
> co-authors, but perhaps not sufficiently during the BESS process as the
> issue is really not a BESS WG problem.
>
> In BGP protocol any new service deployment using existing AFI/SAFI is not
> easy. Especially when you are modifying content of MP_REACH or MP_UNREACH
> NLRI attributes. Main reason being is that using capabilities only goes one
> hop. In full mesh it all works perfect, but the moment you put RR in
> between BGP speakers things are getting ugly as capabilities are not
> traversing BGP nodes. /* Even in full mesh mixing transports for the same
> service is a serious challenge for routers when say multihomes sites are
> advertised from different PEs with different transport options */.
>
> Imagine RR signals SRv6 Service Capability to the PE. Then this PE happily
> sends a new format of the UPDATE messages. Well as today we also do not
> have a notion of conditional capabilities (only send when received from
> all) so if some of the RR peers do not support it you end up in partial
> service. One can argue that in this case the only deterministic model is to
> push the configuration from the management station and control partial
> deployment of the new service from mgmt layer.
>
> The natural alternative would be to never modify NLRI format once shipped
> by RFC. When needed issue a new SAFI. Yes that is an option (and has always
> been) but it also comes with its own set of issues. New SAFI is really
> great to define for new service/feature etc ... Here however in the context
> of this discussion we are changing transport for existing service.  And
> just like it was the case with MPLS over UDP or  tunnel attribute etc ...
> using a new SAFI would be very hard to deploy as there would need to be
> well defined behaviour of BGP speakers receiving duplicate information for
> the same VPN prefixes or receiving at one time only from single SAFI then a
> bit later from the other one .. Of course one solution is to permit only
> one SAFI for a given service at any given time, but that seems way too
> restrictive too.
>
> So to summarize while I am personally a huge proponent of new SAFI and new
> capabilities to be defines for new service here I do have  some
> reservations. It seems to me that deployment of new transport for VPN
> service should be either network management driven or enabled when all
> participating PEs support it. Enabling it automagically with one hop
> capabilities seems to me like not a good thing as the data being sent in
> the UPDATES is not optional and dropping it means dropping actual routes.
>
> So at the current time the subject draft took a management approach.
>
> Many thx,
> Robert.
>
> On Thu, Feb 24, 2022 at 2:04 AM John Scudder <jgs@juniper.net> wrote:
>
>> Further to this point:
>>
>> > On Feb 18, 2022, at 3:32 PM, John Scudder <jgs@juniper.net> wrote:
>> >
>> >> On Feb 17, 2022, at 3:19 AM, Ketan Talaulikar <ketant.ietf@gmail.com>
>> wrote:
>> >>
>> >>> 2. One area of concern I would have hoped IDR might have looked into
>> is, the
>> >>> document makes a creative use of the MPLS Label field of the NLRI to
>> carry the
>> >>> Function part of the SID. This means the SID is effectively split
>> across the
>> >>> NLRI and the Prefix-SID attribute. What are the potential error modes
>> if the
>> >>> Prefix-SID attribute should be lost from the route, while the NLRI is
>> retained?
>> >>>
>> >>> (An obvious way of addressing this particular concern would be to
>> define a new
>> >>> NLRI type with the desired semantics, instead of creatively
>> repurposing fields
>> >>> within an existing NLRI type contrary to their definitions. Such an
>> NLRI type
>> >>> would, for example, presumably state in its specification that if it
>> was
>> >>> received without an accompanying Prefix-SID attribute, that would
>> constitute an
>> >>> error.)
>> >>>
>> >> KT> This document follows the approach similar as taken for extending
>> MPLS EVPN RFC7432 by RFC8365.
>> >
>> > I take it you’re referring to RFC 8365 §5.1.3 which talks about using
>> the MPLS Label field (or MPLS1 Label field) to carry the VNI in the
>> presence of a BGP Encapsulation Extended Community? Yes, that seems like a
>> pretty close analogue. And given this particular trick is only with
>> VPN-type address families one can also argue that there’s not a risk of
>> affected routes leaking into the big-I Internet, which is the typical
>> associated concern.
>>
>> In a separate reply, the authors of
>> draft-lz-bess-srv6-service-capability-02 pointed out that it provides a
>> critique of bess-srv6-services which is similar to this discuss point. (The
>> authors dropped the IESG from the cc, so I’m following up here instead of
>> to their original note.)
>>
>> On first reading, the critique in
>> draft-lz-bess-srv6-service-capability-02 seems well argued and responsive
>> to my question above about potential error modes. In section 3 of their
>> draft, the authors provide a worked scenario where a VPN route carrying a
>> SRv6 service SID using the Transposition scheme, if received by an
>> MPLS-only PE, could result in misdelivered traffic. At minimum, that seems
>> worth surfacing in the Security Considerations section, since historically
>> we’ve considered misdelivered VPN traffic to be a Bad Thing that could
>> expose confidential information.
>>
>> The authors do acknowledge that bess-srv6-services proposes a mitigation:
>>
>>    To avoid these problems, [I-D.ietf-bess-srv6-services] specifies that
>>    implementations SHOULD provide a mechanism to control advertisement
>>    of SRv6-based BGP service routes on a per neighbor and per service
>>    basis.
>>
>> but they go on to argue that this mitigation isn’t fit for purpose:
>>
>>    The above method may be feasible in small-scale networks, but are not
>>    applicable to large-scale networks.
>>
>>    [etc]
>>
>> It’s not my preference to get into the minutiae of this argument as part
>> of this discuss. However, I’d like to ask: was this consideration something
>> the WG discussed? I looked for discussion of
>> draft-lz-bess-srv6-service-capability in the archives and didn’t find much —
>>
>> - When an earlier version was posted to the list it resulted only in
>> discussion between the original author, Liu Yao, and Eduard Metz, who
>> became co-author, but there wasn’t any discussion I saw of the actual issue
>> that the draft identified, but rather refinement of the mitigation it
>> proposes (which I don’t want to discuss in this note).
>> - There was an agenda slot request for the draft at IETF-111. It was on
>> the agenda in the “if time allows” section. I assume time did NOT allow
>> because I don’t see mention of it in the minutes. (I did find the slides,
>> slides 3 and 4 summarize the critique,
>> https://datatracker.ietf.org/meeting/111/materials/slides-111-bess-sessa-srv6-service-capability-00
>> ).
>>
>> But of course, the issue raised might have been discussed by the WG in a
>> different thread, that doesn’t match a search for
>> draft-lz-bess-srv6-service-capability. If so, I’d appreciate a pointer to
>> it.
>>
>> If there wasn’t any discussion in the WG of the authors’ critique, I
>> think it deserves to be discussed a bit as part of this thread. In
>> particular, does the “this is the same as the trick EVPN does in RFC 8365”
>> reply apply equally? Probably it does, although that might boil down to
>> “gosh, we should have caught this when publishing 8365, shouldn’t we?”
>>
>> Even if the outcome of the discussion is that the limitation was
>> discussed by the WG/isn’t a big deal because reasons/maybe it’s a big deal
>> but we’ll fix it in a followup… as I mentioned earlier, covering it in the
>> Security Considerations seems worthwhile.
>>
>> Thanks,
>>
>> —John
>
>

v2.23.0 | Report a Bug | By Email