Re: [bess] Alvaro Retana's Discuss on draft-ietf-bess-nsh-bgp-control-plane-13: (with DISCUSS and COMMENT)
Alvaro Retana <aretana.ietf@gmail.com> Wed, 17 June 2020 16:21 UTC
Return-Path: <aretana.ietf@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28C3C3A09D6; Wed, 17 Jun 2020 09:21:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iFyIIPVQ3lle; Wed, 17 Jun 2020 09:21:05 -0700 (PDT)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F18EF3A09BE; Wed, 17 Jun 2020 09:21:04 -0700 (PDT)
Received: by mail-wr1-x42d.google.com with SMTP id t13so553371wrs.2; Wed, 17 Jun 2020 09:21:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc:content-transfer-encoding; bh=GvpWuhFkVfjC5yoK6d3BDzs321BsqQHLiBiIchXtssQ=; b=bbhtqPqV4SbU7wHgRfeZijh/StsNwdNNC/pmXzsIOBLV1wKgCg98Zw5MIT+lWB6C4p 4xcokkO5PKO6M8yGzqfZfjAJP6xr+HA+zs4XCkpWO69S0EGq+mcQ0Ocvbu4e2Qp4ZbKo cJLO13LJFSqJltBR7R5Jun0M27mtc/Xdluw7on8xwEaxpaArcVNOjmsupq3+apSQFCg8 JcdZ5/7K0lL17Ydva5HjJzPIlQf7LGl++gAan4+ui7lXmoOBUu0E73nPSv3PKmEk9o2j RXxW68HD6UcdNN6P0W/0LZ/hdRsNA6IQuibA7p/OPYdvRlAaQGqbjSB4C6fWzjRGx26n a/ig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc:content-transfer-encoding; bh=GvpWuhFkVfjC5yoK6d3BDzs321BsqQHLiBiIchXtssQ=; b=MWXWFgkoMynp8+DSxxDHldNoc4XT4GYMPLZJeETprCBOT5XgbpQqQgCyo3Z/WhGOJZ 9VX/4Ro0b0ZZ357gVCFEjsPG0ErLxvdZUdVrMuehzc4YePkrCUOtuiVKPo0EZGTQv6Iq dSkgN2LHO+qqwXCNXChDSxr0cH9wWQh+xEfB4F0Y3SDC+oX1rMGmS9YwLVUgAoHW08VV XHscxYP831XTwMB/NlS795WGlJdOtC1Sk/4G/kGuTkrL7T1GPI/VYefXEPrktsZDd6hQ WH3YCuzIP2niqC9Sh5+3NR3vhdLs+4nL07M7vMM1w0u0zPTYOnUyL01tFUjvEJAZpdvV N/aA==
X-Gm-Message-State: AOAM532Gpabhpyue+hyZOCO/ndJGp9Wfh8wa0knkgq4Rw6p2XIP1rpRt 6LE0vHPtFwvHUlg+cXZPLlCgm8wHohfc9cdG+PdrrgBJ
X-Google-Smtp-Source: ABdhPJz1XC2JGI/LZqNb6w9zrmfY6x/LSkvVbMRF8KVvWMTEbtpJ/pimkPx5neUtaVVyl8nQAFpRDIzmSXWRdNfZiQ0=
X-Received: by 2002:a5d:4385:: with SMTP id i5mr38156wrq.420.1592410863309; Wed, 17 Jun 2020 09:21:03 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Wed, 17 Jun 2020 09:21:02 -0700
From: Alvaro Retana <aretana.ietf@gmail.com>
In-Reply-To: <00a301d63787$89a36db0$9cea4910$@olddog.co.uk>
References: <157672423820.4788.15963554106411963869.idtracker@ietfa.amsl.com> <00a301d63787$89a36db0$9cea4910$@olddog.co.uk>
MIME-Version: 1.0
Date: Wed, 17 Jun 2020 09:21:02 -0700
Message-ID: <CAMMESswL8erpQfAs5rqv=y+pGWkWpjsUuWNOq5VzYVabd7JMJA@mail.gmail.com>
To: adrian@olddog.co.uk, The IESG <iesg@ietf.org>
Cc: bess-chairs@ietf.org, bess@ietf.org, draft-ietf-bess-nsh-bgp-control-plane@ietf.org, sfc-chairs@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/v1X7jLPlmavcD_3jzO0YSfkDS_U>
Subject: Re: [bess] Alvaro Retana's Discuss on draft-ietf-bess-nsh-bgp-control-plane-13: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2020 16:21:08 -0000
On May 31, 2020 at 4:10:35 PM, Adrian Farrel wrote: Adrian: Hi! > > DISCUSS: > > ------------------------------------------------------------- > > > > (1) Controllers and other nodes. ... > So, you are right and we are highlighting it in the security section, and > we can note the existing mitigations in a BGP-based routing system against > rogue players. You didn't explicitly say so, but it looks like this may be the added text: Similarly, there is a vulnerablity if a rogue or subverted controller announces SFPs especially if that controller "takes over" an existing SFP and changes its contents. This is corresponds to a rogue BGP speaker entering a routing system, or even to a Route Reflector becoming subverted. Protection mechanisms, as above, include securing BGP sessions and protecting software loads on the controllers. [nit] s/vulnerablity/vulnerability Authentication helps, but it doesn't stop an authenticated subverted node from taking over control of an SFP. Maybe I haven't been clear with my concern. I am concerned about authorization of the BGP speaker to even act as a controller -- this is akin to route origin validation: should a BGP speaker even be generating SFPRs? In "normal" BGP a mitigation against invalid origination is ingress filtering -- in this case, a mitigation might be for the operator to receive (using an access list, for example) SFPRs originated by only some nodes. > > (2) New Flow Specification Traffic Filtering Action ... > I said: > : Hmmm, we don't tent to explain why "MUST NOT" in our specifications. > : The reasoning here is that it would be highly confusing to mix and match > : SFC Classification with BGP routing. Perhaps I am wrong about that > : confusion. > : I think that when you program an SFC classifier, that is a single peer-to- > : peer communication targeted at an SFC Classifier. > : A 5575-only node will not be a classifier. > > You responded: > | I raised this point as a DISCUSS because the text is at odds with other > | standards track documents. That is the reason I'm asking for an > | explanation. You missed the second part of my response (to the last couple of sentences): You> I think that when you program an SFC classifier, that is a single peer-to-peer communication targeted at an SFC Classifier. A 5575-only node will not be a classifier. Me> That is the type of operational considerations that I would like to see the document include. That's all I'm looking for. By "isolating" the communication from potential rfc5575bis-only nodes you eliminate my concern. BTW, I didn't mention this before... You use both rfc5575 and I-D.ietf-idr-rfc5575bis as Normative references. rfc5575bis is already in the RFC Editor's queue, so you really only need that one. ... > > (3) Use of the Control Plane ... > And you said... > > | Everywhere I look at (§3.2, §4.3, for example) seems to indicate to me > | that an SFT is necessary in the definition of the SPF. I may of course be > | wrong or have missed where it clearly isn't. An example of how to do > | it would be very useful. > > We see a number of types discussed > - in this document > - RFC 7665 Ok...so you now added to the table in §10.5. Some of the new values are not defined in this document, please add references to where they are described. > - https://tools.ietf.org/html/draft-dawra-idr-bgp-ls-sr-service-segments-02#section-4.1 > - https://tools.ietf.org/html/draft-dawra-idr-bgp-ls-sr-service-segments-02#section-4.2 > > We have decided to group these all together and request population of the > registry in Section 10.5. > We are discussing with the authors of > draft-dawra-idr-bgp-ls-sr-service-segments precisely what we should include > and what they will ask for in their own draft. draft-dawra-idr-bgp-ls-sr-service-segments needs "service types" and "function identifiers" for purposes other than implementing this SFC control plane. I would still like to hear from the AD/sfc-chairs about whether there is interest in the sfc WG to take advantage of the control plane. > > COMMENT: > > --------------------------------------------------------------- ... > > (4) §3.1.1/§3.1.2: The two new Extended Communities are defined as > > different types. Is it really necessary to request two different types, > > instead of one type with sub-types? The transitive space is not close to > > exhaustion, but having a single type would make it easier for any future > > SFC-related extended communities to be identified/grouped. Just a > > thought... > > Yeah, that's an easy change. You're creating the new SFC Extended Community Sub-Types Registry, so you can go ahead and assign the TBD7/TBD8 values. Thanks! Alvaro.
- [bess] Alvaro Retana's Discuss on draft-ietf-bess… Alvaro Retana via Datatracker
- Re: [bess] Alvaro Retana's Discuss on draft-ietf-… Adrian Farrel
- Re: [bess] Alvaro Retana's Discuss on draft-ietf-… Alvaro Retana
- Re: [bess] Alvaro Retana's Discuss on draft-ietf-… Adrian Farrel
- Re: [bess] Alvaro Retana's Discuss on draft-ietf-… Alvaro Retana
- Re: [bess] Alvaro Retana's Discuss on draft-ietf-… Adrian Farrel
- Re: [bess] Alvaro Retana's Discuss on draft-ietf-… Alvaro Retana
- Re: [bess] Alvaro Retana's Discuss on draft-ietf-… Adrian Farrel
- Re: [bess] Alvaro Retana's Discuss on draft-ietf-… Alvaro Retana
- Re: [bess] Alvaro Retana's Discuss on draft-ietf-… Adrian Farrel
- Re: [bess] Alvaro Retana's Discuss on draft-ietf-… Adrian Farrel
- Re: [bess] Alvaro Retana's Discuss on draft-ietf-… Alvaro Retana