[bess] Alvaro Retana's Discuss on draft-ietf-bess-nsh-bgp-control-plane-13: (with DISCUSS and COMMENT)

[Alvaro Retana via Datatracker <noreply@ietf.org>]

Alvaro Retana has entered the following ballot position for
draft-ietf-bess-nsh-bgp-control-plane-13: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-bess-nsh-bgp-control-plane/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

(1) Controllers and other nodes.

Background: This document defines the new SFC NLRI, which has two distinct
route types, originated by either a node hosting an SFI or a Controller.  Each
route type has a specific function and it is reasonable to expect that the
originators represent different nodes in the network, with different functions,
location, etc..  BGP Capabilities Advertisement doesn't have a route type
granularity; instead, a BGP speaker known to support the SFC NLRI could
originate any type of route.

The facts above open the possibility that any node in the network can originate
an SFPR and take over an SFP.  §3.2.2 does a very good job of explaining the
potential existence of multiple Controllers and even offers the appropriate tie
breaker to take control of the SFP: "MUST use the SFPR with the numerically
lowest SFPR-RD".

The document proposes no mitigation to the possibility of any node (a rogue
node, for example) issuing SFPRs.  The assumption (§2.2) of "BGP connectivity
between the Controllers and all SFFs" introduces also the ability to locate a
rogue controller anywhere; I interpret "BGP connectivity" to include the
presence of a router reflector (for example), which then allows distribution of
SFPRs without going through a central policy point.

On one hand I think this condition is a feature (the Controller can be
anywhere), but the case of a rogue node that wants to act as a controller is
not considered.

To address this issue, I would like to see text that (1) acknowledges the issue
(maybe in the security considerations section), and (2) discusses operational
considerations for the placement, control, filtering, etc. of Controllers and
the corresponding UPDATES from them and/or other nodes in the network.  IOW,
the considerations around proper initial setup of the system should be clear.

(2) New Flow Specification Traffic Filtering Action

§7.4 (Flow Spec for SFC Classifiers) defines a new Traffic Filtering Action to
be used with the Flow Specification NLRI.  rfc5775bis allows for any
combination of Traffic Filtering Actions to be present, but this document says
that "other action extended communities MUST NOT be present".  I believe that
specifying the use of treat-as-withdraw is ok as a case of Traffic Filtering
Action Interference -- I just say "ok" because it is not clear to me (nor
explained anywhere) why other Traffic Filtering Actions cannot be used; for
example, I could imagine rate-limiting the traffic into an SFP.

What concerns me more (and the reason for this DISCUSS point) is that
rfc5575-only implementations will not consider the new Traffic Filtering
Action, but could, depending on the components encoded in the NLRI, take
actions based on other Traffic Filtering Actions.  The result can then be an
inconsistent application of Traffic Filtering Actions in the network -- for
example, some nodes may want to drop the matching traffic (traffic-rate of 0),
while others may want to have the same traffic entering an SFP.

What are the operational considerations of using the new Traffic Filtering
Action in a network where "legacy" (rfc5575bis-only) nodes exist?  Is there a
potential migration path?  What might be the impact?  How can correct operation
be verified?

(3) Use of the Control Plane

This last point is not specifically for the authors, but for the Responsible AD
and the Chairs for the sfc WG (cc'd).

The SFPRs are built on, among other things, knowledge of the SFT(s) supported
at a specific node.  I note that only one Special Purpose SFT is defined in
this document.  The lack of SFT definitions means that no actual SFP can be
instantiated.  IOW, without additional work to define new SFTs it seems to me
that the control plane as specified in this document cannot be used. :-(

I couldn't find any related work (referencing this document) where new SFTs are
proposed/defined.  What are the plans to develop that work?  Is there interest
in the sfc WG to take advantage of the control plane?


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Non-blocking comments:

(1) I support Ben's DISCUSS point about the extension to the SFC Architecture.

(2) rfc7665/§5.2 (SFC Control Plane) lists the expected functionality provided
by the control plane.  The last two points in the list are not part of the
specification in this document, but there is no explanation why or if there is
an alternate mechanism -- these are those points:

   5.  Provides the metadata and usage information classifiers need so
       that they in turn can provide this metadata for appropriate
       packets in the data plane.

   6.  When needed, provide information including policy information to
       other SFC elements to be able to properly interpret metadata.

(3) Add a Normative reference to rfc4360 (BGP Extended Communities Attribute).

(4) §3.1.1/§3.1.2: The two new Extended Communities are defined as different
types.  Is it really necessary to request two different types, instead of one
type with sub-types?  The transitive space is not close to exhaustion, but
having a single type would make it easier for any future SFC-related extended
communities to be identified/grouped.  Just a thought...

(5) Operational Considerations: there are multiple pieces of the puzzle that
need to be coordinated, from RDs and RTs to pool identifiers and the assignment
of SFIs to pools...  It would be very nice if all the information that needs to
be operationally managed/provisioned was mentioned in a single place in the
document...and if recommendations for the operator where included.

(6) §3.2.1 says that "Each TLV may include sub-TLVs", but that is not always
true; for example, the length of the Association TLV is specified as being 12
(with no room for anything else).  This is a minor and easy issue to fix.

(7) §3.2.1: "Unknown TLVs SHOULD be ignored"  When would an unknown TLV not be
ignored?  IOW, why not use MUST?

(8) §3.2.1.1 specifies a series of errors in the Association TLV that result in
"SHOULD be ignored".  When would these values not be ignored, when would they
be useful?  IOW, why not use MUST?

(9) Please review §7.4 against the language used in rfc5575bis for consistency.
 For example "flow spec" is only used in the name of IANA registries or related
entries; Flow Specification is used instead.

(10) Please include a pointer to I-D.ietf-idr-tunnel-encaps somewhere in §7.5.

(11) I would really like to see a registry set up for the bits in the new
SPI/SI Representation sub-TLV.

(12) Other nits:

s/set to loopback address/set to the loopback address

s/[RFC4271] defines the BGP Path attribute./[RFC4271] defines BGP Path
attributes.