Re: [Idr] Benjamin Kaduk's Discuss on draft-ietf-idr-tunnel-encaps-20: (with DISCUSS and COMMENT)

John Scudder <jgs@juniper.net> Fri, 04 December 2020 01:35 UTC

Return-Path: <jgs@juniper.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82C0A3A1245; Thu, 3 Dec 2020 17:35:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level:
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b=b8vUQF4F; dkim=pass (1024-bit key) header.d=juniper.net header.b=hauSGC/3
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eXaT3NKbwvyv; Thu, 3 Dec 2020 17:35:21 -0800 (PST)
Received: from mx0b-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EB843A11FC; Thu, 3 Dec 2020 17:35:21 -0800 (PST)
Received: from pps.filterd (m0108157.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 0B41YkqS014368; Thu, 3 Dec 2020 17:35:20 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=AoSJyjeEE/Zh0HDOlzun3s17vF4a8DP4R8clwdUWxwc=; b=b8vUQF4FcHUAj9nUr3mzmvKx68PqUTmQ782Xm+DPKK2n40o2C4ODooxUBLdUfN24bTtT P03uKGFf0hdyLC2OcNuqOGtWkfVD58UYpHm5iEBkAuNkd4yTLMUYnjpJdZ6/5w4LT3hY 83hd+Aas99G49WchKRfcr/DcLqcOFwhkYhID3Nx0HDtLwaB08tsz4kzyPZOX25+EOwfO RnPiD9rPnoFuAq/zKNvFEot8u7X9RguBN36ZOkGXFvzmlaykhh2y/q1e/bCaQ6ZJXN7R qjT71xOFlnAFGdL9V/dLXsFYVmWCSfpB8pt4aLo43uC1erBSHFtS7M1VNAEmEf/IEOvU fw==
Received: from nam11-dm6-obe.outbound.protection.outlook.com (mail-dm6nam11lp2177.outbound.protection.outlook.com [104.47.57.177]) by mx0a-00273201.pphosted.com with ESMTP id 355vj1vx92-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 03 Dec 2020 17:35:19 -0800
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PzQZ1YnnjEX6Zt9C0y1Oja6RD6whi8sj6orF9eo1W1KV3yIi2ZrTJcQ9xhZRJQpkdOFsaM3PjXiJe+CJCO9D7WpnfXpqRKrdtBf3jNElKc2hvSNUFT57kY0zZ31gKIgSfAsQ4Qz/Q8qZvWyLNKGQbl1QPwCOHS7F1vM/XiVaLm21P2UQdxYzz0oMsO8M/TTNz+/FH3Crd0G7JQWE4eCKYHD9u2JQqs019QYlYoVJfh++dUpGte7EolaiXasJzCuQ9CT2XtEqR9dBymok8qfZWmsJHEtEeHtHWUnbYVGqI8wgXNSThYTuopiDKCcrDiUNdyorRVPxIAHssv6Y0SZevQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=AoSJyjeEE/Zh0HDOlzun3s17vF4a8DP4R8clwdUWxwc=; b=QUSnOX0lCimhRQN+7ddEEH4MFE++ReGDX+TqsqeJsz5Gk2rw4imyRl5GPhmrv7Hn4Qn9NmuQYgps6LAbIX4+BbULBNNyBG3hGrxk2ibWMWEaAd0jG/cVfDBiX4Z6BQrfr2qUfgoO28TkshZiTqEK52hivQ2qHa4oZKx3ZnuKg8lpQRCTq+A3MnjRNxBlgrp97r10hu1ja8gF7EItArsyU5M45lDb/dkt07zK89gUhMBbLfp9vCCkFZ72cLePmToSqoP9d5amil5pC7E86yNmY9tN81CbF5kPsVtgnqJzTbcdXUOoJAzVY/28jrZhl5icoGXuFIk5i/UdMHkFmMk1sw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=AoSJyjeEE/Zh0HDOlzun3s17vF4a8DP4R8clwdUWxwc=; b=hauSGC/3T9P06fz2lXev4Iz9CUjqKqiAAvK62oOXxRx6ojGlQjHB+MUQq9NhYBhdArGaVX8X8ANxaNiR7XSk1gv4rm+5hosdEdo3vBtvcFzO0wzuCre96tQM/m/RcOSnO6f/xjktdGc83B0cM+o0UMnFXRzkkstkNgEP3LnrFZ0=
Received: from MN2PR05MB6109.namprd05.prod.outlook.com (2603:10b6:208:c4::20) by MN2PR05MB6350.namprd05.prod.outlook.com (2603:10b6:208:d5::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3632.6; Fri, 4 Dec 2020 01:35:17 +0000
Received: from MN2PR05MB6109.namprd05.prod.outlook.com ([fe80::f91f:55f3:3130:d318]) by MN2PR05MB6109.namprd05.prod.outlook.com ([fe80::f91f:55f3:3130:d318%5]) with mapi id 15.20.3632.016; Fri, 4 Dec 2020 01:35:17 +0000
From: John Scudder <jgs@juniper.net>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: The IESG <iesg@ietf.org>, "draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@ietf.org>, "idr-chairs@ietf.org" <idr-chairs@ietf.org>, "idr@ietf.org" <idr@ietf.org>, "aretana.ietf@gmail.com" <aretana.ietf@gmail.com>, Hares Susan <shares@ndzh.com>
Thread-Topic: Benjamin Kaduk's Discuss on draft-ietf-idr-tunnel-encaps-20: (with DISCUSS and COMMENT)
Thread-Index: AQHWyA5X6afyebyui0SmqWUAtjHoCanmK1IA
Date: Fri, 04 Dec 2020 01:35:16 +0000
Message-ID: <9456ACB8-D843-41CD-9178-DBA0EA1D8EA7@juniper.net>
References: <160684669488.21585.5180075052177708759@ietfa.amsl.com>
In-Reply-To: <160684669488.21585.5180075052177708759@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.4)
authentication-results: mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=juniper.net;
x-originating-ip: [162.225.191.192]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 932beea2-1bfa-4867-ac01-08d897f4daec
x-ms-traffictypediagnostic: MN2PR05MB6350:
x-microsoft-antispam-prvs: <MN2PR05MB63507AFC8F92F3FC09008AB3AAF10@MN2PR05MB6350.namprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: bJsGEEid7cJZJNM+U/fhEbyOJs6ec7FEYq2TzXbsfUf0r8O4ggptb5US89oFfea0fjL4cWZIGBGImmLFrE4oIepKqsQIyxQ+UTrjdoKJzs8ejsHNIqsrSFDQWOrAC3EUMBa3jyPY7C9NsvhSeickci8/66+CpOxtBys2dv2XEAPEwvf8GaeoZUbOMHeoYoMo+qK2Y5LZCfzTg/XEY/kZMgAZXPS/ZAr0Njwe6goVt5QCuKAu7SmhU/SJqpjfQ6E3g+SMx++si2L1xR8KwnfHyxOO0OJvOh1GNy/ZaPHt2x6bhFrai7VChTRaYLzmgiH3tMqH+xks21foCXHC8IRObfwLbkRcPJjX8mcevNp8+a0ZbYGUKasDg5XfOBdHtTeg6kCiZmCEyxY/3yyVN/8M3zImp2ftOOHvfHBxytbLDqhoRJF9xhVF84uzV5WbHkCZ55GgM4QM3QiDoVXfd84XZQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR05MB6109.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(39860400002)(366004)(346002)(396003)(376002)(186003)(4326008)(8676002)(66574015)(6512007)(76116006)(54906003)(2906002)(83380400001)(8936002)(71200400001)(91956017)(316002)(66946007)(5660300002)(26005)(86362001)(6486002)(53546011)(478600001)(66556008)(6916009)(36756003)(6506007)(64756008)(30864003)(66446008)(966005)(33656002)(66476007)(2616005)(45980500001)(579004)(559001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: wAKk5YZbY2Q6EEdCYg1c3ean090rIWOnq83JPomv+0LgD/g+EUVhJHhvjNsGxu0ufrNkTYwsLzE5FkQWG9z3xLQGAC/QGBZIkmkpblACRxWNJSzmn++v0TlltA55hm3T0Yrs3LfmxbAgUY//Dt7MqoFvQ4NxFPEo2W+Xf2cMymGcm1w+4jidPbidCjQFlSRZxXvixFRso1abMv3wieASq+mpmrZysSmvfmZjnyXMYmPlms2UQ1Q571iCyKbuRS7F1C2k+a43lEAFGWK4WmhDTVhx0iZy7+mqxnJ8IraM9/RxWxV4pfpn89tDP6iyVOYABZmlJnSfWr6FOD2IDv23+PjoAO5h2DdzoGrquGczJy2AHiRs7iEMVLSqye8siTAVBSwH6n40JI4ntdEDUOqcp0n4WdKQGCsm7XjkwyyYUKGmY7jUowlh0cdMdXUhaHfhwSwVmSyh6WA6zOxA7nKHDZILTzoEtaDXv56G5lfxdxRtgGUiS0vh+/jr2c30gLMDzLTtgB9uAP6pRugFrn+j8mySJ/MMGdXLOLG7I1EzlomwaDN/6Cuyr4ePifWW+ha49BbmuoZ461JbIMZyY/5fm54SBqSiyBNjnX4RHdglLd87z/hfamr1xUEVVPX95iyi/zdCihcWuVm5yx7V2yKGYRdmiT52YidJg0VALvAIBNTFwaXMgyp7ivoYnMu2xBST39JEY+nxhc7EI3woL7vkrKfVnNyU+gxxfgxW3tjdQzw3+XZ2NRek2e3ArCmeQ4GRq8Kh+lM4zypz+5WzWPBF+rP1bXJn3VJuVrE9KrgWcxyXdMfU6l58+DGoi2ed2SBVvzj8iZLtzxtQ4a4EhmfNer1wXizGexLe/8xNL9hH+FtpuOU+U3o4LzKaLc6KxEPcirOT5n+nMtBxWilKSPtF5YJ+5ZJNpbjgydofVmBVynabCAEtjG5lQ5GSxaEuCqOwGqfrXGhvWDkipFTdtfFgOv0Ib1YfHZIoh21St2X1cl2Inij2dIyQEAFZfz+Eh1qr
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <EF55C4C361494046B0B8FCD27C46BFC1@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR05MB6109.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 932beea2-1bfa-4867-ac01-08d897f4daec
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Dec 2020 01:35:17.1714 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 0vElffsNrwPGNubfmScAj+Y9CjftneqAK6aXJmlHQCHPaBa3iMv3bfeTZzgKQYwN
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR05MB6350
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-12-03_15:2020-12-03, 2020-12-03 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 malwarescore=0 spamscore=0 phishscore=0 priorityscore=1501 clxscore=1015 lowpriorityscore=0 mlxlogscore=999 impostorscore=0 suspectscore=0 adultscore=0 mlxscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012040006
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/NpnbqKZWO3KSRKe58f9T1NlKHao>
Subject: Re: [Idr] Benjamin Kaduk's Discuss on draft-ietf-idr-tunnel-encaps-20: (with DISCUSS and COMMENT)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 01:35:34 -0000

Hi Benjamin,

Thanks for your detailed review. Sorry my response has taken longer than the others, that’s what you get when you send such a comprehensive set of comments :-). You should have seen how long it took us to respond to Alvaro’s initial review! Anyhow, my responses are below.

> On Dec 1, 2020, at 1:18 PM, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote:
> 
> [External Email. Be cautious of content]
> 
> 
> Benjamin Kaduk has entered the following ballot position for
> draft-ietf-idr-tunnel-encaps-20: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://urldefense.com/v3/__https://www.ietf.org/iesg/statement/discuss-criteria.html__;!!NEt6yMaO-gk!V6ZSnNHbpZSZrxPOIUPMT288dwgQIlfv1AnMX8u5GwjRGKj5VzXkTysVMfVqhA$
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-idr-tunnel-encaps/__;!!NEt6yMaO-gk!V6ZSnNHbpZSZrxPOIUPMT288dwgQIlfv1AnMX8u5GwjRGKj5VzXkTys5KSbgTg$
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> I support Erik's discuss.
> 
> I see that Roman has already suggested adding normative language
> regarding the limitation to a single administrative domain (in addition
> to the "MUST filter by default for EBGP sessions"), which I agree with.
> However, I think there is an additional consideration regarding the
> limitation of use to a single administrative domain, wherein the domain
> of use for the tunnel encapsulation attribute may diverge from the
> domain of use of segment routing, that seems to place this document in
> conflict with the requirements of RFC 8402.  In particular,
> RFC 8402 says, for SR-MPLS and SRv6, that boundary routers "MUST filter
> any external traffic", and additionally for SRv6 that "explicit routing
> information MUST NOT be leaked through the boundaries of the
> administrered domain".  In §3.7 of this document, though, we find that
> for the Prefix-SID sub-TLV, "the receiving BGP speaker need not even be
> in the same Segment Routing Domain as the tunnel's egress endpoint, and
> there is no implication that the prefix-SID for the advertised prefix is
> the same in the Segment Routing domains of the BGP speaker that
> originated the sub-TLV and the BGP speaker that received it", which
> seems to suggest violation of the RFC 8402 requirement.  I think we need
> to have greater clarity on what relationship is actually intended
> between the SR domain and the tunnel encapsulation usage domain, and if
> they are to diverge, we need to both somehow rectify this behavior with
> RFC 8402 and to very clearly document how the 8402-mandated filtering at
> the SR domain boundary is supposed to happen when the boundary includes
> tunneled traffic.

We’ll respond to this later, I need to discuss it with my coauthors and didn’t want to hold up the rest of the response any longer than I have.

> I also would like to ensure that we have had adequate discussion of the
> relationship between this document and RFC 8365.  The IESG has received
> comments recently (in the context of a different document) that it is
> irresponsible to effectively obsolete or deprecate existing work without
> identifying or explicitly updating such work, and without indicating
> whose responsibility it is to find discrepancies.  That seems like it
> might apply to what's currently in Appendix A, which on first reading
> suggests "there might be a problem here, but we aren't saying exactly
> what or how to fix it, or even who is going to do that work".

You and Sue are already discussing this one, we will await some conclusion to that discussion.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> It's good to see that the shepherd writeup got updated as things
> changed; thank you for keeping it up to date!
> 
> [I initially wrote some inline comments about handling internal
> inconsistencies within a given tunnel specification as malformed and
> ignoring the tunnel entirely vs specifying a precedence order (the
> latter being what this document does).  I removed them, because this
> seems to be a generic topic where security types tend to fail-closed and
> routing types tend to aim to provide some kind of service when possible,
> and I don't have anything new to add to the discussion for these
> particular cases.]
> 
> I didn't see a response to the secdir review; it would be good to get a
> response to that, in particular to hear what amount of consideration
> has been given to what new ways this provides to attack BGP.

Thanks for pointing that out, we hadn’t noticed it since it came along after the other ones. The question you’re referring to is,

"In a nutshell, the document deprecates one way of defining how to tunnel specific types of traffic, and then defines a different way to accomplish this. I'm not a BGP expert, and that's part of why it's taken me so long to respond. The main question I have is, does this introduce new ways to attack BGP, ways that have not already been considered?”

Since the question is focused on the BGP protocol itself, I think the short answer is “no”. The slightly longer answer is that if we broaden the question to mean, does it introduce new attacks that could be conducted using BGP as a vector, paragraph 2 of section 15 details the one we were able to identify, and paragraph 3 talks about mitigations. 

> Abstract
> 
>   of certain other SAFIs.  This document adds support for additional
>   Tunnel Types, and allows a remote tunnel endpoint address to be
>   specified for each tunnel.  This document also provides support for
> 
> The shepherd writeup suggests that the "remote tunnel endpoint"
> terminology was switched to be "tunnel egress endpoint"; was this spot
> missed?

It’s about to be moot since the abstract rewrite Éric spurred eliminates this text.

> Section 1.4
> 
>   o  Defining a new "Tunnel Egress Endpoint sub-TLV" (Section 3.1) that
>      can be included in any of the TLVs contained in the Tunnel
>      Encapsulation attribute.  This sub-TLV can be used to specify the
>      remote endpoint address of a particular tunnel.
> 
> ["remote endpoint" again]

I think lower-case “remote endpoint” is OK, it’s being used descriptively and not as the proper name of a protocol element. The thing that had the WG tearing their hair out was the latter.

If you think it’s confusing, let me know, but to my eye it’s OK. This is especially true since it’s merely a summary of changes, not protocol definition.

> Section 3.1
> 
> I agree with Martin V that there must be a story about this Reserved
> field and why it's only SHOULD send as zero.  I don't know whether this
> information needs to end up in the RFC but I think we should talk about
> why it is this way.  

See my reply to Martin.

> In particular, the current requirements suggest
> that it could be (mis?)used as an additional data channel by
> collaborating implementations (that ignore the "MUST be disregarded"),
> without actually writing up a specification for those semantics.

There’s already ample opportunity to stuff all manner of arbitrary bit strings into BGP Updates (for example, the Communities path attribute) so my first reaction to this is not to be concerned.

>   If the Address Family subfield has any value other than IPv4 or IPv6,
>   the Tunnel Egress Endpoint sub-TLV is considered "unrecognized" (see
> 
> We probably need to repeat the carve-out for the value 0 here, as well.
> (I dithered about remarking about the earlier "assumes that the Address
> Family is either IPv4 or IPv6" since the "one special case" is a few
> paragraphs later.)

Changed to “… if the Address Family subfield has any value other than IPv4, IPv6, or the special value 0…”

>   o  It can be determined that the IP address in the sub-TLV's address
>      subfield does not belong to the Autonomous System (AS) that
>      originated the route that contains the attribute.  Section 3.1.1
>      describes an optional procedure to make this determination.
> 
> This check seems highly important for the security of the system and
> should get called out in the security considerations.

Third paragraph of the Security Considerations section:

   In order to further mitigate the risk of diversion of traffic from
   its intended destination, Section 3.1.1 provides an optional
   procedure to check that the destination given in a Tunnel Egress
   Endpoint sub-TLV is within the AS that was the source of the route.

> Section 3.1.1
> 
>   sub-TLV is considered not to be valid.  In some cases a network
>   operator who controls a set of Autonomous Systems might wish to allow
>   a Tunnel Egress Endpoint to reside in an AS other than Route_AS;
>   configuration MAY allow for such a case, in which case the check
>   becomes, if Egress_AS is not within the configured set of permitted
>   AS numbers, then the Tunnel Egress Endpoint sub-TLV is considered to
>   be "malformed".
> 
> (nit?) maybe "the configured set of permitted AS numbers that contains
> Route_AS"?  The current wording implies that there can only be one such
> configured set and that it is used regardless of Route_AS, which does
> not seem right...

As it’s written right now, my reading is that the implementation MAY do either one of the things you say — provide a set of permitted aliases per AS, or provide a global set of trusted other ASes, or even both. The text is unspecific, and so the implementor is free to exercise creativity. I grant that creativity can be dangerous, but on the other hand I don’t want to overconstrain the implementor. 

> Section 3.2
> 
>   This section defines Encapsulation sub-TLVs for the following tunnel
>   types: VXLAN ([RFC7348]), NVGRE ([RFC7637]), MPLS-in-GRE ([RFC4023]),
>   L2TPv3 ([RFC3931]), and GRE ([RFC2784]).
> 
> Thanks for putting the links all in one place, here.  I, at least, would
> have benefited from also putting the links/references in the
> corresponding sections, but that is probably just a matter of style.

Added refs/links.

> Section 3.2.1
> 
>      R: The remaining bits in the 8-bit flags field are reserved for
>      further use.  They MUST always be set to 0 by the originator of
>      the sub-TLV.  Intermediate routers MUST propagate them without
>      modification.  Any receiving routers MUST ignore these bits upon a
>      receipt of the sub-TLV.
> 
> nit: spurious "a" in "upon a receipt" (and diffing this section against
> §3.2.2 it seems that maybe the "of the sub-TLV" is also superfluous?).

Thanks, fixed.

>   o  If the V bit is not set, and the BGP UPDATE message has AFI/SAFI
>      other than Ethernet VPNs (EVPN) then the VXLAN tunnel cannot be
>      used.
> 
> If this is intended to refer to SAFI 70 (from RFC 7432), I note that the
> IANA entry is named "BGP EVPNs".

Changed.

> [I also don't understand why it's okay for EVPN to not have a VN-ID when
> using the VXLAN tunnel, but assume that's just my ignorance.]

Mine, too. :-/ Perhaps one of my coauthors can follow up with the reason for this carveout.

> Section 3.2.2
> 
>      Reserved (two fields): MUST be set to zero on transmission and
>      disregarded on receipt.
> 
> (nit) I only see one field marked "Reserved" (this format is the same
> layout as for VXLAN).

Fixed.

>   o  The values of the V, M, and R bits are NOT copied into the flags
>      field of the NVGRE header.  The flags field of the VXLAN header is
>      set as per [RFC7637].
> 
> (nit) stray "VXLAN"?

Fixed.

> Section 3.2.5
> 
>   While it is not really necessary to have both the GRE and MPLS-in-GRE
>   tunnel types, both are included for reasons of backwards
>   compatibility.
> 
> It might be nice to have a few more words about which one is the
> "backward compatible" option and what it's compatible with.

Now says:

   Although the MPLS-in-GRE tunnel type is just a special case of the
   GRE tunnel type and thus is not strictly necessary, it is included
   for reasons of backwards compatibility with, for example,
   implementations of [RFC8365].

> Section 3.3
> 
>   If an outer Encapsulation sub-TLV occurs in a TLV for a Tunnel Type
>   that does not use the corresponding outer encapsulation, the sub-TLV
>   MUST be treated as if it were an unknown type of sub-TLV.
> 
> nit: this is the only instance of "unknown" in the document; using
> "unrecognized" seems to be the common case (and makes it easier to find
> Section 13).

Fixed.

> Section 3.3.1
> 
> I think we may need to discuss the semantics of the DS field here -- as
> I understand it, the attribute advertised in this TLV is the DSCP value
> that the BGP speaker would like to receive in traffic destined to the
> tunnel egress endpoint (which may be a different node than the BGP
> speaker itself, but is expected to be under the control of the same
> administrative entity).  Additionally, the interpretation of DSCP values
> is subject to local interpretation on a given network.  Since the tunnel
> encapsulation attribute is transitive, it will be propagated potentially
> across multiple BGP hops and multiple ASes, so that the tunnel ingress
> endpoint is not necessarily adjacent to the tunnel egress endpoint.
> Although we do say that we expect the tunnel encapsulation information
> to only be propagated within an administrative boundary, there is no
> guarantee that the administrative boundary in question uses a unified
> DSCP handling procedure throughout it.  As such, it may be possible to
> end up in a regime where the requested DSCP codepoint has a different,
> and potentially hazardous, interpretation, at the ingress of the tunnel.
> So, it seems that we need to say something about either local policy for
> DSCP value filtering, or only using this value when "directly" connected
> to the egress AS, or similar; we do have something like this already for
> the TC portion of the MPLS label stack entries.

How about this?

   Because the interpretation of the DSCP field at the recipient may be
   different from its interpretation at the originator, an
   implementation MAY provide a facility to use policy to filter or
   modify the DS Field.

> Section 3.5
> 
>   labeled address family, then the sub-TLV MUST be disregarded.  If the
>   sub-TLV is contained in a TLV whose Tunnel Type does not have a
>   virtual network identifier in its encapsulation header, the sub-TLV
>   MUST be disregarded.  In those cases where the sub-TLV is ignored, it
>   SHOULD NOT be stripped from the TLV before the route is propagated.
> 
> Why only SHOULD NOT here?  I thought we hat MUST-level requirements to
> preserve things unchaged in similar situations.

I can’t think of any good reason. Changed to MUST NOT.

> Section 4.1
> 
>   In the remainder of this specification, when a route is referred to
>   as containing a Tunnel Encapsulation attribute with a TLV identifying
>   a particular Tunnel Type, it implicitly includes the case where the
>   route contains a Tunnel Encapsulation Extended Community identifying
>   that Tunnel Type.
> 
> I searched the entire document for the string "identifying" and did not
> find any instances where a route was referred to as containing a Tunenl
> Encapsulation attribute with a TLV identifying a particular tunnel type.
> Perhaps I should be looking for the "attribute" keyword, but there are
> over 200 instances of that string; could you confirm whether this
> implicit inclusion is actually used anywhere (and if so, give an example
> of such usage)?

I’m a little confused here. We could certainly re-word this some other way, but the “identifying” language is used in many other places. A quick search finds:

   A TLV identifying a particular Tunnel Type may contain a sub-TLV that
   is meaningless for that Tunnel Type.  For example, perhaps the TLV
...
   If the MPLS Label Stack sub-TLV is included in a TLV identifying a
   Tunnel Type that uses virtual network identifiers (see Section 9),
...
   Note that this sub-TLV can appear within a TLV identifying any type
   of tunnel, not just within a TLV identifying an MPLS tunnel.
   However, if this sub-TLV appears within a TLV identifying an MPLS
   tunnel (or an MPLS-in-X tunnel), this sub-TLV plays the same role
…
   The Prefix-SID sub-TLV can occur in a TLV identifying any type of
   tunnel.  If an Originator SRGB is specified in the sub-TLV, that SRGB
…
   If the TLV identifying the tunnel contains an Encapsulation sub-TLV
   whose V bit is set, the virtual network identifier field of the
…
   If the TLV identifying the tunnel contains an Encapsulation sub-TLV
   whose V bit is set, the virtual network identifier field of the
…
   If the TLV identifying the tunnel does not contain an Encapsulation
   sub-TLV whose V bit is set, the virtual network identifier field of

Is it the association with the word “route” that’s bugging you, or can you otherwise be more specific? If a short call would make it easier to explain, that’s fine.

> Section 6
> 
>   [RFC5512] specifies the use of the Tunnel Encapsulation attribute in
>   BGP UPDATE messages of AFI/SAFI 1/7 and 2/7.  That document restricts
>   the use of this attribute to UPDATE messages of those SAFIs.  This
>   document removes that restriction.
> 
> I believe another reviewer commented on the ambiguity of "that", which I
> first thought referred to "this" vs "that"; I now see that there is
> additional ambituity as to whether it is the SAFI restriction or the
> UPDATE message restriction that is lifted, and suggest clarification
> of that as well.

Resolved by removing the paragraph entirely — in the spirit of Éric’s observation that ancient history didn’t need to be in the abstract, it doesn’t need to be here, either. It’s enough that the following (now first) paragraph of Section 6 says what AFI/SAFI the attribute MAY be carried with.

>   Once it is determined to send a packet through the tunnel specified
>   in a particular Tunnel TLV of a particular Tunnel Encapsulation
>   attribute, then the tunnel's egress endpoint address is the IP
>   address contained in the sub-TLV.  If the Tunnel TLV contains a
> 
> nit: I think we have to say "Tunnel Egress Endpoint sub-TLV"; the use of
> the definite article is not justified by the preceding context.

Fixed.

> Section 8
> 
>   However, suppose that one of the TLVs in U2's Tunnel Encapsulation
>   attribute contains the Color Sub-TLV.  In that case, packet P MUST
>   NOT be sent through the tunnel contained in that TLV, unless U1 is
>   carrying the Color Extended Community that is identified in U2's
>   Color Sub-TLV.
> 
> We should probably reword this in light of Section 13's discussion that
> a given Tunnel TLV can have more than one Color sub-TLV present.

Now says:

   However, suppose that one of the TLVs in U2's Tunnel Encapsulation
   attribute contains one or more Color Sub-TLVs.  In that case, packet
   P MUST NOT be sent through the tunnel contained in that TLV, unless
   U1 is carrying a Color Extended Community that is identified in one
   of U2's Color Sub-TLVs.

> Section 9.2
> 
>   Three of the tunnel types that can be specified in a Tunnel
>   Encapsulation TLV have virtual network identifier fields in their
>   encapsulation headers.  In the VXLAN encapsulation, this field is
>   called the VNI (Virtual Network Identifier) field; in the NVGRE
>   encapsulation, this field is called the VSID (Virtual Subnet
>   Identifier) field.
> 
> We start off by saying "three" types but list only two.  What's the
> third type?

On the cutting room floor. Thanks, I’ve updated this to say “two”.

> Section 9.2.2.2
> 
>   If the TLV identifying the tunnel does not contain an Encapsulation
>   sub-TLV whose V bit is set, the virtual network identifier field of
>   the encapsulation header is set as follows:
> 
> This perhaps sets us up for a nasty surprise in light of the
> error-handling behavior in §13, where we are supposed to disregard the
> second and subsequent instances of the Encapsulation sub-TLV.  This
> language is not particularly clear about whether it applies to only the
> first sub-TLV or all instances.

I see. To me, it’s clear that “disregarded” means “every other procedure in this specification should pretend the disregarded sub-TLV doesn’t exist”; in that context I think the language is clear as written.

If there’s a fix to be made (on which subject I’m open to further discussion) I think it’s in Section 13. I think my first offer on the fix would be to insert a definition like the one above.

>   o  If the TLV does not contain an Embedded Label Handling sub-TLV, or
>      if it contains an Embedded Label Handling sub-TLV whose value is
>      2, the embedded label is copied into the lower 3 octets of the
>      virtual network identifier field of the encapsulation header.
> 
> nit: I think "lower" is unneeded, since all the VNI fields are exactly 3
> octets now.

Fair point, but since “lower” is harmless and potentially useful if there’s a future extension with a different size VNI, I think it’s OK to let it stand.

> Section 10
> 
>   Note that if the Tunnel Encapsulation attribute is attached to a VPN-
>   IP route [RFC4364], and if Inter-AS "option b" (see section 10 of
>   [RFC4364]) is being used, and if the Tunnel Egress Endpoint sub-TLV
>   contains an IP address that is not in same AS as the router receiving
>   the route, it is very likely that the embedded label has been
>   changed.  [...]
> 
> I'm not sure that I'm understanding this scenario properly.  The label
> has been "changed" with respect to what baseline?  I'm also not sure why
> the tunnel egress endpoint would need to be in the same AS as the router
> receiving (vs originating) the route.

Option B always makes my head hurt, but as I recall the point here is that in Option B, the VPN label gets rewritten at the AS border. Since the Tunnel Encapsulation attribute sneaks right past that rewrite step, the procedures would be messed up, and we all know what happens when you cross the beams. 

The point about the egress endpoint and the router receiving the route is a restatement of the same point. Essentially the two ASes comprise different namespaces with respect to VPN labels. In Option B, mapping between the namespaces is done at the border. So, if you remain in the same namespace, i.e. don’t cross an AS border, it’s all good and you can use the Tunnel Encapsulation attribute. But if you change namespaces, it all goes pear-shaped because you’ve bypassed the mapping.

>   Other documents may define other ways to signal tunnel information in
>   BGP.  For example, [RFC6514] defines the "P-Multicast Service
>   Interface Tunnel" (PMSI Tunnel) attribute.  In this specification, we
>   do not consider the effects of advertising the Tunnel Encapsulation
>   Attribute in conjunction with other forms of signaling tunnels.  Any
>   document specifying such joint use should provide details as to how
>   interactions should be handled.
> 
> It seems like we should perhaps go a step further and explicitly
> recommend not advertising such combinations in the absence of a
> specification for their combined use?  Otherwise implementations will
> have to come up with their own interpretations, which could easily be
> uninteroperable.

Fair point. I changed “should” to “MUST”. Clear enough?

> Section 13
> 
>   The following sub-TLVs defined in this document MUST NOT occur more
>   than once in a given Tunnel TLV: Tunnel Egress Endpoint (discussed
>   below), Encapsulation, DS, UDP Destination Port, Embedded Label
>   Handling, MPLS Label Stack, Prefix-SID.  [...]
> 
> Ah, thanks for listing these out.  I had been wondering about this
> situation earlier in the doc, and it would have helped if the "not more
> than once" limitation was mentioned at each sub-TLV's definition (even
> if the actual error handling stays here).

An earlier reviewer pointed out the perils and pitfalls of specifying things in more than one place and there was actually a pass to try to eliminate redundancy. (I’m sure we missed plenty.) 

I can see the merits of both positions, I’m willing to bend either way, but for now will leave the text as written.

> Section 14.3
> 
> Why do we only move "BGP Tunnel Encapsulation Attribute Sub-TLVs" (but
> not "BGP Tunnel Encapsulation Attribute Tunnel Types") to the new "BGP
> Tunnel Encapsulation Parameters" grouping?

I think that was an oversight, thanks for catching it. I added a subsection to move it.

> Section 14.9
> 
> It might be useful to indicate in the registry metadata how many flags
> are available (and, I suppose, in which order the bits are numbered).

Updated.

> Section 15
> 
> We briefly discuss in the main body text the possibility that a tunnel
> will direct encapsulated traffic with (e.g) MPLS labels to a node that
> will misinterpret those labels; it might be worth reiterating the risk
> of such misinterpretation in the security considerations as well (or
> just referencing the previous discussion as security-relevant).

Thanks, I added a paragraph.

> I guess there's also a theoretical possibility that the flexibility in
> tunnel specification (including the type of expected content) could
> facilitate cross-protocol attacks, where the attacker causes the sender
> and recipient of encapsulated traffic to think that they should
> interpret the records in question as different protocols.  But this
> seems so remote, and unlikely to succeed given different protocols'
> message structure, that it is probably not worth mentioning.

Roger wilco. Not mentioned! :-)

> Section 18.2
> 
> If we're using RFC 5462 as a reference for a field in an MPLS label,
> that seems to make it normative.
> 
> We seem to depend on procedures from RFC 6811 in a few places, which
> also seems to make it normative.

Both moved.

Regards,

—John