[Idr] Benjamin Kaduk's No Objection on draft-ietf-idr-bgp-ls-segment-routing-ext-15: (with COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Wed, 12 June 2019 18:54 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: idr@ietf.org
Delivered-To: idr@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 97302120044; Wed, 12 Jun 2019 11:54:40 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-idr-bgp-ls-segment-routing-ext@ietf.org, Susan Hares <shares@ndzh.com>, aretana.ietf@gmail.com, idr-chairs@ietf.org, shares@ndzh.com, idr@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.97.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <156036568060.13998.2374436950168046474.idtracker@ietfa.amsl.com>
Date: Wed, 12 Jun 2019 11:54:40 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/VUrGlqCipQcM49MNf6DJrGrpebU>
Subject: [Idr] Benjamin Kaduk's No Objection on draft-ietf-idr-bgp-ls-segment-routing-ext-15: (with COMMENT)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2019 18:54:41 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-idr-bgp-ls-segment-routing-ext-15: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-idr-bgp-ls-segment-routing-ext/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- -15 I agree with Mirja that mentioning the scope earlier in the document would be helpful (but will follow the discussion in her ballot thread). Basically, even though the SR Architecture is clear about the scope being limited to a trusted administrative domain, it's still helpful to remind the reader briefly at the start of the document that there is some expectation of trust to all participants receiving this information, and that it is not expected to leave into the broader Internet or generic BGP peers. Section 1 When Segment Routing is enabled in an IGP domain, segments are advertised in the form of Segment Identifiers (SIDs). The IGP link- state routing protocols have been extended to advertise SIDs and other SR-related information. IGP extensions are described in: IS-IS [I-D.ietf-isis-segment-routing-extensions], OSPFv2 [I-D.ietf-ospf-segment-routing-extensions] and OSPFv3 [I-D.ietf-ospf-ospfv3-segment-routing-extensions]. [...] nit: I think "described for" is more appropriate than "described in", which might suggest to the reader that these are part of the core protocols. Section 2.1.1 Length: Variable. Either 3 or 4 depending whether the value is encoded as a label or as an index/SID. nit: I think the secdir reviewer's concern might be alleviated by spelling these constants as 0x0003 and 0x0004. Section 2.1.2 Are the "SID/Label sub-TLV N" fields actually variable length? The description seems to be saying that we can only use the "label" variant encoding, which makes the overall length of the sub-TLV 7 bytes, always. Flags: 1 octet of flags as defined in [I-D.ietf-isis-segment-routing-extensions] for IS-IS. The flags are not currently defined for OSPFv2 and OSPFv3 and SHOULD be set to 0 and MUST be ignored on receipt. I agree with the other reviewers that the SHOULD here is surprising. Perhaps "Until the specification of flag value usage for OSPFv2 and/or OSPFv3 is defined, the flags MUST be set to zero and ignored on receipt"? The case for Reserved seems even more clear to mandate setting to zero. Section 2.1.3 Do the algorithm values need to appear in any specific order? The note about the maximum length being 256 seems to imply that duplicates are not expected, but I do not see any specific text forbidding them. Section 2.1.4 [Same comments as Section 2.1.2 about variable length sub-TLVs, and SHOULD/MUST] Section 2.2.1 The Adjacency SID TLV is used in order to advertise information related to an Adjacency SID. This information is derived from Adj- SID sub-TLV of IS-IS [I-D.ietf-isis-segment-routing-extensions], OSPFv2 [I-D.ietf-ospf-segment-routing-extensions] and OSPFv3 [I-D.ietf-ospf-ospfv3-segment-routing-extensions]. nit: I think this should be "Adj-SID sub-TLVs" plural. Weight: 1 octet carrying the weight used for load-balancing purposes. Maybe reference RFC 8402 for the weight semantics? (Otherwise we have to guess whether a larger value means to send more traffic vs. less traffic.) [Same comment about SHOULD/MUST for Reserved] Section 2.2.2 [same comment about Weight and SHOULD/MUST for Reserved] Do we want some IANA considerations and/or regisitry modifications to provide for any future BGP-LS Attribute TLVs that might be defined and be appropriate to include as sub-TLVs of the L2 Bundle Member Attribute TLV? Section 2.3.1 [same comment about SHOULD/MUST for Reserved] Section 2.3.3 The figure says "4 or 6 octet Router-ID"; should that bt "4 or 16" to match the body text? Section 2.3.4 [same comment about SHOULD/MUST for Reserved] It's a little weird to blandly cite the OSPF document for the Range Size definition and expect that to plainly transfer over to the IS-IS case as well. (Also, the linked document has three different usages for "Range Size"; I assume we mean the one in Section 4, "OSPF Extended Prefix Range TLV", since it's the right width, but it might be worth stating explicitly.) I didn't take the time to try to convince myself that the sub-TLV usage for prefix-to-SID mappings matches up with the statement that the length is "11 or 12 depending on Label or Index encoding of the SID", but I think the TLV overhead would push the length larger than 12. Section 5 The links for "required security and authentication mechanisms" are a little surprising, as those documents are the segment-routing-extensions documents for IS-IS and OSPF, respectively, and do not define the mechamisms themselves, rather referring to other document for the details of the security mechanisms. Furthermore, there seem to only be SHOULD-level requirements for authentication mechanisms, and only in certain cases (and only in the OSPFv2 document). So to say "the required mechanisms" here seems misleading, in that the set of *required* mechanisms seems to be the empty set. I always have a hard time accepting statements about "present no additional risk"; we are going from presenting "generic" link-state/prefix/node information across the BGP-LS domain to additionally presenting information about the SR topology and segment location/identifiers. So, one might concoct a scenario in which an attacker can learn about the internal SR configuration/topology based on the information conveyed by the mechanisms in this document, which is in some sense an "additional risk". That said, it is probably a minor one, given the expected scope of distribution.
- [Idr] Benjamin Kaduk's No Objection on draft-ietf… Benjamin Kaduk via Datatracker
- Re: [Idr] Benjamin Kaduk's No Objection on draft-… Ketan Talaulikar (ketant)