Re: [Idr] Benjamin Kaduk's Discuss on draft-ietf-idr-tunnel-encaps-20: (with DISCUSS and COMMENT)

Alvaro Retana <> Thu, 17 December 2020 21:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 198393A1049; Thu, 17 Dec 2020 13:45:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cIVtgyx_Cyyc; Thu, 17 Dec 2020 13:45:25 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::634]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 066653A1044; Thu, 17 Dec 2020 13:45:25 -0800 (PST)
Received: by with SMTP id ce23so203091ejb.8; Thu, 17 Dec 2020 13:45:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=LFy+4I0qwetezxLVY1rYxUa/7nTWwr4dVfD5VNszEC4=; b=sMW4kLVvGyoEKngrxSpiinv2MGhC3RPVWNJ0X/nnZ7t1G8/l2FJ8uUT5FQwO8EWh+Z r2Bx6ffJG80f/XceyD//TgnUlWqDIntfQQwFJrsmmkIpjCadHCZvFDhWbiZy3qKuwLys NovXnvFFSxJep7Q9ts4qSbuF+48P68zu7H4aJUe6Z2ZIjvGoe8xMeV+Ve1TOr1U4D+LY bCRa6IFL3rNHyTHnsferpPpNxnHxoN1A0UnXS7uEEdJpPaGeJdLinBDCdMPr2IJLNGWr dOpm+BtyWY8zcgM7oVkZGJSYPJu8kfhDLHRFV9CFQRRXyfTicH+aH6wyrzqX4j8dEfmU BTEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=LFy+4I0qwetezxLVY1rYxUa/7nTWwr4dVfD5VNszEC4=; b=azeV6gQGKwIX5nw5RriViLiY7ZqDIbbnVGLU1zJbMBLMybe6vjBLBxJOmRe2qPXf86 gZBxBx8HIov1jIZRGnhBqkmhNo192ugykW5zENfYNDXmIxAEs9bNwr5hGGoPIfRd2Ib0 PWPQTh3zWq7OeHA26qvn0t89dqh5YfZvSHwqNj4DZ9oBcA7wGNZnXFiovcoCWas31UZp CB4EtaOIWPi7GRbQT0LJpvJkBMh0Ub7ekLvrUPRk6HMYMl4ozAAgRG+13R2j9BA2Nmca 0pabeORbCsEeHP900CQJ4GiQ1w4W3YFNQZqQIjYI4XS5aJBqYbuBx7jLLqfzh290KPCj GEaQ==
X-Gm-Message-State: AOAM532Fe9xKXLjz4kqD7OegaQUsn0BBUFGPE/OY8AzGflj2IiafxXEv P0/GT08p0IxoBhUG9/bFrvVLO/nPKQpVFkgmZOY=
X-Google-Smtp-Source: ABdhPJwnH7/pN++u6yDdE3GxpTmafKzLzuJTZh6THjuwpJQPtack/AZmATgPM4/mCHuUz4VcP4UqH0begnZCNAJCDM8=
X-Received: by 2002:a17:906:cf81:: with SMTP id um1mr1094308ejb.122.1608241523634; Thu, 17 Dec 2020 13:45:23 -0800 (PST)
Received: from 1058052472880 named unknown by with HTTPREST; Thu, 17 Dec 2020 16:45:23 -0500
From: Alvaro Retana <>
In-Reply-To: <>
References: <> <> <> <>
MIME-Version: 1.0
Date: Thu, 17 Dec 2020 16:45:23 -0500
Message-ID: <>
To: John Scudder <>, Benjamin Kaduk <>
Cc: Hares Susan <>, "" <>, The IESG <>, "" <>, "" <>
Content-Type: multipart/alternative; boundary="000000000000bab69605b6afe869"
Archived-At: <>
Subject: Re: [Idr] Benjamin Kaduk's Discuss on draft-ietf-idr-tunnel-encaps-20: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 17 Dec 2020 21:45:27 -0000



Any thoughts on this?



On December 11, 2020 at 10:43:40 AM, John Scudder ( wrote:

Hi Ben,

In this reply I’ll just address your open Discuss:

On Dec 4, 2020, at 12:08 AM, Benjamin Kaduk <> wrote:


I support Erik's discuss.

I see that Roman has already suggested adding normative language
regarding the limitation to a single administrative domain (in addition
to the "MUST filter by default for EBGP sessions"), which I agree with.
However, I think there is an additional consideration regarding the
limitation of use to a single administrative domain, wherein the domain
of use for the tunnel encapsulation attribute may diverge from the
domain of use of segment routing, that seems to place this document in
conflict with the requirements of RFC 8402.  In particular,
RFC 8402 says, for SR-MPLS and SRv6, that boundary routers "MUST filter
any external traffic", and additionally for SRv6 that "explicit routing
information MUST NOT be leaked through the boundaries of the
administrered domain".  In §3.7 of this document, though, we find that
for the Prefix-SID sub-TLV, "the receiving BGP speaker need not even be
in the same Segment Routing Domain as the tunnel's egress endpoint, and
there is no implication that the prefix-SID for the advertised prefix is
the same in the Segment Routing domains of the BGP speaker that
originated the sub-TLV and the BGP speaker that received it", which
seems to suggest violation of the RFC 8402 requirement.  I think we need
to have greater clarity on what relationship is actually intended
between the SR domain and the tunnel encapsulation usage domain, and if
they are to diverge, we need to both somehow rectify this behavior with
RFC 8402 and to very clearly document how the 8402-mandated filtering at
the SR domain boundary is supposed to happen when the boundary includes
tunneled traffic.

We’ll respond to this later, I need to discuss it with my coauthors and
didn’t want to hold up the rest of the response any longer than I have.

Sounds good.  I am not surprised that this one is going to require more
discussion; it seems like a tricky task to figure out the right thing to

We did a review of RFC 8402’s definition of an “SR domain”. Here’s 8402,
from the Terminology section, emphasis added:

   Segment Routing domain (SR domain): the set of nodes participating in
   the source-based routing model.  These nodes may be connected to the
   same physical infrastructure (e.g., a Service Provider's network).
   *They may as well be remotely connected to each other (e.g., an*
   *enterprise VPN or an overlay).*  If multiple protocol instances are
   deployed, the SR domain most commonly includes all of the protocol
   instances in a network.  However, some deployments may wish to
   subdivide the network into multiple SR domains, each of which
   includes one or more protocol instances.  It is expected that all
   nodes in an SR domain are managed by the same administrative entity.

Other parts of 8402 imply other properties of an SR domain. One is that all
the participating routers share a Prefix-SID namespace (this is my
interpretation, not the wording of 8402), another is the text in Section
8.1 you quote above, about filtering external traffic.

The text that bothered you in tunnel-encaps (“need not even be in the same
Segment Routing Domain”) was directed only toward the namespace aspect: the
two ends of the tunnel may be using different prefix-SID namespaces. But as
we see above, the namespace isn’t a defining attribute of the SR domain.
So, I think the best way forward is to strike the offending text from
tunnel-encaps. The paragraph stands just as well (arguably better) without

   The Prefix-SID sub-TLV has slightly different semantics than the
   Prefix-SID attribute.  When the Prefix-SID attribute is attached to a
   given route, the BGP speaker that originally attached the attribute
   is expected to be in the same Segment Routing domain as the BGP
   speakers who receive the route with the attached attribute.  The
   Label-Index tells the receiving BGP speakers what the prefix-SID is
   for the advertised prefix in that Segment Routing domain.  When the

   Prefix-SID sub-TLV is used, the receiving BGP speaker need not even

   be in the same Segment Routing Domain as the tunnel's egress
endpoint, and there is no implication that the prefix-SID for the
   advertised prefix is the same in the Segment Routing domains of the
   BGP speaker that originated the sub-TLV and the BGP speaker that
   received it.

We’d also add something like the following to the Security Considerations

   RFC 8402 specifies that "SR domain boundary routers MUST filter any
   external traffic" ([RFC 8402] Section 8.1). For these purposes,
   traffic introduced into a SR domain using the Prefix-SID sub-TLV lies
   within the SR domain, even though the prefix-SIDs used by the routers
   at the two ends of the tunnel may be different, as discussed in
   Section 3.7. This implies that the duty to filter external traffic
   extends to all routers participating in such tunnels.

What do you think?