IETF Logo Mail Archive

Re: [Idr] Mirja Kühlewind's No Objection on draft-ietf-idr-bgp-ls-segment-routing-ext-15: (with COMMENT)

"Ketan Talaulikar (ketant)" <ketant@cisco.com> Fri, 31 May 2019 10:35 UTC

Return-Path: <ketant@cisco.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9611A12001A; Fri, 31 May 2019 03:35:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=iwnDP38W; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=Y4aBqJvb
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NzsdSDERUbS8; Fri, 31 May 2019 03:35:27 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3166120019; Fri, 31 May 2019 03:35:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6232; q=dns/txt; s=iport; t=1559298927; x=1560508527; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=ORsobfJNQ//wecjGx7LfDvJEeIQnMn4FRpQuCGAH9Yg=; b=iwnDP38Wp8n0MgQWcy9JMpm11TgzK2FeGmwbhdNz1SnZYttRr6FJYhgr NN6nfC8PjfHtiP54cqBCU13I5f/L11lVqthRAc3jlRMLqZag/m3kafEl/ 9g+hGmFCJdmN3Wg6D9ib5xpDDOaXHlZCby5ByltlkYs78fkThsXdpvmgu o=;
IronPort-PHdr: 9a23:eV1WDhxBE1N6Zy7XCy+N+z0EezQntrPoPwUc9psgjfdUf7+++4j5YR2N/u1j2VnOW4iTq+lJjebbqejBYSQB+t7A1RJKa5lQT1kAgMQSkRYnBZuGBFHyKuLCZC0hF8MEX1hgrDm2
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AXAACWAvFc/4YNJK1lGwEBAQEDAQEBBwMBAQGBUQYBAQELAYE9JCwDaVUgBAsoCoQKg0cDhFKKIIJXfohEjW2BLhSBEANUCQEBAQwBASUIAgEBhEACF4JtIzQJDgEDAQEEAQECAQRtHAyFSgEBAQQSEREMAQE3AQsEAgEIEQQBAQMCJgICAh8RFQUDCAIEAQ0FCBqDAYFqAx0BDp8lAoE4iF9xgS+CeQEBBYFGQYJ/DQuCDwMGgQwoAYtVF4FAP4ERRoIXNT6CGkcCAQIBgSoBCwcBIYMIMoImi02CGy2ZeyY+CQKCDYY9iQcEg3+CIYZwjVODHYlchwmBX40uAgQCBAUCDgEBBYFPOEQjWBEIcBWDJ4IPDBcUgzmFFIU+AXIBgSiLAQ8XgQsBgSABAQ
X-IronPort-AV: E=Sophos;i="5.60,534,1549929600"; d="scan'208";a="278168736"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 31 May 2019 10:35:25 +0000
Received: from XCH-ALN-006.cisco.com (xch-aln-006.cisco.com [173.36.7.16]) by alln-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id x4VAZPWJ021714 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 31 May 2019 10:35:25 GMT
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by XCH-ALN-006.cisco.com (173.36.7.16) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 31 May 2019 05:35:24 -0500
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 31 May 2019 06:35:23 -0400
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Fri, 31 May 2019 05:35:22 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ORsobfJNQ//wecjGx7LfDvJEeIQnMn4FRpQuCGAH9Yg=; b=Y4aBqJvbSyW93RxJeKEyp7ZQnDAwKJcGdlKbF8iHGDIR707r+AbCekAhcN83hqWkty0zftvT/t0rl/70O7MKNWUntmp/3WdW70j1nZwu4cy7m+6Vza6auWkxTGLncEUP3zd7N45X2qkoAlz36qqd7IAjFUZ9rauGXDGQY10j09E=
Received: from DM5PR11MB2027.namprd11.prod.outlook.com (10.168.103.22) by DM5PR11MB1355.namprd11.prod.outlook.com (10.168.103.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1922.18; Fri, 31 May 2019 10:35:20 +0000
Received: from DM5PR11MB2027.namprd11.prod.outlook.com ([fe80::1487:6a62:8e05:d2c4]) by DM5PR11MB2027.namprd11.prod.outlook.com ([fe80::1487:6a62:8e05:d2c4%2]) with mapi id 15.20.1922.021; Fri, 31 May 2019 10:35:20 +0000
From: "Ketan Talaulikar (ketant)" <ketant@cisco.com>
To: Mirja Kühlewind <ietf@kuehlewind.net>, The IESG <iesg@ietf.org>
CC: "draft-ietf-idr-bgp-ls-segment-routing-ext@ietf.org" <draft-ietf-idr-bgp-ls-segment-routing-ext@ietf.org>, Susan Hares <shares@ndzh.com>, "aretana.ietf@gmail.com" <aretana.ietf@gmail.com>, "idr-chairs@ietf.org" <idr-chairs@ietf.org>, "idr@ietf.org" <idr@ietf.org>
Thread-Topic: Mirja Kühlewind's No Objection on draft-ietf-idr-bgp-ls-segment-routing-ext-15: (with COMMENT)
Thread-Index: AQHVF5X22go988fAYUe/ihOetoND8KaFAdow
Date: Fri, 31 May 2019 10:35:20 +0000
Message-ID: <DM5PR11MB2027F604F6C948C2A0A23B3FC1190@DM5PR11MB2027.namprd11.prod.outlook.com>
References: <155929607688.6602.7399415179534572381.idtracker@ietfa.amsl.com>
In-Reply-To: <155929607688.6602.7399415179534572381.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ketant@cisco.com;
x-originating-ip: [72.163.220.17]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 17dfaaf2-5eff-4f8a-4211-08d6e5b3ae76
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM5PR11MB1355;
x-ms-traffictypediagnostic: DM5PR11MB1355:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <DM5PR11MB1355B9C266E9ED358A8AE563C1190@DM5PR11MB1355.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 00540983E2
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(376002)(366004)(396003)(39860400002)(136003)(199004)(189003)(13464003)(74316002)(186003)(76176011)(55016002)(110136005)(7696005)(66574012)(256004)(2906002)(53546011)(68736007)(102836004)(86362001)(54906003)(478600001)(6436002)(4326008)(52536014)(5660300002)(11346002)(224303003)(25786009)(6306002)(9686003)(64756008)(966005)(66446008)(66556008)(6506007)(66476007)(99286004)(305945005)(81156014)(486006)(14454004)(66946007)(6116002)(53936002)(66066001)(81166006)(26005)(316002)(446003)(33656002)(7736002)(71190400001)(6246003)(3846002)(476003)(14444005)(229853002)(8936002)(76116006)(71200400001)(73956011); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR11MB1355; H:DM5PR11MB2027.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: g5KoP+eGvk/yAb8eBzhjHPAoWmM2Hl5AnYO391Lc8pMkhiujOZFWqXZfaBnrCOmk+T98jTJcW1FsTN2Bj75x90KviTv/oN9wLknNSIjgD+4wEofPSCJb9kQGm4cjiDm7Nldn4TeSQmNg3hv0A/UOke4Lv6wTQgftmEuaZS07nlxSNzbaSxVMTF2Qbhtsm6+6rToneG7ePNH3PaDjOHDK5aG5QSrOldV31Ar2VRtbyjBw8WgBoys0TEaMD+ZfEJnssVOuOCev10cUscLYs398DKKOWjCWbAJyUTqQPTmfiRCNhObqJsxAxR7U6JxrIzmTD9iHFA+3fMA9dzEdsKe1lMV2wHw28oQU5S+qAexP8mR3X16SJDV+OrobEGVDXjpX3YG7qO+MGR84S4D5zlz+oG0+TDJKjX54zIPMhdP/ugE=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 17dfaaf2-5eff-4f8a-4211-08d6e5b3ae76
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 May 2019 10:35:20.6144 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ketant@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1355
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.16, xch-aln-006.cisco.com
X-Outbound-Node: alln-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/n_r5QzlE-HDZJF_X3e9gC1G4h7w>
Subject: Re: [Idr] Mirja Kühlewind's No Objection on draft-ietf-idr-bgp-ls-segment-routing-ext-15: (with COMMENT)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2019 10:35:30 -0000

Hi Mirja,

Thanks for your review and your comments. 

Regarding your first comment, we have the following text in the Introduction section that describes the use-case/applicability that you are referring to in the Security Considerations.

   Segment Routing (SR) allows advertisement of single or multi-hop
   paths.  The flooding scope for the IGP extensions for Segment routing
   is IGP area-wide.  Consequently, the contents of a Link State
   Database (LSDB) or a Traffic Engineering Database (TED) has the scope
   of an IGP area and therefore, by using the IGP alone it is not enough
   to construct segments across multiple IGP Area or AS boundaries.

   The flooding scope for the IGP extensions for Segment routing
   is IGP area-wide.  Consequently, the contents of a Link State
   Database (LSDB) or a Traffic Engineering Database (TED) has the scope
   of an IGP area and therefore, by using the IGP alone it is not enough
   to construct segments across multiple IGP Area or AS boundaries.

   This document describes extensions to BGP-LS to advertise the SR
   information.  An external component (e.g., a controller) can collect
   SR information from across an SR domain (as described in [RFC8402])
   and construct the end-to-end path (with its associated SIDs) that
   need to be applied to an incoming packet to achieve the desired end-
   to-end forwarding.  The SR domain may be comprised of a single AS or
   multiple ASes.

Please let know any suggestions for the same or anything that needs further elaboration.

I will let Sue clarify on the shepherd's report. My impression was that many of the concerns raised were not specific to this particular BGP-LS extension but in general on BGP-LS itself. There has been a lot of discussions in the WG on this topic and work is ongoing to address some of those challenges based on our experience with BGP-LS deployments. One such effort is draft-ketant-idr-rfc7752bis. That said, all concerns raised specifically on this BGP-LS extension during the WGLC and follow-on reviews have been addressed AFAIK to achieve consensus.

Thanks,
Ketan

-----Original Message-----
From: Mirja Kühlewind via Datatracker <noreply@ietf.org> 
Sent: 31 May 2019 15:18
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-idr-bgp-ls-segment-routing-ext@ietf.org; Susan Hares <shares@ndzh.com>; aretana.ietf@gmail.com; idr-chairs@ietf.org; shares@ndzh.com; idr@ietf.org
Subject: Mirja Kühlewind's No Objection on draft-ietf-idr-bgp-ls-segment-routing-ext-15: (with COMMENT)

Mirja Kühlewind has entered the following ballot position for
draft-ietf-idr-bgp-ls-segment-routing-ext-15: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-idr-bgp-ls-segment-routing-ext/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

There is the following statement on the applicability of this approach in the security consideration section:

“The SR traffic engineering
   policies using the SIDs advertised via BGP-LS are expected to be used
   entirely within this trusted SR domain (e.g. between multiple AS/
   domains within a single provider network).  Therefore, precaution is
   necessary to ensure that the SR information advertised via BGP-LS
   sessions is limited to consumers in a secure manner within this
   trusted SR domain.”

As this is every essential to the scope of the document I would like to see this earlier in the document, e.g. in the intro, and own applicability section, or even in the abstract.

One additional comment on the shepherd write-up:
I find the write-up a bit confusing but I assume that this document has wg consensus, even though it might be rough. There is a request to the IESG to make a judgment if this approach should be taken forward in general. However, if there are no technical or security concerns here and there is wg consensus, I don’t think I understand this request; expect this is not seen as covered by the charter, however, I don’t think this is indicated in the shepherd write-up.

v2.23.0 | Report a Bug | By Email