Re: [Idr] I-D Action: draft-ietf-idr-flowspec-l2vpn-09.txt

Donald Eastlake <d3e3e3@gmail.com> Mon, 30 September 2019 00:58 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDE931200C4 for <idr@ietfa.amsl.com>; Sun, 29 Sep 2019 17:58:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H_DMOdIksm20 for <idr@ietfa.amsl.com>; Sun, 29 Sep 2019 17:58:48 -0700 (PDT)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AECC912006D for <idr@ietf.org>; Sun, 29 Sep 2019 17:58:48 -0700 (PDT)
Received: by mail-io1-xd36.google.com with SMTP id c6so33563464ioo.13 for <idr@ietf.org>; Sun, 29 Sep 2019 17:58:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=q4x4EPu9d/rMjeTCP9sz1BoCQtnafzMbkENmyn5D1RM=; b=p/ql1oksm3wfSmJn4gmJ72oHmfh9Qezo/URr8iDK6Z/VY1INrcSZB23d8duuRlKTcx FQypy4qNpJnOZPTSuuBiw/SCtGKQKriouzdEoXXw/r8Vp5U2WsUoyo98znrhanP+Y8UD uSNVd8OA+uB6D8M20H3cPsEsztBlomZnH8PuOQ1TjPYQq1Ww4a2h7ol36YuYSeyJrK15 pgIYxG7Wuf5Y3+nYSbe01BQjeGozINpPVg55ihvuHLHTyh/dRtrsmjEZpuZgOya2am+2 8Pqsv5ITKe0S8U0cdd8KE+45YncerynnAQil3EDSgt8J/8ReURzkEaeEUR4gWa6+CnLL VuKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=q4x4EPu9d/rMjeTCP9sz1BoCQtnafzMbkENmyn5D1RM=; b=nyhFXQid8ThnDSIciezMUY5TwQrgWWTGRv0Tpc8JDQlJktW/+iiadw0aGVpYwaFZ8W jLsde07BYkKuM3AS+HyVdW7K5yIsAbBRQiP6LHsakzSC0wtl20lnyyxTtl5PA4tuKe74 5/EBxMM2FOEA6/DD2byAG/saZ8P9VxaKXz0/Uw2aJ5+4ZZ7aPEe4cvHG0U8fw9M7sJwz M6GHFvmFQlF/xBNfhOORoTmDU40ZYVZaKPWjbCKThkHxV8n1AguZTiUvvUmc7IBNTvNR s+73fgcjazqX6QjdLLc80XU6JtHiBC2MNt/Iy4XAlkVACepBmIQzAEkdW2jcPLevu8PT QyCg==
X-Gm-Message-State: APjAAAUnEgTyXV+FidWCHYVXs181q9M6UekfSfurmC/AoopQ1DtogJme k3MtpLfxpx6Cgync3TGJONHLwwQYMrHCIWpfNw0=
X-Google-Smtp-Source: APXvYqzwLK4Pk+D0vw7cckxoe8Ty0gubZepvfSazpSXtDunVHYFvirKuIJHwa2mZGXnU96xuNA7HFp40QjgME0sq580=
X-Received: by 2002:a92:1a4f:: with SMTP id z15mr17980857ill.199.1569805127790; Sun, 29 Sep 2019 17:58:47 -0700 (PDT)
MIME-Version: 1.0
References: <154650798507.29744.11843661823190688795@ietfa.amsl.com> <CAOj+MMGPmUs4fAzDEwhq4z47r=TK78Kk-6Tp+KMHS0K4O=VdGg@mail.gmail.com> <CAF4+nEHwwPNL4cmXH-TMhL3xnT3LGiP-hWov-YCf=h4B-+N7QQ@mail.gmail.com> <CAOj+MMFQbY3WY9jYSLVXMUvOVMGzOCd1LsFKJupPM0W_3oFJDQ@mail.gmail.com>
In-Reply-To: <CAOj+MMFQbY3WY9jYSLVXMUvOVMGzOCd1LsFKJupPM0W_3oFJDQ@mail.gmail.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Sun, 29 Sep 2019 20:58:35 -0400
Message-ID: <CAF4+nEG4=0ew=ZzjaxT9ignbKeA3CgLBwhLp2mteQLfaBLh7VQ@mail.gmail.com>
To: Robert Raszuk <robert@raszuk.net>
Cc: "idr@ietf. org" <idr@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/nfy6dyvpcjAZBPGfXsMqmMoNplI>
Subject: Re: [Idr] I-D Action: draft-ietf-idr-flowspec-l2vpn-09.txt
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Sep 2019 00:58:51 -0000

Hi Robert,

On Sun, Sep 29, 2019 at 6:00 AM Robert Raszuk <robert@raszuk.net> wrote:
>
> Hi Donald,
>
> The draft says:
>
> The following changes are defined:
>
>    "SAFI 134 for dissemination of L3VPN flow specification rules" to now
>    be defined as "SAFI 134 for dissemination of VPN flow specification
>    rules"
>
>    For SAFI 134 the indication to which address family it is referring
>    to will be recognized by AFI value (AFI=1 for VPNv4, AFI=2 VPNv6 and
>    AFI=25 for L2VPN).  Such modification is fully backwards compatible
>    with existing implementation and production deployments.
>
>    For SAFI 134 the indication to which address family it is referring
>    to will be recognized by AFI value (AFI=1 for VPNv4, AFI=2 VPNv6 and
>    AFI=25 for L2VPN).  Such modification is fully backwards compatible
>    with existing implementation and production deployments.
>
>
> Which at least to me clearly gives the impression that newly defined NLRI elements and format are targeted to all AFIs listed 1, 2 & 25.

As far as I know, that impression is wrong, which is why I said, after
saying that the draft applies to AFI=25/SAFI=134, that "The draft
should be clarified" to say that.

> If you do not intend to ever use them with AFI 1 or 2 then the draft must state this very clearly that they are only applicable to AFI 25.
>
> On the topic of renaming IANA registry to extend  L3VPN SAFI 134 to also cover L2VPN my personal view is that we should not do it. We should define a new SAFI for L2VPN and clearly separate those two.
>
> You either match on L2 or L3 and not both in a given packet. Of course you can send both SAFIs and match on both against traffic on a given interface. Changing SAFI 134 now will require not only adjustment to IANA registry ... Just imagine the effort required to change all vendor's documentation.

Well, isn't it also true that you either match on IPv4 or IPv6?

The current IANA registry entry for SAFI 134 says "VPNv4 dissemination
of flow specification rules". It has to be changed anyway to encompass
IPv6... You have expressed your opinion very clearly but I don't see
why it is so bad to replace "VPNv4" with "VPN" rather than "L3VPN"
given that the IANA registry has to change anyway. As for vendor
documentation, if a vendor organized their documentation by the
capabilities they support, that is the AFI/SAFI pairs, then I'm not
sure why any change at all would be required unless they actually
supported L2VPN flowspec.

in any case, I'll do what the consensus of the WG is.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 1424 Pro Shop Court, Davenport, FL 33896 USA
 d3e3e3@gmail.com

> Many thx,
> Robert
>
> On Sun, Sep 29, 2019 at 6:05 AM Donald Eastlake <d3e3e3@gmail.com> wrote:
>>
>> Hi Robert,
>>
>> Thanks for your review. Apologies for the delay in response.
>>
>> On Thu, Jan 3, 2019 at 6:04 AM Robert Raszuk <robert@raszuk.net> wrote:
>> >
>> > Hi,
>> >
>> > Two observations:
>> >
>> > 1.
>> >
>> > The current draft extends exisiting SAFI 134 with new NLRI types.
>> > That means that now we have new giant NLRI in SAFI 134.
>> >
>> > Have any consideration been made to just define a new flow spec SAFI
>> > instead for L2 filtering ? I am quite skeptical from implementation,
>> > operational and deployment points of view to extend the existing
>> > SAFI and it makes a gradual deployment a nightmare if not mission
>> > impossible.
>> >
>> > Any change to NLRI format without signalling it with new capability is
>> > far from good practice.
>>
>> My understanding is that flow spec capabilities are signalled by an
>> AFI/SAFI pair as specified in RFC 2858. So I think that
>> AFI=25/SAFI=134 already is a new capability. The draft should be
>> clarified to present things in those terms.
>>
>> It would be easy, from the IANA Considerations point of view, to get a
>> new SAFI that could be used with AFI=25 for L2VPN flowspec. But I
>> don't really see the benefit of burning a new SAFI value, say xyz, and
>> using AFI=25/SAFI=xyz instead of ARI=25/SAFI=134.
>>
>> In my opinion, the general format for the NLRI in this draft ia
>> similar to the flow specs for IPv4 and IPv6.  The components that are
>> added by this draft differ from the IPv4 and IPv6 components in the
>> generally the same way that the IPv4 and IPv6 components differ from
>> each other.
>>
>> > 2.
>> >
>> > The draft is pretty silent on adjusting validation procedures to make sure only
>> > senders of the original L2 information may inject the L2 flow routes..
>> >
>> > I would hope that this is basic omission and will be consider for addition into
>> > next version of he draft.
>>
>> That is an excellent point and the next version should have adjusted
>> validation procedures in it.
>>
>> Thanks,
>> Donald
>> =============================
>>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>>  1424 Pro Shop Court, Davenport, FL 33896 USA
>>  d3e3e3@gmail.com
>>
>> > Thx,
>> > R.
>> >
>> >
>> >
>> > On Thu, Jan 3, 2019 at 10:33 AM <internet-drafts@ietf.org> wrote:
>> >>
>> >> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> >> This draft is a work item of the Inter-Domain Routing WG of the IETF.
>> >>
>> >>         Title           : BGP Dissemination of L2VPN Flow Specification Rules
>> >>         Authors         : Weiguo Hao
>> >>                           Donald E. Eastlake, 3rd
>> >>                           James Uttaro
>> >>                           Stephane Litkowski
>> >>                           Shunwan Zhuang
>> >>         Filename        : draft-ietf-idr-flowspec-l2vpn-09.txt
>> >>         Pages           : 13
>> >>         Date            : 2019-01-03
>> >>
>> >> Abstract:
>> >>    This document defines a BGP flow-spec extension to disseminate L2 VPN
>> >>    Ethernet traffic filtering rules.  SAFI=134 in [RFC5575] is redefined
>> >>    for this purpose.  A new subset of component types and extended
>> >>    community also are defined.  A new subset of component types and new
>> >>    extended community also are defined.
>> >>
>> >>
>> >>
>> >> The IETF datatracker status page for this draft is:
>> >> https://datatracker.ietf.org/doc/draft-ietf-idr-flowspec-l2vpn/
>> >>
>> >> There are also htmlized versions available at:
>> >> https://tools.ietf.org/html/draft-ietf-idr-flowspec-l2vpn-09
>> >> https://datatracker.ietf.org/doc/html/draft-ietf-idr-flowspec-l2vpn-09
>> >>
>> >> A diff from the previous version is available at:
>> >> https://www.ietf.org/rfcdiff?url2=draft-ietf-idr-flowspec-l2vpn-09
>> >>
>> >>
>> >> Please note that it may take a couple of minutes from the time of submission
>> >> until the htmlized version and diff are available at tools.ietf.org.
>> >>
>> >> Internet-Drafts are also available by anonymous FTP at:
>> >> ftp://ftp.ietf.org/internet-drafts/