Re: [Idr] recap my questions and issues raised during IDR Thurs session for draft-ietf-idr-tunnel-encaps-11

Keyur Patel <> Sat, 08 June 2019 08:45 UTC

To: Linda Dunbar <>

Hi Linda,

Apologies for the delayed response. Responses are inline. #Keyur

From: Linda Dunbar <>
Date: Thursday, March 28, 2019 at 6:52 AM
To: idr wg <>
Subject: recap my questions and issues raised during IDR Thurs session for draft-ietf-idr-tunnel-encaps-11

I just want to reiterate the questions and issues I raised during the IDR Thursday session for draft-ietf-idr-tunnel-encaps-11, to make it easier for the authors to address them in the next revision (I have sent the questions multiple times on the IDR mailing list, but no one responded):

  1.  When a client route can egress via multiple egress ports (each with a different IP address), does the Tunnel-Encap allow multiple “Remote-endpoint” sub-TLVs to be attached to one UPDATE?

#Keyur: Yes. Section 5 of the draft version 12 has the following text:

    A Tunnel Encapsulation attribute may contain several TLVs that all
    specify the same tunnel type.  Each TLV should be considered as
    specifying a different tunnel.  Two tunnels of the same type may have
    different Remote Endpoint sub-TLVs, different Encapsulation sub-TLVs,
    etc.  Choosing between two such tunnels is a matter of local policy.

  2.  Section 3.1 Page 10: The last paragraph states that if “Remote-Endpoint sub-TLV contains address is valid but not reachable, and the containing TLV is NOT be malformed ..”. Why is an address that is not reachable considered “Not Malformed”?

#Keyur: That is because the Remote-Endpoint could become reachable at a later time. Making it malformed would mean that the Remote-Endpoint has to be dropped upon receipt of the UPDATE message (and could never be used).

  3.  In RFC5512, the BGP speaker indicates the originating interface address in the NLRI (section 3):

draft-ietf-idr-tunnel-encaps-11 no longer has the BGP speaker originating the update. Is this intended? If yes, does it mean that it allows a third party (which could be a malicious entity) to inject routes on behalf of a legitimate router (which RFC5512 doesn’t)? Why add this scenario? How are the security threats introduced addressed? If it is a conscious decision, there should be some text explaining why, and how to mitigate the security threats introduced.

#Keyur: Section 13 of the draft version 12 describes Security Considerations that should address your security questions. The option is to provide flexibility.


Thanks, Linda Dunbar
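The two points discussed above (several TLVs of the same tunnel type, each with its own Remote Endpoint sub-TLV, and an unreachable endpoint being retained rather than treated as malformed) can be made concrete with a small receiver-side parser. The code below is an added illustration, not code from the thread, the draft authors or any BGP implementation. It assumes the wire layout of the tunnel-encaps draft as this editor reads it: 2-octet tunnel type and 2-octet length per TLV, a 1-octet sub-TLV length for sub-TLV types 0-127 and a 2-octet length for 128-255, Remote Endpoint sub-TLV type 6 carrying a 4-octet AS number, a 2-octet AFI and the address, and tunnel type value 8 for VXLAN; all of these should be checked against the draft version actually implemented. Reachability is modelled by a caller-supplied predicate over a constructed prefix list, so an endpoint that is unreachable now can be re-evaluated later without re-parsing the attribute.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed constants (per the tunnel-encaps draft as read here; verify against the version used).
SUBTLV_REMOTE_ENDPOINT = 6
AFI_IPV4, AFI_IPV6 = 1, 2
TUNNEL_TYPE_VXLAN = 8


@dataclass
class Tunnel:
    tunnel_type: int
    sub_tlvs: Dict[int, bytes] = field(default_factory=dict)
    remote_as: Optional[int] = None
    remote_endpoint: Optional[ipaddress._BaseAddress] = None
    status: str = "usable"  # "usable", "unreachable" or "malformed"


def parse_sub_tlvs(value: bytes) -> Dict[int, bytes]:
    """Split a TLV value into sub-TLVs; any length that overruns the TLV is a structural error."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(value):
        stype = value[i]
        hdr = 2 if stype < 128 else 3
        if i + hdr > len(value):
            raise ValueError("truncated sub-TLV header")
        length = value[i + 1] if hdr == 2 else struct.unpack("!H", value[i + 1:i + 3])[0]
        body = value[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("sub-TLV length exceeds enclosing TLV")
        subs[stype] = body
        i += hdr + length
    return subs


def decode_remote_endpoint(body: bytes) -> Tuple[int, ipaddress._BaseAddress]:
    """AS number (4 octets), AFI (2 octets), address whose length must match the AFI."""
    if len(body) < 6:
        raise ValueError("Remote Endpoint sub-TLV too short")
    asn, afi = struct.unpack("!IH", body[:6])
    addr = body[6:]
    if afi == AFI_IPV4 and len(addr) == 4:
        return asn, ipaddress.IPv4Address(addr)
    if afi == AFI_IPV6 and len(addr) == 16:
        return asn, ipaddress.IPv6Address(addr)
    raise ValueError("address length does not match AFI")


def parse_attribute(attr: bytes) -> List[Tunnel]:
    """Parse every TLV; a structurally bad TLV is marked malformed, the others are kept."""
    tunnels: List[Tunnel] = []
    i = 0
    while i + 4 <= len(attr):
        ttype, length = struct.unpack("!HH", attr[i:i + 4])
        value = attr[i + 4:i + 4 + length]
        i += 4 + length
        t = Tunnel(ttype)
        try:
            if len(value) != length:
                raise ValueError("truncated TLV")
            t.sub_tlvs = parse_sub_tlvs(value)
            ep = t.sub_tlvs.get(SUBTLV_REMOTE_ENDPOINT)
            if ep is not None:
                t.remote_as, t.remote_endpoint = decode_remote_endpoint(ep)
        except ValueError:
            t.status = "malformed"
        tunnels.append(t)
    return tunnels


def evaluate(tunnels: List[Tunnel], reachable: Callable[[ipaddress._BaseAddress], bool]) -> List[str]:
    """Unreachable is a routing state, not a syntax error: the tunnel stays and can be re-checked."""
    for t in tunnels:
        if t.status == "malformed":
            continue
        t.status = "unreachable" if (t.remote_endpoint is not None and not reachable(t.remote_endpoint)) else "usable"
    return [t.status for t in tunnels]


# --- constructed sample input ---------------------------------------------------------------
def remote_endpoint_value(asn: int, addr: str) -> bytes:
    ip = ipaddress.ip_address(addr)
    return struct.pack("!IH", asn, AFI_IPV4 if ip.version == 4 else AFI_IPV6) + ip.packed


def sub_tlv(stype: int, body: bytes) -> bytes:
    return (struct.pack("!BB", stype, len(body)) if stype < 128 else struct.pack("!BH", stype, len(body))) + body


def tlv(tunnel_type: int, subs: bytes) -> bytes:
    return struct.pack("!HH", tunnel_type, len(subs)) + subs


# Three VXLAN TLVs in one attribute: reachable endpoint, unreachable endpoint, and an AFI/length mismatch.
SAMPLE_ATTR = (
    tlv(TUNNEL_TYPE_VXLAN, sub_tlv(SUBTLV_REMOTE_ENDPOINT, remote_endpoint_value(64496, "192.0.2.1")))
    + tlv(TUNNEL_TYPE_VXLAN, sub_tlv(SUBTLV_REMOTE_ENDPOINT, remote_endpoint_value(64496, "198.51.100.7")))
    + tlv(TUNNEL_TYPE_VXLAN, sub_tlv(SUBTLV_REMOTE_ENDPOINT, struct.pack("!IH", 64496, AFI_IPV4) + b"\x01" * 16))
)
REACHABLE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]  # constructed local routing state


def is_reachable(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in REACHABLE_PREFIXES)


def classify(attr: bytes = SAMPLE_ATTR, reachable: Callable = is_reachable) -> List[str]:
    return evaluate(parse_attribute(attr), reachable)


if __name__ == "__main__":
    print(classify())  # expect ['usable', 'unreachable', 'malformed']
```

Calling `evaluate` again with a different reachability predicate flips the second tunnel to usable without touching the parsed attribute, which is exactly the behaviour the draft text preserves by not classifying an unreachable endpoint as malformed; the third TLV, by contrast, is dropped from selection permanently because its length contradicts its AFI.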