Re: [Idr] recap my questions and issues raised during IDR Thurs session for draft-ietf-idr-tunnel-encaps-11

Keyur Patel <keyur@arrcus.com> Sat, 08 June 2019 08:45 UTC

From: Keyur Patel <keyur@arrcus.com>
To: Linda Dunbar <ldunbar@futurewei.com>, "draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@ietf.org>, "idr@ietf.org" <idr@ietf.org>
Date: Sat, 8 Jun 2019 08:45:08 +0000
Message-ID: <967C0955-07E3-4270-919A-991C7046803E@arrcus.com>
References: <4A95BA014132FF49AE685FAB4B9F17F66B33E1CA@sjceml521-mbs.china.huawei.com>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B33E1CA@sjceml521-mbs.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/znpnftuqRqtPyyzFZEnWPx1JU38>
Subject: Re: [Idr] recap my questions and issues raised during IDR Thurs session for draft-ietf-idr-tunnel-encaps-11

Hi Linda,

Apologies for the delayed response. Responses are inline. #Keyur

From: Linda Dunbar <linda.dunbar@huawei.com>
Date: Thursday, March 28, 2019 at 6:52 AM
To: idr wg <idr@ietf.org>, "draft-ietf-idr-tunnel-encaps@ietf.org" <draft-ietf-idr-tunnel-encaps@ietf.org>
Subject: recap my questions and issues raised during IDR Thurs session for draft-ietf-idr-tunnel-encaps-11
Resent-From: <keyur@arrcus.com>
Resent-To: <erosen52@gmail.com>, <keyur@arrcus.com>, <gunter.van_de_velde@nokia.com>
Resent-Date: Thursday, March 28, 2019 at 6:52 AM

Just want to reiterate my questions and issues I raised during IDR Thurs session for draft-ietf-idr-tunnel-encaps-11, to make it easier for the authors to address them in the next revision (I have sent the questions multiple times on the IDR mailing list, but no one responded):


  1.  When a client route can egress multiple egress ports (each with different IP addresses), does the Tunnel-Encap allow multiple “Remote-endpoint” SubTLVs to be attached to one UPDATE?

#Keyur: Yes. Section 5 of the draft version 12 has the following text:

<snip>
   A Tunnel Encapsulation attribute may contain several TLVs that all
   specify the same tunnel type.  Each TLV should be considered as
   specifying a different tunnel.  Two tunnels of the same type may have
   different Remote Endpoint sub-TLVs, different Encapsulation sub-TLVs,
   etc.  Choosing between two such tunnels is a matter of local policy.
</snip>



  2.  Section 3.1 Page 10: The last paragraph states that if “Remote-Endpoint sub-TLV contains address is valid but not reachable, and the containing TLV is NOT be malformed ..”. Why is an address that is not reachable considered “Not Malformed”?

#Keyur: That is because the Remote-Endpoint could become reachable at a later time. Making it malformed would mean that the Remote-Endpoint has to be dropped upon receipt of the update message (and could never be used).



  3.  In RFC5512, the BGP speaker indicates the originating Interface address in the NLRI (section 3):

[cid:image001.png@01D4E575.D3039A30]

draft-ietf-idr-tunnel-encaps-11 no longer has the BGP speaker originating the update. Is it intended? If yes, does it mean that it allows a third party (which could be a malicious entity) to inject routes on behalf of a legitimate router (but RFC5512 doesn’t)? Why add this scenario? How to address the security threats introduced? If it is a conscious decision, there should be some text to explain why and how to mitigate the security threats introduced.

#Keyur: Section 13 of the draft version 12 describes the Security Considerations, which should address your security questions. The option is to provide flexibility.

Regards,
Keyur



Thanks, Linda Dunbar
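The two points settled above (several TLVs of the same tunnel type are separate candidate tunnels, and an unreachable Remote Endpoint is a forwarding condition rather than a malformed TLV) can be shown in a receiver-side parser. The following is an added example written for this archive page; it is not code from the thread, the draft, or any implementation the authors maintain. The wire layout it assumes (2-octet tunnel type and 2-octet length per TLV; 1-octet sub-TLV type with a 1-octet length for types below 128 and 2-octet length otherwise; Remote Endpoint value = 4-octet AS, 2-octet AFI, then the address) and the code points `TUNNEL_TYPE_VXLAN = 8` and `SUBTLV_REMOTE_ENDPOINT = 6` are assumptions to be checked against the draft and the IANA registries. The attribute bytes and the routing table are constructed sample data.

```python
import ipaddress
import struct

# Code points assumed for this example; verify against the IANA registries.
TUNNEL_TYPE_VXLAN = 8
SUBTLV_REMOTE_ENDPOINT = 6
AFI_IPV4, AFI_IPV6 = 1, 2


class MalformedTLV(Exception):
    """Encoding errors only. Reachability is never an encoding error."""


def encode_remote_endpoint(asn, ip):
    """Assumed value layout: 4-octet AS, 2-octet AFI, then the packed address."""
    ip = ipaddress.ip_address(ip)
    afi = AFI_IPV4 if ip.version == 4 else AFI_IPV6
    return struct.pack("!IH", asn, afi) + ip.packed


def encode_sub_tlv(stype, value):
    """Assumed: 1-octet length for sub-TLV types below 128, 2-octet otherwise."""
    if stype < 128:
        return bytes([stype, len(value)]) + value
    return bytes([stype]) + struct.pack("!H", len(value)) + value


def encode_tlv(ttype, sub_tlvs):
    """Assumed TLV header: 2-octet tunnel type, 2-octet length."""
    body = b"".join(encode_sub_tlv(t, v) for t, v in sub_tlvs)
    return struct.pack("!HH", ttype, len(body)) + body


def parse_sub_tlvs(body):
    off = 0
    while off < len(body):
        stype, off = body[off], off + 1
        width = 1 if stype < 128 else 2
        if off + width > len(body):
            raise MalformedTLV("truncated sub-TLV header")
        slen = body[off] if width == 1 else struct.unpack("!H", body[off:off + 2])[0]
        off += width
        if off + slen > len(body):
            raise MalformedTLV("sub-TLV length runs past end of TLV")
        yield stype, body[off:off + slen]
        off += slen


def parse_remote_endpoint(value):
    if len(value) < 6:
        raise MalformedTLV("Remote Endpoint value too short")
    asn, afi = struct.unpack("!IH", value[:6])
    addr = value[6:]
    if afi == AFI_IPV4 and len(addr) == 4:
        return asn, ipaddress.IPv4Address(addr)
    if afi == AFI_IPV6 and len(addr) == 16:
        return asn, ipaddress.IPv6Address(addr)
    raise MalformedTLV("AFI does not match address length")


def parse_tunnel_encap(attr):
    """One entry per TLV. Repeated tunnel types are separate candidate
    tunnels (Section 5 quoted above), never merged and never an error."""
    tunnels, off = [], 0
    while off < len(attr):
        if off + 4 > len(attr):
            raise MalformedTLV("truncated TLV header")
        ttype, tlen = struct.unpack("!HH", attr[off:off + 4])
        off += 4
        if off + tlen > len(attr):
            raise MalformedTLV("TLV length runs past end of attribute")
        body, off = attr[off:off + tlen], off + tlen
        endpoint = None
        for stype, sval in parse_sub_tlvs(body):
            if stype == SUBTLV_REMOTE_ENDPOINT:
                endpoint = parse_remote_endpoint(sval)
        tunnels.append({"type": ttype, "endpoint": endpoint})
    return tunnels


def usable_tunnels(tunnels, rib):
    """Pick tunnels whose endpoint is covered by a route right now. The
    others stay in the list untouched, so a route learned later makes
    them usable without re-receiving the UPDATE."""
    return [t for t in tunnels
            if t["endpoint"] is not None
            and any(t["endpoint"][1] in net for net in rib)]


# Constructed sample: three VXLAN TLVs, each with a different Remote Endpoint.
SAMPLE_ATTR = b"".join(
    encode_tlv(TUNNEL_TYPE_VXLAN,
               [(SUBTLV_REMOTE_ENDPOINT, encode_remote_endpoint(64496, ip))])
    for ip in ("192.0.2.1", "192.0.2.2", "2001:db8::1"))

# Constructed RIB: 192.0.2.2 has no covering route; the other two do.
SAMPLE_RIB = [ipaddress.ip_network("192.0.2.0/31"),
              ipaddress.ip_network("2001:db8::/32")]

# A genuinely malformed attribute: Remote Endpoint value of only 5 octets.
MALFORMED_ATTR = encode_tlv(TUNNEL_TYPE_VXLAN,
                            [(SUBTLV_REMOTE_ENDPOINT, b"\x00" * 5)])


def demo():
    tunnels = parse_tunnel_encap(SAMPLE_ATTR)
    chosen = usable_tunnels(tunnels, SAMPLE_RIB)
    return len(tunnels), [str(t["endpoint"][1]) for t in chosen]


if __name__ == "__main__":
    print(demo())  # (3, ['192.0.2.1', '2001:db8::1'])
    try:
        parse_tunnel_encap(MALFORMED_ATTR)
    except MalformedTLV as err:
        print("malformed:", err)
```

Running `demo()` keeps all three TLVs and selects only the two whose endpoints have a covering route; the TLV pointing at 192.0.2.2 is neither discarded nor flagged, which is the behaviour Keyur describes for Section 3.1. `MALFORMED_ATTR`, by contrast, raises `MalformedTLV` because the encoding itself is wrong; what a receiver then does with that TLV is governed by the draft's error-handling text and is not modelled here.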