IETF Logo Mail Archive

Re: [Idr] draft-ymbk-l3vpn-origination-00.txt

Robert Raszuk <robert@raszuk.net> Tue, 16 October 2012 04:03 UTC

Return-Path: <rraszuk@gmail.com>
X-Original-To: l3vpn@ietfa.amsl.com
Delivered-To: l3vpn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B7AD11E8142; Mon, 15 Oct 2012 21:03:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.631
X-Spam-Level:
X-Spam-Status: No, score=-2.631 tagged_above=-999 required=5 tests=[AWL=-0.254, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XW4VOSvfrMPA; Mon, 15 Oct 2012 21:03:31 -0700 (PDT)
Received: from mail-ia0-f172.google.com (mail-ia0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id ACA7D11E8138; Mon, 15 Oct 2012 21:03:31 -0700 (PDT)
Received: by mail-ia0-f172.google.com with SMTP id o25so4905917iad.31 for <multiple recipients>; Mon, 15 Oct 2012 21:03:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=JK86SH99fmgI10eSinEIz2VirxNrUDZrspG5pBE+Rvc=; b=aBGoykO8zVcQKcS2BBXJryOvR1aVfQjja8Zx1Al685TctxZZecb2B+Bx4SW0+Dl6mR Yir9FkQm+yjUdWOYPAK0vbYBkBq9CiQTu+6tge1n8VHhlYTrYQBm6A5j3bc2hHk2CDE2 K3ZRlrnb9JLk1oD/D0biLmSj2tlxdVJY77woElJZJe3+FD38JXAB83Rw1YR4Ng5Lxm5P 9sfyQb6uOY6Pb+OOXygN7Tgy43otjbwAKvUGKXJDLVA30SP5dSpCZJoJbdHjUM7rvamV wgBrQdeK1Ka3x48NVSWA1sqqm8MmrZGJ5lgZxat3VXrQlxcDldIRfd8DSgXvZoORp+EF yBCQ==
MIME-Version: 1.0
Received: by 10.50.15.193 with SMTP id z1mr10833579igc.47.1350360211169; Mon, 15 Oct 2012 21:03:31 -0700 (PDT)
Sender: rraszuk@gmail.com
Received: by 10.42.68.133 with HTTP; Mon, 15 Oct 2012 21:03:31 -0700 (PDT)
In-Reply-To: <m2y5j7gk1r.wl%randy@psg.com>
References: <20121015175711.5993.31704.idtracker@ietfa.amsl.com> <m2391flias.wl%randy@psg.com> <CA+b+ERk7dzBFLFN7BGEEg7aj0ymoh50GKbMB6CGxCXWqaCCuUg@mail.gmail.com> <m2y5j7gk1r.wl%randy@psg.com>
Date: Tue, 16 Oct 2012 06:03:31 +0200
X-Google-Sender-Auth: sTKzOpe00_lIqwSf0a20kr0wAg0
Message-ID: <CA+b+ERkjmXv3pT7Jw_BbZ_f3hWy5rX6meW3sXGBnpmTu_FVwWA@mail.gmail.com>
Subject: Re: [Idr] draft-ymbk-l3vpn-origination-00.txt
From: Robert Raszuk <robert@raszuk.net>
To: Randy Bush <randy@psg.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: idr wg <idr@ietf.org>, L3VPN <l3vpn@ietf.org>, pmehta@cisco.com, luay.jalil@verizon.com
X-BeenThere: l3vpn@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <l3vpn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/l3vpn>
List-Post: <mailto:l3vpn@ietf.org>
List-Help: <mailto:l3vpn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/l3vpn>, <mailto:l3vpn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Oct 2012 04:03:32 -0000

Hello Randy,

On Tue, Oct 16, 2012 at 5:41 AM, Randy Bush <randy@psg.com> wrote:
> thanks for review!

You are very welcome !

>>    This document describes how the originating PE, West, may sign the
>>    announcement so that the destination PE, East, may authenticate the
>>    NLRI and the Route Distinguisher (RD), , see RFC 4364 [RFC4364]
>>
>> Let me point out that West PE is not the originator of the route
>> advertisement .. neither East PE is the destination. Originator and
>> destination are corresponding CEs on both sides.
>
> good catch!

I was not that much fishing here ... just trying to understand if you
are validating CE-CE or PE-PE. If the latter I unfortunately think
there is much less of the value.

When we originally started to roll out 2547 there was very clear
consensus that real protection must happen on the CE-CE boundary.
Trusting SP where anyone who logs into PE can do anything for any VPN
there was never taken serious.

Note that the draft could also allow both, but this needs to be
clearly stated in the text.

>> With this in mind let me also point out that RFC4364 VPN sites very
>> often use private addresses which are never part of any public RPKI
>> for one simple reason that public RPKI has no notion of RDs to make
>> such prefixes unique.
>
> if they want to use the rpki, then, just as other rpki publishers using
> 1918 space, they would have local trust anchors and certify the private
> space.  see draft-ietf-sidr-ltamgmt.

And what happens in the event of PE-PE validation where only one SP of
L3VPN subscribes to RPKI business ?

>> Last let me point out also that RFC4364 defines CSC interconnect model
>> which this draft also does not comment on.
>
> more specific cite, please?  thanks.

http://tools.ietf.org/html/rfc4364#section-9

Summary ... PEs are not involved in distribution of customer routes
between customer sites.

R.


> randy

v2.23.0 | Report a Bug | By Email