Re: [mpls] Ben's Comments on draft-ietf-mpls-sr-over-ip
Benjamin Kaduk <kaduk@mit.edu> Sat, 20 April 2019 06:21 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BF51120099; Fri, 19 Apr 2019 23:21:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZyKe8gpssYkn; Fri, 19 Apr 2019 23:21:46 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3761612008B; Fri, 19 Apr 2019 23:21:45 -0700 (PDT)
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x3K6Lf14026730 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 20 Apr 2019 02:21:43 -0400
Date: Sat, 20 Apr 2019 01:21:41 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Adrian Farrel <adrian@olddog.co.uk>
Cc: mpls@ietf.org, draft-ietf-mpls-sr-over-ip@ietf.org, 'The IESG' <iesg@ietf.org>
Message-ID: <20190420062140.GU51586@kduck.mit.edu>
References: <07cc01d4f232$19436200$4bca2600$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <07cc01d4f232$19436200$4bca2600$@olddog.co.uk>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mpls/dGhEqP20UTIpBjOsCsczS8qbcco>
Subject: Re: [mpls] Ben's Comments on draft-ietf-mpls-sr-over-ip
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Apr 2019 06:21:49 -0000
Hi Adrian, On Sat, Apr 13, 2019 at 08:50:07PM +0100, Adrian Farrel wrote: > Hi Ben, > > Thanks for your very detailed comments on this draft. Quite a lot to chew on. And thank you for the detailed replies. I read them all, but only have further comment on a handful. > > Thanks for this clearly-written document! I do have several > > suggestions for improvements, and note many places where IS-IS and OSPF > > seem to be described as normative references would, in the vein of > > Mirja's DISCUSS. I think it is possible to adjust the document to keep > > those as informative references, but the changes might be pretty > > intrusive. > > I'm going to come back to Mirja's Discuss (and part of Alvaro's Discuss) when I have some more clarity about how the LSR working group is advancing the relevant drafts. > > > I'm a little confused about what exactly the new protocol specified here > > is -- there seems to be a lot of "use these existing technologies > > together in the following way" going on, that may be screening the > > actual new bits from prominence. The only thing that comes to mind is > > the requirement to use the explicit null label when the last label has > > PHP and is going over the tunnel, which is admittedly important behavior > > to have! (To be clear, the implication is that a document consisting > > solely of "glue these existing pieces together" could well be published > > as Informational, though does not strictly speaking need to be.) > > I think the same way. It *could* have been Informational, but Standards Track felt better in this case as it is telling people how make an operational system out of the existing building blocks. > > > It might also be helpful to have a reference to RFC 4023 for the plain > > MPLS-in-IP encapsulation, even just to contrast it to the MPLS-in-UDP > > (RFC 7510) that we do use. (This reader did not discern why the RFC > > 4023 encapsulation was unpreferred.) > > Oh, right. > The short answer is "for the same reasons that 7510 unpreffered MPLS-in-IP" which was largely load balancing through an entropy indicator. > Will add a short note. > > > Section-by-section comments follow. > > > > Abstract > > > > SR-MPLS > > could be leveraged to realize a source routing mechanism across MPLS, > > IPv4, and IPv6 data planes by using an MPLS label stack as a source > > routing instruction set while preserving backward compatibility with > > SR-MPLS. > > > > Is this really saying "SR-MPLS could be leveraged ... while preserving > > compatibility with SR-MPLS"? > > Fixed per Alvaro's comments. > > > Section 1 (Introduction) > > > > Similarly to the above: > > Ditto > > > Section 2 > > > > o If encoding of entropy ([RFC6790] is desired, IP tunneling > > mechanisms that allow encoding of entropy, such as MPLS-in-UDP > > encapsulation [RFC7510] where the source port of the UDP header is > > > > I think it was already noted, but this language reads a little oddly, > > and it might be better as "If injection of additional entropy into the > > flow is needed". > > Just buffed up that text a bit. > > > Section 3.1 > > > > Consider router A that receives a labeled packet with top label L(E) > > that corresponds to the prefix-SID SID(E) of prefix P(E) advertised > > by router E. Suppose the i-th next-hop router (termed NHi) along the > > shortest path from router A toward SID(E) is not SR-MPLS capable > > while both routers A and E are SR-MPLS capable. [...] > > > > Do we ever actually use the fact that it is specifically the i-th router > > that is SR-MPLS-incapable, or just need to know that at least one router > > on the path is deficient in that way? > > It is just a name for that router. > It is mentioned again on the last line of section 3.1 > > > o The Segment Routing Global Block (SRGB) is defined in [RFC8402]. > > Router E is SR-MPLS capable, so it advertises an SRGB as described > > in [I-D.ietf-ospf-segment-routing-extensions] and > > [I-D.ietf-isis-segment-routing-extensions]. > > > > I see the first sentence was added in discussion with another reviewer; > > I wonder if the text would flow better if the order of the sentences was > > swapped (particularly since this is the very first "processing step", > > and that declarative sentence does not describe any processing > > actions). > > I'll work something out. The "as described" had confused a previous reader because it seemed to suggest that the SRGB was defined in those drafts. > > > o When Router E advertises the prefix-SID SID(E) of prefix P(E) it > > MUST also advertise the encapsulation endpoint and the tunnel type > > of any tunnel used to reach E. It does this using the mechanisms > > described in [I-D.ietf-isis-encapsulation-cap] or > > [I-D.ietf-ospf-encapsulation-cap]. > > > > This "it does this" still is implying that IS-IS and OSPF are the only > > ways this can be done, which (AIUI) is not the intention. (Similarly > > for the next bullet point's sub-bullets.) > > s/it does this/it can do this/ > > > * If router E is running ISIS and advertises the ISIS > > capabilities TLV (TLV 242) [RFC7981], it MUST set the "router- > > > > nit: 7981 seems to call this the "ISIS Router CAPABILITY TLV"; I don't > > know if the usage here has since become conventional. > > s/ies/y/ > > > o Router A programs the FIB entry for prefix P(E) corresponding to > > the SID(E) as follows: > > > > Keeping with the theme, this is a declarative statement of procedure, > > and the following sub-bullets only cover OSPF and ISIS. It would need > > to be a statement of requirements for behavior/functionality in order to > > keep them from being normative references. > > > > Once constructed, the FIB can be used to tell a router how to process > > packets. It encapsulates the packets according to the encapsulation > > advertised in [I-D.ietf-isis-encapsulation-cap] or > > [I-D.ietf-ospf-encapsulation-cap]. Then it sends the packets towards > > the next hop NHi. > > > > Oh, finally, "NHi" appears again. But are we actually forwarding > > towards the SR-MPLS-incapable router specifically, or just generically > > to the immediate next hop (which may or may not be NHi)? > > I told you so 😉 > It really means NHi. The previous hop does the encapsulation and then forwards *towards* (i.e., out of the interface pointing at NHi) but not with the DA set to NHi. > > > Also, I'll note that we introduced this list with "the following > > processing steps apply [for A wanting to send a packet towards E]", but > > most of the procedures therein involve things that E has to do to > > advertise the information that A will need in order to make the > > encapsulation, which feels like somewhat mismatched language. In short, > > this list of points doesn't tell me much about what specifically *A* > > does with this packet -- the last point handles what to do with the top > > label, but I guess we defer to the encapsulation scheme for the gory > > details (which is probably fine, but maybe the language could be tidied > > up to mention something about "using the appropriate mechanism for the > > selected tunnel type (e.g., IP)"). > > I'm going to call upon your "which is probably fine". > > > packets. It encapsulates the packets according to the encapsulation > > advertised in [I-D.ietf-isis-encapsulation-cap] or > > [I-D.ietf-ospf-encapsulation-cap]. Then it sends the packets towards > > > > nit: advertised *using the mechanisms in* > > Ack > > > Section 3.2 > > > > [RFC7510] specifies an IP-based encapsulation for MPLS, i.e., MPLS- > > in-UDP. This approach is applicable where IP-based encapsulation for > > MPLS is required and further fine-grained load balancing of MPLS > > packets over IP networks over Equal-Cost Multipath (ECMP) and/or Link > > Aggregation Groups (LAGs) is also required. This section provides > > details about the forwarding procedure when when UDP encapsulation is > > adopted for SR-MPLS over IP. > > > > (side note) Presumably this is just my lack of background showing, but > > this text seems to assume that the UDP encapsulation is the only way to > > do SR-MPLS over IP, with no discussion of RFC 4023. > > This section is certainly limited to the UDP choice. > Actually, we can add "Other encapsulation and tunnelling mechanisms can be applied using similar techniques, but for clarity this section uses UDP encapsulation as the exemplar." > > > Nodes that are SR-MPLS capable can process SR-MPLS packets. Not all > > of the nodes in an SR-MPLS domain are SR-MPLS capable. Some nodes > > may be "legacy routers" that cannot handle SR-MPLS packets but can > > forward IP packets. An SR-MPLS-capable node MAY advertise its > > capabilities using the IGP as described in Section 3. There are six > > types of node in an SR-MPLS domain: > > > > (side note) Similarly, we only talk about SR-MPLS and IP routers here; > > is there some intermediate "MPLS but not SR-MPLS" category or similar? > > Ah, a good question. > MPLS routers are automatically able to forward SR-MPLS packets. So, if they lack SR capabilities they still participate seamlessly. > And, in cast, if you had a sea of MPLS routers, you wouldn't need any encapsulation at all. > > > Also, the top-level Section 3 is just introductory text and doesn't > > really describe much of anything, and if we are considering this to > > refer to Section 3 and subsections, it then becomes self-referential. > > I think it applies to 3.2. > > > Section 3.2.1 > > > > Routers A, E, G, and H > > advertise their Segment Routing related information via IS-IS or > > OSPF. > > > > [still declarative] > > Still fixing 😊 > > > To handle this, when a router (here it is router G) pops the final > > SR-MPLS label, it inserts an explicit null label [RFC3032] before > > encapsulating the packet in an MPLS-over-UDP tunnel toward router H > > and sending it out. That is, router G pops the top label, discovers > > it has reached the bottom of stack, pushes an explicit null label, > > and then encapsulates the MPLS packet in a UDP tunnel to router H. > > > > This seems like a critical functional behavior that is not specific to > > the usage of IS-IS or OSPF. > > Agreed. Covered by previous fix. > > > Section 3.2.3 > > > > For instance, in the example as described in Figure 4, assume F is > > now an SR-MPLS-capable transit node while all the other > > assumptions keep unchanged, since F is not identified by a SID in > > the stack and an MPLS-over-UDP tunnel is preferred to an MPLS LSP > > according to local policies, router E would replace the current > > top label with an MPLS-over-UDP tunnel toward router G and send it > > out. > > > > (nit: There's a comma splice before "since F".) > > Ack > > > This description is a little sparse, and seems to assume the reader > > knows that, all else being equal, with E, F, and G all being > > MPLS-capable, the segment from E to G would transit native MPLS, absent > > the indicated local policy. Since this is explicitly the thing we are > > contrasting against, it's probably good style to mention the behavior > > explicitly, too. > > OK. "Good style" is our watchword. > > > IP Header Fields: When encapsulating an MPLS packet in UDP, the > > resulting packet is further encapsulated in IP for transmission. > > IPv4 or IPv6 may be used according to the capabilities of the > > network. The address fields are set as described in Section 2. > > > > (Does Section 2 say how to set the source address?) > > Sure does. > The tunnel selected MUST have its > remote end point (destination) address equal to the address of the > next SR-MPLS capable node along the path (i.e., the egress of the > active node segment). I might still be missing it. Is the idea that once you've selected a specific tunnel, that naturally will have a record of the source address corresponding to that tunnel? (I only see a literal "remote end point (destination) address" in the quoted text, i.e., "source" or "local" do not appear.) > > Entropy and ECMP: When encapsulating an MPLS packet with an IP > > tunnel header that is capable of encoding entropy (such as > > [RFC7510]), the corresponding entropy field (the source port in > > case UDP tunnel) MAY be filled with an entropy value that is > > > > nit: "in the case of a UDP tunnel" > > Ack > > > Section 5 > > > > [I'm going to comment on basically every line here; sorry to be so > > nitpicky.] > > I'm going to cross-check. If you have left a line uncommented I will demand a refund. > If only we had written more lines. > > > The security consideration of [RFC8354] and [RFC7510] apply. DTLS > > > > RFC 8354's security considerations are, for practical purposes, empty. > > Perhaps a direct reference to 5095 would be more appropriate. > > (The RFC 7510 security considerations are of course quite relevant and > > helpful.) > > Yes, let's have... > The security consideration of [RFC8354] (which redirects the reader to [RFC5095]) and [RFC7510] apply > ...since 8354 remains the more "relevant" reference. > > > [RFC6347] SHOULD be used where security is needed on an MPLS-SR-over- > > UDP segment. > > > > I think you need to give some indication of when that might be the case, > > e.g., if the IP segment crosses the public Internet or some other > > untrusted environment. > > I guess that is a good example. I'm worried that it may limit the imagination of the reader. > > I'm going to use "including when" in place of "e.g., if" I was not intending to suggest that the "e.g." appear in the document, so thank you for this. > > It is difficult for an attacker to pass a raw MPLS encoded packet > > into a network and operators have considerable experience at > > excluding such packets at the network boundaries. > > > > This is describing an expected/desired state (hopefully also the current > > state!) but not why that should be or what the consequences of failing > > to achieve that state are. I'm happy to contribute some text, but this > > seems like a generic MPLS consideration and I hope there is an > > already-published reference that could be used instead. > > Well, I'll add a reference to 5920, but I don't think that completely covers it. > This is the equivalent of an ACL to prevent IP-in-IP intrusion, but essentially says don't let MPLS emerge from an IP tunnel in the network. Everyone does it, not sure it is documented anywhere. > > That gives us... > > It is difficult for an attacker to pass a raw MPLS encoded packet > into a network and operators have considerable experience at excluding > such packets at the network boundaries, for example by excluding all > MPLS packets that are revealed as payload of IP tunnels. Further discussion > of MPLS security is found in [RFC5920]. Thanks. (I was pretty sure everyone does it, but that doesn't always mean that we don't need to say it in the doc, as I'm sure you know...) > > It is easy for an ingress node to detect any attempt to smuggle an IP > > packet into the network since it would see that the UDP destination > > port was set to MPLS. SR packets not having a destination address > > > > Easy, sure, if you know to look for it. Where is that requirement > > mandated? > > We don't mandate against self-harm. > But I add... > , and such filtering SHOULD be applied > > > terminating in the network would be transparently carried and would > > pose no security risk to the network under consideration. > > > > I'm not sure I see how the second sentence relates to the first; is this > > just trying to say that SR-MPLS is transparent to traffic flowing over > > such a network? There would still be generic capacity risks, of course, > > though maybe we don't need to be so specific -- "pose no different > > security risk than any other traffic" would be plenty. > > OK > > > Where control plane techniques are used (as described in Section 3), > > it is important that these protocols are adequately secured for the > > environment in which they are run. > > > > What does "adequately secured" mean? Is there a best-practices > > document, or security considerations for the control protocols in > > question that cover this? Is the needed property that "any packets > > interpreted as MPLS must be originated from authorized network devices > > within the administrative domain (or group of such domains), with no > > ability for attackers to inject such traffic inside the domain and > > blocking at the boundary"? When different administrative domains are > > joined together, what are the counterparty risks? > > OK, these are not MPLS packets, they are control plane packets. > The injection of MPLS packets was where we were a few comments further up. > > "Adequately secured" is indeed a wide scope. I think 5920 is our base reference for all MPLS control plane security issues. > > But perhaps 6862 as well. OK, I trust you to know better than I would. Thanks again, Ben
- [mpls] Ben's Comments on draft-ietf-mpls-sr-over-… Adrian Farrel
- Re: [mpls] Ben's Comments on draft-ietf-mpls-sr-o… Benjamin Kaduk
- Re: [mpls] Ben's Comments on draft-ietf-mpls-sr-o… Adrian Farrel