Re: [mpls] review of draft-shen-mpls-egress-protection-framework

Yimin Shen <> Fri, 01 September 2017 13:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CEA3E132D51 for <>; Fri, 1 Sep 2017 06:31:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.12
X-Spam-Status: No, score=-0.12 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Mad8nzcw2nbA for <>; Fri, 1 Sep 2017 06:31:39 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A7908132E33 for <>; Fri, 1 Sep 2017 06:31:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=hva719mTlxBnLiBivSoiaY3hqZQV6Bd4c6z5KTII5Xk=; b=Er1lPqWMTuB9k7ong5Xp5gZcEmMjudJ3AGQCJkrFeOb+yCQ4EkcNLZbuRI3inz5dODxbIBFEaHiBXCK/wpvnSKUrZoki/gQwdI0DnHNmDR88JDTvP03QzP2prDWNjPhHwjaDsmRQHopKbzW9TMLY+wtZJKwK5LEj7KR4Cgw/MTE=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id; Fri, 1 Sep 2017 13:31:37 +0000
Received: from ([]) by ([]) with mapi id 15.20.0035.005; Fri, 1 Sep 2017 13:31:37 +0000
From: Yimin Shen <>
To: Rolf Winter <>, "" <>
Thread-Topic: [mpls] review of draft-shen-mpls-egress-protection-framework
Thread-Index: AQHTIyaiK3WcV6yJ0k2h4KXOjWbgMQ==
Date: Fri, 01 Sep 2017 13:31:37 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/f.20.0.170309
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN3PR0501MB1203; 6:gbb5HcO5CH++ArJeSDvEBN+9MDZqNngEOWASKnjPSnBKP/1NXpCuf55gQ0R/tKXU7S+PF35hJJXQKNMKGMTjCkdFX9x1xu9fx7yRguMVSfA84aZFbqF/Qmjp9rmCIWfylGmuDq3kr5lchENRT7Wpw0niw2FUswLDvKOWfLHlpvyfDOKid6nb28N4HLp54go3E/IiO4UMZvD75gbSkQCIqKhaP3ldpILLsTjikiBl7BZsJvulmKgb1+xn1Wvot8O6uiMSLU8pAQuImr0UZcWLWbw951ps3WW6RoqV3C+HSog5dk1EMfJsUH14Tbx9h1R8EkfiAbbWmUcwvLcVzZaRIA==; 5:yjOGkhheMGEmRLKKStg9VKj6BbrfmCeYmEW6Ii0+74btTI4nHNBQ2zqMfiSJ6qctri5V6dnI9uGrsy0gGQfMa7LqzwLsmkKlrCXmEBPS2fnS7TyArW4ePNQvk8DJjRDATGJI8HKsjvqmaaykXy8aAA==; 24:Kn+/L8rzt55mSqASekDfNcyDBc8fwTQJaalt33/KuXToinFMU4su99Ry+CZ9H+O3tQExfi0SWj8fRjPFNKjiD8jlYDgNnIiCMEoXZXmchgw=; 7:ckmacxMz5jN+WHr516dpxJkNaCBf3a7DHxBj1+pxQXnrMBSm9z0nHESiTdSHRT99R57URlyimZ6C/kylJMdqORCiIOAoZ/Wq6YI1+LNtV9KHfVQEwdHd4Z1xTFdd6JTa3ONEsJMevLohUHKzMSEdAWmUXVuZJFf54vY9W5jq+lZEu7qJv5ol7VUimwzmQL1KgrqJj7EaN7RfS7n7RUhc5DDSMjTuCogPL7QxJNvQHpI=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 1504fb58-f59e-456b-2885-08d4f13dc596
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(48565401081)(300000503095)(300135400095)(2017052603199)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BN3PR0501MB1203;
x-ms-traffictypediagnostic: BN3PR0501MB1203:
x-exchange-antispam-report-test: UriScan:(192374486261705)(788757137089)(21748063052155);
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(100000703101)(100105400095)(93006095)(93001095)(6055026)(6041248)(20161123555025)(20161123558100)(20161123560025)(20161123564025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BN3PR0501MB1203; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BN3PR0501MB1203;
x-forefront-prvs: 0417A3FFD2
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39860400002)(189002)(199003)(377454003)(36756003)(81166006)(7736002)(83716003)(68736007)(54896002)(8936002)(101416001)(478600001)(6306002)(966005)(2501003)(5660300001)(8676002)(14454004)(6436002)(229853002)(6116002)(6486002)(102836003)(77096006)(83506001)(81156014)(3846002)(6246003)(6506006)(2900100001)(9326002)(97736004)(53936002)(33656002)(53546010)(4001350100001)(2906002)(25786009)(230783001)(66066001)(106356001)(189998001)(105586002)(3280700002)(54356999)(86362001)(3660700001)(99286003)(82746002)(50986999)(6512007); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0501MB1203;; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_B19FF9BBB73D4109A7325FA76D48DDFBjunipernet_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Sep 2017 13:31:37.5083 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0501MB1203
Archived-At: <>
Subject: Re: [mpls] review of draft-shen-mpls-egress-protection-framework
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multi-Protocol Label Switching WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 01 Sep 2017 13:31:43 -0000

Hi Rolf,

Again, thanks very much for your detailed review and great comments! Please see inline for our clarification and responses. We shall address the comments in the next revision. Thanks for helping us improve the clarity and quality of the draft.

Best regards,

-- Yimin Shen
Juniper Networks

From: mpls <> on behalf of Rolf Winter <>
Date: Sunday, August 13, 2017 at 11:39 AM
To: "" <>
Subject: [mpls] review of draft-shen-mpls-egress-protection-framework


I have reviewed draft-shen-mpls-egress-protection-framework and have a few comments:

Larger editorial things:

None of the requirements in section 4 have a requirements language MUSTs. Is that by intention and if yes, why?

[yshen] This section of “Requirements” describes what we considered as the requirements in designing the mechanism, rather than the requirements which the draft raises for implementation of this draft. Therefore, we are not using MUSTs. We can clarify this.

You write "The framework must be based on local failure detection and local repair". But you have specified it that way. Why spell it out as a requirement? It is like saying MPLS must use labels, and then you specify it to use labels in the same document and surprise... it fulfills the requirement.

[yshen] This does sounds redundant. We will remove it.

It is unclear how you guarantee this requirement: "It must accommodate existing and future signaling and label-distribution protocols of tunnels and bypass tunnels". In particular the future ones seems an interesting claim. You state something similar in the introduction.

[yshen] As you can see, when talking services, this draft doesn’t refer to any specific type of service. Instead, it talks about services generically, by modeling each service as an entity consisting of a common set of pieces, including service instance(s), service label, service label distribution protocol, service transport tunnel, etc. This generic service model has been used for all existing services, and hence we believe future services will continue to conform to this model as well. We can add text to clarify this assumption.

It is also unclear how you fulfill some of the other requirements. E.g. you say as a requirement: "be transparent to ingress routers". But the ingress is involved e.g. you say "The ingress router uses the context ID as destination to establish or resolve an egress-protected tunnel. The ingress router then maps the service to the tunnel for transportation". Not sure this counts as transparent.

[yshen] Yes, we need to clarify this. When doing the above, the ingress router is not aware of the special semantics of the context ID. It only views the context ID as an IP address of the remote peer (received in service advertisement). IOW, it behaves in the same manner as resolving a regular transport tunnel, although the end result will be an egress-protected tunnel. From that perspective, egress protection is transparent to it.

I also feel some requirements are missing. E.g. dual-homing of the site to two routers of the MPLS network, which received at least a MUST in 5.14.

[yshen] Will consider this suggestion.

Much of section 5 (at least the first few subsections) feels like an extended version of the terminology section and repetition. Maybe some text can be shortened.

 [yshen] Will consider shortening the terminology section. It is intended to help readers understand the main sections.

Minor editorial things:

[yshen] We will incorporate the suggestions below.


s/to ultimate service destination(s)./to the ultimate service destination(s)./
s/service label distribution to protector/service label distribution to the protector/

1. Intro

s/based on IP destination address/based on the destination IP address/
s/the router (aka.  PLR, i.e. point of local repair) upstream adjacent to an anticipated failure/the router upstream to an anticipated failure (aka.  PLR, i.e. point of local repair)/
s/the router (aka.  MP, i.e. merge point) downstream of the failure/the router downstream of the failure (aka.  MP, i.e. merge point)/

3. Terminology

s/A node failure of an egress router./A failure of an egress router./
TBD protector
s/A router at point of local repair/A router at the point of local repair/
s/The scenario where protector/The scenario where a protector/

4. Requirements

s/should only involve routers around egress/should only involve routers close to the egress/
s/for scalability and performance,/for scalability and performance reasons,/
s/ be agnostic with/ be agnostic to/ (search replace this... comes up a few times)
s/or TE topology to compute or resolve path for/or the TE topology to compute or resolve a path for/

5.2 Egress node failure

s/At service level,/At the service level,/
s/or distinguish between a link/or to distinguish between a link/

5.4 Protected egress

s/multiple protected egress'/multiple protected egresses/
s/two distinct protected egress/two distinct protected egresses/


s/in routing domain and TE domain/in the routing domain and the TE domain/ (this appears multiple times in the document)


s/for context ID is done on/for a context ID is done on/ (same in the title)
s/E and P must coordinate in IGP advertisement for the context ID in routing domain and TE domain./E and P must coordinate the context ID in the routing domain and the TE domain via IGP advertisements. /
s/but not PLR/but not the PLR/
s/requires P and PLR/requires P and the PLR/


s/ of egress-protected tunnel/of the egress-protected tunnel/
s/of egress protection schema/of the egress protection schema/
You should not use [1] for enumerations and lists, as the square brackets are used for references.

[yshen] Yes, that is good point.


s/agnostic with/agnostic to/
s/services labels/service labels/
s/on per-service basis/on a per-service basis/


s/be a session of service label distribution protocol/be a service label distribution protocol session/
This SHOULD: "extensions SHOULD be specified in separate documents" seems weird. A) because you already mentioned that without the requirements language and B) if you do not specify them, where else would such extensions be specified. At least make it a "should".

[yshen]  Agreed.


s/is the number of/is equal to the number of/
"{egress router, protector}" diverts from the previous nomenclature. Any particular reason for this?

[yshen] Good catch! Will fix them.


You should use the IP prefixes set aside for documentation in your document (see

[yshen] Will do. Thanks for pointing it out.


The first paragraph does not make much sense as part of the security considerations section. The second should maybe recommend to use the available security measures.

[yshen] We can rephrase the 1st paragraph. What we intended to say was that traffic rerouting should not introduce any security concerns.