Re: [OPSAWG] Martin Duke's Discuss on draft-ietf-opsawg-l3sm-l3nm-11: (with DISCUSS)

[mohamed.boucadair@orange.com]

Hi Michael,

Thank you for the follow-up. 

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Scharf, Michael [mailto:Michael.Scharf@hs-esslingen.de]
> Envoyé : mercredi 22 septembre 2021 17:38
> À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>; Martin
> Duke <martin.h.duke@gmail.com>; The IESG <iesg@ietf.org>
> Cc : draft-ietf-opsawg-l3sm-l3nm@ietf.org; opsawg@ietf.org; opsawg-
> chairs@ietf.org
> Objet : RE: Martin Duke's Discuss on draft-ietf-opsawg-l3sm-l3nm-11:
> (with DISCUSS)
> 
> Hi Med,
> 
> Thanks for the useful references. More inline.
> 
> > -----Original Message-----
> > From: mohamed.boucadair@orange.com
> > <mohamed.boucadair@orange.com>
> > Sent: Tuesday, September 21, 2021 2:56 PM
> > To: Scharf, Michael <Michael.Scharf@hs-esslingen.de>; Martin Duke
> > <martin.h.duke@gmail.com>; The IESG <iesg@ietf.org>
> > Cc: draft-ietf-opsawg-l3sm-l3nm@ietf.org; opsawg@ietf.org; opsawg-
> > chairs@ietf.org
> > Subject: RE: Martin Duke's Discuss on draft-ietf-opsawg-l3sm-l3nm-11:
> > (with
> > DISCUSS)
> >
> > Hi Michael,
> >
> > Please see inline.
> >
> > Cheers,
> > Med
> >
> > > -----Message d'origine-----
> > > De : Scharf, Michael [mailto:Michael.Scharf@hs-esslingen.de]
> > > Envoyé : lundi 20 septembre 2021 12:05 À : BOUCADAIR Mohamed
> > > INNOV/NET
> > <mohamed.boucadair@orange.com>; Martin
> > > Duke <martin.h.duke@gmail.com>; The IESG <iesg@ietf.org> Cc :
> > > draft-ietf-opsawg-l3sm-l3nm@ietf.org; opsawg@ietf.org; opsawg-
> > > chairs@ietf.org Objet : RE: Martin Duke's Discuss on
> > > draft-ietf-opsawg-l3sm-l3nm-11:
> > > (with DISCUSS)
> > >
> > > Hi Med,
> > >
> > > What happens if PEs and CEs are both under operator control? In that
> > > case, the customer-facing L3SM model may not need any TCP-AO
> > > configuration.
> > >
> > > However, in that case, TCP-AO may need to be configured on the PEs
> > > and the "send-id" and "receive-id" values must be consistent with
> > > the CEs, no?
> >
> > [[Med]] Agree.
> >
> >  If the PE configuration is done by L3NM, the "send-id" and "receive-
> > > id" must be part of L3NM model, no?
> >
> > [[Med]] Not necessarily. See below.
> >
> >  If not, how would the TCP-AO
> > > provisioning on CEs and PEs work?
> >
> > [[Med]] The assumption we had for this version of the module is that
> > send-id and recv-id are pre-configured while only the key reference is
> > manipulated in the L3NM. Some of the implementations separate the
> > TCP-AO configuration from the invocation in context of a particular
> > protocol, e.g.,
> >
> > *
> > https://www.juniper.net/documentation/en_US/junos/topics/reference/g
> > eneral/release-notes/20.3/infocus-topicmaps/tcp-authentication-option-
> > map-infocus.html
> > * https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/bgp/72x/b-bgp-
> > cg-ncs5500-72x/implementing-master-key-tuple-
> > configuration.html#id_77361
> 
> Good references. As far as I can see, in those two cases the send-id and
> recv-id are modelled in the key-chain and therefore configurable as part
> of the key-chain. With such a key-chain, your assumption would work.

[[Med]] Great. 

> 
> However, draft-ietf-opsawg-l3sm-l3nm-11 references to the key-chain from
> RFC 8177. Unlike in those two previous examples, I don't understand how
> one would encode send-id and recv-id in the RFC 8177 model.
> 
> So, my reading is that draft-ietf-opsawg-l3sm-l3nm-11 assumes that the
> referenced key-chain includes additional entries beyond RFC 8177, such
> as send-id and recv-id.
> 
> If that assumption is correct, IMHO the document draft-ietf-opsawg-l3sm-
> l3nm has to highlight that additions to the key-chain model beyond RFC
> 8177 may be required for TCP-AO to work.

[[Med]] Agree. 

> 
> > We can add a note about it you think this helps. Thank you.
> 
> If the document assumes additions to RFC 8177, this must be noted, IMHO.

[[Med]] Added this NEW text: 

      This version of the L3NM assumes that TCP-AO specific parameters
      are preconfigured as part of the key-chain that is referenced in
      the L3NM.  No assumption is made about how such a key-chain is
      pre-configured.  However, the structure of the key-chain should
      cover data nodes beyond those in [RFC8177], mainly SendID and
      RecvID (Section 3.1 of [RFC5925]).

Do we need to say more? Thanks.

> 
> Of course, an alternative would be just to import draft-ietf-tcpm-yang-
> tcp, which models the relevant entries, but that will be your call.

[[Med]] Thanks, but I prefer to not import this module for this version. This can be done in future augmentations when hopefully tcp-yang will be published as an RFC.  

> 
> Michael
> 


_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.