Re: [Pce] Benjamin Kaduk's No Objection on draft-ietf-pce-segment-routing-14: (with COMMENT)
Jonathan Hardwick <Jonathan.Hardwick@metaswitch.com> Fri, 21 December 2018 16:59 UTC
Return-Path: <Jonathan.Hardwick@metaswitch.com>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71798130DFE; Fri, 21 Dec 2018 08:59:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=metaswitch.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7yq-ShOMXUbM; Fri, 21 Dec 2018 08:59:30 -0800 (PST)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-eopbgr790134.outbound.protection.outlook.com [40.107.79.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D95B12894E; Fri, 21 Dec 2018 08:59:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=metaswitch.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2uMqUMmy+Q1+n5D+wMlWUBAMrmG5Y8TEOndIYt58MgE=; b=ZmdI+nWtyE/NSTKMeQeQ++nsAYHaQBarXxyMx28psuT7kpS9CGT+HlQ7M1NLxIHe5g6MVp9jc6xaf7GkeoU4E5jZIw/66lXH7qUOUjt51sgETiZcY/BpV1Lko7Rdi74JIIE0MTSpORhNjgIU8sH+J0HyC+gpOQ4AQaI1jybSPRM=
Received: from BL0PR02MB4868.namprd02.prod.outlook.com (52.132.14.77) by BL0PR02MB3649.namprd02.prod.outlook.com (52.132.8.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1446.17; Fri, 21 Dec 2018 16:59:28 +0000
Received: from BL0PR02MB4868.namprd02.prod.outlook.com ([fe80::f847:bd2:c3c4:e1a3]) by BL0PR02MB4868.namprd02.prod.outlook.com ([fe80::f847:bd2:c3c4:e1a3%3]) with mapi id 15.20.1425.026; Fri, 21 Dec 2018 16:59:28 +0000
From: Jonathan Hardwick <Jonathan.Hardwick@metaswitch.com>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
CC: "draft-ietf-pce-segment-routing@ietf.org" <draft-ietf-pce-segment-routing@ietf.org>, Dhruv Dhody <dhruv.ietf@gmail.com>, "pce-chairs@ietf.org" <pce-chairs@ietf.org>, "dhruv.ietf@gmail.com" <dhruv.ietf@gmail.com>, "pce@ietf.org" <pce@ietf.org>
Thread-Topic: Benjamin Kaduk's No Objection on draft-ietf-pce-segment-routing-14: (with COMMENT)
Thread-Index: AQHUiQQzmSqj5oLIbUKPiu99QbcTX6WJhE0w
Date: Fri, 21 Dec 2018 16:59:28 +0000
Message-ID: <BL0PR02MB4868D21341B671EEB1E34E7084B80@BL0PR02MB4868.namprd02.prod.outlook.com>
References: <154362042021.27428.14843328031369141534.idtracker@ietfa.amsl.com>
In-Reply-To: <154362042021.27428.14843328031369141534.idtracker@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Jonathan.Hardwick@metaswitch.com;
x-originating-ip: [109.145.33.69]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BL0PR02MB3649; 6:bytaTpazW4si+8TENAw8KMiWYg2IggpM+1TGKu8trpZrqxpOJ4v6hQq/GHw+SVLHXe2Htvs1W8CGzOPp82WxBLINNL6PaGWQimd/I3Zf0z1ro9w7cz+su0tCGONEk4lM1Fv11D8QvIzpU8rfU7iKqfNzF4HzDmpK0wuTNPZPBC0IB080fJefcTV5ilIWyCuKM23R2UEZK9SinTzx7YNjiUFIIyGU97u3QuJTrO+ZH2qi45VQR2jNd2nl0ceJ3f3ZqxWDe6/Pw0H0x3nkKMP2LkMj5FtMs4Jiq5hDI64gK8CP1WBha+sdLsi/LSz60BzTLqqiQSKCBtJ+SDtyOoJuqIdton+rPfP9mt+oTy7A2+uGQilSsQ3shhy2l5isHzgbfXis1+3rGDUSpG1X2uQ4vXweNNcZcsOx7iIPIN6clJAc2xDPuOa+Ypohz0oHOukDF+MfZevtlXJBuGDm010siQ==; 5:yp2Fbs5QqvyIZAc1Olf/rnOFPmNR+cJD1vRNBWjwFYLVTFXdumflYQPHY/3NL8lL83ZxQr+WTzyXCG7RuP5eahdXOVjD505YP87NdEEc0Rth/FK4lUxkVH1lsTuyKXUlJ6754yW/rJthjKnFtK1hEoEgzAo3M8hidOTU6gkAr9o=; 7:u2OdXEJ+G8DVt8y8Kqtuz4cgz7I1Q44OgQLDeqQplcBYBVD9uhOC/WfwuVJqT6YcPSPgTFIHqCSa7W95oaFpMQxOxwvRwNMqrhp2hkgfhUu/eevrGVVWkzgbyOHoAXMAuJ0WnDTttzuL0FqZ5dVZ7Q==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: a843bae3-6a14-4001-70b4-08d66765ab7d
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:BL0PR02MB3649;
x-ms-traffictypediagnostic: BL0PR02MB3649:
x-microsoft-antispam-prvs: <BL0PR02MB3649DD9EE2187787776CB94D84B80@BL0PR02MB3649.namprd02.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(3230021)(999002)(5005026)(6040522)(2401047)(8121501046)(3231475)(944501520)(52105112)(93006095)(93001095)(10201501046)(3002001)(149066)(150057)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123564045)(20161123558120)(20161123560045)(201708071742011)(7699051)(76991095); SRVR:BL0PR02MB3649; BCL:0; PCL:0; RULEID:; SRVR:BL0PR02MB3649;
x-forefront-prvs: 0893636978
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(396003)(366004)(376002)(39850400004)(346002)(199004)(189003)(76176011)(74316002)(54906003)(5660300001)(68736007)(81166006)(8676002)(81156014)(2906002)(305945005)(7736002)(33656002)(66574012)(8936002)(55016002)(2171002)(39060400002)(53936002)(6246003)(6306002)(4326008)(9686003)(106356001)(97736004)(105586002)(72206003)(966005)(478600001)(476003)(486006)(99286004)(6506007)(11346002)(446003)(26005)(14454004)(186003)(3846002)(102836004)(6116002)(229853002)(86362001)(316002)(6436002)(7696005)(110136005)(71200400001)(71190400001)(14444005)(66066001)(256004)(25786009); DIR:OUT; SFP:1102; SCL:1; SRVR:BL0PR02MB3649; H:BL0PR02MB4868.namprd02.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: metaswitch.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: kBI3ECfgNo7dUjXJd8nYxjAoYzpfMpjfDKV/ku8mh4slC+Kp+59f7dEMK6zUDmf+0niaCIxBSCh0wkXSwaIbSSISqq4JnWfhHBQjUVVmROOnxsPAaASvjwYaZM9SrM70bHxYComnVQmSCmgIm01WUccVBkI9Ce8L+UZHZoKMQT+3D977kemQdSmQ9hsF4zDEDiZ4dFmfV2rTFSlWTHQxuhDvA+9nWEqGqxWCNvsC3RQMoS/RHOW4dBDbglIAydXWem7GPX3oC4OPz80x5laB5JE+LCopGeqFB0qLcuKs/owtEjQ6nd2hZNjFTpJ96Y5B
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: metaswitch.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a843bae3-6a14-4001-70b4-08d66765ab7d
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Dec 2018 16:59:28.4580 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9d9e56eb-f613-4ddb-b27b-bfcdf14b2cdb
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR02MB3649
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/yLCbzYGB2YovFRPi9TlDfawgPYA>
Subject: Re: [Pce] Benjamin Kaduk's No Objection on draft-ietf-pce-segment-routing-14: (with COMMENT)
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Dec 2018 16:59:34 -0000
Hi Benjamin
Sorry for the delayed response. Please find replies to your comments below.
Best regards
Jon
Abstract
This document specifies extensions to the Path
Computation Element Communication Protocol (PCEP) that allow a
stateful PCE to compute and initiate Traffic Engineering (TE) paths,
as well as a PCC to request a path subject to certain constraints and
optimization criteria in SR networks.
Why are we talking about TE paths now instead of SR?
[Jon] TE is the primary application for SR paths instantiated by a PCE.
Section 1
Several types of segment are defined. A node segment represents an
ECMP-aware shortest-path to a specific node, and is always identified
uniquely within the SR/IGP domain. [...]
A path to a node is only going to be unique if the starting node is also included, is it not?
[Jon] I suggest we reword this to make it clearer:
OLD
A node segment represents an
ECMP-aware shortest-path to a specific node, and is always identified
uniquely within the SR/IGP domain.
NEW
A node segment uniquely identifies a specific node in the SR domain.
Each router in the SR domain associates a node segment with an
ECMP-aware shortest path to the node that it identifies.
END
Section 3
The sentences:
In an SR network, the ingress node of an SR path prepends an SR
header to all outgoing packets. The SR header consists of a list of
SIDs (or MPLS labels in the context of this document).
Appear virtually unchanged in both the start of the first paragraph and the middle of the second paragraph; is this duplication really needed?
[Jon] No - we'll remove the redundant text.
A PCC MAY include an RRO containing the recorded LSP in PCReq and
PCRpt messages as specified in [RFC5440] and [RFC8231], respectively.
This document defines a new RRO subobject for SR networks. The
methods used by a PCC to record the SR-TE LSP are outside the scope
of this document.
It's not entirely clear that we need to define a standard container to carry site-local data when a site-local container could also be used.
[Jon] Sorry, I don't understand your comment. The RRO is an existing PCEP object whose subobjects are used to describe the actual path taken by an LSP. We are adding subobjects to represent SIDs.
Section 5.2
Please expand SRP (and RP, for that matter) on first usage.
(Interestingly, https://www.rfc-editor.org/materials/abbrev.expansion.txt
does not seem to have the correct expansion for this usage.)
[Jon] Will do.
Section 5.3.1
* C: If the M bit and the C bit are both set to 1, then the TC,
S, and TTL fields in the MPLS label stack entry are specified
by the PCE. However, a PCC MAY choose to override these values
according its local policy and MPLS forwarding rules. If the M
bit is set to 1 but the C bit is set to zero, then the TC, S,
and TTL fields MUST be ignored by the PCC. The PCC MUST set
these fields according to its local policy and MPLS forwarding
rules. [...]
Must be ignored in incoming messages received from where?
[Jon] There are two types of entity in PCEP - PCC (client) and PCE (server). In any exchange of messages, one speaker takes the role of PCC and the other PCE. Thus, "MUST be ignored by the PCC" implies that the messages are coming from the PCE.
Isn't the 'F' bit fully redundant with NT?
[Jon] The F bit determines whether NAI is appended, or not. NT gives the type of the NAI that is appended. The NT field has no meaning if F=0.
Section 5.3.2
Do we need to say anything about which node is the reference point for evaluating "local" and "remote" w.r.t. IP addresses? (Maybe we don't, since these are always unidirectional adjacencies, right?)
[Jon] Effectively, yes. An adjacency SID is always given within the context of a particular node - it is meaningful only on that node. So "local" and "remote" are defined by that context.
Section 6.1
If a PCC sets the N flag to 1, then the PCE MAY send an SR-ERO
subobject containing NAI and no SID (see Section 6.2). Otherwise,
the PCE MUST NOT send an SR-ERO subobject containing NAI and no SID.
Sets the N flag in what message?
[Jon] This section is discussing capability exchange on the Open message.
If a PCE receives an
SR-PCE-CAPABILITY sub-TLV with the L flag set to 1 then it MUST
ignore the MSD field and MUST assume that the sender can impose a SID
stack of any depth. [...]
nit: this second MUST seems like overkill; "and assumes" would probably work fine. (Similarly for the following case.)
[Jon] OK
It's interesting that the routing protocols' MSD value supersedes the PCE-obtained one, given that all three (IS-IS, OSPF, and BGP-LS) documents have text to the effect of "PCEP provides a way to get this, but if PCEP is not used you can use our thing", which a naive reader would take to mean that PCEP is intended to be the primary distribution mechanism.
[Jon] Probably needs to be fixed in the other documents. PCEP is a fairly blunt tool for specifying the MSD, which it can only do per node. The IGPs can do better by specifying the MSD per network interface.
Section 7
Is there some history regarding making it MUST-level mandatory to treat top-level SR-CAPABILITY-TLV in OPEN for backwards-compatibility (as opposed to SHOULD-level but leaving open the option of a strict implementation)?
(The guidance for what to do when both forms appear seems good to have at MUST-level, to me.)
[Jon] The impact of not doing this is that you might not interoperate with a currently fielded implementation, which seemed serious enough to me for a MUST to apply. But I am open to discussion if you feel otherwise.
Section 9
RFC 8281's security considerations incorporate those of RFC 8231 by reference; we could save the reader a step and also mention it at the toplevel here.
[Jon] OK
I don't think it's a good idea to just refer to "the security mechanisms of [RFC 5440] and [RFC8281]", since there are qualitative differences between the TCP authentication schemes and the full-on encryption provided by TLS and IPsec. (Also, what exactly are the security mechanisms of RFC8281 supposed to be -- a quick look only sees the new guidance to apply resource
limits?) The second paragraph only requires integrity protection to avoid the vulnerability mentioned there, but the third paragraph requires confidentiality protection to preent the attack.
[Jon] RFC 8281 pulls in RFC 8231 in its security section, as you note above. RFC 8231 says
As a general precaution, it is RECOMMENDED that these PCEP extensions
only be activated on authenticated and encrypted sessions across PCEs
and PCCs belonging to the same administrative authority, using
Transport Layer Security (TLS) [PCEPS], as per the recommendations
and best current practices in [RFC7525].
Section 10.6
RFC 8408 does not "request" the creation of the registry; IANA has already created the registry. I would just say "[RFC8408] created a sub-registry [...]" but the smaller change to "requested" would be okay, too.
[Jon] OK.
- [Pce] Benjamin Kaduk's No Objection on draft-ietf… Benjamin Kaduk
- Re: [Pce] Benjamin Kaduk's No Objection on draft-… Jonathan Hardwick
- Re: [Pce] Benjamin Kaduk's No Objection on draft-… Benjamin Kaduk
- Re: [Pce] Benjamin Kaduk's No Objection on draft-… Jeff Tantsura
- Re: [Pce] Benjamin Kaduk's No Objection on draft-… Jonathan Hardwick
- Re: [Pce] Benjamin Kaduk's No Objection on draft-… Benjamin Kaduk