IETF Logo Mail Archive

Re: [RTG-DIR] [spring] Review of draft-ietf-spring-segment-routing-msdc-03

"Stefano Previdi (sprevidi)" <sprevidi@cisco.com> Tue, 07 March 2017 11:20 UTC

Return-Path: <sprevidi@cisco.com>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C2EF129625; Tue, 7 Mar 2017 03:20:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level:
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D1EbSm9mGn6D; Tue, 7 Mar 2017 03:20:57 -0800 (PST)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71FFE129624; Tue, 7 Mar 2017 03:20:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=12330; q=dns/txt; s=iport; t=1488885657; x=1490095257; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=5yzUkbzR0I5EamRMiIDOE9sX1xawVk/9L/N/AFxP2RI=; b=TIlvlpSybLeBldsKDgtCKrAKDtagTOxHEO9kh38Q8uwLB8TrAHJlYzro K0HfPjWSwqO37b0YF0vH32iTMLZ1STkB/s+rheNLC1/CvNQzQnFSQUASc BqPgvu4xQO0vC5MjaxuJP3+e0efpzq5Dpd7/OfE8hTTFPM0WWpM5rgV3X s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BtAgDHlr5Y/4oNJK1dGQEBAQEBAQEBAQEBBwEBAQEBg1FhgQoHg1iKDJErH5U3gg0fC4UuSgIaggs/GAECAQEBAQEBAWsohRUBAQEDAQEBIREzBwsFCwIBCA4KAgIRFQICAiULFRACBA4FG4lZCA6vI4Imin4BAQEBAQEBAQEBAQEBAQEBAQEBAQEYBYELhUOCBQiBWYEJhD5VgkcugjEFnDABih2IGIF7hSKDVIR0gTqIQ4p3AR84gQNWFT8RAYRCHYFjdYkGgQ0BAQE
X-IronPort-AV: E=Sophos;i="5.35,258,1484006400"; d="scan'208";a="220713306"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 07 Mar 2017 11:20:55 +0000
Received: from XCH-RTP-006.cisco.com (xch-rtp-006.cisco.com [64.101.220.146]) by alln-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id v27BKtN5009684 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 7 Mar 2017 11:20:55 GMT
Received: from xch-rtp-010.cisco.com (64.101.220.150) by XCH-RTP-006.cisco.com (64.101.220.146) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 7 Mar 2017 06:20:54 -0500
Received: from xch-rtp-010.cisco.com ([64.101.220.150]) by XCH-RTP-010.cisco.com ([64.101.220.150]) with mapi id 15.00.1210.000; Tue, 7 Mar 2017 06:20:54 -0500
From: "Stefano Previdi (sprevidi)" <sprevidi@cisco.com>
To: Susan Hares <shares@ndzh.com>
Thread-Topic: [spring] Review of draft-ietf-spring-segment-routing-msdc-03
Thread-Index: AQHSlpZMkMzvhnBme0W79O2wdqWPfqGJkGaA
Date: Tue, 07 Mar 2017 11:20:54 +0000
Message-ID: <DA020A62-FCD9-4299-AB69-1321FCDB7C26@cisco.com>
References: <148881752958.15101.3565092696759250024.idtracker@ietfa.amsl.com>
In-Reply-To: <148881752958.15101.3565092696759250024.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.61.216.167]
Content-Type: text/plain; charset="utf-8"
Content-ID: <A23C7CC0D3732F4D97B4C3DA21EF8E8D@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/zpp_ds06xoOYkydq8b7o_jB38ug>
Cc: "rtg-dir@ietf.org" <rtg-dir@ietf.org>, "spring@ietf.org" <spring@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "draft-ietf-spring-segment-routing-msdc.all@ietf.org" <draft-ietf-spring-segment-routing-msdc.all@ietf.org>
Subject: Re: [RTG-DIR] [spring] Review of draft-ietf-spring-segment-routing-msdc-03
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 11:20:59 -0000

Hi Sue,

thanks for the review. Some comments below.


> On Mar 6, 2017, at 5:25 PM, Susan Hares <shares@ndzh.com> wrote:
> 
> Reviewer: Susan Hares
> Review result: Has Issues
> 
> The RTG-DIR has the categories:  minor concerns or major concerns
> regarding "issues", I wil differentiate my issues by this quality. 
> I also have editorial nits regardign under specified text. 
> 
> Major concerns: 
> 1) The security section is not sufficient for any review by the
> Security area 
> 
> This draft depends on IDR WG draft (ietf-idr-bgp-prefix-sid) that
> defines the BGP Segment attribute.  If this attribute is used with
> IPv6, this simply gives more infromation about a link to a next. 
> However, the combination of this information with the information
> passed using draft-ietf-idr-bgpls-segment-routing-epe-09 that utilizes
> BGP to pass BGP topologies in BGP - requires a better security
> section.  BGP-LS was described to be an "information gathering"
> function handled by a few routers on the edge of the network to obtain
> link-state topology information.  The BGP peers would carry this
> information in a separate informational stream.  With this constraint,
> it was approved by the IESG.   


well, we have now different models that have been deployed and assuming that bgp-ls uses a separate stream is not accurate if we look what’s in the industry.

However, I take your point and I agree that more text in the security section is required in order to emphasize that the model the draft addresses is internal (DC and interconnected DC over a same-administration network).


> draft-ietf-idr-bgpls-segment-routing-epe  expands the initial concept
> of BGP-LS from "information gathering" to a full-routing scheme of BGP
> within BGP for data centers and for data center interconnection to the
> network.


EPE defines a model where the topology of the peering point (not the network, just the peering point) is advertised to an internal server.


>   This extension takes it out of the approved range of the
> BGP-LS.


I don’t know what is the “approved range”. To me, bgp-ls carries topology information. We started with lsdb, then extended to mpls-lsp's, ip tunnels, peering points, and more will come.

The security of bgp-ls doesn’t change. It’s the boundary of the network where bgp-ls is applied that matters.


>  Therefore, the security sections in both the IDR WG drafts
> and this draft need to describe the new threat scenarios and describe
> threat mitigation strategies for deployments.  


I will add more text about the information originated by bgp-ls (or the bgp prefix sid) and how it is intended to be consumed internally to a domain.


> In addition, the information by BGP-LS
> (draft-ietf-idr-bgpls-segment-routing-epe) or in draft-ietf-bgp-sid
> may have privacy issues - so these need to be described the security
> section. 


same here. I will emphasize the deployment model and the security boundaries.


> 2) through-out the text you use words such as "ebgp3107" or BGP 3107
> updates"
> 
> This phrase is inaccurate.  The base RFC3107 support will not provide
> BGP-Prefix support (as supported in bgp-idr-bgp-prefix.   Some texts
> goes on to clarify the addition of the BGP SID Prefix attribute.  It
> would be better to invent a new phrase or term.


I’ll check this out.


> In section 8.1, the authors state:
> "The Prefix Segement is a lightweight extension to the BGP Labelled
> Unicast".  As noted in my #1 major concern, this "hand-waving"
> description either needs to be refined to be accurate.  If the MPLS
> usage only uses the BGP-Prefix label and does not extend to the
> Egress, it is simplier.


the BGP Prefix SID Attribute is just an extension to a 3107 update.


>  However, it is not clear that is what section
> 8.1 is about.   If 8.1 includes the
> draft-ietf-idr-bgpls-segment-routing-epe, then BGP-LS addition does
> have a number of prefixes and rules.   The trade-off between BGP-LS +
> BGP-LS SID (draft-ietf-idr-bgp-sid) handling + BGP LS egress peer
> engineering draft (draft-ietf-idr-bgp-segment-routing-epe) and a
> signalling protocol is more complex than the hand-wave.


Not sure I understand your point but to me the statement: 
“The Prefix Segement is a lightweight extension to the BGP Labelled Unicast”
is correct because the prefix-sid is really just a new attribute. Here we’re just talking protocol extension.

The interaction and combination between prefix-sid and epe is a deployment and operational model that (we agreed above) requires more explanation in terms of security.


>  It may be the
> right choice based on current implementations and management issues,
> but these need to be laid specifically. 
> 
> 3) Why are you defining 2-byte Private Use AS when there are plenty of
> 4-Byte Private Use AS (p. 5). 


well, we just want to be sure we address the worse case where you only have 2 octets.


> 
> This usage increases the confusion regarding 2-byte/4-byte ASN.  IDR
> specifically worked on 4 byte ASN. 


yes but in order to be aligned with 7938 we also take into account 2 octet ASN and the re-usability of these numbers.


> Minor concerns  
> 1) It is not clear what happens in section 4.2.2 and figure 3-5
> 
> What happens if the traffic goes to node 3 instead of node 4 on the
> ECMP path? 
> What happens if the traffic goes to node 8 instead of node 7 on the
> ECMP Path? 
> 
> Is there something missing in the stroy? 


nope. This is plain segment routing. As explained in the draft, assuming that you use the same SRGB (as recommended) a node is known through the same sid value all along the network so ecmp becomes trivial.


> 2) section 4.3 - IBGP Labeled Unicast. 
> 
> The phrase "iBGP3107 reflection with nhop-self" needs to be explicitly
> spelled out as IBGP Route-Reflection with next-hop self.


ok


>  If that is
> not what the authors mean, then it needs to be further spelled out. 
> It is unclear where the central IBGP nodes are that share fully the
> information learned from the three clusters. (nodes:5-8 cluster 1,
> nodes 3-4 cluster 2, nodes 9-10 cluster 3).  
> 
> This section has hints of a solution, but it is miss a great deal. 
> Please upgrade to specific solution.  A diagram might help. 


yes. I’ll check this out. In short (you certainly figured it out) it’s about using iBGP session where each node acts as a RR so to propagate to other iBGP peers (this is what "iBGP reflection” refers to). I agree, it’s probably a bit too cryptic.


> 3) Load Sharing hints (Section 7.1) 
> 
> Elephant flow and mice flows are good descriptions.  Flowlets and VL2
> should either warrant a 1 sentence explanation that actually describes
> these features in a 22 page draft, or be removed.  


We have a reference for them but will add more text.


> 4)  The lack of a manageability or operations section (TBD in version
> -02) - concerns me.  The operational issues may be well known to the
> data centers and devices manufacturers who have implement this
> specification, but this is an interoperability specification for IETF.
> Some manageabilty comments should be included or a BCP pointed to. 


ack.


> Editorial issues: 


I’ll go through all below and update the draft asap.

Thanks.
s.


> 
> #1 - The following 4 abbrevitions need to be initially expanded when
> first used:  CLOs (p.3),  SRGB(p.6), flowlets (p. 14), and VL2 (p.
> 14). 
> 
> #2 - page 7, section 4.2 last paragraph 
> Old/: assuming the IP Addresses, AS and label-index allocation
> previously described, the"
> New/: assuming the IP address with the AS and label-index allocation
> previously described, the" 
> [Comma is optional]
> 
> #3 - page 14, section 7.1 paragraph 4,  /(e.g. spine switch Node1)/  -
> by the diagram it should be node 5-8 or an error.  Please check the
> number 
> 
> #4 - page 17, section 8.2 paragraph 2. 
> 
> Old/
> This is easily accomplished by encapsulating the trafffic either 
> directly at the host or the source ToR node by pushing the BGP-
> Prefix-SID of the destination ToR for intra-DC traffic, or border 
> node for inter-DC or DC-to-outside-world traffic./
> 
> New/
> This is easily accomplished by encapsulating the trafffic either 
> directly at the host or the source ToR node  by pushing  the BGP-
> Prefix-SID of the destination ToR for intra-DC traffic, or
> the BGP-Prefix-SID for the the border node for inter-DC or
> DC-to-outside-world traffic./
> 
> If this is not the correct logic, then you can reword this further. 
> I read it 4 or 5 times. 
> 
> #5 - Adding a diagram to section 4.3 might help your description. 
> 
> 
> _______________________________________________
> spring mailing list
> spring@ietf.org
> https://www.ietf.org/mailman/listinfo/spring

v2.23.0 | Report a Bug | By Email