Re: [RTG-DIR] [spring] Review of draft-ietf-spring-segment-routing-msdc-03
"Stefano Previdi (sprevidi)" <sprevidi@cisco.com> Tue, 07 March 2017 11:20 UTC
Return-Path: <sprevidi@cisco.com>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C2EF129625; Tue, 7 Mar 2017 03:20:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level:
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D1EbSm9mGn6D; Tue, 7 Mar 2017 03:20:57 -0800 (PST)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71FFE129624; Tue, 7 Mar 2017 03:20:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=12330; q=dns/txt; s=iport; t=1488885657; x=1490095257; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=5yzUkbzR0I5EamRMiIDOE9sX1xawVk/9L/N/AFxP2RI=; b=TIlvlpSybLeBldsKDgtCKrAKDtagTOxHEO9kh38Q8uwLB8TrAHJlYzro K0HfPjWSwqO37b0YF0vH32iTMLZ1STkB/s+rheNLC1/CvNQzQnFSQUASc BqPgvu4xQO0vC5MjaxuJP3+e0efpzq5Dpd7/OfE8hTTFPM0WWpM5rgV3X s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BtAgDHlr5Y/4oNJK1dGQEBAQEBAQEBAQEBBwEBAQEBg1FhgQoHg1iKDJErH5U3gg0fC4UuSgIaggs/GAECAQEBAQEBAWsohRUBAQEDAQEBIREzBwsFCwIBCA4KAgIRFQICAiULFRACBA4FG4lZCA6vI4Imin4BAQEBAQEBAQEBAQEBAQEBAQEBAQEYBYELhUOCBQiBWYEJhD5VgkcugjEFnDABih2IGIF7hSKDVIR0gTqIQ4p3AR84gQNWFT8RAYRCHYFjdYkGgQ0BAQE
X-IronPort-AV: E=Sophos;i="5.35,258,1484006400"; d="scan'208";a="220713306"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 07 Mar 2017 11:20:55 +0000
Received: from XCH-RTP-006.cisco.com (xch-rtp-006.cisco.com [64.101.220.146]) by alln-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id v27BKtN5009684 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 7 Mar 2017 11:20:55 GMT
Received: from xch-rtp-010.cisco.com (64.101.220.150) by XCH-RTP-006.cisco.com (64.101.220.146) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 7 Mar 2017 06:20:54 -0500
Received: from xch-rtp-010.cisco.com ([64.101.220.150]) by XCH-RTP-010.cisco.com ([64.101.220.150]) with mapi id 15.00.1210.000; Tue, 7 Mar 2017 06:20:54 -0500
From: "Stefano Previdi (sprevidi)" <sprevidi@cisco.com>
To: Susan Hares <shares@ndzh.com>
Thread-Topic: [spring] Review of draft-ietf-spring-segment-routing-msdc-03
Thread-Index: AQHSlpZMkMzvhnBme0W79O2wdqWPfqGJkGaA
Date: Tue, 07 Mar 2017 11:20:54 +0000
Message-ID: <DA020A62-FCD9-4299-AB69-1321FCDB7C26@cisco.com>
References: <148881752958.15101.3565092696759250024.idtracker@ietfa.amsl.com>
In-Reply-To: <148881752958.15101.3565092696759250024.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.61.216.167]
Content-Type: text/plain; charset="utf-8"
Content-ID: <A23C7CC0D3732F4D97B4C3DA21EF8E8D@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/zpp_ds06xoOYkydq8b7o_jB38ug>
Cc: "rtg-dir@ietf.org" <rtg-dir@ietf.org>, "spring@ietf.org" <spring@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "draft-ietf-spring-segment-routing-msdc.all@ietf.org" <draft-ietf-spring-segment-routing-msdc.all@ietf.org>
Subject: Re: [RTG-DIR] [spring] Review of draft-ietf-spring-segment-routing-msdc-03
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 11:20:59 -0000
Hi Sue, thanks for the review. Some comments below. > On Mar 6, 2017, at 5:25 PM, Susan Hares <shares@ndzh.com> wrote: > > Reviewer: Susan Hares > Review result: Has Issues > > The RTG-DIR has the categories: minor concerns or major concerns > regarding "issues", I wil differentiate my issues by this quality. > I also have editorial nits regardign under specified text. > > Major concerns: > 1) The security section is not sufficient for any review by the > Security area > > This draft depends on IDR WG draft (ietf-idr-bgp-prefix-sid) that > defines the BGP Segment attribute. If this attribute is used with > IPv6, this simply gives more infromation about a link to a next. > However, the combination of this information with the information > passed using draft-ietf-idr-bgpls-segment-routing-epe-09 that utilizes > BGP to pass BGP topologies in BGP - requires a better security > section. BGP-LS was described to be an "information gathering" > function handled by a few routers on the edge of the network to obtain > link-state topology information. The BGP peers would carry this > information in a separate informational stream. With this constraint, > it was approved by the IESG. well, we have now different models that have been deployed and assuming that bgp-ls uses a separate stream is not accurate if we look what’s in the industry. However, I take your point and I agree that more text in the security section is required in order to emphasize that the model the draft addresses is internal (DC and interconnected DC over a same-administration network). > draft-ietf-idr-bgpls-segment-routing-epe expands the initial concept > of BGP-LS from "information gathering" to a full-routing scheme of BGP > within BGP for data centers and for data center interconnection to the > network. EPE defines a model where the topology of the peering point (not the network, just the peering point) is advertised to an internal server. > This extension takes it out of the approved range of the > BGP-LS. I don’t know what is the “approved range”. To me, bgp-ls carries topology information. We started with lsdb, then extended to mpls-lsp's, ip tunnels, peering points, and more will come. The security of bgp-ls doesn’t change. It’s the boundary of the network where bgp-ls is applied that matters. > Therefore, the security sections in both the IDR WG drafts > and this draft need to describe the new threat scenarios and describe > threat mitigation strategies for deployments. I will add more text about the information originated by bgp-ls (or the bgp prefix sid) and how it is intended to be consumed internally to a domain. > In addition, the information by BGP-LS > (draft-ietf-idr-bgpls-segment-routing-epe) or in draft-ietf-bgp-sid > may have privacy issues - so these need to be described the security > section. same here. I will emphasize the deployment model and the security boundaries. > 2) through-out the text you use words such as "ebgp3107" or BGP 3107 > updates" > > This phrase is inaccurate. The base RFC3107 support will not provide > BGP-Prefix support (as supported in bgp-idr-bgp-prefix. Some texts > goes on to clarify the addition of the BGP SID Prefix attribute. It > would be better to invent a new phrase or term. I’ll check this out. > In section 8.1, the authors state: > "The Prefix Segement is a lightweight extension to the BGP Labelled > Unicast". As noted in my #1 major concern, this "hand-waving" > description either needs to be refined to be accurate. If the MPLS > usage only uses the BGP-Prefix label and does not extend to the > Egress, it is simplier. the BGP Prefix SID Attribute is just an extension to a 3107 update. > However, it is not clear that is what section > 8.1 is about. If 8.1 includes the > draft-ietf-idr-bgpls-segment-routing-epe, then BGP-LS addition does > have a number of prefixes and rules. The trade-off between BGP-LS + > BGP-LS SID (draft-ietf-idr-bgp-sid) handling + BGP LS egress peer > engineering draft (draft-ietf-idr-bgp-segment-routing-epe) and a > signalling protocol is more complex than the hand-wave. Not sure I understand your point but to me the statement: “The Prefix Segement is a lightweight extension to the BGP Labelled Unicast” is correct because the prefix-sid is really just a new attribute. Here we’re just talking protocol extension. The interaction and combination between prefix-sid and epe is a deployment and operational model that (we agreed above) requires more explanation in terms of security. > It may be the > right choice based on current implementations and management issues, > but these need to be laid specifically. > > 3) Why are you defining 2-byte Private Use AS when there are plenty of > 4-Byte Private Use AS (p. 5). well, we just want to be sure we address the worse case where you only have 2 octets. > > This usage increases the confusion regarding 2-byte/4-byte ASN. IDR > specifically worked on 4 byte ASN. yes but in order to be aligned with 7938 we also take into account 2 octet ASN and the re-usability of these numbers. > Minor concerns > 1) It is not clear what happens in section 4.2.2 and figure 3-5 > > What happens if the traffic goes to node 3 instead of node 4 on the > ECMP path? > What happens if the traffic goes to node 8 instead of node 7 on the > ECMP Path? > > Is there something missing in the stroy? nope. This is plain segment routing. As explained in the draft, assuming that you use the same SRGB (as recommended) a node is known through the same sid value all along the network so ecmp becomes trivial. > 2) section 4.3 - IBGP Labeled Unicast. > > The phrase "iBGP3107 reflection with nhop-self" needs to be explicitly > spelled out as IBGP Route-Reflection with next-hop self. ok > If that is > not what the authors mean, then it needs to be further spelled out. > It is unclear where the central IBGP nodes are that share fully the > information learned from the three clusters. (nodes:5-8 cluster 1, > nodes 3-4 cluster 2, nodes 9-10 cluster 3). > > This section has hints of a solution, but it is miss a great deal. > Please upgrade to specific solution. A diagram might help. yes. I’ll check this out. In short (you certainly figured it out) it’s about using iBGP session where each node acts as a RR so to propagate to other iBGP peers (this is what "iBGP reflection” refers to). I agree, it’s probably a bit too cryptic. > 3) Load Sharing hints (Section 7.1) > > Elephant flow and mice flows are good descriptions. Flowlets and VL2 > should either warrant a 1 sentence explanation that actually describes > these features in a 22 page draft, or be removed. We have a reference for them but will add more text. > 4) The lack of a manageability or operations section (TBD in version > -02) - concerns me. The operational issues may be well known to the > data centers and devices manufacturers who have implement this > specification, but this is an interoperability specification for IETF. > Some manageabilty comments should be included or a BCP pointed to. ack. > Editorial issues: I’ll go through all below and update the draft asap. Thanks. s. > > #1 - The following 4 abbrevitions need to be initially expanded when > first used: CLOs (p.3), SRGB(p.6), flowlets (p. 14), and VL2 (p. > 14). > > #2 - page 7, section 4.2 last paragraph > Old/: assuming the IP Addresses, AS and label-index allocation > previously described, the" > New/: assuming the IP address with the AS and label-index allocation > previously described, the" > [Comma is optional] > > #3 - page 14, section 7.1 paragraph 4, /(e.g. spine switch Node1)/ - > by the diagram it should be node 5-8 or an error. Please check the > number > > #4 - page 17, section 8.2 paragraph 2. > > Old/ > This is easily accomplished by encapsulating the trafffic either > directly at the host or the source ToR node by pushing the BGP- > Prefix-SID of the destination ToR for intra-DC traffic, or border > node for inter-DC or DC-to-outside-world traffic./ > > New/ > This is easily accomplished by encapsulating the trafffic either > directly at the host or the source ToR node by pushing the BGP- > Prefix-SID of the destination ToR for intra-DC traffic, or > the BGP-Prefix-SID for the the border node for inter-DC or > DC-to-outside-world traffic./ > > If this is not the correct logic, then you can reword this further. > I read it 4 or 5 times. > > #5 - Adding a diagram to section 4.3 might help your description. > > > _______________________________________________ > spring mailing list > spring@ietf.org > https://www.ietf.org/mailman/listinfo/spring
- [RTG-DIR] Review of draft-ietf-spring-segment-rou… Susan Hares
- Re: [RTG-DIR] [spring] Review of draft-ietf-sprin… Robert Raszuk
- Re: [RTG-DIR] [spring] Review of draft-ietf-sprin… Stefano Previdi (sprevidi)
- Re: [RTG-DIR] [spring] Review of draft-ietf-sprin… Susan Hares
- Re: [RTG-DIR] [spring] Review of draft-ietf-sprin… Stefano Previdi (sprevidi)