[secdir] Re: [Idr] draft-ietf-idr-vpn-prefix-orf-20 early Secdir review
Keyur Patel <keyur@arrcus.com> Wed, 01 October 2025 17:54 UTC
To: Wei Wang <weiwang94@foxmail.com>, Scott Kelly <scott@hyperthought.com>, secdir <secdir@ietf.org>
CC: "draft-ietf-idr-vpn-prefix-orf.all" <draft-ietf-idr-vpn-prefix-orf.all@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1vdIZcpoHzlu9dykOsJ2kJ3HmVc>
Hi Scott,

Thanks for the draft review. Can you please confirm if version 22 addresses all your concerns?

Best Regards,
Keyur

From: Wei Wang <weiwang94@foxmail.com>
Date: Wednesday, September 3, 2025 at 11:03 PM
To: Scott Kelly <scott@hyperthought.com>, secdir <secdir@ietf.org>
Cc: draft-ietf-idr-vpn-prefix-orf.all <draft-ietf-idr-vpn-prefix-orf.all@ietf.org>, idr <idr@ietf.org>
Subject: Re: [Idr] draft-ietf-idr-vpn-prefix-orf-20 early Secdir review

Hi Scott,

Thanks for your comments! Please see my inline replies with [WW].

Best Regards,
Wei

Original
________________________________
From: Scott Kelly via Datatracker <noreply@ietf.org>
Date: 4 September 2025 03:59
To: secdir <secdir@ietf.org>
Cc: draft-ietf-idr-vpn-prefix-orf.all <draft-ietf-idr-vpn-prefix-orf.all@ietf.org>, idr <idr@ietf.org>
Subject: [Idr] draft-ietf-idr-vpn-prefix-orf-20 early Secdir review

Document: draft-ietf-idr-vpn-prefix-orf
Title: VPN Prefix Outbound Route Filter (VPN Prefix ORF) for BGP-4
Reviewer: Scott Kelly
Review result: Has Issues

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This is an early review of an experimental draft. This document defines an experimental Outbound Route Filter (ORF) called the VPN Prefix ORF.

A number of acronyms are used without definition, including RBI, PE, and ASBR. VRF is used in the abstract, and then later defined in the "Terminology" section, but the others were not defined there. I'd suggest expanding all acronyms on first use.

[WW]: We will add all acronyms we used in this draft to the "Terminology", and expand all acronyms on the first use in -v21.

Section 4 page 5 says "In order to more finely control VPN routing, when not all VRFs on a PE that are interested in VPN routes with a specific RD exceed the limit, the PE MUST NOT send a VPN Prefix ORF entry." This sentence doesn't make sense to me.

[WW]: The core meaning of this sentence is: A PE must "reject routes on demand" --- it will only reject a specific type of routes (those carrying a particular RD) when all VRFs that require this type of routes can no longer accommodate them. As long as there is even one VRF that can still accommodate such routes, the PE must not reject them. Only in this way can it "achieve more refined control over VPN routes" and avoid unnecessary route loss.

Section 6 page 15 says "Optional TLVs: carry the potential additional information to give the extensibility of the VPN Prefix ORF mechanism. Its format is shown in Figure 6. If one or more TLV(s) are not well formed, they should be ignored" -- a little further down, it says "According to [RFC5291], if any of the fields of a VPN Prefix ORF entry in the message contains an unrecognized value, the whole specified ORF previously received is removed." Should there be a difference between handling of "not well formed" vs. "unrecognized"? What does "not well formed" mean? I found this a little confusing.

[WW]: We will modify the "not well formed" to "unrecognized" in -v21. And to keep the context consistent, the content will be modified as follows: "Optional TLVs: carry the potential additional information to give the extensibility of the VPN Prefix ORF mechanism. Its format is shown in Figure 6. If one or more TLV(s) are unrecognized, the whole VPN Prefix ORF entry SHOULD be removed."

The Security Considerations section says "This draft does build upon [RFC5291]. A BGP speaker will maintain the VPN Prefix ORF entries in an ORF-Policy table, this behavior consumes its memory and compute resources. To avoid the excessive consumption of resources, [RFC5291] specifies that a BGP speaker can only accept ORF entries transmitted by its interested peers." The security considerations in RFC5291 simply state that it adds no security considerations beyond those of RFC4271 (BGP), and I was unable to find anything about resource consumption or interested peers in 5291 -- so I'm not sure what to make of this reference. It might be good to explicitly state that this draft adds no new security considerations beyond those of 5291.

[WW]: We will make this modification in -v21.

_______________________________________________
Idr mailing list -- idr@ietf.org
To unsubscribe send an email to idr-leave@ietf.org
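The two behaviours debated in the thread above (the Section 4 rule for when a PE may emit a VPN Prefix ORF entry, and the proposed -v21 Section 6 rule that an unrecognized optional TLV removes the whole entry) are modelled below. This is an added example for this archive page, not code from draft-ietf-idr-vpn-prefix-orf or its authors. The TLV wire layout (1-byte Type, 1-byte Length, Value), the set of "known" TLV type codes, the treatment of a VRF at its route limit as unable to accommodate more routes, and the sample VRF table are all assumptions made for illustration; the draft's Figure 6 is not reproduced in the thread.

```python
"""Model of two VPN Prefix ORF behaviours discussed in the secdir review.

Added example, not the draft's or its authors' code.

1. should_send_orf_entry(): the PE-side rule Wei Wang explains for
   Section 4. A PE emits a VPN Prefix ORF entry for a Route Distinguisher
   (RD) only when EVERY VRF interested in that RD can no longer accommodate
   routes; one VRF with room left suppresses the entry ("reject on demand").

2. parse_optional_tlvs(): the receiver-side rule of the proposed -v21 text
   for Section 6. If any optional TLV in an entry is unrecognized, the
   whole entry is removed (returns None) instead of skipping that TLV.

ASSUMED for illustration: TLV layout is Type(1) Length(1) Value(Length);
KNOWN_TLV_TYPES are placeholder codes; a VRF at its limit counts as full.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Vrf:
    name: str
    interested_rds: FrozenSet[str]  # RDs whose VPN routes this VRF imports
    route_limit: int
    route_count: int

    def is_full(self) -> bool:
        # ASSUMPTION: a VRF at its limit cannot accommodate another route.
        return self.route_count >= self.route_limit


def should_send_orf_entry(rd: str, vrfs: List[Vrf]) -> bool:
    """Section 4 rule: send an entry for `rd` only if all interested VRFs are full."""
    interested = [v for v in vrfs if rd in v.interested_rds]
    if not interested:
        # all([]) would be True; no VRF imports this RD, so nothing to signal.
        # ASSUMPTION: the model sends no entry in that case.
        return False
    return all(v.is_full() for v in interested)


KNOWN_TLV_TYPES = frozenset({1, 2})  # ASSUMED placeholder type codes


def parse_optional_tlvs(data: bytes) -> Optional[List[Tuple[int, bytes]]]:
    """Section 6 (-v21) rule: return parsed (type, value) pairs, or None to
    drop the whole entry. A TLV whose length overruns the field is treated
    as unrecognized too, so it also removes the entry."""
    tlvs: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            return None  # truncated Type/Length header
        tlv_type, tlv_len = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + tlv_len]
        if len(value) != tlv_len:
            return None  # Length runs past the end of the entry
        if tlv_type not in KNOWN_TLV_TYPES:
            return None  # unrecognized TLV: whole entry removed
        tlvs.append((tlv_type, value))
        pos += 2 + tlv_len
    return tlvs


# Constructed sample PE: RD 65000:1 is imported by VRFs A and B, 65000:2 by A and C.
SAMPLE_VRFS = [
    Vrf("A", frozenset({"65000:1", "65000:2"}), route_limit=100, route_count=100),
    Vrf("B", frozenset({"65000:1"}), route_limit=50, route_count=20),
    Vrf("C", frozenset({"65000:2"}), route_limit=10, route_count=10),
]


def demo() -> Dict[str, object]:
    """Run both rules over the constructed inputs."""
    return {
        "send_65000:1": should_send_orf_entry("65000:1", SAMPLE_VRFS),  # B has room
        "send_65000:2": should_send_orf_entry("65000:2", SAMPLE_VRFS),  # A and C full
        "send_65000:9": should_send_orf_entry("65000:9", SAMPLE_VRFS),  # nobody interested
        "tlvs_ok": parse_optional_tlvs(bytes([1, 2, 0xAA, 0xBB, 2, 0])),
        "tlvs_unknown_type": parse_optional_tlvs(bytes([1, 1, 0x00, 9, 1, 0x00])),
        "tlvs_overrun": parse_optional_tlvs(bytes([1, 4, 0x00])),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The "no interested VRF" branch is the one a naive `all(...)` gets wrong: Python's `all([])` is True, which would make the PE announce a filter for an RD nothing imports.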