Re: [secdir] SECDIR review of draft-ietf-bess-pta-flags-02.txt

Eric C Rosen <erosen@juniper.net> Mon, 25 April 2016 20:25 UTC

To: Christian Huitema <huitema@huitema.net>, iesg@ietf.org, secdir@ietf.org, draft-ietf-bess-pta-flags.all@ietf.org
References: <033501d19e81$1697ec40$43c7c4c0$@huitema.net> <e1c75234-498c-4db2-a76f-faf86ccef7fc@juniper.net> <045801d19f27$818c46d0$84a4d470$@huitema.net>
From: Eric C Rosen <erosen@juniper.net>
Message-ID: <45cc2319-d1c9-976a-ece1-0697a623e21c@juniper.net>
Date: Mon, 25 Apr 2016 16:25:10 -0400
In-Reply-To: <045801d19f27$818c46d0$84a4d470$@huitema.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/490neafm23FhQOS38AxPSRXoBsI>

On 4/25/2016 3:20 PM, Christian Huitema wrote:
> Don't routers have to relay these extensions to BGP-adjacent routers? In
> that case, are they supposed to blindly relay the extensions that they don't
> understand? Are they supposed to reset the corresponding flags to zero, or
> just leave them as is? It is probably obvious for you, but these things are
> often better said than just implied.

Both the "PMSI Tunnel" attribute and the "Additional PMSI Tunnel 
Attribute Flags" Extended Community are defined to be BGP transitive 
attributes.  This means that any BGP speaker that doesn't understand one 
of these attributes would just pass it along unchanged.

If a BGP speaker understands the attributes, but does not understand 
some of the flags, it would not be correct for it to reset the flags.  
The flags might have edge-to-edge (ingress-to-egress or 
egress-to-ingress) significance, and it might not be necessary for 
intermediate routers to understand them.  I will add a statement saying 
that, by default, flags that are not understood SHOULD be left 
unchanged.  (Saying "by default" leaves open the possibility that 
someone might configure a policy to clear certain bits.)

There are cases (discussed in RFCs 6514 and 7524) where the PMSI Tunnel 
attribute is modified as an UPDATE is propagated.  I'll add some text 
pointing out that if the original PMSI Tunnel attribute had the 
extension flag set, but the modified one does not, then the "Additional 
PMSI Tunnel Attribute Flags" Extended Community MUST be removed.
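The propagation rules Eric describes above (unknown flags left unchanged by default, a local policy allowed to clear specific bits, and the "Additional PMSI Tunnel Attribute Flags" Extended Community removed when a rewritten PMSI Tunnel attribute no longer carries the Extension flag) are small enough to model in code. The following is an added example, not code from the draft or from either author; it assumes the Extension flag sits at bit value 0x02 of the PTA Flags octet (the L flag at 0x01 is from RFC 6514), represents the Extended Community as a plain dataclass rather than its wire encoding, and uses the RFC 6514 PTA layout (Flags, Tunnel Type, 3-octet MPLS Label, Tunnel Identifier) for the encoder.

```python
from dataclasses import dataclass, replace
from typing import Callable, Optional

# Bit values in the one-octet PTA Flags field.  L comes from RFC 6514; the
# position of the E (Extension) bit is an assumption made for this example.
L_FLAG = 0x01            # Leaf Information Required
E_FLAG = 0x02            # Extension flag: an Additional Flags EC accompanies the PTA (assumed)
KNOWN_FLAGS = L_FLAG | E_FLAG   # the only flag bits this model speaker understands


@dataclass(frozen=True)
class PmsiTunnelAttr:
    flags: int          # one octet
    tunnel_type: int    # one octet
    label: int          # 20-bit MPLS label value, carried in 3 octets
    tunnel_id: bytes    # variable-length Tunnel Identifier


@dataclass(frozen=True)
class AdditionalFlagsEC:
    flags: int          # additional flag bits carried in the EC body (assumed representation)


@dataclass(frozen=True)
class Update:
    pta: Optional[PmsiTunnelAttr]
    additional_flags_ec: Optional[AdditionalFlagsEC]


def encode_pta(pta: PmsiTunnelAttr) -> bytes:
    """Wire form per RFC 6514: Flags(1) | Tunnel Type(1) | MPLS Label(3) | Tunnel Identifier."""
    if not (0 <= pta.flags <= 0xFF and 0 <= pta.tunnel_type <= 0xFF):
        raise ValueError("flags and tunnel type are single octets")
    if not 0 <= pta.label < (1 << 20):
        raise ValueError("MPLS label value must fit in 20 bits")
    label_field = (pta.label << 4).to_bytes(3, "big")   # label value in the high-order 20 bits
    return bytes([pta.flags, pta.tunnel_type]) + label_field + pta.tunnel_id


def decode_pta(data: bytes) -> PmsiTunnelAttr:
    """Inverse of encode_pta; rejects attributes shorter than the fixed 5-octet header."""
    if len(data) < 5:
        raise ValueError("PMSI Tunnel attribute is at least 5 octets")
    label = int.from_bytes(data[2:5], "big") >> 4
    return PmsiTunnelAttr(flags=data[0], tunnel_type=data[1], label=label, tunnel_id=bytes(data[5:]))


def unknown_flags(pta: PmsiTunnelAttr) -> int:
    """Flag bits set in the PTA that this speaker does not understand (left as is by default)."""
    return pta.flags & ~KNOWN_FLAGS & 0xFF


def propagate(update: Update,
              rewrite: Optional[Callable[[PmsiTunnelAttr], PmsiTunnelAttr]] = None,
              clear_policy: int = 0) -> Update:
    """
    Re-advertise an UPDATE's PTA and Additional Flags EC under the rules in the reply:
      * flag bits the speaker does not understand are left unchanged by default;
        clear_policy is a bitmask of PTA flags that local configuration explicitly
        clears (0, the default, clears nothing);
      * rewrite, when supplied, models the RFC 6514 / RFC 7524 cases in which the
        PTA itself is replaced as the UPDATE propagates;
      * if the original PTA had E set and the resulting PTA does not, the
        Additional Flags EC is removed.
    A speaker that understands neither attribute passes both along unchanged, since
    both are transitive; that is the rewrite=None, clear_policy=0 path.
    """
    if update.pta is None:
        return update                                   # nothing to reconcile; EC is transitive
    original_e = bool(update.pta.flags & E_FLAG)
    pta = replace(update.pta, flags=update.pta.flags & ~clear_policy & 0xFF)
    if rewrite is not None:
        pta = rewrite(pta)
    ec = update.additional_flags_ec
    if original_e and not (pta.flags & E_FLAG):
        ec = None                                       # extension dropped: EC MUST go with it
    return Update(pta=pta, additional_flags_ec=ec)


if __name__ == "__main__":
    # Constructed sample: E and L set plus one flag bit (0x40) this speaker does not know.
    sample = PmsiTunnelAttr(flags=E_FLAG | L_FLAG | 0x40, tunnel_type=6, label=100,
                            tunnel_id=b"\x0a\x00\x00\x01")
    upd = Update(sample, AdditionalFlagsEC(0x1))
    print("unknown bits:", hex(unknown_flags(sample)))
    print("default propagation keeps EC:", propagate(upd).additional_flags_ec is not None)
    rewritten = propagate(upd, rewrite=lambda p: PmsiTunnelAttr(L_FLAG, 0, 0, b""))
    print("EC after rewrite without E:", rewritten.additional_flags_ec)
```

The rewrite hook is deliberately a caller-supplied function: which fields an ASBR or route reflector replaces depends on the deployment, but the consistency rule (E flag gone, EC gone) is the same regardless of what the rewrite did.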