Re: [secdir] SECDIR review of draft-ietf-bess-pta-flags-02.txt

"Christian Huitema" <huitema@huitema.net> Tue, 26 April 2016 17:10 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6D1612D54D for <secdir@ietfa.amsl.com>; Tue, 26 Apr 2016 10:10:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TVYg__6PR4vR for <secdir@ietfa.amsl.com>; Tue, 26 Apr 2016 10:10:39 -0700 (PDT)
Received: from xsmtp06.mail2web.com (xsmtp06.mail2web.com [168.144.250.232]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB52512D530 for <secdir@ietf.org>; Tue, 26 Apr 2016 10:10:39 -0700 (PDT)
Received: from [10.5.2.35] (helo=xmail10.myhosting.com) by xsmtp06.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1av6Ux-0007KW-4s for secdir@ietf.org; Tue, 26 Apr 2016 13:10:38 -0400
Received: (qmail 5786 invoked from network); 26 Apr 2016 17:10:05 -0000
Received: from unknown (HELO huitema2) (Authenticated-user:_huitema@huitema.net@[131.107.147.60]) (envelope-sender <huitema@huitema.net>) by xmail10.myhosting.com (qmail-ldap-1.03) with ESMTPA for <draft-ietf-bess-pta-flags.all@ietf.org>; 26 Apr 2016 17:10:04 -0000
From: Christian Huitema <huitema@huitema.net>
To: 'Eric C Rosen' <erosen@juniper.net>, iesg@ietf.org, secdir@ietf.org, draft-ietf-bess-pta-flags.all@ietf.org
References: <033501d19e81$1697ec40$43c7c4c0$@huitema.net> <e1c75234-498c-4db2-a76f-faf86ccef7fc@juniper.net> <045801d19f27$818c46d0$84a4d470$@huitema.net> <45cc2319-d1c9-976a-ece1-0697a623e21c@juniper.net>
In-Reply-To: <45cc2319-d1c9-976a-ece1-0697a623e21c@juniper.net>
Date: Tue, 26 Apr 2016 10:10:03 -0700
Message-ID: <00cc01d19fde$7a1de270$6e59a750$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJ4tIhog5CnxYH6q0cOrVpsm7GB3QHgxMhnAejMR8oB1gh11Z4hVtFg
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/gA25zd1Oc59TBDI4i7ybAjPD4Lg>
Subject: Re: [secdir] SECDIR review of draft-ietf-bess-pta-flags-02.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2016 17:10:41 -0000

On Monday, April 25, 2016 1:25 PM, Eric C Rosen wrote:
> 
> On 4/25/2016 3:20 PM, Christian Huitema wrote:
> > Don't routers have to relay these extensions to BGP-adjacent routers?
> > In that case, are they supposed to blindly relay the extensions that
> > they don't understand? Are they supposed to reset the corresponding
> > flags to zero, or just leave them as is? It is probably obvious for
> > you, but these things are often better said than just implied.
> 
> Both the "PMSI Tunnel" attribute and the "Additional PMSI Tunnel Attribute
> Flags" Extended Community are defined to be BGP transitive attributes.
This
> means that any BGP speaker that doesn't understand one of these attributes
> would just pass it along unchanged.
> 
> If a BGP speaker understands the attributes, but does not understand some
of
> the flags, it would not be correct for it to reset the flags.
> The flags might have edge-to-edge (ingress-to-egress or
> egress-to-ingress) significance, and it might not be necessary for
intermediate
> routers to understand them.  I will add a statement saying that, by
default,
> flags that are not understand SHOULD be left unchanged.  (Saying "by
default"
> leaves open the possibility that someone might configure a policy to clear
> certain bits.)
> 
> There are cases (discussed in RFCs 6514 and 7524) where the PMSI Tunnel
> attribute is modified as an UPDATE is propagated.  I'll add some text
pointing
> out that if the original PMSI Tunnel attribute had the extension flag set,
but the
> modified one does not, then the "Additional PMSI Tunnel Attribute Flags"
> Extended Community MUST be removed.

Works for me, thanks.

-- Christian Huitema