Re: [sfc] Early review draft-ietf-sfc-nsh
"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Thu, 21 September 2017 12:47 UTC
Return-Path: <cpignata@cisco.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C18A1342E7 for <sfc@ietfa.amsl.com>; Thu, 21 Sep 2017 05:47:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.519
X-Spam-Level:
X-Spam-Status: No, score=-14.519 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id St_RNaDRplxh for <sfc@ietfa.amsl.com>; Thu, 21 Sep 2017 05:47:32 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31A011330B1 for <sfc@ietf.org>; Thu, 21 Sep 2017 05:47:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=82000; q=dns/txt; s=iport; t=1505998052; x=1507207652; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=kKiiW1yyk6e2VDNOXHtJaHWDJ/yMw5dFbMXnGBq/Yv4=; b=L+fcieVBMEYpgVJENKBT3gnZfNtevSNAJkBgQGhDTwbws41u2Seu3IYK eB4rbLOqKPeYUMfalM+jDR1TqqIqRLSnQ6t2qjgkRCbtNCoZDhoFpQ8K6 V9qmMwcTj01+D9ZvzfcFVqwvfdShQaNi1r63Doi22JFHfgQD/g/7HpwDo s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CjAABAtMNZ/5ldJa1cGQEBAQEBAQEBAQEBBwEBAQEBgy0tZG4nB4NviiCPeIF0iECNag6CAQMKGAEKhRgCGoN5PxgBAgEBAQEBAQFrKIUYAQEBAQMBARgBCARABwQHDAQCAQgOAwEDAQEhAQYDAgICHwYLFAMGCAIEDgUbiTRMAxUQpnSBbTqHNA2DPgEBAQEBAQEBAQEBAQEBAQEBAQEBARgFgyuBYiCBUYFkK4FwgQ2CWYFmJB8QIYJbL4IxBYoPBo4yiBA8AodbiASEd4ITgW+DfIN+hwKMYYgwAhEZAYE4AR84QUx3FUkSAYUGHIFndgGILoEQAQEB
X-IronPort-AV: E=Sophos;i="5.42,425,1500940800"; d="scan'208,217";a="296050828"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Sep 2017 12:47:30 +0000
Received: from XCH-RTP-008.cisco.com (xch-rtp-008.cisco.com [64.101.220.148]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id v8LClTcj027410 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 21 Sep 2017 12:47:29 GMT
Received: from xch-rtp-020.cisco.com (64.101.220.160) by XCH-RTP-008.cisco.com (64.101.220.148) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 21 Sep 2017 08:47:29 -0400
Received: from xch-rtp-020.cisco.com ([64.101.220.160]) by XCH-RTP-020.cisco.com ([64.101.220.160]) with mapi id 15.00.1263.000; Thu, 21 Sep 2017 08:47:28 -0400
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Med Boucadair <mohamed.boucadair@orange.com>
CC: James N Guichard <james.n.guichard@huawei.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "Paul Quinn (paulq)" <paulq@cisco.com>, "sfc@ietf.org" <sfc@ietf.org>
Thread-Topic: [sfc] Early review draft-ietf-sfc-nsh
Thread-Index: AQHTMLsSqoZIGRErdkS+KbebYim9zKK82t6AgAAEeYCAABTqgIABNZsAgAAKggCAAAZ9AIAABHkAgADyTQCAAF+CAA==
Date: Thu, 21 Sep 2017 12:47:28 +0000
Message-ID: <65C0A290-C73E-40A5-B41C-4E0C4181BDAB@cisco.com>
References: <CAHbuEH5Nu4mp+eAAuT-4aGwAkkhYw=8=dd96fFiqgybDykym4A@mail.gmail.com> <B0267CF5-FB30-4EF8-A9BC-A86FB97FAE29@cisco.com> <CAHbuEH6LCwDGg+inEEmG6Yyf290CMrKTWk1kxHhpC4v219agRg@mail.gmail.com> <6971D34B-DC0E-4C3E-B412-3C2F8FAE5704@cisco.com> <CAHbuEH42obn8RZ3gyBTWjZXb9r28Ax2A41GeFd6UvAbVE_ZH=g@mail.gmail.com> <43ED911F-2174-4930-A9BE-1B2A81CD03E9@cisco.com> <CAHbuEH6j9c4tapG-Yb_f9iopFok1KteDUocRjqRkWogDpfrVJg@mail.gmail.com> <BF1BE6D99B52F84AB9B48B7CF6F17DA3F18C03@SJCEML701-CHM.china.huawei.com> <787AE7BB302AE849A7480A190F8B93300A046CB0@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93300A046CB0@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.118.116.133]
Content-Type: multipart/alternative; boundary="_000_65C0A290C73E40A5B41C4E0C4181BDABciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/CEiRzlLpM8y2VrBWRmU2tw-KbBQ>
Subject: Re: [sfc] Early review draft-ietf-sfc-nsh
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Sep 2017 12:47:36 -0000
Hi, Med, I fully agree with you. However, I did go through the whole document making sure we were always using “transport encapsulation”. Frankly, I did find a few places where normalizing and cleaning the terminology helped a lot. I’ll post those changes before next week (I want to make some updates to the security considerations as well, and then release). I also agree that, in theory, we do not need to re-describe the layering and all the pieces exist in RFC 7665 and in the NSH spec. I do not mind erring on the side of extra clarity for the uninitiated reader. I will ask you to check out the forthcoming revision -22. Thanks! — Carlos Pignataro, carlos@cisco.com<mailto:carlos@cisco.com> “Sometimes I use big words that I do not fully understand, to make myself sound more photosynthesis." On Sep 21, 2017, at 3:05 AM, mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com> wrote: Jim, all, I do understand the confusion that is induced by "transport" in the NSH document. Using another term would fix this, sure. But, we need to keep in mind that NSH spec is referring to RFC7665 which uses "transport" extensively. IMHO, the following figure from RFC7665 is very helpful to understand the SFC layering, including the notion of outer-transport encapsulation. +----------------+ +----------------+ | SFC-aware | | SFC-unaware | |Service Function| |Service Function| +-------+--------+ +-------+--------+ | | SFC Encapsulation No SFC Encapsulation | SFC | +---------+ +----------------+ Encapsulation +---------+ |SFC-Aware|-----------------+ \ +------------|SFC Proxy| | SF | ... ----------+ \ \ / +---------+ +---------+ \ \ \ / +-------+--------+ | SF Forwarder | | (SFF) | +-------+--------+ | SFC Encapsulation | ... SFC-enabled Domain ... | Network Overlay Transport | _,....._ ,-' `-. / `. | Network | `. / `.__ __,-' `'''' Ideally, we don't even need to re-describe the layering in the NSH spec given that the draft delimits its scope clearly: The NSH is the SFC encapsulation required to support ^^^^^^^^^^^^^^^^^^^^^^^^ the Service Function Chaining (SFC) architecture (defined in RFC7665). Cheers, Med -----Message d'origine----- De : sfc [mailto:sfc-bounces@ietf.org] De la part de James N Guichard Envoyé : mercredi 20 septembre 2017 18:38 À : Kathleen Moriarty; Carlos Pignataro (cpignata) Cc : Paul Quinn (paulq); sfc@ietf.org<mailto:sfc@ietf.org> Objet : Re: [sfc] Early review draft-ietf-sfc-nsh Hi Kathleen, I am not quite clear as to exactly what is confusing with the existing text (-21 version). Quoting from section 1: The Network Service Header (NSH) specification defines a new protocol and associated encapsulation for the creation of dynamic service chains, operating at the service plane. The NSH is designed to encapsulate an original packet or frame, and in turn be encapsulated by an outer transport (which is used to deliver the NSH to NSH-aware network elements), as shown in Figure 1: +------------------------------+ | Transport Encapsulation | +------------------------------+ | Network Service Header (NSH) | +------------------------------+ | Original Packet / Frame | +------------------------------+ Figure 1: Network Service Header Encapsulation This states that the NSH is designed to encapsulate the original packet/frame (read IP packet or Ethernet frame) and then in turn be carried by an outer transport. The figure clearly shows that the outer transport in this context is "Transport Encapsulation". The draft then goes on to describe what NSH is and then in section 4 more detail is provided on the transport encapsulation. Now reading section 4 it starts by saying: Once the NSH is added to a packet, an outer encapsulation is used to forward the original packet and the associated metadata to the start of a service chain. Is the confusion caused by section 1 & 4 text saying "outer encapsulation" or "outer transport" rather than "Transport Encapsulation" ? If so that is easily fixed :-) Thanks! Jim -----Original Message----- From: sfc [mailto:sfc-bounces@ietf.org] On Behalf Of Kathleen Moriarty Sent: Wednesday, September 20, 2017 12:22 PM To: Carlos Pignataro (cpignata) <cpignata@cisco.com<mailto:cpignata@cisco.com>> Cc: Paul Quinn (paulq) <paulq@cisco.com<mailto:paulq@cisco.com>>; sfc@ietf.org<mailto:sfc@ietf.org> Subject: Re: [sfc] Early review draft-ietf-sfc-nsh Hi Carlos, Please look at the text in the current document. It only says transport in the text I quoted. The diagram also only says transport. Drafts need to be clearly written to be broadly understood and the way the text is now, it is not. I think cleaning it up a bit will lift some of the security concerns as some are addressed prior to NSH seeing the IP packet or frame. Your response helps, but please take the time to look through the document to see how it can be clarified so one does not have the questions I and others have raised. Thank you, Kathleen On Wed, Sep 20, 2017 at 11:59 AM, Carlos Pignataro (cpignata) <cpignata@cisco.com<mailto:cpignata@cisco.com>> wrote: Hi, Kathleen, Thank you for asking explicitly. This document used to have explicit “NSH Encapsulation Examples”, but were taken out (at the AD’s request) based on the argument that “everyone would like to have their encapsulation”. We can always bring them back if desired, even within a non-normative appendix. As I follow your questions, I will try my best to answer and clarify. I am not sure which “bunny trail” took the conversation here, but perhaps a couple of top-post clarifications might help: 1. “Original Packet/Frame” -> the terminology Packet/Frame, as commonly used, denotes an IP packet or an Ethernet frame. 2. The outer "Transport Encapsulation” does *not* mean TCP. It uses the word “Transport” as transport profile, an encapsulation that transports, not as TCP. GRE is one example of a transport encapsulation, not TCP as a “L4 Transport Layer protocol”. In point #2, GRE is the Transport that NSH uses between SFFs/SFs. And further, since NSH is Transport Encapsulation agnostic, we are talking about potentially a broad set of protocols… I’d encourage us to not attempt to classify them in OSI Layers. I can see that some of this might not be totally clear if scanning through the document, but it is clear for an implementor. See Table 1 and Table 3 for examples (Transport column) I hope this helps set clarifying context, see inline for more specific details... On Sep 20, 2017, at 11:21 AM, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com<mailto:Kathleen.Moriarty.ietf@gmail.com>> wrote: Hi Carlos, It's a start, but should be more specific. The specifics are in the document, even examples as per Tables 1 and 3. What are the original packets/frame - is this link layer or network or both? These are the packets or frames incoming into a classifier, original, then NSH is imposed, then a transport encapsulation is imposed. It seems like both from the diagram, but is that really the case? Yes, it is both. Really the case. Then for the transport encapsulation, is this layer 3 or 4? I believe it is a source of headache and confusion to think about OSI layers… what layer is IP-in-IP? And an MPLS Pseudowire transporting Ethernet? Or an IPv6/L2TPv3 pseudowire transporting TDM? The wording that precedes this is a bit confusing (here for reference): The Network Service Header (NSH) specification defines a new protocol and associated encapsulation for the creation of dynamic service chains, operating at the service plane. The NSH is designed to encapsulate an original packet or frame, and in turn be encapsulated by an outer transport (which is used to deliver the NSH to NSH-aware network elements), as shown in Figure 1: Does the explanation above help? I am not sure how to best answer… because I do not find it confusing. This text is the result of reviewers asking for clarity, and then acknowledging that the paragraph above brought that clarity. Normally, the higher layers are encapsulated, What is higher and lower? And for what definition of “Normally”? What’s a Tunnel? but this wording describes just the opposite. It says the packet/frame at layer 2/3 (just going from the normal uses of packet and frame to assume layer 3/2). Correct. IP packet, Ethernet Frame. NHS encapsulates that, and then is encapsulated by a transport layer 3/4? No. Where does it say “Transport Layer”? Note that “Network Transport”, and “Transport Encapsulation” are terms coming from RFC 7665. And to be clear: many RFCs use “Transport Encapsulation” or a variation of that (Encapsulation for Transport, Transport-independent Encapsulation, etc.) See Table 1 and Table 3, Transport column, for examples. If you can clarify this text or make it clear that you really intended to do this odd encapsulation, that would help a lot. Hopefully my explanation helps. Understanding the layers this all happens at is very important. If NSH is the trigger for the layer 3/4 transport, how can security be applied? Or is it addressed by a prior 3/4 encapsulation by the original packet/frame? Thanks, Kathleen — Carlos Pignataro, carlos@cisco.com<mailto:carlos@cisco.com> On Tue, Sep 19, 2017 at 4:53 PM, Carlos Pignataro (cpignata) <cpignata@cisco.com<mailto:cpignata@cisco.com>> wrote: Hi, Kathleen, Thanks for the clarification. Regarding: is that the layering needs to be specifically stated to clearly Like this? https://tools.ietf.org/html/draft-ietf-sfc-nsh-21#section-1 +------------------------------+ | Transport Encapsulation | +------------------------------+ | Network Service Header (NSH) | +------------------------------+ | Original Packet / Frame | +------------------------------+ Figure 1: Network Service Header Encapsulation I think if you laid this out nicely and clearly showed where transport security is addressed at another layer (out-of-scope), it would go a long way. Hopefully the above (existing) figure and text is clear. In that case: One idea is to categorize the paragraphs in the Security Considerations to make those relations more clear. — Carlos Pignataro. On Sep 19, 2017, at 3:38 PM, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com<mailto:Kathleen.Moriarty.ietf@gmail.com>> wrote: Thanks for the responses. I'm going to top post as I thin the main point of my review is that the layering needs to be specifically stated to clearly scope the problem space for NSH security considerations. The draft as-written is not clear and as a result, security reviews are very difficult. I think if you laid this out nicely and clearly showed where transport security is addressed at another layer (out-of-scope), it would go a long way. Although the draft improved a bit from the previous version, I think a careful review and edit pass would do a lot of good, specifically around clarity of the problem space and solution. The questions I asked were a result of lack of clarity in the draft. Thanks, Kathleen On Tue, Sep 19, 2017 at 3:22 PM, Paul Quinn (paulq) <paulq@cisco.com<mailto:paulq@cisco.com>> wrote: Hi, Thank you for the review. Please see some comments inline below. Paul On Sep 18, 2017, at 4:15 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com<mailto:kathleen.moriarty.ietf@gmail.com>> wrote: Hello, At Alia's request, I did an early review of draft-ietf-sfc-nsh. Here are some initial comments and I may have more when the draft is revised and is in for IESG review. I appreciate your efforts addressing the comments received to date. I hope you find these suggestions as helpful improvements to the document and clarity of NSH security concerns. Section 1 - The intended scope in the introduction should also include mention of multi-tenancy. This changes the security requirements and is very important to note. Section 1.4 - 5. Transport Agnostic: The NSH is encapsulation-independent, meaning it can be transported by a variety of protocols. An appropriate (for a given deployment) encapsulation protocol can be used to carry NSH-encapsulated traffic. This transport may form an overlay network and if an existing overlay topology provides the required service path connectivity, that existing overlay may be used. Is there a preferred transport so you could specify a recommended transport security protocol? PQ> There is not. In fact at the AD’s request sample transports were removed to ensure that there was no implied preference. Therefore, an operator can select their preferred transports, including — as per the security considerations section — ones that provide encryption. Section 2, 3rd sentence: Subsequently, an outer encapsulation is imposed on the NSH, which is used for network forwarding. Knowing more about this would help to understand options or if there is another draft that addresses this outer encapsulation that is imposed and the transport security requirements that go along with it. PQ> Since NSH defines no preferred transport(s), the security of the selected transport is left to the transport standard. So, for example, if an operator elects to use the NVO3 defined protocol, then the operator has explicitly selected that overlay. Transport may be hop to hop, and there might not be encryption of this header if the application uses an encrypted transport encapsulated in this layer. In any case, it seems integrity protection is a requirement for a multi-tenant environment. Could the COSE MAC function fit the bill since it is intended for concise formats? https://datatracker.ietf.org/doc/rfc8152 JOSE produced a similar function with JSON, but it would be slightly larger. Section 7.1: The following paragraph implies that anything less than a 5-tuple isn’t useful and that you intend to use traffic content when available. This is concerning. Can’t you use a 2-tuple? What if IPsec transport mode were in use, is this solution dead in the water? Regardless of the source, metadata reflects the "result" of classification. The granularity of classification may vary. For example, a network switch, acting as a classifier, might only be able to classify based on a 5-tuple, while a service function may be able to inspect application information. Regardless of granularity, the classification information can be represented in the NSH. If a 2-tuple is possible, could you add that in as an example instead of or in addition to the 5-tuple? PQ> The 5-tuple was used only as an example that is commonly understood in the context of network device classification. The sentence: "The granularity of classification may vary.” addresses 2, 3, 4, n-tuple classification. Further, that point is reinforced: “Regardless of granularity, the classification information can be represented in the NSH." Section 7.1 This text comes too late in the draft and I recommend making a clear statement in the introduction that session encryption to protect the data in transit relies on the application/service sending/receiving the data and not the SFC. I made this point previously and am glad to see some text, but think it would be much better to state this early in the draft. Touching upon protections for data streams versus meta data would both be important (layers for traffic and associated protections). If it’s meta data, do they need to rely on IPsec and having a 2-tuple be the minimum? When is that applied? Is there meta data that could be sensitive if TLS was in place and a 5-tuple is visible (perhaps the existence of communication is sensitive). Are there other considerations for metadata and data that need to be stated up front and put out-of-scope for SFC? I’m asking these questions as providing these answers could show that the risk is constrained. Depending on the information carried in the metadata, data privacy considerations may need to be considered. For example, if the metadata conveys tenant information, that information may need to be authenticated and/or encrypted between the originator and the intended recipients (which may include intended SFs only). The NSH itself does not provide privacy functions, rather it relies on the transport/overlay layer. An operator can select the appropriate transport to ensure confidentiality (and other security) considerations are met. Metadata privacy and security considerations are a matter for the documents that define metadata format. PQ> Are you suggesting that application layer confidentially be addressed in this draft? NSH “plays nicely” with standard encryption transports, therefore allowing operators to “secure” the path. Going up the stack from that seems to be outside the scope of NSH and inconsistent with other protocol requirements. Other comments: I’d like to see; https://tools.ietf.org/html/draft-mglt-sfc-security-environment-req-02 Published before this document and then have that as a reference. One of the comments I made previously was to list out the layering and protections expected on data and NSH. This has been done in the security environment draft, section 4 should be referenced: Section 4 provides an overall description of the SFC environment with the introduction of the different planes (SFC Control Plane, the SFC Management Plane, the Tenant's user Plane and the SFC Data Plane). PQ> As I mentioned on another thread: a secure environment draft is not related to NSH per se. This is a very important point for anyone reviewing for security as are the environment security requirements. The security environment requirements draft still needs a little more work from a quick read, but helps a lot. I need to finish reading the security environment draft. -- Best regards, Kathleen _______________________________________________ sfc mailing list sfc@ietf.org<mailto:sfc@ietf.org> https://www.ietf.org/mailman/listinfo/sfc -- Best regards, Kathleen _______________________________________________ sfc mailing list sfc@ietf.org https://www.ietf.org/mailman/listinfo/sfc -- Best regards, Kathleen -- Best regards, Kathleen _______________________________________________ sfc mailing list sfc@ietf.org<mailto:sfc@ietf.org> https://www.ietf.org/mailman/listinfo/sfc _______________________________________________ sfc mailing list sfc@ietf.org https://www.ietf.org/mailman/listinfo/sfc
- [sfc] Early review draft-ietf-sfc-nsh Kathleen Moriarty
- Re: [sfc] Early review draft-ietf-sfc-nsh Joel M. Halpern
- Re: [sfc] Early review draft-ietf-sfc-nsh Carlos Pignataro (cpignata)
- Re: [sfc] Early review draft-ietf-sfc-nsh Thomas Nadeau
- Re: [sfc] Early review draft-ietf-sfc-nsh Paul Quinn (paulq)
- Re: [sfc] Early review draft-ietf-sfc-nsh Kathleen Moriarty
- Re: [sfc] Early review draft-ietf-sfc-nsh Carlos Pignataro (cpignata)
- Re: [sfc] Early review draft-ietf-sfc-nsh Kathleen Moriarty
- Re: [sfc] Early review draft-ietf-sfc-nsh Carlos Pignataro (cpignata)
- Re: [sfc] Early review draft-ietf-sfc-nsh Kathleen Moriarty
- Re: [sfc] Early review draft-ietf-sfc-nsh Carlos Pignataro (cpignata)
- Re: [sfc] Early review draft-ietf-sfc-nsh James N Guichard
- Re: [sfc] Early review draft-ietf-sfc-nsh Kathleen Moriarty
- Re: [sfc] Early review draft-ietf-sfc-nsh mohamed.boucadair
- Re: [sfc] Early review draft-ietf-sfc-nsh Carlos Pignataro (cpignata)
- Re: [sfc] Early review draft-ietf-sfc-nsh Kathleen Moriarty