Re: [trill] RtgDir review: draft-ietf-trill-directory-assisted-encap-02

Donald Eastlake <> Fri, 27 October 2017 02:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E892813F60E; Thu, 26 Oct 2017 19:30:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PV4xMKRCnlE6; Thu, 26 Oct 2017 19:30:10 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5579C13F4F2; Thu, 26 Oct 2017 19:30:10 -0700 (PDT)
Received: by with SMTP id h6so8842877oia.10; Thu, 26 Oct 2017 19:30:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=vtGj9cBZ47OFsR43DUcilxQH5DbuLYO7GVdGq/V6LVo=; b=WuSQLA1nV1aKJKzHZOpg3IzF23Zuy7UqKM3svCHQN3ZZzNppF5VtEIlMPhG2Z2/mli x07HuGBmhS4Rb0a8nALuqIVYGxt/DIRR/eDzjFgzgDyLZA6Q6uw1AxrYG2uBUfZtN3or MABBYoRQYdyZSpNa0fwRLi/MefUf+fbl/OGlafnts2/4PwzoLhPBPsZvigf/eGEeGOBI A9oYxr9YigVPfWTB784nSENcn5/adfp48w5a/K82H28PEN2Bz3qhQI0F2QDS0QTnaYKp r73pKG9h9eM+AydLcLakrVls/tYZ2VIVujp0Ku5+ZRgyknIE2q2OzQId21nlHb0ditFy 1T7g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=vtGj9cBZ47OFsR43DUcilxQH5DbuLYO7GVdGq/V6LVo=; b=PARat+Rx9MfNEAW5b1YAhjE5it7ahFfJzoDFQep3LIoA06Pp7TG+PDbhalCq9Vzh74 HkdjUnK3j6hCeWjF8PmhH6OtbHtnArJJaxO6PHKZ6Fxmg2pb70+Jek1Ztg896p3TYQi/ 23KDjKdJaGVlr43CpIhKfCwLqriwraOOpGEDAwSx+aLoeRTTsXACPg0zGHY6SycOZhvr d01kcdWUSWF6cjXJTDLQPbpF2kXRbNo30IKD3FuSgIt+omIKGNUU/aTnn5ToI5jQFsiT BirxrulEmDntnHUglFUDuOKjllzFaX14VbQBf+D2+n1dwa6qY/vB2j57XjqkiiMLvvfS INOQ==
X-Gm-Message-State: AMCzsaVC+VViTKFR39GjinHUJfgfwnEHW3ZWjpJCpMdEKBnzdKAd24Ju cFjzVK8dwkV2ZvA8r2bPg9PggzoZvLlP4ruV9kmX/FrA
X-Google-Smtp-Source: ABhQp+TF4tQsH7Kvm7iHQXXwB3lX9Ztry+B01C7PaTIHrSx0KuUPWO/1UYT92uoePnmjsnczvkTKl/JzXhgJaCahKtE=
X-Received: by with SMTP id q1mr3916412otg.33.1509071409268; Thu, 26 Oct 2017 19:30:09 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Thu, 26 Oct 2017 19:29:53 -0700 (PDT)
In-Reply-To: <>
References: <>
From: Donald Eastlake <>
Date: Thu, 26 Oct 2017 22:29:53 -0400
Message-ID: <>
To: Ben Niven-Jenkins <>
Cc: "<> (" <>, "" <>,, "" <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [trill] RtgDir review: draft-ietf-trill-directory-assisted-encap-02
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Developing a hybrid router/bridge." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 27 Oct 2017 02:30:13 -0000

Hi Ben,

Thanks for your review. It appears that is was not responded to in a
timely fashion. Apologies on behalf of the authors.

(Your review was of the -02 version. The current version is -05.)

On Sun, Apr 24, 2016 at 4:28 AM, Ben Niven-Jenkins
<> wrote:
> Hello,
> I have been selected as the Routing Directorate reviewer for this
> draft. The Routing Directorate seeks to review all routing or
> routing-related drafts as they pass through IETF last call and IESG
> review. The purpose of the review is to provide assistance to the
> Routing ADs. For more information about the Routing Directorate,
> please see
> Although these comments are primarily for the use of the Routing
> ADs, it would be helpful if you could consider them along with any
> other IETF Last Call comments that you receive, and strive to
> resolve them through discussion or by updating the draft.
> Document: draft-ietf-trill-directory-assisted-encap-02.txt
> Reviewer: Ben Niven-Jenkins
> Review Date: 21 April 2016
> Intended Status: Proposed Standard
> Summary:
> I have significant concerns about this document and recommend that
> the Routing ADs discuss these issues further with the authors.

Hopefully the changes made between the version -02 you reviewed and
the current -05 have made some improvements and, based on your
comments and WG LC comments, further improvements can be made.

> Comments:
> Overall this is not the easiest document to read although some of
> that might be due to my lack of background in TRILL and its
> terminology.
> Major Issues:
> 1) The document has an Intended Status of Proposed Standard, however
> it does not contain any RFC2119 keywords and does not seem to make
> any normative statements about required behaviour which I would have
> expected in a Proposed Standard.

Well, in version -05 there is at least one keyword instance.
Furthermore, I don't know that such keywords need to always be used
when an implementation requirement level is being specified. That
said, we could see if additional RFC 2119 keywords are warranted.

> 2) Section 4: If I understand correctly the TRILL-EN spoofs the
> Ingress RBridge edge node's nickname in the source address field of
> the TRILL header. Is this likely to introduce problems? E.g. if
> RBridges will accept & forward frames that have their own source
> address in, does it perpetuate routing loops or present security
> considerations that the document should discuss?

TRILL goes to great lengths to avoid loops and has a hop count in the
TRILL header so that, should there be a transient loop, a TRILL packet
in that loop (i.e., an encapsulated frame) will be discarded. In the
potentially more dangerous case of multi-destination packets, as
compared with known unicast, where copies could multiply due to forks
in the distribution tree, a Reverse Path Forwarding Check is used to
discard packets that appear to be on the wrong link or when there is
disagreement about the distribution tree.

Security Considerations should probably say more on this.

> Section 8 on Security Considerations also looks very light on
> text. If you are allowing TRILL-ENs to spoof RBridge source
> addresses (which I think you are, see comment above) I think you
> should have a discussion about that somewhere in the document.

I agree that some further discussion is needed in the Security
Considerations section.

> Minor Issues:
> 1) Section 3. I am not sure what Figure 2 is trying to convey and it
> is not referred to by the main text. Is it required?

Figure 2 is intended to show the header of a pre-encapsulated frame
going from a TRILL-EN to an edge TRILL switch. If it is retained in
the draft, there should be clarifying text that references it.

> 2) Section 3 says:
>    Editor's note: [Directory] has defined Push and Pull methods for edge
>    RBridges to get directory mapping information. The Pull Model is
>    relative simple for TRILL-EN to implement (see Section 9). Pushing
>    Directory information requires some reliable flooding mechanism, like
>    the one used by IS-IS, between the edge RBridge and the TRILL
>    encapsulating node.
> which gives me the impression the authors prefer pull and discourage
> push as it would require something extra like IS-IS.

That note no longer exists in the draft. Also the "[Directory]" draft
referred to has been issued as RFC 8171 and the draft should be
updated to reflect that.

> However, Section 4 says
>    The TRILL-EN learns this nickname by listening
>    to the TRILL IS-IS Hellos from the Ingress RBridge.
> which makes me think if the TRILL-EN is running IS-IS for hellos, is
> pushing the directory such an obstacle?

That text refers to snooping on IS-IS messages, not running IS-IS.

There are problems with using IS-IS, designed for communication
between routers (Intermediate Systems) and the end station
implementing pre-encapsulation as described in this draft.  At first
throught, you might want is an extension of ES-IS but the Memorandum
of Understanding between the IETF and ISO/IEC only covers IS-IS, not
ES-IS. So TRILL has specified a "TRILL ES-IS" in Section 5 of RFC
8171. However, even then, push uses ESADI [RFC7357], which involves
encapsulation and VLAN/FGL scoping and which would need to be extended
for end stations so push is out of scope for this document.

> Is whether the directory is pulled or pushed something this document
> needs to discuss at all? If it does need to discuss push vs pull,
> should the document be stronger and make a clearer recommendation on
> which method should be used (or implemented by default) to aid with
> interoperability?

The reasons for using push or pull or some sort of hybrid are
discussed in RFC 8171. The -05 version of the Directory Assisted TRILL
Encapsulation document only covers pull.

> 3) Section 5.1 states
>    setting TRILL boundary at aggregation
>    switches that have many virtualized servers attached can limit the
>    number of RBridge nodes in a TRILL domain, but introduce the issues
>    of very large MAC&VLAN<->RBridgeEdge mapping table to be maintained
>    by RBridge edge nodes and the necessity of enforcing AF ports.
>    Allowing Non-RBridge nodes to pre-encapsulate data frames with TRILL
>    header makes it possible to have a TRILL domain with a reasonable
>    number of RBridge nodes in a large data center. All the TRILL-ENs
>    attached to one RBridge are represented by one TRILL nickname, which
>    can avoid the Nickname exhaustion problem.
> As I understand it TRILL-ENs pre-encapsulate packets that they send,
> but when receiving packets the RBridge attached to the TRILL-EN
> decapsulates the TRILL packet and forwards it to the TRILL-EN
> “natively” (without TRILL encapsulation), as stated in section 3:
>    When a TRILL frame arrives at an RBridge whose nickname matches with
>    the destination nickname in the TRILL header of the frame, the
>    processing is exactly same as normal, i.e. as specified in [RFC6325]
>    the RBridge decapsulates the received TRILL frame and forwards the
>    decapsulated frame to the target attached to its edge ports.
> Therefore all the RBridges still need to maintain a very large
> "MAC&VLAN<->RBridgeEdge mapping table”? If that is the case, what
> advantage does this approach give over the “base case” of setting
> TRILL boundary at aggregation switches?

With pre-encapsulation, although edge RBridges need to learn local MAC
addresses so they can de-capsulate, they do not need to learn the
typically much larger number of remote MAC address because they do not
need to encapsulate. This should be explained more clearly.

> 4) Section 7 on Manageability Considerations only states that in
> order for the solution to work requires the availability of a
> directory service, which seems a bit redundant when the entire
> document is about "Directory Assisted TRILL Encapsulation”. Is this
> section required?

I agree that the Manageability Considerations section should have
some material added concerning configuration or be dropped.

 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA

> Regards
> Ben