Hi Benjamin, Thanks for your review and comments. I have posted -08 revision.
Please see zzh> below. -----Original Message----- From: BESS <[email protected]> On Behalf Of Benjamin Kaduk via Datatracker Sent: Wednesday, May 19, 2021 9:25 PM To: The IESG <[email protected]> Cc: Matthew Bocci <[email protected]>; [email protected]; [email protected]; [email protected]; [email protected] Subject: [bess] Benjamin Kaduk's No Objection on draft-ietf-bess-mvpn-msdp-sa-interoperation-07: (with COMMENT) [External Email. Be cautious of content] Benjamin Kaduk has entered the following ballot position for draft-ietf-bess-mvpn-msdp-sa-interoperation-07: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://urldefense.com/v3/__https://www.ietf.org/iesg/statement/discuss-criteria.html__;!!NEt6yMaO-gk!RpGeWZCeZBAreMzivXrQ0bVoJONE8ErGwazuYm6GFz0p3HbPN0W63F57Og8D0TOo$ for more information about DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-bess-mvpn-msdp-sa-interoperation/__;!!NEt6yMaO-gk!RpGeWZCeZBAreMzivXrQ0bVoJONE8ErGwazuYm6GFz0p3HbPN0W63F57OtPmQe7y$ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- This looks like a nice, simple way to improve the interoperation scenarios. All my comments are relatively minor (and most are explicitly classified as nits). Section 2 Section "14. Supporting PIM-SM without Inter-Site Shared C-Trees" of [RFC6514] specifies the procedures for MVPN PEs to discover (C-S,C-G) via MVPN Source Active A-D routes and then send (C-S,C-G) C-multicast routes towards the ingress PEs, [...] Just to check my understanding: when we say "send (C-S,C-G) C-multicast routes toward the ingress PEs", does that refer to the "Source Tree Join C-multicast route"s that RFC 6514 describes? Would it be helpful to write it out using the same terminology? Zzh> Yes. Fixed. Section 3 When an MVPN PE advertises an MVPN SA route following procedures in [RFC6514] for the "spt-only" mode, it SHOULD attach an "MVPN SA RP- address Extended Community". [...] I don't really understand why this is only a "SHOULD". If the whole point of this document is to let MVPN S-A announcements get propagated out to MSDP, it seems required, and people who don't care about that scenario can ignore the document entirely; they don't need SHOULD vs MUST to get out of it. Zzh> That's reasonable. Fixed. In addition to procedures in [RFC6514], an MVPN PE may be provisioned to generate MSDP SA messages from received MVPN SA routes, with or When would something that implements the rest of this document not be expected to generate MSDP SA messages in such a manner? (That is, why use "may be"?) zzh> "may be provisioned" wording is just because it is not a protocol behavior but an operator choice - it is about whether the procedures in this document is used or not per an operator's choice. I don't know what's the best way to go with this. I am fine with changing it to the following if necessary: In addition to procedures in [RFC6514], MVPN PE MUST generate MSDP SA messages from received MVPN SA routes if it has MSDP sessions to non-PE MSDP peers, with or without local MSDP policy control. Section 4 I'm always a little wary of claims of "no additional security considerations", though in many cases there are no *significant* new security considerations, even if there are some considerations that are new. In this case, we have the option of using the local RP address for the C-G when constructing a MSDP SA message (when the EC is not present in the MVPN SA NRLI), and since this causes different nodes in the MVPN to see different RPs for the group, it's not immediately clear that there are no relevant security considerations from having different views of the RP. What is the behavior when different nodes are using different RPs? Zzh> That should not cause security concerns. Zzh> MSDP propagtes (s,g) information to distributed RPs so that receiving RPs are able to join to the sources. Zzh> The RP address in the MSDP messages are only used for RPF purpose - such that the MSDP messages are distributed in a tree format. Even if two PEs advertise with different RP address for the same (s,g), others MSDP speakers will be able to pick just one to use. (There is also the fact that the address of the RP is now sent to a larger population by virtue of being in the new BCP EC, which should cause us to consider if there are any privacy considerations from the broadedend information distribution. I don't see anything noteworthy, though.) zzh> W/o this feature, the MSDP speakers will need to peer with each other at overlay, and the RP addresses will be exchanged among them anyway, so there should be no concern with privacy. RFC 6514's security considerations section mentions (by section number, not name) that for the spt-only mode implementations should have an upper bound on the number of SA A-D routes. IIUC, the mechanisms in this document do not change relative resource consumption in a way that might require the specific value of the upper bound to change, but please confirm. Zzh> Correct. It actually reduces the number of the SA A-D routes. The security considerations for RFC 3618 mandate implementation of TCP-MD5, which is a bit dated. Should we say anything about TCP-AO (RFC 5925) here? Zzh> That should be outside the scope of this document. We're just adding a missing link between MVPN and MSDP. Section 7.2 While RFC 3618 is not specifically cited in any location that would require it to be classified as normative, I think that it should be classified as normative, and thus presumably that more references to it should also be added where the normative use of MSDP is mentioned in the text. Zzh> OK, I changed it to normative, and added reference to it at the first time MSDP is mentioned. NITS Section 1 Familiarity with MVPN and MSDP protocols and procedures is assumed. Some terminologies are listed below for convenience. References for MVPN and MSDP would go well here. Zzh> Yes. Section 2 similar to MSDP Source-Active messages [RFC3618]. For a VPN, one or more of the PEs, say PE1, either act as a C-RP and learn of (C-S,C-G) via PIM Register messages, or have MSDP sessions with some MSDP peers and learn (C-S,C-G) via MSDP SA messages. [...] Since we specified "say PE1", we should probably take the "one" branch of "one or more" and use "has" and "learns" for singular/plural agreement. Zzh> Done. corresponding (C-*,C-G) state learnt from its CE. PE2 may also have MSDP sessions for the VPN with other C-RPs at its site, but [RFC6514] does not specify that it advertises MSDP SA messages to those MSDP I suggest s/it/PE2/ just to avoid any doubt. Zzh> done. which are redundant and unnecessary. Also notice that the PE1-PE2 MSDP session is VPN-specific, while the BGP sessions over which the MVPN routes are advertised are not. I suggest s/VPN-specific/used only for a single MVPN/ Zzh> Since "VPN-specific" is used in the next paragraph and "used only for a single MVPN" does not read well there, I added "(only for a single VPN") after the first "VPN-specific". o VPN extranet mechanisms can be used to propagate (C-S,C-G) information across VPNs with flexible policy control. Is RFC 7900 a good reference for "VPN extranet"? I had to look it up... Zzh> RFC 7900 is for MVPN. Here it is only about the general (not MVPN specific) policy-based control how routes are propagated/exchanged across the VPNs. I added 2764 as reference here. contain the source and group. MSDP requires the RP address information in order to perform peer-RPF. Therefore, this document I'd suggest expanding RPF on first use. Zzh> RFC 3618 does not expand RPF either. Does it really help to change it to "peer Reverse Path Forwarding"? RPF should be familiar to multicast people, and for others "reverse path forwarding" may still be confusing? Zzh> For now I just added "MSDP" to say "MSDP peer-RPF". Section 3 attach the EC), the local RP address for the C-G is used. In that case, it is possible that the receiving PE's RP for the C-G is actually the MSDP peer to which the generated MSDP message is I suggest s/receiving PE's RP/RP inserted into the MSDP SA message/. Zzh> Done. from before. The previously advertised MSDP SA message with the older RP address will be timed out. I guess technically it's the state that the older message induced that times out, not the message itself. Zzh> Ok fixed. direction - upon receiving an MVPN SA route in a VPN generate corresponding MSDP SA and advertise to MSDP peers in the same VPN. "generate a"; "advertise it" Zzh> Fixed. Zzh> Thanks! Zzh> Jeffrey _______________________________________________ BESS mailing list [email protected] https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/bess__;!!NEt6yMaO-gk!RpGeWZCeZBAreMzivXrQ0bVoJONE8ErGwazuYm6GFz0p3HbPN0W63F57Omxs5xMo$ Juniper Business Use Only _______________________________________________ BESS mailing list [email protected] https://www.ietf.org/mailman/listinfo/bess
