Hi Robert
On Sat, Feb 12, 2022 at 4:23 PM Robert Raszuk <[email protected]> wrote:
> Gyan,
>
>> Section 5.3 and 5.4 cover GRT option and 5.3 using RFC 5549 next hop
>> encoding. In this case using GRT transport underlay layer now carries the
>> customer routes and that is what Warren and Andrew's concern is as far as BGP
>> leaks.
>>
>
> I would have the same concern so would VPN customers. No one is selling L2
> or L3 VPN service to them distributing their reachability in the global
> routing table. They can do that all by themselves and there are lots of
> really solid tools or products to do that already without being locked to a
> single telco.
>
Gyan> MPLS provides the capability for GRT native routing SAFI 1 as well
as SAFI 128, so in my opinion both should be supported by SRv6 as operators
look to use SRv6 for a variety of use cases. That’s my point as there
should be complete feature parity between MPLS and SRv6 as to AFI / SAFI
support. Global Internet routing would not be the best use case for SAFI 1
GRT due to the attack vector - agreed, but enterprise networks with
internal customers where there is a trust level is a huge use case.
>
>> So when GRT is used the same edge filtering protection mechanisms used
>> today for MPLS and SR-MPLS would apply to SRv6 for GRT use case.
>>
>
> Not possible. It is not about filtering ... it is all about using globally
> routable SAFI vs private SAFIs to distribute customer's reachability, IMO
> that should still be OTT only.
>
Gyan> As the SRv6 source node is required to encapsulate with an IPv6
outer header, with decapsulation at the egress PE, for SRv6-BE and SRv6-TE path
steering, the security issue brought up related to 5.3 and 5.4 is not an
issue requiring filtering per RFC 8402. So the routable and private SAFI
scenarios would be the same now due to the encapsulation overlay for both. Do
you agree?
>
>> I don’t think we are saying 5.3 or 5.4 should not be allowed but just to
>> tighten up verbiage as far as securing the domain.
>>
>
> BGP filtering or policy is in the hands of many people. As has been proven, you
> cannot tighten them strongly enough not to leak. The only natural way to
> tighten them is to use a different plane to distribute private information,
> which in this context means at least a different BGP SAFI.
>
> So no - I do not agree with your observations.
>
Gyan> I am not promoting use of SAFI 1; however, SRv6 should provide
complete parity with MPLS to support both SAFI 1 and 128. There are plenty
of use cases for SAFI 1 and it should be supported with SRv6.
>
> However I am for providing overlay reachability over global IPv6 Internet
> to interconnect customer sites. But routing within those sites should not
> be traversing Internet routers and using SAFI 1.
>
> Rgs,
> Robert.
>
> --
*Gyan Mishra*
*Network Solutions Architect*
*Email [email protected]*
*M 301 502-1347*
_______________________________________________
BESS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/bess