Hello, Just noticed draft-ymbk-l3vpn-origination-01.txt ...
A few follow-up questions on the new version:

1. Section "5.2. Provider/ASBR Based Validation/Authentication" indicates possible validation at the ASBR. First, clearly it is not possible to do that in option C, which I think the draft should mention. In option C you could try to describe such validation on the EBGP-peering VPNvX RRs. Assuming option B (or option C on RRs), how do I set a validation policy (based on what value and parameter) so that only some VPN customers' routes will be subject to validation? Same for PEs, where a subset of VPN customers request validation. Or is the draft discussing only option-A ASBRs?

2. How much does the NLRI validation on the option-B ASBR or on the PE help if RTs could have been mangled on the way, and validated or not, routes will end up going to the wrong VPN sites? The draft says: "ASBR2 is the trusted provider with whom CE1 has collaborated." How can one validate on ASBRs (or remote PEs) in the CE-based key allocation scheme? What happens if two VPN customers with overlapping IP addresses choose the same keys on their CEs? Note that CE NLRIs have no notion of RDs and that ingress PEs convert the IPv4 NLRIs from the CE into VPNv4 NLRIs, adding the RD. How can the signature possibly be meaningful anywhere else than in the end PE's VRF or in the end-site CE?

3. In case of validating on the PEs or CEs, how does one handle extranets? Is the plan to share my keys with all extranet partners, or to use a different key per extranet VPN, in the case of per-CE validation? How would it work for PE-based validation? How would I carry multiple keys if a VPN chooses not to share its secret with some of its extranets? How do you associate an L3OPA with RTs? Is the assumption in the draft that such validation is to happen in the VPNvX space during/past the import into the VRFs?

4. How would a service provider be able to inject its own prefixes into VPN sites to offer value-add services (for example, VoIP gateway addresses) if the customer chooses CE-based validation?

5. How do I propagate the result of ASBR- or PE-based validation to the VPN site if such a (say multihomed) site is connected to the SP not via BGP but via an IGP?

Many thx ..

R.

On Thu, Oct 18, 2012 at 5:15 AM, Robert Raszuk <[email protected]> wrote:
>> the keys are arbitrary. you can get ecerts from macdonalds for all
>> the spec cares.
>
> If this is so, what is so novel about your draft compared with the
> already existing, for over 10 years, L3VPN WG document below?
>
> http://tools.ietf.org/html/draft-ietf-l3vpn-auth-00
>
> ?
>
> Thx,
> R.
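The point raised in question 2 (a CE never sees the RD, which the ingress PE prepends when it turns the IPv4 NLRI into a VPNv4 NLRI) can be made concrete with the encodings from RFC 4271 and RFC 4364. The following is an added illustration written for this page; it is not code from the draft, from the mailing-list posters, or from any L3VPN implementation. The HMAC is a placeholder standing in for whatever origination authenticator the draft actually defines (an assumption, since the draft's signing construction is not quoted here), and the key, the ASN 64496, the RDs, the labels and the overlapping prefix 10.1.0.0/16 are all constructed for the scenario.

```python
"""Added example, not from the draft or the thread: show why a CE-computed
authenticator over a bare IPv4 NLRI cannot distinguish two VPNs with
overlapping address space, because the RD is only attached at the PE."""
import hashlib
import hmac
import ipaddress
import struct


def encode_rd_type0(asn: int, assigned: int) -> bytes:
    """Type 0 Route Distinguisher: 2-byte type (0), 2-byte ASN,
    4-byte assigned number (RFC 4364 section 4.2)."""
    return struct.pack("!HHI", 0, asn, assigned)


def encode_ce_nlri(prefix: str) -> bytes:
    """IPv4 unicast NLRI as a CE advertises it: one length octet (bits)
    followed by the minimal number of prefix octets (RFC 4271 section 4.3).
    There is no RD anywhere in this encoding."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_vpnv4_nlri(label: int, rd: bytes, prefix: str) -> bytes:
    """VPNv4 NLRI as the ingress PE re-advertises it (RFC 4364 section
    4.3.4, label field per RFC 3107): length in bits of label + RD + prefix,
    a 3-byte label field (20-bit label, EXP zero, bottom-of-stack set),
    the 8-byte RD, then the prefix octets."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    label_field = struct.pack("!I", (label << 4) | 1)[1:]
    length_bits = 24 + 64 + net.prefixlen
    return bytes([length_bits]) + label_field + rd + net.network_address.packed[:nbytes]


def ce_origin_tag(key: bytes, prefix: str) -> bytes:
    """Placeholder CE-computed origination authenticator. The HMAC is an
    ASSUMPTION standing in for whatever the draft signs; the only point is
    that the CE can cover its own IPv4 NLRI and nothing that contains an RD."""
    return hmac.new(key, encode_ce_nlri(prefix), hashlib.sha256).digest()


def rd_bound_tag(key: bytes, rd: bytes, prefix: str) -> bytes:
    """Same placeholder HMAC over the RD-qualified prefix (RD + IPv4 NLRI;
    the label is deliberately excluded because option-B ASBRs rewrite it).
    Only the ingress PE knows the RD, so only it, or a VRF importing the
    route, can produce or verify this form."""
    return hmac.new(key, rd + encode_ce_nlri(prefix), hashlib.sha256).digest()


def overlapping_vpn_scenario() -> dict:
    """Constructed scenario: two customers both originate 10.1.0.0/16 from
    their CEs and, by assumption, picked the same key. The ingress PE gives
    each VRF its own RD and label."""
    prefix = "10.1.0.0/16"
    shared_key = b"customer-chosen-key"        # constructed value
    rd_a = encode_rd_type0(64496, 100)         # documentation ASN (RFC 5398)
    rd_b = encode_rd_type0(64496, 200)
    vpn_a = encode_vpnv4_nlri(16, rd_a, prefix)
    vpn_b = encode_vpnv4_nlri(17, rd_b, prefix)
    return {
        # CE tags collide: the RD is simply not in scope at the CE.
        "same_ce_tag": ce_origin_tag(shared_key, prefix) == ce_origin_tag(shared_key, prefix),
        # The PE-side NLRIs are distinct, so anything bound to the RD differs.
        "distinct_vpnv4": vpn_a != vpn_b,
        "distinct_rd_bound_tag": rd_bound_tag(shared_key, rd_a, prefix)
        != rd_bound_tag(shared_key, rd_b, prefix),
        "vpnv4_a": vpn_a,
        "vpnv4_b": vpn_b,
    }


if __name__ == "__main__":
    for name, value in overlapping_vpn_scenario().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

Running it shows the two CE-side tags are byte-identical while the two VPNv4 NLRIs (and any tag computed over RD + prefix) differ, which is the structural reason a CE-only authenticator can be checked meaningfully only where the RD-qualified route is known.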
