Gyan, MPLS is never sent in SAFI 1.
Thx,
R.

On Sun, Feb 13, 2022 at 5:47 AM Gyan Mishra <hayabusa...@gmail.com> wrote:

> Hi Robert
>
> On Sat, Feb 12, 2022 at 4:23 PM Robert Raszuk <rob...@raszuk.net> wrote:
>
>> Gyan,
>>
>>> Section 5.3 and 5.4 cover GRT option and 5.3 using RFC 5549 next hop
>>> encoding. In this case using GRT transport underlay layer now carries the
>>> customer routes and that is what Warren and Andrew concern is as far as BGP
>>> leaks.
>>
>> I would have the same concern so would VPN customers. No one is selling
>> L2 or L3 VPN service to them distributing their reachability in the global
>> routing table. They can do that all by themselves and there is lots of
>> really solid tools or products to do that already without being locked to a
>> single telco.
>
> Gyan> MPLS provides the capability for GRT native routing SAFI 1 as well
> as SAFI 128, so in my opinion both should be supported by SRv6 as operators
> look to use SRv6 for a variety of use cases. That’s my point as there
> should be complete feature parity between MPLS and SRv6 as to AFI / SAFI
> support. Global Internet routing would not be the best use case for SAFI 1
> GRT due to the attack vector - agreed, but enterprise networks with
> internal customers where there is a trust level is a huge use case.
>
>>> So when GRT is used the same edge filtering protection mechanisms used
>>> today for MPLS and SR-MPLS would apply to SRv6 for GRT use case.
>>
>> Not possible. It is not about filtering ... it is all about using
>> globally routable SAFI vs private SAFIs to distribute customer's
>> reachability, IMO that should still be OTT only.
>
> Gyan> As SRv6 source node is requirement to encapsulation with IPv6
> outer header and decapsulation at egress PE for SRv6-BE and SRv6-TE path
> steering the security issue brought up related to 5.3 and 5.4 is not an
> issue requiring filtering per RFC 8402. So routable and private SAFI
> scenario would be the same now due to encapsulation overlay for both. Do
> you agree?
>
>>> I don’t think we are saying 5.3 or 5.4 should not be allowed but just to
>>> tighten up verbiage as far securing the domain.
>>
>> BGP filtering or policy is in hands of many people. As has been proven
>> you cannot tighten them strong enough not to leak. The only natural way to
>> tighten them is to use different plane to distribute private information
>> what in this context means at least different BGP SAFI.
>>
>> So no - I do not agree with your observations.
>
> Gyan> I am not promoting use of SAFI 1 however I SRv6 should provide
> complete parity with MPLS to support both SAFI 1 and 128. There are plenty
> of use cases for SAFI 1 and it should be supported with SRv6.
>
>> However I am for providing overlay reachability over global IPv6 Internet
>> to interconnect customer sites. But routing within those sites should not
>> be traversing Internet routers and using SAFI 1.
>>
>> Rgs,
>> Robert.
>
> --
>
> *Gyan Mishra*
>
> *Network Solutions Architect*
>
> *Email gyan.s.mis...@verizon.com*
>
> *M 301 502-1347*
_______________________________________________
BESS mailing list
BESS@ietf.org
https://www.ietf.org/mailman/listinfo/bess