4-Octet AS Specific BGP Extended Community
draft-ietf-l3vpn-as4octet-ext-community-03

[Ballot discuss]
[This text repeats issues raised in Steve Kent's secdir review, which does not appeared
to have received an answer.  Please include him in any followup emails; his address is
Stephen Kent ]

The Security Considerations for this document need to be expanded.  The current text
states:

5. Security Considerations

  All the security considerations for BGP Extended Communities apply
  here.

I assume that the intent of this text was to point to RFC 4360, and originally intended
to simply request a inclusion pointer.  As a  general rule, I support Security Considerations
by reference.  Unfortunately, RFC 4360 provides yet another indirection and the reference
is empty.

From RFC 4360:

8.  Security Considerations

  This extension to BGP has similar security implications as BGP
  Communities [RFC1997].

  This extension to BGP does not change the underlying security issues.
  Specifically, an operator who is relying on the information carried
  in BGP must have a transitive trust relationship back to the source
  of the information.  Specifying the mechanism(s) to provide such a
  relationship is beyond the scope of this document.

And from RFC 1997:

Security Considerations

  Security issues are not discussed in this memo.

The authors need to write a meaningful Security Considerations section
addressing BGP Extended Communities, or find a prior documents that
already explores the topic.

This text should also apply to draft-ietf-l3vpn-v6-ext-communities,
where I am entering a parallel discuss.

[Ballot discuss]
[This text repeats issues raised in Steve Kent's secdir review, which does not appeared
to have received an answer.  Please include him in any followup emails; his address is
Stephen Kent ]

The Security Considerations for this document need to be expanded.  The current text
states:

5. Security Considerations

  All the security considerations for BGP Extended Communities apply
  here.

I assume that the intent of this text was to point to RFC 4360, and originally intended
to simply request a inclusion pointer.  As a  general rule, I support Security Considerations
by reference.  Unfortunately, RFC 4360 provides yet another indirection and the reference
is empty.

From RFC 4360:

8.  Security Considerations

  This extension to BGP has similar security implications as BGP
  Communities [RFC1997].

  This extension to BGP does not change the underlying security issues.
  Specifically, an operator who is relying on the information carried
  in BGP must have a transitive trust relationship back to the source
  of the information.  Specifying the mechanism(s) to provide such a
  relationship is beyond the scope of this document.

And from RFC 1997:

Security Considerations

  Security issues are not discussed in this memo.

The authors need to write a meaningful Security Considerations section addressing BGP Extended Communities, or find a prior documents that already explores the topic.
(This text will also apply to draft-ietf-l3vpn-v6-ext-communities,
where I am entering a parallel discuss.)

[Ballot discuss]
A lovely short draft, thanks!

Updating my Discuss to provide a bit more clarity. (Sorry about the first version!)

Although the IANA section creates a registry for the transitive and non-transitive extended communities, it doesn't call out the information specific to the interpretation of the Local Administrator sub-field.

The I-D says for the  Local Administrator sub-field that...
    The format and meaning of the value encoded in
    this sub-field should be defined by the sub-type of the commu-
    nity.

This could mean one of two things...

- That the format and meaning is independent of the AS number even
  though the value is dependent on the AS number. In this case I
  think it would be worth having the registry discuss the format and
  meaning of the Local Administrator sub-field. And in this case the
  FCFS assignment rule seems a bit lax.

- The format and meaning is dependent on the AS number. In other words
  the parse of the Local Administrator field is dependent first on the
  AS number and then on the community sub-type. If this is the case,
  more explanation needs to be added to the I-D.

[Ballot discuss]
A lovely short draft, thanks!

Hopefully this question can be resolved either by an email response or a tiny mod to the I-D.

Why doesn't this draft create a registry for the community sub-types?

I know the I-D does not define any values, but it does say for the  Local Administrator sub-field that...
    The format and meaning of the value encoded in
    this sub-field should be defined by the sub-type of the commu-
    nity.

This could mean one of two things...

- That the format and meaning is independent of the AS number even
  though the value is dependent on the AS number. In this case I
  think it would be worth creating the registry ready to be populated.
  In particular, the rules for assignment should be specified.

- The format and meaning is dependent on the AS number. In other words
  the parse of the Local Administrator field is dependent first on the
  AS number and then on the community sub-type. If this is the case,
  more explanation needs to be added to the I-D.

[Ballot comment]
Section 5., paragraph 1:
>    All the security considerations for BGP Extended Communities apply
>    here.

  It would be useful to provide a reference.

[Ballot comment]
Please consider the comments from the Gen-ART Review by Ben Campbell
  on 2009-Jun-30.
 
  Are there missing words in Abstract?
  >
  > "...allows to carry 4 octet autonomous system numbers"

  There's no motivational text in the Introduction. A paragraph
  describing (very briefly) why you would want 4 octet extended
  communities might be helpful.

[Ballot discuss]
This is a DISCUSS-DISCUSS that I plan to clear after we discuss the issue on mail or in the meeting and I understand what I may be missing.

> 3. Considerations for two-octet Autonomous Systems

  As per [RFC4893], a two-octet Autonomous System number can be con-
  verted into a 4-octet Autonomous System number by setting the two
  high-order octets of the 4-octet field to zero.

  As a consequence, at least in principle an autonomous system that
  uses a two-octet Autonomous System number could use either two-octet
  or four-octet AS specific extended communities. This is undesirable,
  as both communities would be treated as different, even if they had
  the same Sub-Type and Local Administrator values.

  Therefore, for backward compatibility with existing deployments, and
  to avoid inconsistencies between two-octet and four-octet specific
  extended communities, autonomous systems that use two-octet
  Autonomous System numbers SHOULD use two-octet AS specific extended
  communities rather than four-octet AS specific extended communities.

What is the reason the SHOULD in the last paragraph is not a MUST? Are there any justified exception cases that should be considered (maybe also described)?

IANA Last Call comments:

registry "Border Gateway Protocol (BGP) Data Collection Standard Communities"
located at http://www.iana.org/assignments/bgp-extended-communities
create a new sub-registry "Four-octet AS Specific Extended Community"
Initial contents of this sub-registry will be:

Registry Name: Four-octet AS Specific Extended Community
Reference: [RFC-l3vpn-as4octet-ext-community-03]
Range Registration Procedures
----------------------------------------- ------------------------------
0x0200-0x02ff Transitive communities First Come First Served
0x4200-0x42ff Non-transitive communities First Come First Served

Registry:
Type Value Name Reference
------------ --------------------------------------- --------
0x0202 four-octet AS specific Route Target [RFC-l3vpn-as4octet-ext-community-03]
0x0203 four-octet AS specific Route Origin [RFC-l3vpn-as4octet-ext-community-03]

We understand the above to be the only IANA Actions for this document.

PROTO writeup by Danny McPherson:

    (1.a)  Who is the Document Shepherd for this document?  Has the
          Document Shepherd personally reviewed this version of the
          document and, in particular, does he or she believe this
          version is ready for forwarding to the IESG for publication?

    The Document Shepherd is myself (Danny McPherson). I believe that
    the 01 version is ready for forwarding to the IESG for publication
    on the Internet Standards Track.

    (1.b)  Has the document had adequate review both from key WG members
          and from key non-WG members?  Does the Document Shepherd have
          any concerns about the depth or breadth of the reviews that
          have been performed?

    The document passed the L3VPN WG Last Call, although we received
    no comments on the document during the Last Call.  It was also
    Last Called in the IDR WG because of the proximity to IDR work.
    No outstanding comments exist.

    (1.c)  Does the Document Shepherd have concerns that the document
          needs more review from a particular or broader perspective,
          e.g., security, operational complexity, someone familiar with
          AAA, internationalization or XML?

    No.

    (1.d)  Does the Document Shepherd have any specific concerns or
          issues with this document that the Responsible Area Director
          and/or the IESG should be aware of?  For example, perhaps he
          or she is uncomfortable with certain parts of the document, 
or
          has concerns whether there really is a need for it.  In any
          event, if the WG has discussed those issues and has indicated
          that it still wishes to advance the document, detail those
          concerns here.  Has an IPR disclosure related to this 
document
          been filed?  If so, please include a reference to the
          disclosure and summarize the WG discussion and conclusion on
          this issue.

    No.

    (1.e)  How solid is the WG consensus behind this document?  Does it
          represent the strong concurrence of a few individuals, with
          others being silent, or does the WG as a whole understand and
          agree with it?

    There were no objections during the WG Last Call on the document,
    and the utility of the specification is both obvious and intuitive.

    (1.f)  Has anyone threatened an appeal or otherwise indicated 
extreme
          discontent?  If so, please summarise the areas of conflict in
          separate email messages to the Responsible Area Director. 
(It
          should be in a separate email because this questionnaire is
          entered into the ID Tracker.)

    No.

    (1.g)  Has the Document Shepherd personally verified that the
          document satisfies all ID nits?  (See
          http://www.ietf.org/ID-Checklist.html and
          http://tools.ietf.org/tools/idnits/).  Boilerplate checks are
          not enough; this check needs to be thorough.  Has the 
document
          met all formal review criteria it needs to, such as the MIB
          Doctor, media type and URI type reviews?

    The boilerplate for the document needs to be updated, the authors
    have no issues with the new boilerplate and will submit a new 
revision
    when the I-D submission window is re-opened.  No other concerns 
exist.

    (1.h)  Has the document split its references into normative and
          informative?  Are there normative references to documents 
that
          are not ready for advancement or are otherwise in an unclear
          state?  If such normative references exist, what is the
          strategy for their completion?  Are there normative 
references
          that are downward references, as described in [RFC3967]?  If
          so, list these downward references to support the Area
          Director in the Last Call procedure for them [RFC3967].

    The document split its references. There are no normative
    references that are not published, so there should be no
    issues here.

    (1.i)  Has the Document Shepherd verified that the document IANA
          consideration section exists and is consistent with the body
          of the document?  If the document specifies protocol
          extensions, are reservations requested in appropriate IANA
          registries?  Are the IANA registries clearly identified?  If
          the document creates a new registry, does it define the
          proposed initial contents of the registry and an allocation
          procedure for future registrations?  Does it suggest a
          reasonable name for the new registry?  See [RFC2434].  If the
          document describes an Expert Review process has Shepherd
          conferred with the Responsible Area Director so that the IESG
          can appoint the needed Expert during the IESG Evaluation?

    The document contains IANA consideration section.  To the best
    of my knowledge the IANA considerations are consistent with the
    rest of the document.  The document does create a new registry
    titled "Four-octet AS Specific Extended Community" and the
    contents of that registry are clearly identified.

    (1.j)  Has the Document Shepherd verified that sections of the
          document that are written in a formal language, such as XML
          code, BNF rules, MIB definitions, etc., validate correctly in
          an automated checker?

    No section of this document is written in a formal language.

    (1.k)  The IESG approval announcement includes a Document
          Announcement Write-Up.  Please provide such a Document
          Announcement Write-Up?  Recent examples can be found in the
          "Action" announcements for approved documents.  The approval
          announcement contains the following sections:

          Technical Summary
              Relevant content can frequently be found in the abstract
              and/or introduction of the document.  If not, this may be
              an indication that there are deficiencies in the abstract
              or introduction.

    This document defines a new type of BGP extended community
    ([RFC4360]) - four-octet AS specific extended community. This type 
of
    extended community is similar to the two-octet AS specific extended
    community, except that it can carry a four octets autonomous system
    number.

          Working Group Summary
              Was there anything in WG process that is worth noting? 
For
              example, was there controversy about particular points or
              were there decisions where the consensus was particularly
              rough?

    This document is a product of L3VPN WG. There were no comments
    on the document during the WG Last Call, nor were than any from
    the IDR WG.

          Document Quality
              Are there existing implementations of the protocol?


    Not to my knowledge, or that of the primary author, but my
    knowledge is limited.


              Have a significant number of vendors indicated their plan
              to implement the specification?

    I do not know.

              Are there any reviewers that merit special mention as
              having done a thorough review, e.g., one that resulted
              in important changes or a conclusion that the document
              had no substantive issues?

    Not to the best of my knowledge, or that of the author, but the
    document is a straightforward extension of the existing extended
    communities RFC. So, with this in mind one should not expect to
    have any substantive issues with the document.

              If there was a MIB Doctor, Media Type or other expert
              review, what was its course (briefly)?  In the case of
              a Media Type review, on what date was the request posted?

    Nope, none of the above.

PROTO writeup by Danny McPherson:

    (1.a)  Who is the Document Shepherd for this document?  Has the
          Document Shepherd personally reviewed this version of the
          document and, in particular, does he or she believe this
          version is ready for forwarding to the IESG for publication?

    The Document Shepherd is myself (Danny McPherson). I believe that
    the 01 version is ready for forwarding to the IESG for publication
    on the Internet Standards Track.

    (1.b)  Has the document had adequate review both from key WG members
          and from key non-WG members?  Does the Document Shepherd have
          any concerns about the depth or breadth of the reviews that
          have been performed?

    The document passed the L3VPN WG Last Call, although we received
    no comments on the document during the Last Call.  It was also
    Last Called in the IDR WG because of the proximity to IDR work.
    No outstanding comments exist.

    (1.c)  Does the Document Shepherd have concerns that the document
          needs more review from a particular or broader perspective,
          e.g., security, operational complexity, someone familiar with
          AAA, internationalization or XML?

    No.

    (1.d)  Does the Document Shepherd have any specific concerns or
          issues with this document that the Responsible Area Director
          and/or the IESG should be aware of?  For example, perhaps he
          or she is uncomfortable with certain parts of the document, 
or
          has concerns whether there really is a need for it.  In any
          event, if the WG has discussed those issues and has indicated
          that it still wishes to advance the document, detail those
          concerns here.  Has an IPR disclosure related to this 
document
          been filed?  If so, please include a reference to the
          disclosure and summarize the WG discussion and conclusion on
          this issue.

    No.

    (1.e)  How solid is the WG consensus behind this document?  Does it
          represent the strong concurrence of a few individuals, with
          others being silent, or does the WG as a whole understand and
          agree with it?

    There were no objections during the WG Last Call on the document,
    and the utility of the specification is both obvious and intuitive.

    (1.f)  Has anyone threatened an appeal or otherwise indicated 
extreme
          discontent?  If so, please summarise the areas of conflict in
          separate email messages to the Responsible Area Director. 
(It
          should be in a separate email because this questionnaire is
          entered into the ID Tracker.)

    No.

    (1.g)  Has the Document Shepherd personally verified that the
          document satisfies all ID nits?  (See
          http://www.ietf.org/ID-Checklist.html and
          http://tools.ietf.org/tools/idnits/).  Boilerplate checks are
          not enough; this check needs to be thorough.  Has the 
document
          met all formal review criteria it needs to, such as the MIB
          Doctor, media type and URI type reviews?

    The boilerplate for the document needs to be updated, the authors
    have no issues with the new boilerplate and will submit a new 
revision
    when the I-D submission window is re-opened.  No other concerns 
exist.

    (1.h)  Has the document split its references into normative and
          informative?  Are there normative references to documents 
that
          are not ready for advancement or are otherwise in an unclear
          state?  If such normative references exist, what is the
          strategy for their completion?  Are there normative 
references
          that are downward references, as described in [RFC3967]?  If
          so, list these downward references to support the Area
          Director in the Last Call procedure for them [RFC3967].

    The document split its references. There are no normative
    references that are not published, so there should be no
    issues here.

    (1.i)  Has the Document Shepherd verified that the document IANA
          consideration section exists and is consistent with the body
          of the document?  If the document specifies protocol
          extensions, are reservations requested in appropriate IANA
          registries?  Are the IANA registries clearly identified?  If
          the document creates a new registry, does it define the
          proposed initial contents of the registry and an allocation
          procedure for future registrations?  Does it suggest a
          reasonable name for the new registry?  See [RFC2434].  If the
          document describes an Expert Review process has Shepherd
          conferred with the Responsible Area Director so that the IESG
          can appoint the needed Expert during the IESG Evaluation?

    The document contains IANA consideration section.  To the best
    of my knowledge the IANA considerations are consistent with the
    rest of the document.  The document does create a new registry
    titled "Four-octet AS Specific Extended Community" and the
    contents of that registry are clearly identified.

    (1.j)  Has the Document Shepherd verified that sections of the
          document that are written in a formal language, such as XML
          code, BNF rules, MIB definitions, etc., validate correctly in
          an automated checker?

    No section of this document is written in a formal language.

    (1.k)  The IESG approval announcement includes a Document
          Announcement Write-Up.  Please provide such a Document
          Announcement Write-Up?  Recent examples can be found in the
          "Action" announcements for approved documents.  The approval
          announcement contains the following sections:

          Technical Summary
              Relevant content can frequently be found in the abstract
              and/or introduction of the document.  If not, this may be
              an indication that there are deficiencies in the abstract
              or introduction.

    This document defines a new type of BGP extended community
    ([RFC4360]) - four-octet AS specific extended community. This type 
of
    extended community is similar to the two-octet AS specific extended
    community, except that it can carry a four octets autonomous system
    number.

          Working Group Summary
              Was there anything in WG process that is worth noting? 
For
              example, was there controversy about particular points or
              were there decisions where the consensus was particularly
              rough?

    This document is a product of L3VPN WG. There were no comments
    on the document during the WG Last Call, nor were than any from
    the IDR WG.

          Document Quality
              Are there existing implementations of the protocol?


    Not to my knowledge, or that of the primary author, but my
    knowledge is limited.


              Have a significant number of vendors indicated their plan
              to implement the specification?

    I do not know.

              Are there any reviewers that merit special mention as
              having done a thorough review, e.g., one that resulted
              in important changes or a conclusion that the document
              had no substantive issues?

    Not to the best of my knowledge, or that of the author, but the
    document is a straightforward extension of the existing extended
    communities RFC. So, with this in mind one should not expect to
    have any substantive issues with the document.

              If there was a MIB Doctor, Media Type or other expert
              review, what was its course (briefly)?  In the case of
              a Media Type review, on what date was the request posted?

    Nope, none of the above.