Interoperation between Multicast Virtual Private Network (MVPN) and Multicast Source Directory Protocol (MSDP) Source-Active Routes
RFC 9081
Yes
No Objection
Note: This ballot was opened for revision 06 and is now closed.
Alvaro Retana No Objection
The MSDP reference (rfc3618) should be Normative.
Erik Kline (was Abstain) No Objection
Francesca Palombini No Objection
John Scudder No Objection
Thanks for this short document! I have a few questions and comments, below. 1. Section 3 The MVPN PEs that act as customer RPs or have one or more MSDP sessions in a VPN (or the global table in case of GTM) are treated as an MSDP mesh group for that VPN (or the global table). In the rest of the document, it is referred to as the PE mesh group. It MUST NOT include other MSDP speakers, and is integrated into the rest of MSDP On first reading I had difficulty following “it MUST NOT include other MSDP speakers“. You mean, MSDP speakers from another VPN, right? It didn’t come together for me until I reread it and realized the referent of “it“ is “the PE mesh group“. Anyway, this confused at least one reader, it might stand a little rewording. (Replacing “it” with “The PE mesh group” in the last sentence would do the trick.) 2. Section 3 In addition to procedures in [RFC6514], an MVPN PE may be provisioned to generate MSDP SA messages from received MVPN SA routes, with or without local policy control. If a received MVPN SA route is to trigger MSDP SA message, There are a couple things wrong with the preceding clause. First, it’s either missing an article before “MSDP” as in “trigger an MSDP SA message” or possibly “message” is supposed to be pluralized as in “trigger MSDP messages”. Second and more troublesome, that “if... is to trigger” seems wrong, that’s normally a construct which would introduce a precondition but that’s not what happens. Can you reword this? Do you mean “if a received MVPN SA route triggers an MSDP SA message”? it is treated as if a corresponding MSDP SA message was received from within the PE mesh group and normal MSDP procedure is followed (e.g. an MSDP SA message is advertised to other MSDP peers outside the PE mesh group). Your use of “e.g.”, meaning “for example”, implies other things could happen instead as a result of normal MSDP procedure, and this is just a for-instance. Right? Just checking. The (S,G) information comes from the (C-S,C-G) encoding in the MVPN SA NLRI and the RP address comes from the "MVPN SA RP-address EC" mentioned above. If the received MVPN SA route does not have the EC (this could be from a legacy PE that does not have the capability to attach the EC), the local RP address for the C-G is used. In that case, it is possible that receiving PE's RP for the C-G is actually the MSDP peer to which “The receiving PE’s” the generated MSDP message is advertised, causing the peer to discard it due to RPF failure. To get around that problem the peer SHOULD use local policy to accept the MSDP SA message. That sounds pretty gross considering the MSDP state is built dynamically (isn’t it?) but ok. An MVPN PE MAY treat only the best MVPN SA route selected by BGP route selection process (instead of all MVPN SA routes) for a given “The BGP route selection process” (C-S,C-G) as a received MSDP SA message (and advertise corresponding MSDP message). In that case, if the selected best MVPN SA route does “The corresponding”
Lars Eggert No Objection
All comments below are about very minor potential issues that you may choose to address in some way - or ignore - as you see fit. Some were flagged by automated tools (via https://github.com/larseggert/ietf-reviewtool), so there will likely be some false positives. There is no need to let me know what you did with these suggestions. Section 2, paragraph 9, nit: > rce Active route using an Extended Community so this information can be share > ^^^^^^^^^ Use a comma before 'so' if it connects two independent clauses (unless they are closely connected and short). Section 2.1, paragraph 2, nit: > ation for the "rpt-spt" mode is outside of the scope of this document. In th > ^^^^^^^^^^ This phrase is redundant. Consider using "outside".
Martin Duke No Objection
Murray Kucherawy No Objection
The shepherd writeup asks "Why is this the proper type of RFC?" but the answer to this question is missing.
Robert Wilton No Objection
Thanks Qin for the OPSDIR review.
Roman Danyliw No Objection
Section 4. Editorial. OLD This document extends this capability in the reverse direction - upon receiving an MVPN SA route in a VPN generate corresponding MSDP SA and advertise to MSDP peers in the same VPN. NEW This document extends this capability in the reverse direction - upon receiving an MVPN SA route in a VPN, the PE generates a corresponding MSDP SA and advertises it to MSDP peers in the same VPN.
Éric Vyncke (was Discuss) No Objection
Thank you Alvaro for explaining to me that MSDP is IPv4-only so this document must be IPv4-only as well. I am now clearing my previous DISCUSS ballot. Thanks to the authors, WG, and doc shepherd for the work done (though the text is very hard to read, quite dense, and little context is given). Regards -éric
(Martin Vigoureux; former steering group member) Yes
(Benjamin Kaduk; former steering group member) No Objection
This looks like a nice, simple way to improve the interoperation scenarios. All my comments are relatively minor (and most are explicitly classified as nits). Section 2 Section "14. Supporting PIM-SM without Inter-Site Shared C-Trees" of [RFC6514] specifies the procedures for MVPN PEs to discover (C-S,C-G) via MVPN Source Active A-D routes and then send (C-S,C-G) C-multicast routes towards the ingress PEs, [...] Just to check my understanding: when we say "send (C-S,C-G) C-multicast routes toward the ingress PEs", does that refer to the "Source Tree Join C-multicast route"s that RFC 6514 describes? Would it be helpful to write it out using the same terminology? Section 3 When an MVPN PE advertises an MVPN SA route following procedures in [RFC6514] for the "spt-only" mode, it SHOULD attach an "MVPN SA RP- address Extended Community". [...] I don't really understand why this is only a "SHOULD". If the whole point of this document is to let MVPN S-A announcements get propagated out to MSDP, it seems required, and people who don't care about that scenario can ignore the document entirely; they don't need SHOULD vs MUST to get out of it. In addition to procedures in [RFC6514], an MVPN PE may be provisioned to generate MSDP SA messages from received MVPN SA routes, with or When would something that implements the rest of this document not be expected to generate MSDP SA messages in such a manner? (That is, why use "may be"?) Section 4 I'm always a little wary of claims of "no additional security considerations", though in many cases there are no *significant* new security considerations, even if there are some considerations that are new. In this case, we have the option of using the local RP address for the C-G when constructing a MSDP SA message (when the EC is not present in the MVPN SA NRLI), and since this causes different nodes in the MVPN to see different RPs for the group, it's not immediately clear that there are no relevant security considerations from having different views of the RP. What is the behavior when different nodes are using different RPs? (There is also the fact that the address of the RP is now sent to a larger population by virtue of being in the new BCP EC, which should cause us to consider if there are any privacy considerations from the broadedend information distribution. I don't see anything noteworthy, though.) RFC 6514's security considerations section mentions (by section number, not name) that for the spt-only mode implementations should have an upper bound on the number of SA A-D routes. IIUC, the mechanisms in this document do not change relative resource consumption in a way that might require the specific value of the upper bound to change, but please confirm. The security considerations for RFC 3618 mandate implementation of TCP-MD5, which is a bit dated. Should we say anything about TCP-AO (RFC 5925) here? Section 7.2 While RFC 3618 is not specifically cited in any location that would require it to be classified as normative, I think that it should be classified as normative, and thus presumably that more references to it should also be added where the normative use of MSDP is mentioned in the text. NITS Section 1 Familiarity with MVPN and MSDP protocols and procedures is assumed. Some terminologies are listed below for convenience. References for MVPN and MSDP would go well here. Section 2 similar to MSDP Source-Active messages [RFC3618]. For a VPN, one or more of the PEs, say PE1, either act as a C-RP and learn of (C-S,C-G) via PIM Register messages, or have MSDP sessions with some MSDP peers and learn (C-S,C-G) via MSDP SA messages. [...] Since we specified "say PE1", we should probably take the "one" branch of "one or more" and use "has" and "learns" for singular/plural agreement. corresponding (C-*,C-G) state learnt from its CE. PE2 may also have MSDP sessions for the VPN with other C-RPs at its site, but [RFC6514] does not specify that it advertises MSDP SA messages to those MSDP I suggest s/it/PE2/ just to avoid any doubt. which are redundant and unnecessary. Also notice that the PE1-PE2 MSDP session is VPN-specific, while the BGP sessions over which the MVPN routes are advertised are not. I suggest s/VPN-specific/used only for a single MVPN/ o VPN extranet mechanisms can be used to propagate (C-S,C-G) information across VPNs with flexible policy control. Is RFC 7900 a good reference for "VPN extranet"? I had to look it up... contain the source and group. MSDP requires the RP address information in order to perform peer-RPF. Therefore, this document I'd suggest expanding RPF on first use. Section 3 attach the EC), the local RP address for the C-G is used. In that case, it is possible that the receiving PE's RP for the C-G is actually the MSDP peer to which the generated MSDP message is I suggest s/receiving PE's RP/RP inserted into the MSDP SA message/. from before. The previously advertised MSDP SA message with the older RP address will be timed out. I guess technically it's the state that the older message induced that times out, not the message itself. direction - upon receiving an MVPN SA route in a VPN generate corresponding MSDP SA and advertise to MSDP peers in the same VPN. "generate a"; "advertise it"