RE: Secdir last call review of draft-ietf-teas-rsvp-egress-protection-09

Hi Rifaat,

    Thank you very much for your time and your valuable comments.
    Answers to your questions are inline below with prefix [HC].
    Would you mind reviewing them to see if they address the issues?

Best Regards,
Huaimo
-----Original Message-----
From: Rifaat Shekh-Yusef [mailto:rifaat.ietf@xxxxxxxxx] 
Sent: Tuesday, February 20, 2018 12:28 PM
To: secdir@xxxxxxxx
Cc: draft-ietf-teas-rsvp-egress-protection.all@xxxxxxxx; ietf@xxxxxxxx; teas@xxxxxxxx
Subject: Secdir last call review of draft-ietf-teas-rsvp-egress-protection-09

Reviewer: Rifaat Shekh-Yusef
Review result: Has Issues

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

   "A backup egress MUST be configured on the ingress of an LSP to
   protect a primary egress of the LSP if and only if the backup egress
   is not indicated in another place."

Can you define "another place"? Is it the "primary egress"? others?
 
[HC] Yes. Another place in this context is the primary egress. 
We will update the document accordingly as below:
   "A backup egress MUST be configured on the ingress of an LSP to
   protect a primary egress of the LSP if and only if the backup egress
   is not configured on the primary egress."



   "To protect a primary egress of an LSP, a backup egress MUST be
   configured on the primary egress of the LSP to protect the primary
   egress if and only if the backup egress is not indicated in another
   place."   

Can you define "another place"? Is it the "ingress"? others?
   
[HC] Yes. Another place in this context is the ingress. 
We will update the document accordingly as below:
   "To protect a primary egress of an LSP, a backup egress MUST be
   configured on the primary egress of the LSP to protect the primary
   egress if and only if the backup egress is not configured on the 
   ingress."



   "Note that protecting a primary egress of a P2P LSP carrying service
   traffic through a backup egress requires that the backup egress trust
   the primary egress for the information received for a service label
   as UA label."
   
Can you elaborate on this statement? 
How would the backup egress trust the primary egress?

[HC] The information may be sent to the backup egress from the 
"primary egress" through another protocol such as BGP. The backup egress
needs to make sure that the "primary egress" that another protocol uses 
is the same primary egress to be protected. 
The backup egress may check whether the remote end of the BGP session 
is the primary egress if BGP is used to send the information to the 
backup egress from the "primary egress".
We will update the document accordingly as below:
  "Note that protecting a primary egress of a P2P LSP carrying service
   traffic through a backup egress requires that the backup egress make
   sure that the "primary egress" sending the backup egress the information 
   on a service label as UA label through another protocol such as BGP is 
   the same primary egress to be protected."


Regards,
 Rifaat





