IETF Logo Mail Archive

Re: [babel] Babel filtering: routing policies

Mahesh Jethanandani <mjethanandani@gmail.com> Fri, 23 August 2019 02:05 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED998120170 for <babel@ietfa.amsl.com>; Thu, 22 Aug 2019 19:05:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rs0PryvdgDlr for <babel@ietfa.amsl.com>; Thu, 22 Aug 2019 19:05:45 -0700 (PDT)
Received: from mail-pf1-x441.google.com (mail-pf1-x441.google.com [IPv6:2607:f8b0:4864:20::441]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BFF912011B for <babel@ietf.org>; Thu, 22 Aug 2019 19:05:45 -0700 (PDT)
Received: by mail-pf1-x441.google.com with SMTP id f17so5300201pfn.6 for <babel@ietf.org>; Thu, 22 Aug 2019 19:05:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=bBcZYee0OKjO2Ney8fS5qqBYl/Rt75BXZEAcgdWN9JA=; b=tm4rhnH6pJ6ay271waFOxllCrZVE/BiaKrYbGo1Df9buU9GHAgT07sn4/sxO/nsbWV mF8wOS1qg8Ysd/LmvB9++tR/IWyqEEXHiH5Rq/6CFcr5jLRWydVikt6jNOInJ6jTn5/t pcNL7AnTSnwYIY6UYRcjLAkJwrCuib9ZSSNN0VNFMersq4cipHW5mu5dqLwq0MrDP5rT zSChnLVB14pk40CMJVvs+bE3BThBHeSXaaJJGSyCZ8NG56yLhTRx3ZRN93m8ox9tYaFn wmm7nJkdOMpf78Xk1JZOv0iLCQmp5cwzazaHWdPfHp1oqjS7+bxMhk02HXqr4Lpeizd2 m+Jw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=bBcZYee0OKjO2Ney8fS5qqBYl/Rt75BXZEAcgdWN9JA=; b=DKDYpYHGPY4HKeL2K5mi5uvV1KxDiH31QXLiLPF/x19FGrRAa69zfqo95v3CixVXvI d2IMhkpVQ3Gf+C7LsgCLRKbdmB5lYNKT2INxyxZOvFR9fx44GP3V0tbmezXTOK2asd++ 9QwaoyStjnml9ffHIZPPn1izZyqKlRki8QnnJfwzMApTFLdSS5KdmSWrBie3HhDBZtLt CZl0UES0qOOp7YNfCeEaCAyuzs92pozqm5tPY4IKps8KXPIbPrw/1vc5OkskioXSJq32 1vNtOcMrxsxobFZVLp2yMMD6u+hUZxv7MsLNJjrXOYLzsMJaCKP+7KV7n/b8+GpDMxeY qXJg==
X-Gm-Message-State: APjAAAU7rnVhO4NsWi0Btl+sv0TqC7z3jUK8WlWXwIavGrx4Johj1tfj l8r6i92CrsE0//UeR1fK8+A=
X-Google-Smtp-Source: APXvYqyXsAHxThsd1EnEL/3UrkNqZKWg1l2lwewxNUKrK7SSjukoLfYJUe/2FpLk8g7Er92BmC4fPw==
X-Received: by 2002:a65:684a:: with SMTP id q10mr1832374pgt.417.1566525944517; Thu, 22 Aug 2019 19:05:44 -0700 (PDT)
Received: from [10.33.122.240] ([66.170.99.1]) by smtp.gmail.com with ESMTPSA id i124sm752201pfe.61.2019.08.22.19.05.43 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 22 Aug 2019 19:05:43 -0700 (PDT)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <D659D3AF-B73D-417F-9751-3CD4DE36B4E2@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A77D74D0-189F-49AB-B921-D1FBC5B3E248"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Thu, 22 Aug 2019 19:05:42 -0700
In-Reply-To: <87lfwn5d3d.wl-jch@irif.fr>
Cc: babel@ietf.org, Barbara Stark <bs7652@att.com>
To: Juliusz Chroboczek <jch@irif.fr>
References: <87lfwn5d3d.wl-jch@irif.fr>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/Dhs7DBJv9S3Aw5Gnd-9p8ImLXhk>
Subject: Re: [babel] Babel filtering: routing policies
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2019 02:05:48 -0000

Hi Juliusz,

Following up on this e-mail to understand how to implement the routing policies for Babel.

> On Jul 24, 2019, at 2:36 PM, Juliusz Chroboczek <jch@irif.fr> wrote:
> 
> Dear Barbara, dear Mahesh,
> 
> All distance-vector routing protocols, including BGP and Babel,
> intrinsically support flexible routing policies.  In the Babel community,
> we consider the way of defining such policies as an implementation
> feature, and they are not part of the protocol definition.
> 
> The following therefore applies to babeld, the "reference" implementation.
> 
> In babeld, we speak about filter chains.  A route goes through each filter
> in a filter chain at four points in Babel:
> 
>  "in" chain, when the route is learnt from a neighbour;
>  "install" chain, when the route is installed in the kernel;
>  "redistribute" chain, when the route is learnt from the kernel;
>  "out" chain, when the route is announced to a neighbour.

In order to make sure we are talking the same language, would you say a given chain is equivalent of a “defined set” as defined by draft-ietf-rtgwg-policy-model <https://tools.ietf.org/html/draft-ietf-rtgwg-policy-model-06>? I understand that these are babel specific, so I will extend the policy model to add these chains as “defined sets". I am also assuming that there is one instance of each chain (or defined set). In other words, we are not looking at multiple “in” chains, as an example.

> 
> When a filter chain is applied, the individual filters in a chain are
> checked, and the first filter that applies to the route is executed.
> A filter can perfrom the following actions:
> 
>  "allow" -- pass the route unchanged, equivalent to "metric 0";
>  "deny" -- drop the route;
>  "metric nnn" -- add nnn to the metric value.
> 
> There exist other actions, more specialised -- see the manual page for
> details.

I see two more, src-prefix and table. Is there more?

> 
> Babeld implements a rich language for matching routes -- it can match on
> next-hop address, on destination prefix, on destination prefix length, on
> the router-id of the originating router, etc.  Again, see the manual page
> for details.

I am looking at the following conditions (in the routing policy model language) specified in the man page.

       ip prefix
              This entry only applies to routes in the given prefix.

       eq plen
              This entry only applies to routes with a prefix length equal to plen.

       le plen
              This entry only applies to routes with a prefix length less or equal to plen.

       ge plen
              This entry only applies to routes with a prefix length greater or equal to plen.

       src-ip prefix
              This entry only applies to routes with a source prefix in the given prefix.

       src-eq plen
              This entry only applies to routes with a source prefix length equal to plen.

       src-le plen
              This  entry  only  applies  to  routes with a source prefix length less or equal to
              plen.

       src-ge plen
              This entry only applies to routes with a source prefix length greater or  equal  to
              plen.

       neigh address
              This  entry only applies to routes learned from a neighbour with link-local address
              address.

       id id  This entry only applies to routes originated by a router with router-id id.

       proto p
              This entry only applies to kernel routes with kernel protocol number p.  If neither
              proto  nor  local  is  specified, this entry applies to all non-local kernel routes
              with a protocol different from "boot".

       local  This entry only applies to local addresses.

       if interface
              For an input filter, this specifies the interface over which the route is  learned.
              For  an  output  filter,  this  specifies  the  interface  over which this route is
              advertised.  For a redistribute statement, this specifies the interface over  which
              the route forwards packets.
Note, the policy module defines a default set of conditions like prefix sets, so some of your examples should be take care of with them.

Anything else that I am missing?

> 
> Examples
> ========
> 
> ## Default filters
> 
>    in allow
> 
>    out allow
> 
>    redistribute local allow
>    redistribute deny
> 
>    install allow
> 
> These are the default chains if no filters are defined, and are suitable
> for a mesh node with no attached prefixes.  They say that babeld is
> promiscuous (it learns all routes and announces all routes), it only
> redistributes local node addresses, and installs any routes that it learns
> unchanged.
> 
> ## Traditional router
> 
>  redistribute proto 2 allow
>  redistribute deny
> 
> This overrides the default to not redistribute any local addresses, but to
> redistribute any locally attached prefixes.  This is the default behaviour
> or a traditional router.
> 
> ## Traditional router with redistribution
> 
>  redistribute proto 2 allow
>  redistribute proto 11 metric 32384
>  redistribute deny
> 
> This says to additionally redistribute any routes learned from
> Zebra/Quagga/FRR, but to attach them with a higher metric -- Babel routes
> will thus be preferred to FRR routes.
> 
> ## Stub router
> 
>  redistribute proto 2 allow
>  redistribute deny
> 
>  out ip 192.168.42.0/24 allow
>  out ip 2001:db8:4242::/48 allow
>  out deny
> 
> This says to learn routes promiscuously, but to only reannounce routes in
> the given prefixes.  This is typical of a stub router, that only announces
> routes in the local prefixes.
> 
> ## Default router
> 
>  out ip 0.0.0.0/0 le 0 allow
>  out ip ::/0 le 0 allow
>  out deny
> 
> This router only announces default routes.
> 
> ## IPv6 border router
> 
>  in ip ::/0 allow
>  in deny
> 
>  out if eth0 ip 2001:db8:4242::/48 le 48 allow
>  out if eth0 deny
> 
>  out if eth1 ip 2001:db8:5757::/48 le 48 allow
>  out if eth1 deny
> 
> This router sits at the interface between two networks, and only announces
> a route summarising a whole network to the other network.  This reduces
> the amount of traffic, at the cost of non-optimal routing.
> 
> ## Ignoring bad routers
> 
>  in if eth0 nh fe80::1 deny
>  in router-id 12:34:56:78:9a:bc deny
>  in allow
> 
> This router ignores routes from a given next hop as well as routes
> originated by a given router-id.  This can be used to temporarily
> blackhole a mis-configured router, before it is fixed.
> 
> -- Juliusz
> 
> 
> 
> 

Mahesh Jethanandani
mjethanandani@gmail.com

v2.23.0 | Report a Bug | By Email