[bess] Re: Questions about route selection in draft-ietf-bess-evpn-dpath-00

"Jorge Rabadan (Nokia)" <jorge.rabadan@nokia.com> Mon, 24 June 2024 12:04 UTC

Return-Path: <jorge.rabadan@nokia.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CA13C1840D9; Mon, 24 Jun 2024 05:04:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.254
X-Spam-Level:
X-Spam-Status: No, score=-2.254 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nokia.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JL-qdkH04vJc; Mon, 24 Jun 2024 05:04:30 -0700 (PDT)
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (mail-dm6nam10on2048.outbound.protection.outlook.com [40.107.93.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 097A4C14F70C; Mon, 24 Jun 2024 05:04:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CvYskhyRsA+kmCs58PQqHtgNP+mrv+xVJlx+B4TaJMYeWi14NvRnPfxbOieGniuMCjiauTfOmDj0LPhOUgi2hbF5LxybTW49BIQcaHnY2mVXpZUDV0FYH+wJDq06fCBZyoyomphiQUfirQtC6myhhdvFBvYYdxHguEnvqQ1pfHEXRJEXEH0KjsWUbnDqmfzfv64wNH3Oc0IclMAgvYaX6S5LRwY0latg9qsrGS5e2+NnmPtOYodiGvx3ERt6wRpUVROnIMQjoKBrYcbDPWSDoi8fFLfaQRmbTTBnQMtbZCEOKxoXd8Rw8rv28yN1WLzZMuRZ1mdjLQV1/aLv1WIJOQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=VcRo1Lh/tH61IXE+JK7qBlocCU/QVGR8k6IVGiPwQfU=; b=hbQUoWshmza2RuFkgLY/SZSzBMfNrB89rJQILB0U203y2wvfFdlZMxqyzpvRvLhNal0b+lvt6qkQfWrECO0waxWgHGk5XPAuyku53bvYXeStv3y5Pkj4CJVaOpNE8hZX7jzfLrbl2LUZ+Aqs3px2if4vUfLYoc5uXbdU61WnGOuAnLm+ggSaYlwvBH1kyEcz+4GYSGJVzolFOYZfgJNMESW3GeBClzS2NEkC+HtLzI6uejp/lf4fV1BcSgC9Jbz7JVuEhQyP1kYHAXvRfg4YbSahM9wwBygNRQSu8qQK83TGyISvbbQc8NGJY84F5Ud+jnksRUBsFOFqo+8Fo9qfFA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nokia.com; dmarc=pass action=none header.from=nokia.com; dkim=pass header.d=nokia.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VcRo1Lh/tH61IXE+JK7qBlocCU/QVGR8k6IVGiPwQfU=; b=TxxmUMU8QDYOc8EGQT1lL2Zi+pLhDfJtWXi5JalyJrImc7ACRHROKsq8vMRDUYliODROGCIg+gWLXS49Q8/Z8R1JH63HRUapMZPuRRuw7TGqn1ZgA0+qLNkKKCb7jXZA7DCmN2VjhU2VGe2DHd5CcGNtU+Af2JLrU2MgJMAjRoawBfS02djIHrDjbH2axUtpOQfWSMaaOdy6gXjiSa2GUW2wKgyQKN6CAB7My/WieFYp2dSAtCk//3wt3U9YIqAie/7YqjxLI0flIVXTXZM19B/1/ovgTfamHiDfldTnXkJvyVFzwC2sODUuIzdcpAEpbYlaJ4+gccFRPZqrIbvtyQ==
Received: from SA1PR08MB7215.namprd08.prod.outlook.com (2603:10b6:806:1a9::17) by SJ0PR08MB7681.namprd08.prod.outlook.com (2603:10b6:a03:3f6::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7698.26; Mon, 24 Jun 2024 12:04:27 +0000
Received: from SA1PR08MB7215.namprd08.prod.outlook.com ([fe80::b10c:f208:adaa:c369]) by SA1PR08MB7215.namprd08.prod.outlook.com ([fe80::b10c:f208:adaa:c369%5]) with mapi id 15.20.7698.025; Mon, 24 Jun 2024 12:04:27 +0000
From: "Jorge Rabadan (Nokia)" <jorge.rabadan@nokia.com>
To: Jeffrey Haas <jhaas@pfrc.org>
Thread-Topic: Questions about route selection in draft-ietf-bess-evpn-dpath-00
Thread-Index: AQHalyCq9AQexxDeYEWJDJ5E8gj1nbHNqbB+gAg7UYCAATTOYQ==
Date: Mon, 24 Jun 2024 12:04:00 +0000
Message-ID: <SA1PR08MB72156E91C0567D85031C5895F7D42@SA1PR08MB7215.namprd08.prod.outlook.com>
References: <171206184624.18356.7891001527073621519@ietfa.amsl.com> <20240425145537.GA12879@pfrc.org> <SA1PR08MB721526C32B8FDC49EFF57C13F7CE2@SA1PR08MB7215.namprd08.prod.outlook.com> <20240623162307.GB21586@pfrc.org>
In-Reply-To: <20240623162307.GB21586@pfrc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nokia.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SA1PR08MB7215:EE_|SJ0PR08MB7681:EE_
x-ms-office365-filtering-correlation-id: c3b3a98a-f951-421d-b48b-08dc9445cbb0
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230037|376011|1800799021|366013|38070700015;
x-microsoft-antispam-message-info: 32zMuhSf8A7AeNzO7vqRhr1ThYxbqjpvn33LmbmvQHQCqcIVe56zxK9zKFEtXaPw+4LkV9plF9gZIIHpbUOQGtLP7Gk5kgWLhMK7OESgprWMpoPy8FHmjPRwE2JwdW5TfSHamOgesc/tujJAIKToxIwknOozigBuhvCZtHHRR2YSFUw8HMvF3cMyAC37gwODX7F/Zl1tvfV0qdEg6URSIEbEaefl2GmVy5+GwbRJHQdCiXc+IhjIzsum3zR2uUtZ8eACgoW8uP/P3yHvyGIB4z+VdmYxFguCO7jx4ak9RXCYA583z2vCu3JJmDmhT/q63IZV/jo7Hp1dxgxF/IHZyVTRUii0BGK3IdL5r9WFBcTUyEPLjbaZsu9Yy8fsGm5xGHusxZGHp35vVotPkXuVYvZlSELxFnoTzUsXU77EKy7zethwBh55H3QpjRA/VhUHjcxv1amUyZcM5C5RWjHunwH0wVqLpAY8Q3nFah+fxyWYCPIjxZAnhCOES1cSt+T0uTJCCcemQJo4wDoDOOmvwHp3/uNjW8fxuifPZ7/aeMPuybcopWuf2HLJNh4irbjAka9RmQByT4HCYDmbsqDy9CMARpWy1wL63XI5jTxx3Tjg7Uf5PQyaOsvoQddtCgqvfGXvI1bse+ZyIBP9GyrtWlgKitv0CPD0EnONuPcqPwhe/r0GHekABqODwHSVoXbtOXKypN9aa12r5KzrPqu5ArVEGAZ1XDWBHgp4pPOqNYNbE6b+XX3AhAcTBqhcBZQVskuM6iqOv3orQVLYhLFowoAUYny7jroOkXwTA9XVrMzXydMAM/O+LONCRc6R7AeeFSpMtoCBR2S+HXFHDLyLD/9R/BtOwOXTxcbxo6eOPzYbnAQ3qRnl97fjdvzeoutocSygL2H1Jd3ONeA0f+CJhwwI+9rE53LB6grCfcoaz69M9PscWJwZQjq5urjOQr8XEo51UP/4+CggxPSo5CDRJDciUNrkXCZX4bTP19tPQGtFN/SVEeXLzOZPxMezDQuWPlfeW52re7PGSIAUXbrkEF74halQfcjRR5r+WorspBmhxivLn74MNy5ZtojJnww8GapBaM/j1OnVMNXSeL2FNjhRvMMCXLIkoFDvtUOxeWaIVeXUIv0/1p1CXh8+l+6p/764Gm8tdC59I3cct4DRcaKhU3fTLgU3yi+ysLPxicEK6EiHyOHVFbdIL6USTgBnFhCUQ21K+CEPXXY5LemZOJ0IU1d4Qqw4BmVrBgpsYWyevKjB4Tv5DYsEhdyYixhd8Ry6Y8C2YO6yrFw5Y2hxkGaKqCO6+1u5IFxl9zbERdDhrhTJ7L9PMVNKxA8EUrtO
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SA1PR08MB7215.namprd08.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230037)(376011)(1800799021)(366013)(38070700015);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: LzlFRPnd+TVQd95YWL/yrbhIEUzxn2s4zF5dFtFjc73kpVSVw7QqWVGVcrzPAISOocyjAF9QW0uolSN54WFGU7Xp+4vILj9Q50EVsHqDtawA84jESdd7iOxO/Vu0chevlRrLmuAOo65rk3clA5jW996G2e/f1Wpb1i0zp9voR7DogS1jbeFHPUmsKv/gaT+xMij7iat/dfCqX3M//GjPqV11qKvOzQ6qVSsgG4HUz52ibxDDlWxEo+yBjRsK0YJ5100KJlkjp+S+MVqAehzHi49K3PcQfB7dOLxQMzjMJbJ7meU+4Y7gbdKM3cOZivIh3vM6DdshZQO9jgSQUxA+y1xy4fkTn7+0uekFB+HyVnGKiiozcJzxcDqXABXahG9YQFlK54mbSIRQKs0B7vw1/LSRd191FG8UjHnqbXd6bNNJiM+lAHwekOSLrphocbXfU5nxumBnHv9yrkr28XYFe00nwRUnpvQCdHe0Rd1T4R3RMs3rPs1XVjvaf/sH4p541neKU/LktgIPwuY6+0rYFKhiHBo/gg5Njmgl0dGBNtSXngnnURwJzlU7Mpb0rsrCrpkr7tcFPuRmhvJ7jkP3HoB3uxDizbXakAbSOONz/do9Si/1vZK4O+qpNGRufZFyyhaMcjzDo3MpgRnAxBe17jLAE347ym2VnCrw43+5602ffxWep5s8KQ7+KiLBfPKAhv92c9gCDc8WsXB1ERvqiXMBPI00Q/36LPpI9rrJXXtRK4Js5LHRu9uiqW+gSj5jibis2GZNFiKCkiC6WfSCpMCFn+/yJRa3b1Obj3sAhL0TgDqWdU1wmHGHuntnbtKpv1IhjBCSqlX6Vy6w5Q8Inw5X2JdvFWOAsMBTiVv35oGciUAn2VFORPjmPBTPsdLygxId7I3jv1aPRYfLxBCiL7U3g31tR+jVC2DBiKm/EkwTTZZ7JrT33HZrcWvkhdZdekEjwUDi8ALHDK/ZE2VSN4ounAjJ/4qnB0V/EH+iv9C2mdLDPz2g6hr7L4A/Bfe/mfEX/cH4M1PLpZ+rSBQgI7yu5PVo6xI+F13QgB1rb1k8IL5Zq0ywrYzLmcnebxqRseRVkM2bf7htURikr5cuZMpxQwFlbvfm2PIrcsQLfhrYQupRjFuLlTDbmJPD/VCeixhxuSosUEomJB33UdbIl0nZXyP9Q7N9P9vmthcP9Y+JsKCUYin4mZeQ8zZreeNkflfZUp668dHSAmsOBU1v0zEnydVTeF6/YFxgIwIGZey0hrRTRTWB3ZHYsdstf76YGUVYJr8tmDeOfk6GjGJTgtxB2/QcWP5QRNLwWyxmRcQjBsw8bCD1KOGswMZBg/OuJdJSIIPMo1mzhG8ZlrKTZj54UOB3y137g0SjRWo0Cfn3qxcfb+juKzXT95xhkRQlIFXiEg8pRRYSEl2pm0Xbjtizb/3s+cUwnp/9GtQGnPOcq5FeBG/GXIW/0U5evA3qaJjJyj80Tp2Lt/NHPcbLWhXJnqRMBXs8mokUiRUFgzsDMikA0LqpWZJ+zeH1k5yZfuKF2ez/ynx6dA0nHoSt3UAswL0d4lXHdfAzVO/1Tv6ZgTSSI8r+EIHyws43GCRR
Content-Type: multipart/alternative; boundary="_000_SA1PR08MB72156E91C0567D85031C5895F7D42SA1PR08MB7215namp_"
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA1PR08MB7215.namprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c3b3a98a-f951-421d-b48b-08dc9445cbb0
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jun 2024 12:04:27.0161 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: rKRr4jnqm2CQRmf1r1TMrmCyNzOgZiUScnDBW9sbb4ux4bXr8vgrYVEA9dTjmvyOOIfW9vQw5wd5EshQT67Fcw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR08MB7681
Message-ID-Hash: QFQ2SCH3RK43U2DZZPWDLDJ4YW5PESNH
X-Message-ID-Hash: QFQ2SCH3RK43U2DZZPWDLDJ4YW5PESNH
X-MailFrom: jorge.rabadan@nokia.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-bess.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "draft-ietf-bess-evpn-dpath@ietf.org" <draft-ietf-bess-evpn-dpath@ietf.org>, "bess@ietf.org" <bess@ietf.org>, "idr-chairs@ietf.org" <idr-chairs@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [bess] Re: Questions about route selection in draft-ietf-bess-evpn-dpath-00
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/9LnCh1PwGtuXHeZUHVhLVadE3eI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Owner: <mailto:bess-owner@ietf.org>
List-Post: <mailto:bess@ietf.org>
List-Subscribe: <mailto:bess-join@ietf.org>
List-Unsubscribe: <mailto:bess-leave@ietf.org>

Hi Jeff,

We published version 01, to address most of your concens.

Please see some additional comments in-line.


From: Jeffrey Haas <jhaas@pfrc.org>
Date: Sunday, June 23, 2024 at 9:23 AM
To: Jorge Rabadan (Nokia) <jorge.rabadan@nokia.com>
Cc: draft-ietf-bess-evpn-dpath@ietf.org <draft-ietf-bess-evpn-dpath@ietf.org>, bess@ietf.org <bess@ietf.org>, idr-chairs@ietf.org <idr-chairs@ietf.org>
Subject: Re: Questions about route selection in draft-ietf-bess-evpn-dpath-00

CAUTION: This is an external email. Please be very careful when clicking links or opening attachments. See the URL nok.it/ext for additional information.



Jorge,

I'm responding to the second part of the point since it covers my concern:


On Tue, Jun 18, 2024 at 01:35:09PM +0000, Jorge Rabadan (Nokia) wrote:
> > In section 4.1, the cited rules for route selection change are:
> >
> > :    If none of the tie-breaking rules up to (and including) rule 5
> > :    produces a single route, the router compares the D-PATH attribute in
> > :    the remaining candidate routes:
> > :
[...]
> > A consequence of this second step is that the configured domain ID, when
> > routes are redistributed between domains, becomes a "hard yank" to influence
> > routes to pick a specific domain.
[...]
> > This is somewhat similar to taking BGP's BGP Identifier check at the *end*
> > of the route selection process and moving it near to the top.  I suspect
> > this is not what you want.
> [jorge] Yes, that’s the intent.

Huh.  Well, I'm glad I'm at least I'm understanding this.

I suspect this is a Bad Idea.  So, consider this flagging it as a concern
that I'd suggest BESS discuss and that the AD's conciser in their review.

Part of my motivation for discussing the BGP Identifier as a tie-breaker is
that service providers are known to play games with this bit of BGP
configuration in circumstances solely to try to capture traffic when route
selection otherwise falls to this point of the Decision Process.

For normal BGP, it's so low in the list that if it's a major concern, there
are plenty of other ways to bias the traffic using route selection.

However, as documented for EVPN IPVPN procedures, this means that in
inter-provider scenarios you're encouraging people to play games with the
values they use in order to bias route selection, and thus traffic.  Unlike
normal BGP, it's high enough that there's very little tooling to avoid this.

As discussed in the prior mail, while the D-PATH values are "opaque" but
have common configuration practice, that practice may not be enough to avoid
such games.

I understand that for this D-PATH feature that the providers should be
"mutually cooperating" and thus this may be a trivial or even silly concern.
But if it ever becomes competing providers, this becomes a conversation
about money.

[jorge] ok, I think ask the chairs for 5 minutes at IETF120 to discuss this and bring awareness. For the moment we can leave it as is, since there are implementations doing this. Thanks for the discussion.
Note that in the case of MAC/IP routes imported in MAC-VRFs, there are more tools than the ones given in RFC4271 to influence selection. See draft-ietf-bess-rfc7432bis-09<https://datatracker.ietf.org/doc/html/draft-ietf-bess-rfc7432bis-09#name-best-path-selection-for-mac>
The presence of the DGW extended community or the MAC mobility ext community will be evaluated even before the higher degree of preference (which goes before the D-PATH evaluation).


> > Other issues:
> >
> > "numerically lower" isn't clear with respect to a domain-id, especially
> > with regard to the ISF_SAFI_TYPE component of it.  Is that used?
> [jorge] no, it is not used. The text refers to the domain-ID which is excluding the ISF_SAFI_TYPE. But if you think it is not clear, we can add some text of course.
> > Ignoring
> > that, is the result the same as running C's memcmp() on the two six byte
> > values?
> [jorge] yes, that was the idea. We can clarify.

It'd be helpful if you did.  I'm glad I came to the appropriate conclusion
as a semi-informed reader, but for these sorts of steps having the algorithm
explicitly written out can remove doubt.
[jorge] hopefully the text makes it better now:

“Then routes with the numerically lowest left-most Domain-ID are preferred (only the Domain-ID is compared, and not the ISF_SAFI_TYPE). Hence, routes not tied for the numerically lowest left-most Domain-ID are removed from consideration. When comparing two Domain-IDs, the two six byte values are compared starting with the Global Admin field. The lowest value in the first differing byte between the two six byte values, is considered to belong to the "numerically lowest Domain-ID"”


> > As discussed in the context of the ipvpn interworking draft, changing route
> > selection after the fact is messy and could in some cases lead to
> > inconsistent selection within a network.  However, for the route types that
> > this procedure is recommended for, have you convinced yourselves that
> > inconsistent selection is fine?  Or will your recommendation be, similar to
> > the ipvpn interworking draft, that the entire deployment must be upgraded to
> > support the new procedure?
> [jorge] we can add similar text with regards to upgrades if the WG thinks so, but this is a more constrained environment. There is no leaking into any family that facilitate the attribute escape, and the GWs only redistribute MAC/IP routes in the case of EVPN L2 ELAN, and AD per EVI routes in the case of EVPN VPWS. So I don’t think we as authors have any concern, but I agree with your points that we need to provide text warning the implementer about the potential consequences of inconsistent best path selection.

Some explicit text would be appreciated.  While escape isn't expected, we're
partially having some of this review because escape has been observed from
existing implementations.
[jorge] OK, added some text in the security considerations section, and also in section 4. We can always improve it at a later version.
Thank you Jeff!
Jorge


-- Jeff