IETF Logo Mail Archive

Re: [bess] WG Last Call for draft-ietf-bess-evpn-inter-subnet-forwarding-03

Nabeel Cocker <nabeel@nuagenetworks.net> Sat, 18 February 2017 04:53 UTC

Return-Path: <nabeel@nuagenetworks.net>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D67E129478 for <bess@ietfa.amsl.com>; Fri, 17 Feb 2017 20:53:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nuagenetworks-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uocx8T0nU9Ku for <bess@ietfa.amsl.com>; Fri, 17 Feb 2017 20:53:31 -0800 (PST)
Received: from mail-qk0-x233.google.com (mail-qk0-x233.google.com [IPv6:2607:f8b0:400d:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71E1212948C for <bess@ietf.org>; Fri, 17 Feb 2017 20:53:31 -0800 (PST)
Received: by mail-qk0-x233.google.com with SMTP id u25so60737249qki.2 for <bess@ietf.org>; Fri, 17 Feb 2017 20:53:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nuagenetworks-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=bs7Mgu4iPvM8VBTRC6DP2jrngLwUPgl+WUtStd84W/8=; b=U5tg0f5JP58pZftQqbYslekYluTQOucGoHx5DAnKZwwhuSwpmwGVr/3IWFsCZqjRRz ALZH/46X04CR9Tb2QziF9xGPpw5Ll6qkZ7xxYIafJZv68zZG1fXUa5vG/YGr2Yodso75 KMRAi1J3LaVCIOmGyMG/nl52ly6JLDptypnJhoR2GraQ/7yC3gW9fGIeqgSAWdySQQub +vnNI49Jelk7NFEG1gahyo4JrAf73K/m1Z25MfxFIjma5riUBibkdxo/QHadINrXp6Wm FcxgYvcawyaTFcRqXV2pEUnkVPHR7mCRcxellrGNCxywfVUIZcEUFF7Deg8wos6fOD7e k5JQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=bs7Mgu4iPvM8VBTRC6DP2jrngLwUPgl+WUtStd84W/8=; b=N5HGP/OsdCaXaV6T/xyL98ar+Fp658FaS8kykNh+OBVe7KVAa7KZ/Z46s9/APDbV7+ d2LD6TI6SiML8MlXjCfPKKzcrUs0iTFGgYnGGDvig4jZJJkMtCB8CRT8Y0v0pQupJ9GF 9Vq3votXRmktr/EhCAu3NfNPztaG7QOLlanpGtCAivdil8+W2FeBRGkAD8i6g1QTP7cj X6onuJAwoCXoDbEVODj0qnw+9gFsMFE88p5GnWgB7svcr5sNyVQJc02HXvK0zbI6MZ7R nNUIlcIhJ+KxZrbEsrmfP06J65+YnfKJs6l0g4dTMS4MFwdUb9puuzZuCAzYft0q6avL H48g==
X-Gm-Message-State: AMke39lciLNQAA9WdUCuwsgQ80IuBmTrsiWWfc3nIoriU/VZ4k70rwoGCRnaI/nJTQ2pTwT3
X-Received: by 10.55.99.139 with SMTP id x133mr10440435qkb.317.1487393610343; Fri, 17 Feb 2017 20:53:30 -0800 (PST)
Received: from [10.0.1.34] (ool-2f1250fb.dyn.optonline.net. [47.18.80.251]) by smtp.gmail.com with ESMTPSA id k18sm7849936qtc.12.2017.02.17.20.53.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Feb 2017 20:53:29 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Nabeel Cocker <nabeel@nuagenetworks.net>
X-Mailer: iPhone Mail (14D27)
In-Reply-To: <D4CC888A.1CBFC2%sajassi@cisco.com>
Date: Fri, 17 Feb 2017 23:53:29 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <7006BC63-F0C1-4DBA-B4E0-391982CBAF08@nuagenetworks.net>
References: <89d9ab4e-309f-d7f5-a2b7-ac79a663618b@nokia.com> <DM5PR05MB314525CD2AF52FA0A0FA6848D45D0@DM5PR05MB3145.namprd05.prod.outlook.com> <D4CC888A.1CBFC2%sajassi@cisco.com>
To: "Ali Sajassi (sajassi)" <sajassi@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/CHecIdqUZqPtxIHVEmOfXvWrbiw>
Cc: "Jeffrey (Zhaohui) Zhang" <zzhang@juniper.net>, Martin Vigoureux <martin.vigoureux@nokia.com>, BESS <bess@ietf.org>
Subject: Re: [bess] WG Last Call for draft-ietf-bess-evpn-inter-subnet-forwarding-03
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Feb 2017 04:53:33 -0000

Support

Regards,
Nabeel

> On Feb 17, 2017, at 5:25 PM, Ali Sajassi (sajassi) <sajassi@cisco.com> wrote:
> 
> Hi Jeffrey,
> 
> Thanks for your comments, please refer inline for my responses ...
> 
> On 2/17/17, 10:42 AM, "BESS on behalf of Jeffrey (Zhaohui) Zhang"
> <bess-bounces@ietf.org on behalf of zzhang@juniper.net> wrote:
> 
>> Hi,
>> 
>> I have the following nits/questions/comments. This email is only about
>> the asymmetric section  - I may send another one about symmetric section.
>> 
>> "inter-subnet switching" is confusing. Shouldn't it be "inter-subnet
>> routing" instead of "intra-subnet switching"? While it's EVPN aware, it
>> still goes through routing first.
> 
> The term ³switching² applies to both L2 and L3; whereas, the term
> ³bridging² applies to only L2 and the term ³routing² applies to only L3.
> 
>> 
>> Isn't requirement R1 covered by R2?
> 
> Yup, will remove R1.
> 
>> 
>>  This is an environment where all NVEs to which an EVPN instance could
>>  potentially be attached (or moved)
>> 
>> Strike the "(or moved)"?
> 
> OK.
> 
>> 
>>> From RFC 7432:
>> 
>> 10.1.  Default Gateway
>>  ...
>>  The IP Address field of the MAC/IP Advertisement route is set to the
>>  default gateway IP address for that subnet (e.g., an EVPN instance).
>>  For a given subnet (e.g., a VLAN or EVPN instance), the default
>>  gateway IP address is the same across all the participant PEs. The
>>  inclusion of this IP address enables the receiving PE to check its
>>  configured default gateway IP address against the one received in the
>>  MAC/IP Advertisement route for that subnet (or EVPN instance), and if
>>  there is a discrepancy, then the PE SHOULD notify the operator and
>>  log an error message.
>> 
>> This draft:
>> 
>>  2. Each NVE of a given EVPN instance uses its own default gateway IP
>>  and MAC addresses, and these addresses are aliased to the same
>>  conceptual gateway through the use of the Default Gateway extended
>>  community as specified in [EVPN], which is carried in the EVPN MAC
>>  Advertisement routes. On each NVE, this default gateway IP/MAC
>>  address correspond to the IRB interface connecting the MAC-VRF of
>>  that EVI to the corresponding IP-VRF.
>> 
>> The above 2nd model seems to be conflicting with RFC 7432?
> 
> 
> Thanks for catching it. The 2nd case is supposed to be ³the same IP
> anycast address but different MAC addresses" - ie, the two use cases in
> this draft correspond to the two uses cases in section 10.1 of RFC 7432.
> So, the new text reads as follow:
> 
> ³2. Each NVE of a given EVPN instance uses the same anycast default
> gateway IP address but its own MAC address. These MAC addresses are
> aliased to the same anycast default gateway IP address through the use of
> the Default Gateway extended community as specified in [EVPN], which is
> carried in the EVPN MAC/IP Advertisement routes. On each NVE, this default
> gateway IP address along with its associated MAC addresses correspond to
> the IRB interface connecting the MAC-VRF of that EVI to the corresponding
> IP-VRF.²
> 
> 
>> Also, what does "this default gateway" refer to? Each NVE's "own default
>> gateway" or "the same conceptual gateway"?
> 
> Default gateway with respect to TS¹s as mentioned in the 2nd para of
> section 3.1
> 
> 
>> Is it that besides their own default gateway, an additional common
>> gateway is advertised using that extended community? If so, what's the
>> purpose to call those different IP addresses on the IRB interfaces
>> "default gateway"? I assume the hosts will be using the common gateway
>> address?
> 
> This comment should be already addressed by above clarification.
> 
>> 
>>  It is worth noting that if the applications that are running on the
>>  TS's are employing or relying on any form of MAC security, then the
>>  first model (i.e. using anycast addresses) would be required to
>>  ensure that the applications receive traffic from the same source MAC
>>  address that they are sending to.
>> 
>> Why is that? As long as an NVE changes the source MAC to the one it sends
>> in the ARP reply, it should work even with the 2nd model?
> 
> If it changes, yes but if it doesn¹t change it, it creates issue for MAC
> security. Modified the paragraph to provide further clarification:
> 
> "It is worth noting that if the applications that are running on the TS's
> are employing or relying on any form of MAC security, then either the
> first model (i.e. using anycast MAC address) should be used to ensure that
> the applications receive traffic from the same IRB interface MAC address
> that they are sending to, or if the second model is used, then the IRB
> interface MAC address MUST be the one used in the initial ARP reply for
> that TS."
> 
> 
>> 
>> 3.2 Heterogeneous Environment
>> 
>>  .. Even though policies
>>  among multiple subnets belonging to same tenant can be simpler,
>> 
>> s/simpler/simple/?
> 
> Done.
> 
>> 
>>  ... Therefore, there can be a mixed environment where an NVE
>>  performs inter-subnet switching for some EVPN instances and the L3GW
>>  for others.
>> 
>> For the above sentence, it helps a lot if the last part reads "and the
>> L3GW performs inter-subnet switching for other EVPN instances".
> 
> Done.
> 
>> 
>> 4.1 Among EVPN NVEs within a DC
>> 
>>  ... It also rewrites the source MAC address with its IRB
>>  Interface MAC address.
>> 
>> Need to make it clear that the above mentioned IRB interface is for the
>> destination subnet. Same issue in 4.2.
> 
> Changed it to:
> 
> "It also rewrites the source MAC address with its IRB Interface MAC
> address for the destination subnet.²
> 
>> 
>> For section 4.2, the processing on the ingress and egress NVE is no
>> different from 4.1; the processing on the ASBRs is vanilla EVPN
>> forwarding and not specific to inter-subnet forwarding at all; therefore,
>> 4.2 is not really needed? Additionally, the section is about "w/o GW",
>> yet the text talks about ingress/egress Gateway. It's better to replace
>> Gateway with ASBRs.
> 
> Changed ³GW" in the diagram to ³ASBR².
> 
>> 
>> 4.3 Among EVPN NVEs in Different DCs with GW
>> 
>>  ... It also rewrites the
>>  source MAC address with its own IRB Interface MAC address.
>> 
>> Similar to 4.1, the above needs to be clear that it's the IRB interface
>> for the subnet between the NVE and the GW. More below on this.
> 
> Done. Added "for the destination subnet (i.e., the subnet between NVE1 and
> GW1)."
> 
>> 
>>  ... This implies that the GW1 needs to keep the remote
>>  host MAC addresses along with the corresponding EVPN labels in the
>>  adjacency entries of the IP-VRF table (i.e., its ARP table).    
>> 
>> Does that mean GW1 needs to keep all type-2 IP/MAC addresses that GW2
>> learns from NVEs in DC2?
> 
> Yes it does.
> 
>> Also does that mean GW1 and GW2 must be attached to all subnets?
> 
> That¹s correct.
> 
>> If so, between the source NVE and its local GW, when the source NVE
>> route the traffic to the GW, I assume it's the destination subnet's IRB
>> interface's mac address that will be used as the source mac address,
> 
> Correct. It is NVE1¹s destination subnet¹s IRB interface MAC address.
> 
>> and GW1's IRB mac address for the destination subnet is used as the dst
>> mac address. It is true that an NVE may have the same system mac address
>> for all its IRB interfaces, but it's good to point out which IRB is used
>> (and if different IRB mac address is used, things will still work out).
> 
> I update the section 4.3. Please take a look at it (refer to the
> attachment) and let me know if you have any further comments.
> 
>> 
>> Also, while each subnet is attached to each NVE, the IP routing process
>> (e.g. TTL decrement) happens twice - first on the source NVE and then on
>> the source GW. That's probably OK, but better point out all these details.
> 
> TTL decrement is given when IP lookup is performed at each hop.
> 
>> 
>> 4.5 Use of Centralized Gateway
>> 
>>  In this scenario, the NVEs within a given data center need to forward
>>  traffic in L2 to a centralized L3GW for a number of reasons: a) they
>>  don't have IRB capabilities or b) they don't have required policy for
>>  switching traffic between different tenants or security zones.
>> 
>> For b), do we configure IRB on those non-centralized gateways at all? I
>> assume not (even though the NVE could support IRB) - It's better to be
>> clear.
> 
> Yes, no IRB configuration. I added a sentence.
> 
>> 
>> I'll send a follow up email about the symmetric section.
> 
> OK. It sounds good.
> 
> Cheers,
> Ali
> 
>> 
>> Thanks.
>> 
>> Jeffrey
>> 
>>> -----Original Message-----
>>> From: BESS [mailto:bess-bounces@ietf.org] On Behalf Of Martin Vigoureux
>>> Sent: Monday, February 13, 2017 5:07 PM
>>> To: BESS <bess@ietf.org>
>>> Subject: [bess] WG Last Call for
>>> draft-ietf-bess-evpn-inter-subnet-forwarding-03
>>> 
>>> Hello Working Group,
>>> 
>>> This email starts a Working Group Last Call on
>>> draft-ietf-bess-evpn-inter-subnet-forwarding-03 [1] which is considered
>>> mature and ready for a final working group review.
>>> Note that this call is longer than usual because we are pushing two
>>> correlated documents together.
>>> 
>>> Please read this document if you haven't read the most recent
>>> version yet, and send your comments to the list, no later than
>>> *5th of March*.
>>> Note that this is *not only* a call for comments on the document; it is
>>> also a call for support (or not) to publish this document as a Proposed
>>> Standard RFC.
>>> 
>>> *Coincidentally*, we are also polling for knowledge of any IPR that
>>> applies to draft-ietf-bess-evpn-inter-subnet-forwarding, to ensure that
>>> IPR has been disclosed in compliance with IETF IPR rules (see RFCs 3979,
>>> 4879, 3669 and 5378 for more details).
>>> 
>>> *If* you are listed as a document author or contributor of
>>> draft-ietf-bess-evpn-inter-subnet-forwarding-03 please respond to this
>>> email and indicate whether or not you are aware of any relevant IPR.
>>> 
>>> Note that, as of today, no IPR has been disclosed against this document
>>> or its earlier versions.
>>> 
>>> We are also polling for knowledge of implementations of part or all of
>>> what this document specifies. This information is expected as per [2].
>>> Please inform the mailing list, or the chairs, or only one of the
>>> chairs.
>>> 
>>> Thank you,
>>> M&T
>>> 
>>> [1]
>>> 
>>> https://datatracker.ietf.org/doc/draft-ietf-bess-evpn-inter-subnet-forwar
>>> ding/
>>> [2]
>>> https://mailarchive.ietf.org/arch/msg/bess/cG3X1tTqb_vPC4rg56SEdkjqDpw
>>> 
>>> _______________________________________________
>>> BESS mailing list
>>> BESS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/bess
>> 
>> _______________________________________________
>> BESS mailing list
>> BESS@ietf.org
>> https://www.ietf.org/mailman/listinfo/bess
> 
> <draft-ietf-bess-evpn-inter-subnet-forwarding-03.txt>
> _______________________________________________
> BESS mailing list
> BESS@ietf.org
> https://www.ietf.org/mailman/listinfo/bess

v2.23.0 | Report a Bug | By Email