IETF Logo Mail Archive

Re: [bess] Benjamin Kaduk's Discuss on draft-ietf-bess-datacenter-gateway-11: (with DISCUSS and COMMENT)

Adrian Farrel <adrian@olddog.co.uk> Thu, 22 July 2021 18:13 UTC

Return-Path: <adrian@olddog.co.uk>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4510C3A0C55; Thu, 22 Jul 2021 11:13:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gw7aeVBGBs4u; Thu, 22 Jul 2021 11:13:08 -0700 (PDT)
Received: from mta5.iomartmail.com (mta5.iomartmail.com [62.128.193.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AA783A0C43; Thu, 22 Jul 2021 11:12:55 -0700 (PDT)
Received: from vs4.iomartmail.com (vs4.iomartmail.com [10.12.10.122]) by mta5.iomartmail.com (8.14.4/8.14.4) with ESMTP id 16MICqE4027919; Thu, 22 Jul 2021 19:12:52 +0100
Received: from vs4.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AEB874604B; Thu, 22 Jul 2021 19:12:52 +0100 (BST)
Received: from vs4.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A1AAF4604A; Thu, 22 Jul 2021 19:12:52 +0100 (BST)
Received: from asmtp1.iomartmail.com (unknown [10.12.10.248]) by vs4.iomartmail.com (Postfix) with ESMTPS; Thu, 22 Jul 2021 19:12:52 +0100 (BST)
Received: from LAPTOPK7AS653V ([84.93.103.107]) (authenticated bits=0) by asmtp1.iomartmail.com (8.14.4/8.14.4) with ESMTP id 16MICpGl019840 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 22 Jul 2021 19:12:52 +0100
Reply-To: adrian@olddog.co.uk
From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Benjamin Kaduk' <kaduk@mit.edu>
Cc: 'The IESG' <iesg@ietf.org>, draft-ietf-bess-datacenter-gateway@ietf.org, bess-chairs@ietf.org, bess@ietf.org, 'Matthew Bocci' <matthew.bocci@nokia.com>
References: <162191416295.8400.1863947061330586900@ietfa.amsl.com> <029e01d75404$df5dd570$9e198050$@olddog.co.uk> <20210721171848.GF88594@kduck.mit.edu>
In-Reply-To: <20210721171848.GF88594@kduck.mit.edu>
Date: Thu, 22 Jul 2021 19:12:50 +0100
Organization: Old Dog Consulting
Message-ID: <02c101d77f25$2fc13e30$8f43ba90$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHEVVNu0WLsdURlsFTMfc0myKTQGwKXnRB6AY6RlHmrVAe/gA==
Content-Language: en-gb
X-Originating-IP: 84.93.103.107
X-Thinkmail-Auth: adrian@olddog.co.uk
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSVA-9.1.0.2034-8.6.0.1017-26300.002
X-TM-AS-Result: No--7.334-10.0-31-10
X-imss-scan-details: No--7.334-10.0-31-10
X-TMASE-Version: IMSVA-9.1.0.2034-8.6.1017-26300.002
X-TMASE-Result: 10--7.333600-10.000000
X-TMASE-MatchedRID: DuKherWvI/vxIbpQ8BhdbPHkpkyUphL9IenJde9O8yqjEIt+uIPPOHHJ dVMZw6tLhZxpzQ2YiyyJ58EUpbYjInChPHB61wQjRTO9mhIXG42X3dHCCeCwWvVmME8a4kNKYoP vJaaCHRQzOxQAU9FLMWJVhVlmIdkl8ZInNKqp2wCM8B/7Yt30tWl5nVxdmJvHPHWfnPgNcxv18b DWdD3lPz9+N2aY5q/cprgkIrBH1/vBBJREZwyRwrzgL/eLACDEyeUl7aCTy8gmkzW4G6tuRT88n yn5HOwByR4vuIAZpDIQC3jpG25YyAOPKROgEivfypiC33/79mc5yt7EbyBrlkvEK4FMJdoqEMjD scz85YUToiOSoApYdADQf6p7vuQpUzgzJz5OsKHpb07+ixvwecuWKfKj6RUPzjHW4C7K8n/NGTJ OxT0QtbP5vO06P3FoXSj4oZ3/fRWoL3anvMFdUxFnPs2NvAjSq7EA7ghxJpYtferJ/d7AbyHuaz 6lVHW3zFzAoAIAqP7yf5NFbXKEM866BgIQlQw1kWxQHYJOliAXyU2CxtlxbzFBFiCLXfBC+sFAb iUc5V0qC7fAD+ufTvUEGUOHP9Yi9CjGbizOhkiecgASc+pqBQRsBMbTTgAP6vSPFR1XeicYijGH xpmrmXR/VsDAAbSbAAiFhRpKKW3CfVIFjo47qQuLP4ROdWHVcV3n4J/0zUP18H7gy96lDBY87z8 kSc5ZBXW7Bvonl8cLbigRnpKlKZvjAepGmdoOFsaj5pKm30rE7sWX8irHEmYVbQnSFn2zFipYaM wKS+ese5Pm9YLjAMIew0QlfIYowtdBA0E7OF0yw7S5eLcEZdlh1NRulMYz5D9smqVBD9yilnnVD ECPd/H7AvsTxZMb7DafdH0+BI7qCyYebl7X7A==
X-TMASE-SNAP-Result: 1.821001.0001-0-1-12:0,22:0,33:0,34:0-0
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/DUWEU7TVjMwBYxU8mUflYlXRvQI>
Subject: Re: [bess] Benjamin Kaduk's Discuss on draft-ietf-bess-datacenter-gateway-11: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jul 2021 18:13:15 -0000

> Picking up (belatedly) where I left off in my initial reply...

Thanks, Ben.

>>> Section 5
>>>
>>>   for a prefix X, then each GW computes an SR TE path through that site
>>>   to X from each of the currently active GWs, and places each in an
>>>   MPLS label stack sub-TLV [RFC9012] in the SR Tunnel TLV for that GW.
>>>
>>> I don't think I understand why each (egress) GW has to (re)compute
>>> the path through the site to X for each of the GWs at the site -- can't
>>> it just take the sub-TLV it got from the peer and re-propagate it?
>> 
>> Oh, it doesn't have to recompute it *if* it is present (i.e. if it got it from
>> the peer). But that part of the path might not be present (that is, the 
>> sub-TLV might not be present) because:
>>     a. the ingress might not have visibility into the egress site beyond simple
>>          reachability 
>>     b. the ingress might not care 
>>     c. the ingress might want to let the egress site make subtle reactive
>>         choices according to local conditions
>> IMHO it would be unusual for the tail end of the path to be specified in
>> this way.
>
> (Disclaimer: this is not an important topic and I'm happy to drop it for
> expediency if desired.)  I am not sure that my point came across as
> intended.  The text here seems to be about what the egress GW does when it
> advertises the "union of all tunnel encapsulation information" route
> externally.  My understanding/expectation was that each egress GW would be
> able to just take the bits it got from auto-discovery (internal) routes and
> squish them together.  As you note, the ingress may not care or need the
> details of the path within the egress site from GW to prefix X, and so I
> don't understand why the advertising egress GW would go to the trouble of
> computing a route from the other GWs in its site to prefix X.  If such a
> route was needed, the other GW in the site would be better placed to
> compute such a route and include it in the auto-discovery route anyway.

I think you may have misunderstood Section 5. 
Firstly, the case you are looking at is behind a cascaded "if".
But also, it doesn't say that each GW computes paths from each other gateway to the destination. It only says that each GW computes a path from itself to the destination. Each GW then encodes that path as MPLS SID stack, puts it in an MPLS label stack sub-TLV inside the SR tunnel TLV. And, of course, that means that when a GW advertises the reachability on behalf of the other GWs to the site, it will pick up those routes and advertise them as well.

>>> Section 6
>>>
>>> [The topic of which sites are allowed to send in the site's native encapsulation seems
>>> related to questions of what an "SR Domain" is and what boundary security it has.  I
>>> think that the other ADs are basically covering this topic, though, so am not sure there
>>> is much more to say here.]
>>>
>>>   If the GWs for a given site are configured to allow remote GWs to
>>>   send them a packet in that site's native encapsulation, then each GW
>>>   will also include multiple instances of a Tunnel TLV for that native
>>>   encapsulation in externally advertised routes: one for each GW and
>>>   each containing a Tunnel Egress Endpoint sub-TLV with that GW's
>>>   address.  [...]
>>>
>>> Does this implicitly require that all the GWs of the site have the same configuration
>>> for whether or not to allow native encapsulation from remote GWs?  How would
>>> things degrade if a mixed configuration did happen to occur?
>> 
>> This applies GW by GW since the tunnels lead to a GW, and the path has
>> selected the tunnels. So, the sender knows.
>> 
>> If a gateway is configured to not allow native encapsulation, then it will
>> receive packets in some other encapsulation that it does understand,
>> and it will convert them to the site's native encapsulation. 
>> 
>> Note that the GW is part of the site, so it really (really) needs to
>> understand the native encapsulation in the site!
>> 
>> Note also that (of course?) a GW that receives packets in an
>> encapsulation it doesn't understand (and hasn't advertised that it
>> understands) will drop the packets (just like any other data plane
>> node will discard packets with an unknown encapsulation).
>> 
>> Well, there is a case where a GW advertises that it understands
>> an encapsulation, but actually doesn't understand it. That is at
>> best a bug, and at worst a purchasing error.
>
> Okay.  So if there is an issue here at all (not entirely clear) it's just
> an editorial one about "the GWs for a given site" vs "any GWs for a given
> site", and "each GW" vs "each such GW" (or similar).

I'm pretty sure that the text is clear enough here. 
I suppose it is the site that is configured, and all gateways act the same way.
So we could have
   If a site is configured to allow remote GWs send packets to the site in
   the site's native encapsulation, then each GW to the site will also 
   include multiple instances of a Tunnel TLV for that native encapsulation
   in externally advertised routes: one for each GW and each containing a
   Tunnel Egress Endpoint sub-TLV with that GW's address.  [...]

I'll make that change if you think it is important.

Cheers,
Adrian

v2.23.0 | Report a Bug | By Email