Re: [bess] [EXTERNAL] Re:[EXTERNAL] Re:[EXTERNAL] Re: Discussion on rfc7432bis and draft-rabadan-bess-evpn-inter-domain-opt-b

[Alexander Vainshtein <Alexander.Vainshtein@rbbn.com>]

Hi Yubao,
The scenario in which MAC-VRFs  that locally represent the same EVI in different nodes may have severe implications on the EVPN operation.
E.g., consider the scenario in which:

  1.  An EVI that implements LAN-based service interface:
     *   Is instantiated in 3 nodes – PE-1, PE-2 and PE-3,
     *   Is attached to single-homed Ethernet Segments in PE-1 and PE2
     *   MAC-VRFs that locally represent this EVI in PE-1 and PE-2 use the same RD.
  2.  Initially, MAC-VRF in PE-1 locally learns reachability to a certain MAC address M from the single-homed Ethernet Segment to which it is attached and advertises reachability of this MAC address in an EVPN MAC/IP Advertisement (Type 2) route. Both the ESI and Ethernet Tag ID field in the NLRI of this route would be set to all zeroes
  3.  Both PE-2 and PE-3 receive and install this route in the FDB of their MAC-VRFs
  4.  At some stage, MAC address M moves to a different customer site and is locally learned by the MAC-VRF in PE-2 from the single-homed Ethernet Segment to which it is attached. As the result
     *   PE-2 advertises reachability of M advertises reachability of this MAC address in an EVPN MAC/IP Advertisement (Type 2) route and attaches a MAC Mobility Extended Community with increased sequence number to this route.
     *   MP-BGP PE-3 receives this route, and notes that the comparable fields of its NLRI (RD, ES, Ethernet Tag ID, MAC address and IP address (if present)  match these fields of a route that it has received from PE-1 because MAC-VRFs in PE-1 and PE2 have been assigned with the same RD. In this case BGP performs the path selection process<https://datatracker.ietf.org/doc/html/rfc4271#section-9.1> to decide which of these two routes with the same |destination” should be used.

                                                               i.      If BGP decides that the route that has been advertised by PE-1 is preferable to the route advertised by PE-2 (e.g., if the IGP cost from PE3 to PE-1 happens to be less than the IGP cost from PE-3 to PE-2) the route advertised by PE-2 will be silently ignored.

                                                             ii.      Therefore, MAC-VRF in PE-3 will not update its FDB, and any traffic it locally receives with Destination MAC address M will be blackholed.

To me this means that, in the case of EVPN, it is really important to guarantee that MAC-VRFs that locally represent the same EVI in different PEs are assigned with different RDs.

Encoding of Route Distinguishers has been defined in Section 4.2 of RFC 4364<https://datatracker.ietf.org/doc/html/rfc4364#section-4.2> . This document states that with Type 1 RDs:

1.       The Administrator subfield is a 4-octet IP address (making it an IPv4 address) state

2.       If this address belongs to the public IPv4 address space, it must have been assigned by the appropriate authority. To me (and, AFAIK, to others) this means that this IP address has been assigned to node in which the VRF (or MAC-VRF) resides.

3.       Usage of addresses from the private IP address space is strongly discouraged.
These definitions guarantee that RDs assigned to VRFs (and MAC-VRFs) residing in different PEs will be always different.

With Type 0 and Type 2 RDs the same document states that the Administrator subfield must be a 2-octet (with Type 0 RDs)  or a 4-octet (with Type 2 RDs) Autonomous System Number.
If this number is from the publics AS Number space, it must have been assigned by the appropriate authority while usage AS Numbers from the private space is strongly discouraged. To me (and, AFAIK, to others) this means that this AS Number has been assigned to the AS containing the node in which the VRF (or MAC-VRF) resides, and, therefore would be the same for all  the nodes within the same AS. Therefore, there are no guarantees that VRFs (or MAC-VRFs) that locally represent the same EVI in different nodes would use different RDs.

Please note also that both RFC 7432 and of 7432bis draft pay special attention to the so-called “Unique VLAN EVPN scenario” and define special procedures for deriving both the RD and the RT of all the MAC-VRFs that locally represent such an EVPN instance from the VLAN ID value associated with this EVPN.  AFAIK, many implementations have explicitly incorporated this mechanism in their implementations so tha the operators using these implementations, only confiure the same “EVPN ID” value (the same in all the PEs whener this EVPN instance is instantiated) and letting the PEs to auto-derive both the RDs and RTs of the corresponding MAC-VRFs. This scheme has been also adopted by the authors of the (expired) EVPN YANG data model draft<https://tools.ietf.org/html/draft-ietf-bess-evpn-yang-07>.

The bottom line:

  1.  I do not see any operational advantage in assigning Type 0 or Type 2 RDs to MAC-VRFs, and I see quite a few potential pifalls with such usage.
  2.  Therefore:
     *   I think that both the restriction to just Type 1 RDs in EVPN per ES Ethernet A-D routes and recommendation to assign Type 1 RDs for MAC-VRFs should be retained in 7432bis
     *   I also suggest adding a recommendation in 7432bis to use the same IP address in the Administartor subfield of Type 1 RDs of all EVPN routes advertised by a specific PE.

Regards,
Sasha

From: wang.yubao2@zte.com.cn <wang.yubao2@zte.com.cn>
Sent: Tuesday, May 16, 2023 7:07 AM
To: Alexander Vainshtein <Alexander.Vainshtein@rbbn.com>
Cc: draft-rabadan-bess-evpn-inter-domain-opt-b@ietf.org; rfc7432bis@ietf.org; bess@ietf.org; jorge.rabadan@nokia.com
Subject: [EXTERNAL] Re:[EXTERNAL] Re:[EXTERNAL] Re: [bess] Discussion on rfc7432bis and draft-rabadan-bess-evpn-inter-domain-opt-b




Hi Sasha,



When a MAC-VRF use a type 1 RD,  is it expected that the RD of the EVPN Instance has differnet RD on different PE? When a MAC-VRF use a type 2 RD,  is it expected that the RD of the EVPN Instance has the same RD on different PE?

In many deployment, whether the RD of the EVPN Instance has different RD-value on different PE is independent of the RD-type.

The RD of A-D per ES route is limited to type 1 RD just because orther RD-types are assumed that they will have the same value for a specified EVI on different PEs.

Is my understanding correct?



Another way is constructing each A-D per ES route separately by using the RD of corresponding MAC-VRF, as described in draft-rabadan-bess-evpn-inter-domain-opt-b.



Thanks,

Yubao




原始邮件
发件人：AlexanderVainshtein
收件人：王玉保10045807;
抄送人：draft-rabadan-bess-evpn-inter-domain-opt-b@ietf.org;rfc7432bis@ietf.org;bess@ietf.org;jorge.rabadan@nokia.com<mailto:draft-rabadan-bess-evpn-inter-domain-opt-b@ietf.org;rfc7432bis@ietf.org;bess@ietf.org;jorge.rabadan@nokia.com>;
日 期 ：2023年05月15日 21:24
主 题 ：RE: [EXTERNAL] Re:[EXTERNAL] Re: [bess] Discussion on rfc7432bis and draft-rabadan-bess-evpn-inter-domain-opt-b
Hi Yubao,
Can you please clarify what you mean by “another way to construct A-D per ES route has been in sight”?

From my POV using Type 1 RDs in all types of EVPN routes has multiple advantages – starting from the fact that it prevents RRs suppressing routes advertised by different PEs as part of the BGP path selection process. (The same actually applies for VPN-IP routes as well). IMHO and FWIW the operators should be discouraged from using other RD types even when it is not already prohibited.
The bottom line: For the record I strongly oppose the proposal to relax the limitation on RDs in EVPN per ES Ethernet A- (Type 1) routes that exists from the -00 revision of the EVPN draft<https://clicktime.symantec.com/15sLvSXvBP3UBnNF1aJvo?h=BDT5-g37Z7iFFy2u11jpjIstNkzW3RH-WmA8ATBcgNM=&u=https://datatracker.ietf.org/doc/html/draft-ietf-l2vpn-evpn-00%23section-10.1.2>.

Regards,
Sasha

From: wang.yubao2@zte.com.cn<mailto:wang.yubao2@zte.com.cn> <wang.yubao2@zte.com.cn<mailto:wang.yubao2@zte.com.cn>>
Sent: Monday, May 15, 2023 3:56 PM
To: Alexander Vainshtein <Alexander.Vainshtein@rbbn.com<mailto:Alexander.Vainshtein@rbbn.com>>
Cc: draft-rabadan-bess-evpn-inter-domain-opt-b@ietf.org<mailto:draft-rabadan-bess-evpn-inter-domain-opt-b@ietf.org>; rfc7432bis@ietf.org<mailto:rfc7432bis@ietf.org>; bess@ietf.org<mailto:bess@ietf.org>; jorge.rabadan@nokia.com<mailto:jorge.rabadan@nokia.com>
Subject: [EXTERNAL] Re:[EXTERNAL] Re: [bess] Discussion on rfc7432bis and draft-rabadan-bess-evpn-inter-domain-opt-b




Hi Sasha,



Thanks for your helpful notes.

There is only one method to determine the RD of A-D per ES routes in the original years of RFC7432, but now there are at least two methods to determine the RD of A-D per ES routes.

If it is the only reason why RFC7432 restrict the RD of A-D per ES route to type 1 RD, maybe it is a good chance for the restriction to be relaxed, because another way to construct A-D per ES route has been in sight.

The original way can still be “RECOMMENDED”while other ways don't have to be forbidden. Maybe we can say that it is out of the scope of rfc7432bis (but not forbidden).



If RFC7432 is not revised, people who decide not to assign Type 1 RDs to  MAC-VRFs should bear the consequences in mind, including non-applicability of the solution suggested in Section 3.1.2 of the EVPN Inter-Domain Option B draft<https://clicktime.symantec.com/15siFALMfJ21KxF7rKwJX?h=a68vMaID3OjatSV90lFuCgmEvl0FrxLZtiXQdb2gyNY=&u=https://datatracker.ietf.org/doc/html/draft-rabadan-bess-evpn-inter-domain-opt-b%23section-3.1.2>, as you point out in another mail. But when RFC7432 is revised and rfc7432bis is still a draft, I think it will be better to take new scenarios into account.



Especially on a RR node,  according to RFC7432 or current rfc7432bis, a RR has to discard the A-D per ES routes which don't have a type 1 RD, but a RR is not responsible for selecting different RD for different set of route-targets at all. A RR has no difficulty to permit a A-D per ES route with other RD-type to pass through, while it has to discard it according to current rfc7432bis.



Thanks,

Yubao




原始邮件
发件人：AlexanderVainshtein
收件人：王玉保10045807;
抄送人：draft-rabadan-bess-evpn-inter-domain-opt-b@ietf.org;rfc7432bis@ietf.org;bess@ietf.org;jorge.rabadan@nokia.com<mailto:draft-rabadan-bess-evpn-inter-domain-opt-b@ietf.org;rfc7432bis@ietf.org;bess@ietf.org;jorge.rabadan@nokia.com>;
日 期 ：2023年05月15日 16:09
主 题 ：RE: [EXTERNAL] Re: [bess] Discussion on rfc7432bis and draft-rabadan-bess-evpn-inter-domain-opt-b
Yubao,
Please note that an EVPN PE that s attached to a MH ES, generally speaking, has to generate multiple per-ES A-D routes with the ESI of this MH ES in their NLRI.
This happens because:

1.       The set of these routes, in its entirety, must carry the Route Targets of all the EVI that are local attached to this MH ES

2.       The number of Route Targets that can be caried in a single BGP Update message is limited.

For BGP path selection process not to suppress some of these routes, these routes in this set must include different RDs in their NLRI.
Since the set of these routes changes dynamically as new EVIs are attached to/detached from the MS EH in question, these RDs have to be auto-generated by the PE itself.
This, in its turn requires usage of Type 1 RDs because these can be auto-generated by the PEs while remaining globally unique.

The bottom line: Restriction of RDs used in the NLRI of per-ES Ethernet A-D routes cannot be relaxed.

Hope this helps.

Regards,
Sasha

From: BESS <bess-bounces@ietf.org<mailto:bess-bounces@ietf.org>> On Behalf Of wang.yubao2@zte.com.cn<mailto:wang.yubao2@zte.com.cn>
Sent: Monday, May 15, 2023 10:40 AM
To: jorge.rabadan@nokia.com<mailto:jorge.rabadan@nokia.com>
Cc: draft-rabadan-bess-evpn-inter-domain-opt-b@ietf.org<mailto:draft-rabadan-bess-evpn-inter-domain-opt-b@ietf.org>; rfc7432bis@ietf.org<mailto:rfc7432bis@ietf.org>; bess@ietf.org<mailto:bess@ietf.org>
Subject: [EXTERNAL] Re: [bess] Discussion on rfc7432bis and draft-rabadan-bess-evpn-inter-domain-opt-b




Hi Jorge,



I think the description in draft-rabadan-bess-evpn-inter-domain-opt-b is OK. But I don't know why the RD of AD per ES route is limited to type 1 RD. That's why I talk about this together with rfc7432bis.

If the scenario from draft-rabadan-bess-evpn-inter-domain-opt-b has shown out that it will be useful for the RD-type of AD per ES route being consistence with MAC-VRF RD, I think maybe it is not necessary for rfc7432bis to keep these restraints unchanged. I notice that you are also a co-author of rfc7432bis, how do you think from the viewpoint of rfc7432bis?



Thanks,

Yubao




原始邮件
发件人：JorgeRabadan(Nokia)
收件人：王玉保10045807;draft-rabadan-bess-evpn-inter-domain-opt-b@ietf.org;rfc7432bis@ietf.org;
抄送人：bess@ietf.org<mailto:bess@ietf.org>;
日 期 ：2023年05月13日 00:23
主 题 ：Re: Discussion on rfc7432bis and draft-rabadan-bess-evpn-inter-domain-opt-b
Hi Yubao,

Thanks for reviewing the document.
I don’t see any conflicting information:


1.       On one hand the use of type 1 RD for MAC-VRF is RECOMMENDED in rfc7432bis, which means that normally people will have a type 1 RD in MAC-VRFs. If you don’t follow that strong recommendation for the MAC-VRF RD, you can’t use the documented solutions in 3.1.2 or 3.1.3

2.       On the other hand draft-rabadan-bess-evpn-inter-domain-opt-b is documenting some existing solutions, but not specifying or imposing any in particular.

So I don’t think there is conflicting information. But if you still think we should clarify that in draft-rabadan-bess-evpn-inter-domain-opt-b we’ll be happy to do it.

Thanks.
Jorge

From: wang.yubao2@zte.com.cn<mailto:wang.yubao2@zte.com.cn> <wang.yubao2@zte.com.cn<mailto:wang.yubao2@zte.com.cn>>
Date: Friday, May 12, 2023 at 4:54 AM
To: draft-rabadan-bess-evpn-inter-domain-opt-b@ietf.org<mailto:draft-rabadan-bess-evpn-inter-domain-opt-b@ietf.org> <draft-rabadan-bess-evpn-inter-domain-opt-b@ietf.org<mailto:draft-rabadan-bess-evpn-inter-domain-opt-b@ietf.org>>, Jorge Rabadan (Nokia) <jorge.rabadan@nokia.com<mailto:jorge.rabadan@nokia.com>>, rfc7432bis@ietf.org<mailto:rfc7432bis@ietf.org> <rfc7432bis@ietf.org<mailto:rfc7432bis@ietf.org>>
Cc: bess@ietf.org<mailto:bess@ietf.org> <bess@ietf.org<mailto:bess@ietf.org>>
Subject: Discussion on rfc7432bis and draft-rabadan-bess-evpn-inter-domain-opt-b

CAUTION: This is an external email. Please be very careful when clicking links or opening attachments. See the URL nok.it/ext for additional information.





Hi Authors,



It seems that draft-rabadan-bess-evpn-inter-domain-opt-b has conflicting discription with rfc7432 about the RD-type of AD per ES routes:



Section 3.1.3 of draft-rabadan-bess-evpn-inter-domain-opt-b-00:   "If that is the case, now the A-D per ES routes can use the route distinguisher assigned to the EVPN Instance (or VRF), which is the same one used by the routes type 2 or 5 for the EVI."

Section 8.2.1 of rfc7432bis: "The Route Distinguisher MUST be a Type 1 RD [RFC4364].  The value field comprises an IP address of the PE (typically, the loopback address) followed by a number unique to the PE."



The RD of EVI is not always a Type 1 RD but rfc7432 says that the RD of AD per ES route MUST be a Type1 RD. If it is not necessary to prevent other RD-types from being used in AD per ES routes, is it better for rfc7432bis to change the "MUST" to "MAY" ?  I think such change is also compatible.



Thanks,

Yubao



Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. and its Affiliates that is confidential and/or proprietary for the sole use of the intended recipient. Any review, disclosure, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please notify the sender immediately and then delete all copies, including any attachments.



Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. and its Affiliates that is confidential and/or proprietary for the sole use of the intended recipient. Any review, disclosure, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please notify the sender immediately and then delete all copies, including any attachments.



Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. and its Affiliates that is confidential and/or proprietary for the sole use of the intended recipient. Any review, disclosure, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please notify the sender immediately and then delete all copies, including any attachments.