Re: [bess] Benjamin Kaduk's Discuss on draft-ietf-bess-evpn-bum-procedure-updates-11: (with DISCUSS and COMMENT)

["Jeffrey (Zhaohui) Zhang" <zzhang@juniper.net>]

Hi Ben,

I have posted -012 revision. It should address most of your comments.

https://www.ietf.org/rfcdiff?url2=draft-ietf-bess-evpn-bum-procedure-updates-12.txt

Please see zzh2> below for both the DISCUSS and COMMENT points below.

-----Original Message-----
From: Benjamin Kaduk <kaduk@mit.edu>
Sent: Thursday, October 21, 2021 11:08 PM
To: Jeffrey (Zhaohui) Zhang <zzhang@juniper.net>
Cc: The IESG <iesg@ietf.org>; draft-ietf-bess-evpn-bum-procedure-updates@ietf.org; bess-chairs@ietf.org; bess@ietf.org; EXT-zzhang_ietf@hotmail.com <zzhang_ietf@hotmail.com>
Subject: Re: Benjamin Kaduk's Discuss on draft-ietf-bess-evpn-bum-procedure-updates-11: (with DISCUSS and COMMENT)

[External Email. Be cautious of content]


Hi Jeffrey,

On Thu, Oct 21, 2021 at 02:11:01PM +0000, Jeffrey (Zhaohui) Zhang wrote:
> Hi Ben,
>
> Thanks for your review and comments. Let me first address the DISCUSS point below and then follow up with another email on other points.

Sure, that sounds good.

> -----Original Message-----
> From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
> Sent: Thursday, October 21, 2021 1:50 AM
> To: The IESG <iesg@ietf.org>
> Cc: draft-ietf-bess-evpn-bum-procedure-updates@ietf.org; bess-chairs@ietf.org; bess@ietf.org; EXT-zzhang_ietf@hotmail.com <zzhang_ietf@hotmail.com>; EXT-zzhang_ietf@hotmail.com <zzhang_ietf@hotmail.com>
> Subject: Benjamin Kaduk's Discuss on draft-ietf-bess-evpn-bum-procedure-updates-11: (with DISCUSS and COMMENT)
>
> [External Email. Be cautious of content]
>
>
> Benjamin Kaduk has entered the following ballot position for
> draft-ietf-bess-evpn-bum-procedure-updates-11: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://urldefense.com/v3/__https://www.ietf.org/blog/handling-iesg-ballot-positions/__;!!NEt6yMaO-gk!S0XsefTxpcM08Cegf69h1Kt6chs_TkO5AGOfS5hXEhy1jFTSKNgIn4vlXZV7E-lH$
> for more information about how to handle DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-bess-evpn-bum-procedure-updates/__;!!NEt6yMaO-gk!S0XsefTxpcM08Cegf69h1Kt6chs_TkO5AGOfS5hXEhy1jFTSKNgIn4vlXVyyzOC6$
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> I'm not sure whether the Leaf A-D route (route type specific field) as
> specified by this document is guaranteed to have a unique
> interpretation (§3.3).  It's supposed to start with the "route key",
> which is just the route-type-specific field of the PMSI route that
> triggered the Leaf A-D route.  That makes the route key variable length
> (as stated), and this variation is clearly achieved given that even the
> Per-Region I-PMSI A-D route and S-PMSI A-D route defined in this
> document have different length and layout.  I'm not sure what
> information is expected to be available to bound and determine the
> length of this "route key" field, other than "not the rest of the
> stuff".  "The rest of the stuff" is the originator's address and length
> thereof, but the length is in the middle of the structure, so even if we
> start parsing from the back we still can't distinguish reliably between
> a 4-byte IPv4 address and a 16-byte IPv6 address.  It seems that the
> Originator's Addr Length would need to be the last field in order to
> provide a unique interpretation, with "parse backwards" used to extract
> the Originator's Address, and "the rest of the stuff" being the route
> key that can be matched to the triggering PMSI route.  Is there some
> other procedure or contextual information available that ensurs a unique
> interpretation of this data?  Looking at RFCs 6514 and 7117, it does not
> seem like this document has some key change that renders it
> fundamentally different in this regard, so I mostly assume that the
> received route can be disambiguated somehow; I just don't know what that
> way is.
>
> Zzh> All routes have the following format:
>
>                     +-----------------------------------+
>                     |    Route Type (1 octet)           |
>                     +-----------------------------------+
>                     |     Length (1 octet)              |
>                     +-----------------------------------+
>                     | Route Type specific (variable)    |
>                     +-----------------------------------+
> Zzh> For a Leaf A-D route, its "Route Type specific" part is the triggering PMSI route's NLRI, so it explodes into the following (the three lines marked with '*' are the triggering PMSI).
>
>                    Route Type 11 (Leaf A-D)
>                    Length (of the entire Leaf A-D route NLRI)
>                    * Route Type x (for the triggering PMSI route)
>                    * Length (of the PMSI route NLRI)
>                    * Route Type specific (for the PMSI route)
>                    Originator's Addr Length (for the Leaf A-D route)
>                    Originator's Addr (for the Leaf A-D route)
>
> Zzh> With the above, there should be no problem parsing the NLRI?

Thanks for writing it out like that.

In a sense the triggering NLRI is "self-describing" because it has its own
type and length information; that internal structure does allow for the
location of the Originator's Addr Length field to be determined and the
rest of the Leaf A-D route to be parsed.  (And any given route type is
presumably going to have a fixed internal structure, though not necessarily
a fixed-length internal structure, which also helps ensure a unique
interpretation.  The triggering route has to be parsed itself, after all!)

So in short, there is no protocol issue here, though we might want to think
about whether to include the "expanded version" of the diagram you show
above in the document itself, to avoid any other readers getting confused
in the same way that I did.

Zzh2> If it's ok with you, I'd like to not include the "expanded version". The Leaf A-D NRLI embedding the entire triggering PMSI NLRI started in RLI6514 (MVPN) and have been used extensively. I did add " Its NLRI embeds the entire NLRI of the triggering PMSI A-D route" in the terminology section.

I will update my ballot position in the datatracker now, and wait for any
additional reply to the comment portion of the ballot.

Zzh2> Thanks! More below on the COMMENTs.

Thanks again,

Ben

> Zzh> Thanks.
> Zzh> Jeffrey
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Section 1
>
>    It is expected that audience is familiar with EVPN and MVPN concepts
>    and terminologies.  For convenience, the following terms are briefly
>
> Please provide references for EVPN and MVPN that would serve as entry
> points for gaining such familiarity.  E.g., RFCs 7432 and 6513/6514.

Zzh2> You're right. I had added references to where the terms are listed, but I should also added references for EVPN/MVPN in general.

>
>    explained.
>
> I suggest including PMSI Tunnel Attribute in this list, especially since
> RFC 6514 does not actually use the PTA acronym.
>

Zzh2> Added.

> Section 2.1
>
>    There is a difference between MVPN and VPLS multicast inter-as
>    segmentation.  For simplicity, EVPN will use the same procedures as
>    in MVPN.  All ASBRs can re-advertise their choice of the best route.
>
> While it is defensible to rely on the stated expectation that the reader
> is familiar with EVPN and MVPN concepts (hmm, which does not actually
> include VPLS concepts?), it would be appreciated to include some
> indication of the nature of the difference, before stating which variant
> EVPN will use.

Zzh2> I added VPLS to the "familiar" list 😊
Zzh2> I also added a reference to " 5.1.  Changes to Section 7.2.2 of [RFC7117]" to indicate the difference.

>
>    For inter-area segmentation, [RFC7524] requires the use of Inter-area
>    P2MP Segmented Next-Hop Extended Community (S-NH-EC), and the setting
>    of "Leaf Information Required" L flag in PTA in certain situations.
>    Either of these could be optional in case of EVPN.  Removing these
>
> "Could be"?  It sometimes is and sometimes isn't?  When is it still
> mandatory?

Zzh2> This is in the "descriptive" part of the document. Later in the normative part, I do have the following:

https://datatracker.ietf.org/doc/html/draft-ietf-bess-evpn-bum-procedure-updates-11#section-6.3

   ... this document specifies that RBRs change the BGP
   next hop when they re-advertise I/S-PMSI A-D routes and do not use S-
   NH-EC.

https://datatracker.ietf.org/doc/html/draft-ietf-bess-evpn-bum-procedure-updates-11#section-6.4

   ... To be consistent with the inter-as case, the ingress PE does
   not set the L flag in its originated I-PMSI A-D routes, and
   determines the leaves based on the BGP next hops in its received
   I-PMSI A-D routes, as specified in Section 5.2.

>
> Section 2.1.1
>
>    For example, an MVPN/VPLS/EVPN network may span multiple providers
>    and Inter-AS Option-B has to be used, in which the end-to-end
>
> Is this "option (b)" of §7.2 of RFC 7117?  Regardless, a specific
> reference seems in order.

Zzh2> Yes; but it started in MVPN (6513/6514) though not officially called as "option (b)". To make it simple I just removed the wording:

       For example, an MVPN/VPLS/EVPN network may span multiple providers
       and the end-to-end provider
       tunnels have to be segmented at and stitched by the ASBRs.

>
>    Another advantage of the smaller region is smaller BIER sub-domains.
>    In this new multicast architecture BIER [RFC8279], packets carry a
>
> RFC 8279 was published just about four years ago.  Does that still
> qualify as "new"?  (I honestly am not sure, given the distribution of
> time from -00 to RFC.)

Zzh2> Good point 😊 It's still new in that its deployment is hindered by the fact that new hardware is needed. I changed to the following:

   Another advantage of the smaller region is smaller BIER [RFC8279]
   sub-domains. With BIER, packets carry a BitString ...

>
> Section 3
>
>    The "Route Type specific" field of the type 9 and type 10 EVPN NLRIs
>    starts with a type 1 RD, whose Administrator sub-field MUST match
>    that of the RD in all non-Leaf A-D (Section 3.3) EVPN routes from the
>    same advertising router for a given EVI.
>
> Is the requirement really so specific as "everything except Leaf A-D"?
> What if some new type is allocated that also doesn't start with an RD?
> Is it safe to say that any type that does have an RD must meet this
> criterion?

Zzh2> I added "current" wording 😊

>
> Section 4
>
>    The optional optimizations specified for MVPN in [RFC8534] are also
>    applicable to EVPN when the S-PMSI/Leaf A-D routes procedures are
>    used for EVPN selective multicast forwarding.
>
> Are we going to need a
> draft-ietf-something-bum-procedure-further-updates in another five years
> to perform the same type of "gap filling" that this document is doing
> for how RFC 7432 referred to the RFC 7117 procedures?

Zzh2> Well the MVPN/EVPN procedures keep evolving so if it's warranted maybe another -bis version of this document will happen in the future 😊
>
> Section 5.1
>
>    The above VPLS behavior requires complicated VPLS specific procedures
>    for the ASBRs to reach agreement.  For EVPN, a different approach is
>    used and the above quoted text is not applicable to EVPN.
>
> What about the text we didn't quote, that places MUST-level requirement
> on the "best route selection procedures" that determine whether a given
> ASBR re-advertises the route within its own AS?

Zzh2> Basically procedures in RFC7117 related to the electing that ASBR will not be used for that purpose.

>
>       "The PMSI Tunnel attribute MUST specify the tunnel for the segment.
>       If and only if, in order to establish the tunnel, the ASBR needs to
>       know the leaves of the tree, then the ASBR MUST set the L flag to
>       1 in the PTA to trigger Leaf A-D routes from egress PEs and
>       downstream ASBRs. It MUST be (auto-)configured with an import RT,
>       which controls acceptance of leaf A-D routes by the ASBR."
>
> It seems like we might want to make some further statement about what
> scope that import RT is expected to limit acceptance of the route to.

Zzh2> Do you mean the following?

       This RT is IP address specific.  The Global Administrator field
       of this RT MUST be set to the IP address carried in the Next Hop
       field of all the S-PMSI A-D routes advertised by this PE (if the
       PE uses different Next Hop fields, then the PE MUST be
       (auto-)configured with multiple import RTs, one per each such
       Next Hop field).  The Local Administrator field of this Route
       Target MUST be set to 0.

Zzh2> It's already in RFC7117 so not repeated in this document. I can add if that's necessary.

>
> Section 5.2
>
>    considered as leaves (as proxies for those PEs in other ASes).  Note
>    that in case of Ingress Replication, when an ASBR re-advertises IMET
>    A-D routes to IBGP peers, it MUST advertise the same label for all
>    those for the same Ethernet Tag ID and the same EVI.  When an ingress
>
> This seems like an eminently reasonable thing to require.  I wonder if
> it's worth saying a little more about why it is required, though -- what
> breaks if you don't do this?

Zzh2> I thought only SHOULD requires text explain what happens if it is not done 😊
Zzh2> If they did not advertise the same label, then the ingress PE will send multiple copies to the ASBR.

>
>    PE builds its flooding list, multiple routes might have the same
>    (nexthop, label) tuple and they MUST only be added as a single branch
>    in the flooding list.
>
> I'm not entirely confident that I could implement this behavior for the
> flooding list right now.  On the other hand, I also haven't written any
> BGP code, so maybe it's expected that I couldn't implement it, but it
> still seems like this might be glossing over some details.

Zzh2> Basically a PE builds its forwarding state (referred to as flooding list here) used to replicate traffic. Each replication branch maps to a (nexthop, label) tuple. If you receive multiple routes with the same tuple, only one branch will be added. This should be a natural result, but a MUST is used here to be sure.

>
> Section 5.3
>
>    o  An egress PE sends Leaf A-D routes in response to I-PMSI routes,
>       if the PTA has the L flag set (by the re-advertising ASBRs).
>
> I don't think I understand the parenthetical.  Which previous text is it
> intending to refer to?

Zzh2> While an ingress PE does not set the L flag, it may be set by an ASBR when the route is re-advertised.

>
> Additionally, while we mention in the first paragraph of §5.2 the RFC
> 7432 requirement to not set the L flag in IMET A-D routes, I don't see
> where we lift that requirement for the segmented procedures.  The change
> in §5.1 to let the ASBR set the L flag does not seem constructed in a
> way that lifts the requirement from §11.2 of RFC7432.

Zzh2> PEs still don't set the L flag. They don't need the L flag (to trigger Leaf AD routes) for leaf tracking purpose.

>
>    To address this backward compatibility problem, the following
>    procedure can be used (see Section 6.2 for per-PE/AS/region I-PMSI
>    A-D routes):
>
> Can be used, but is in no way mandatory, not even to implement?  That's
> rather surprising.

Zzh2> The intention is that if there is no backward compatibility issue to worry about an implementation may choose not to implement the procedure (of course if a deployment does have backward compatibility issue then that implementation will not be able to be deployed there).
Zzh2> I changed to:

    If this backward compatibility problem need to be addressed, the following
    procedures MUST be used ...

>
>    o  The ASBRs in an AS originate per-region I-PMSI A-D routes and
>       advertise to their external peers to advertise tunnels used to
>       carry traffic from the local AS to other ASes.  Depending on the
>
> This may or may not just be a grammar nit: *what* do the ASBRs advertise
> to their external peers to advertise tunnels?  (Are we just missing
> "them" for "advertise them"?)

Zzh2> Missing "them" added.

>
> Section 6.3
>
>    [RFC7524] specifies the use of S-NH-EC because it does not allow ABRs
>    to change the BGP next hop when they re-advertise I/S-PMSI A-D routes
>
> I failed to find any place where RFC 7524 used the string "S-NH-EC", and
> suggest writing out "Segmented Next-Hop Extended Community" somewhere.

Zzh2> It's in Section 2.1 of this document:

   For inter-area segmentation, [RFC7524] requires the use of Inter-area
   P2MP Segmented Next-Hop Extended Community (S-NH-EC),

>
> Section 9
>
> I would posit that at least some of the security considerations from RFC
> 6513 are relevant here, in addition to the (already mentioned) 6514
> considerations.

Zzh2> Added.

>
> Section 12.1
>
> I do not think that RFC 7988 needs to be classified as normative; we
> reference it only once, in an example; RFCs 4875 and 6388 are used in
> the same way for the same example, but are classified as informative.

Zzh2> While they're all only referenced in the following:

   Different providers may use different tunnel technologies (e.g.,
   provider A uses Ingress Replication [RFC7988], provider B uses RSVP-
   TE P2MP [RFC4875] while provider C uses mLDP [RFC6388]).

Zzh2> there are additional text about Ingress Replication in section 5 - that's the difference that led to the normative reference. But I changed it to informative.

>
> Section 12.2
>
> I don't see what's different between RFCs 6513 and 6514 to make the
> latter normative while the former is informative -- they are referenced
> in largely the same places, and often.

Zzh2> OK I made both normative.

>
> NITS
>
> Abstract
>
>    This document specifies procedure updates for broadcast, unknown
>    unicast, and multicast (BUM) traffic in Ethernet VPNs (EVPN),
>
> I'd suggest NEW:
>
>  This document specifies updated procedures for handling broadcast,
>  unknown unicast, and multicast (BUM) traffic in Ethernet VPNs (EVPN),
>
Zzh2> Changed.

> Section 1
>
>    o  IMET A-D route [RFC7432]: Inclusive Multicast Ethernet Tag A-D
>       route.  The EVPN equivalent of MVPN Intra-AS I-PMSI A-D route.
>
> I would say that a de novo explanation is likely to be of more general
> applicability than a dense MVPN reference.  Perhaps "Advertised by PEs
> to enable reception of BUM traffic for a given VLAN" or similar?

Zzh2> The main point is establish the equivalence between IMET route and I-PMSI route, and then the purpose of IMET route is explained via I-PMSI route.

>
>    o  SMET A-D route [I-D.ietf-bess-evpn-igmp-mld-proxy]: Selective
>       Multicast Ethernet Tag A-D route.  The EVPN equivalent of MVPN
>       Leaf A-D route but unsolicited and untargeted.
>
> Likewise, this might be something like "Advertised by PEs to indicate
> that the indicated BUM traffic should be sent to the advertising PE."
>
> Section 2
>
>    [RFC7117] specifies procedures for Multicast in Virtual Private LAN
>    Service (VPLS Multicast) using both inclusive tunnels and selective
>    tunnels with or without inter-as segmentation, similar to Multicast
>    VPN (MVPN) procedures specified in [RFC6513] and [RFC6514].
>
> s/to Multicast/to the Multicast/

Zzh2> Fixed.

>
> Section 2.1.1
>
>    Segmentation can also be used to divide an AS/area to smaller
>    regions, so that control plane state and/or forwarding plane state/
>
> s/to smaller/into smaller/

Zzh2> Changed.

>
> Section 4
>
>    of egress PEs for selective forwarding with BIER).  An NVE proxies
>    the IGMP/MLD state that it learns on its ACs to (C-S,C-G) or
>    (C-*,C-G) SMET routes and advertises to other NVEs, and a receiving
>
> I think s/and/that it/

Zzh2> Changed.

>
>    NVE converts the SMET routes back to IGMP/MLD messages and send them
>
> s/send/sends/

Zzh2> Fixed.

>
> Section 5.3
>
>    o  An ingress PE uses the Next Hop instead of Originating Router's IP
>       Address to determine leaves for the I-PMSI tunnel.
>
> It was not previously required to use Originating Router's IP Address,
> so maybe s/instead of/and not use/.

Zzh2> Changed.

>
> Section 6.1
>
>    changes the next hop to its own address and changes PTA to specify
>    the tunnel type/identification in the neighboring region 3.  Now the
>
> I'm not sure that we ever explicitly named the region.  We implicitly do
> in the following figure that says "segment 3", but the number and string
> "region" don't seem paired anywhere directly.

Zzh2> It's first mentioned in 2.1 as following:

   [RFC7524] assumes that segmentation happens at area borders.
   However, it could be at "regional" borders, where a region could be a
   sub-area, or even an entire AS plus its external links (Section 6).

Zzh2> I now refer to section 6.1 specifically instead of section 6 in the above paragraph.
Zzh2> I do see where the confusion comes from. The diagram is for "inter-as" not "inter-region" (I now have that clarified); but the text says that in that diagram, you can have the regions to include inter-as links so now you'd have fewer segments (one segment for each region).

>
> Section 6.2
>
>    propagated to other regions.  If multiple RBRs are connected to a
>    region, then each will advertise such a route, with the same route
>    key (Section 3.1).  Similar to the per-PE I-PMSI A-D routes, RBRs/PEs
>
> Mention of route key seems to be in §3.3, not 3.1.

Zzh2> I meant "Region ID" (and Ethernet Tag ID). Changed.

>
> Section 6.3
>
>    NH-EC.  The advantage of this is that neither ingress nor egress PEs
>    need to understand/use S-NH-EC, and consistent procedure (based on
>    BGP next hop) is used for both inter-as and inter-region
>    segmentation.
>
> s/consistent/a consistent/

Zzh2> Fixed.

>
> Section 7
>
>    including Ingress Replication.  Via means outside the scope of this
>    document, PEs know that ESI labels are from DCB and existing multi-
>    homing procedures work as is, whether a multi-homed Ethernet Segment
>    spans across segmentation regions or not.
>
> I'm not sure this is a well-formed sentence.  Is it supposed to be a
> list?  Or just two things that PEs know OOB: (ESI labels are from
> existing multi-homing procedures work as is) and (whether or not a
> multi-homed Ethernet Segment spans across segmentation regions)?

Zzh2> I changed to the following:

   ... PEs know that ESI labels are from DCB and then existing multi-
   homing procedures work as is (whether a multi-homed Ethernet Segment
   spans across segmentation regions or not)

zzh2> Thanks a lot for your detailed review and comments!
Zzh2> Jeffrey
>
>
>
>
> Juniper Business Use Only

Juniper Business Use Only