[bess] Re: Questions about route selection in draft-ietf-bess-evpn-dpath-00
"Jorge Rabadan (Nokia)" <jorge.rabadan@nokia.com> Mon, 24 June 2024 14:14 UTC
To: Jeffrey Haas <jhaas@pfrc.org>
CC: "draft-ietf-bess-evpn-dpath@ietf.org" <draft-ietf-bess-evpn-dpath@ietf.org>, "bess@ietf.org" <bess@ietf.org>, "idr-chairs@ietf.org" <idr-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/c___9yKwUh_IzacvLbW7SPZ2JbE>

Hi Jeff,

Some explicit text would be appreciated. While escape isn't expected, we're partially having some of this review because escape has been observed from existing implementations.

[jorge] OK, added some text in the security considerations section, and also in section 4. We can always improve it at a later version.

Part of the additional text you've added is this:

"As an additional security mechanism, a PE following this specification that receives an EVPN route from a non-upgraded PE should discard the route via policy if the route contains the D-PATH attribute."

How do you tell if the PE is "non-upgraded"? Note that such considerations were part of the reason I urged the dpath authors towards a BGP capability. :-)

Note that this is for layer 2 routes that are NOT redistributed to any PE-CE protocol or any other AFI/SAFI, and the D-PATH is generated/modified exclusively by the Gateways. The gateways are typically redundant and upgraded in pairs, and they are well known in an EVPN domain. So the non-upgraded gateways are well known and if needed, it should be easy to apply a policy for routes coming from them with D-PATH. We can go through the scenarios as we did for the dpath draft, but we are confident this is a controlled walled garden layer 2 environment. The additional text is hardening the implementation in case it is needed as per your suggestion.

When you say “escape has been observed from existing implementations” I assume you meant “existing implementations of dpath for ISF routes (IP reachability)”, and not for layer-2 routes, right? The text in this document indicates that this is only for routes imported in layer 2 FIBs.

Thanks!
Jorge

From: Jeffrey Haas <jhaas@pfrc.org>
Date: Monday, June 24, 2024 at 6:40 AM
To: Jorge Rabadan (Nokia) <jorge.rabadan@nokia.com>
Cc: draft-ietf-bess-evpn-dpath@ietf.org <draft-ietf-bess-evpn-dpath@ietf.org>, bess@ietf.org <bess@ietf.org>, idr-chairs@ietf.org <idr-chairs@ietf.org>
Subject: Re: Questions about route selection in draft-ietf-bess-evpn-dpath-00

Jorge,

On Jun 24, 2024, at 8:04 AM, Jorge Rabadan (Nokia) <jorge.rabadan@nokia.com> wrote:

I understand that for this D-PATH feature that the providers should be "mutually cooperating" and thus this may be a trivial or even silly concern. But if it ever becomes competing providers, this becomes a conversation about money.

[jorge] ok, I think ask the chairs for 5 minutes at IETF120 to discuss this and bring awareness. For the moment we can leave it as is, since there are implementations doing this. Thanks for the discussion.

I'll try to be available for that discussion. However, as usual, bess has conflicts with other work of interest for me.

It'd be helpful if you did. I'm glad I came to the appropriate conclusion as a semi-informed reader, but for these sorts of steps having the algorithm explicitly written out can remove doubt.

[jorge] hopefully the text makes it better now:

“Then routes with the numerically lowest left-most Domain-ID are preferred (only the Domain-ID is compared, and not the ISF_SAFI_TYPE). Hence, routes not tied for the numerically lowest left-most Domain-ID are removed from consideration. When comparing two Domain-IDs, the two six byte values are compared starting with the Global Admin field. The lowest value in the first differing byte between the two six byte values, is considered to belong to the "numerically lowest Domain-ID"”

This works.

Some explicit text would be appreciated. While escape isn't expected, we're partially having some of this review because escape has been observed from existing implementations.

[jorge] OK, added some text in the security considerations section, and also in section 4. We can always improve it at a later version.

Part of the additional text you've added is this:

"As an additional security mechanism, a PE following this specification that receives an EVPN route from a non-upgraded PE should discard the route via policy if the route contains the D-PATH attribute."

How do you tell if the PE is "non-upgraded"? Note that such considerations were part of the reason I urged the dpath authors towards a BGP capability. :-)

-- Jeff
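
The two pieces of draft text quoted in this message, worked through as an added example (not code from the thread, the draft, or any implementation): the policy that discards D-PATH routes from known non-upgraded PEs, followed by the left-most Domain-ID tie-break. The `Route` model, the peer names, the operator-maintained set of non-upgraded peers, and the 4-byte Global Admin plus 2-byte Local Admin layout are assumptions; the tie-break assumes earlier selection steps left only candidates that carry a D-PATH.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    peer: str            # gateway/PE the route was received from
    dpath: tuple = ()    # ((domain_id: 6 bytes, isf_safi_type: int), ...), left-most first

def domain_id(global_admin: int, local_admin: int) -> bytes:
    # Assumed layout: 4-byte Global Admin followed by 2-byte Local Admin.
    return struct.pack("!IH", global_admin, local_admin)

def ingress_policy(routes, non_upgraded_peers):
    """Discard routes that carry D-PATH and come from a known non-upgraded PE."""
    return [r for r in routes if not (r.dpath and r.peer in non_upgraded_peers)]

def lowest_leftmost_domain(routes):
    """Keep only the routes tied for the numerically lowest left-most Domain-ID."""
    if any(not r.dpath for r in routes):
        raise ValueError("this step assumes every candidate carries a D-PATH")
    if not routes:
        return []
    # bytes compare byte by byte starting at the Global Admin field; the first
    # differing byte decides. The ISF_SAFI_TYPE (second element) is not compared.
    best = min(r.dpath[0][0] for r in routes)
    return [r for r in routes if r.dpath[0][0] == best]

def select(routes, non_upgraded_peers):
    """Apply the ingress policy, then the tie-break; return the surviving peers."""
    kept = ingress_policy(routes, non_upgraded_peers)
    return [r.peer for r in lowest_leftmost_domain(kept)]

# Constructed sample routes (peer names, Domain-IDs and type values are made up).
ROUTES = [
    Route("gw-1", ((domain_id(65000, 2), 70),)),
    Route("gw-2", ((domain_id(65000, 1), 70),)),
    Route("gw-3", ((domain_id(65000, 1), 1),)),     # same Domain-ID, other ISF_SAFI_TYPE
    Route("gw-old", ((domain_id(64000, 9), 70),)),  # lowest Domain-ID, non-upgraded sender
]

if __name__ == "__main__":
    print(select(ROUTES, {"gw-old"}))  # policy applied before the tie-break
    print(select(ROUTES, set()))       # no policy: the gw-old route wins the step
```

Without the policy, the route from the non-upgraded gateway removes every other candidate at this step, which is the case the added security text guards against.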