Re: [bess] draft-hao-bess-inter-nvo3-vpn-optionc

[John E Drake <jdrake@juniper.net>]

Lucy,

That presupposes that the group likes either of the two proposed solutions in your draft.  

Yours Irrespectively,

John

> -----Original Message-----
> From: BESS [mailto:bess-bounces@ietf.org] On Behalf Of Lucy yong
> Sent: Friday, November 20, 2015 11:49 AM
> To: EXT - thomas.morin@orange.com; Henderickx, Wim (Wim);
> bess@ietf.org
> Subject: Re: [bess] draft-hao-bess-inter-nvo3-vpn-optionc
> 
> Share my 2 cent.
> 
> Cloud providers want to tunnel its customer traffic through DC (AS)BR.
> Option C is a way to realize it. Both solutions summarized by Thomas have no
> change on WAN VPN side and seamlessly work with WAN VPN option C.
> However, to support either solution, DC has to do some enhancement on DC
> BR or ToR switch, etc, which dictates to different implementations within a
> DC. Option C pro and con remains regardless what implementation is used in
> a DC.
> 
> Two solutions should not coexist in one DC (does not make a sense), but it
> does not matter if one DC operator prefers to use one solution and another
> DC prefers to use another solution. Since there are many cloud providers
> today, it is worth for the WG to document both solutions and point out the
> implementation requirements on impacted components. Then, up to
> vendors and operators to select a solution for their DC.
> 
> It does not make a sense for us to vote which solution is better here because
> a better solution for a DC depends on many factors.
> 
> 
> Lucy
> 
> 
> 
> 
> 
> -----Original Message-----
> From: BESS [mailto:bess-bounces@ietf.org] On Behalf Of
> thomas.morin@orange.com
> Sent: Friday, November 20, 2015 3:02 AM
> To: Henderickx, Wim (Wim); bess@ietf.org
> Subject: Re: [bess] draft-hao-bess-inter-nvo3-vpn-optionc
> 
> 2015-11-19, Henderickx, Wim (Wim):
> > WH> I vote for a an evolution of switches/TORs that have proper
> > support for this. I hope some HW vendors of TOR chips shime in, but I
> > am told the MPLS solution is possible in the next generation chips
> > they are working on.
> 
> Well, it looks like the key questions are:
> - when would ToR chips support MPLS/MPLS/UDP ?  (the generation that has
> been released recently but not present in most shipping ToRs yet, the next
> one ?)
> - do we want an interim VXLAN-based solution ? (that will involve at best a
> performance penalty with existing chips, and at worse impossible to
> implement -- we haven't seen clear information in this thread)
> 
> -Thomas
> 
> 
> >> Zhuangshunwan  :
> >>>
> >>> Hi Diego,
> >>>
> >>> Thanks for your comments. Pls see inline with [Vincent].
> >>>
> >>> Vincent
> >>>
> >>> *发件人:*BESS [mailto:bess-bounces@ietf.org] *代表 *Diego Garcia
> del Rio
> >>> *发送时间:*2015年11月18日14:25 *收件人:*bess@ietf.org *主题
> :*Re: [bess]
> >>> draft-hao-bess-inter-nvo3-vpn-optionc
> >>>
> >>> Some comments from my side, I think the draft makes quite a few
> >>> assumptions on specific implementation details that are way too
> >>> general to be considered widely available. Most of the TOR devices
> >>> today already pay a double-pass penalty when doing routing of
> >>> traffic in/out of vxlan-type tunnels. Only the newest generation can
> >>> route into tunnels without additional passes. And are definitively
> >>> limited in being able to arbitrary select UDP ports on a per tunnel
> >>> basis. In fact, most are even limited at using more than one VNID
> >>> per "service" of sorts. [Vincent]: Yes, the new generation BCM
> >>> chipset has already supported VXLAN routing without additional
> >>> passes. For OVS/TOR, VXLAN encapsulation is more popular than
> >>> MPLSoGRE/UDP, and has better performance. The IP-addressed based
> >>> implementation which would, I assume, imply assigning one or more
> >>> CIDRs to a loopback interface on the ASBR-d is also quite arbitrary
> >>> and does not seem like a technically "clean" solution. (besides
> >>> burning tons of IPs). As a side-note, most PE-grade routers i've
> >>> worked with were quite limited in terms of IP addresses used for
> >>> tunnel termination and it wasn't that just a simple pool can be
> >>> used. [Vincent]: I think the larger VTEP IP address range on ASBR-d
> >>> has no limitations.
> >>> For the hardware on ASBR-d, it has capability to terminate multiple
> >>> VXLAN tunnels with arbitrary destination VTEP IP addresses. Wim's
> >>> mentions on cases where the Application itself, hosted in a
> >>> datacenter, would be part of the option-C interconnect, was
> >>> dismissed without much discussion so far, while, if we look in
> >>> detail at the type of users which will even consider a complex
> >>> topology like model-C its most likely users and operators very
> >>> familiar with MPLS VPNs in the WAN. Those type of operators will
> >>> most likely be very interested in deploying MPLS or WAN-grade
> >>> applications (i.e., virtual-routers or other
> >>> VNFs) in the DC and thus its highly likely that the interconnect
> >>> would not terminate at the NVE itself but rather the TS (the virtual
> >>> machine). Also, the use of UDP ports at random would imply quite
> >>> complex logic on the ASBR-d IMHO. Im not saying its impossible, but
> >>> since the received packet now not only has to be received on a
> >>> random (though locally chosen) UDP port and this information
> >>> preserved in the pipeline to be able to do the
> >>> double-tunnel-stitching, it sounds quite complex. I am sure someone
> >>> in the list will mention this has already been implemented
> >>> somewhere, and I won't argue with that. And let's not even bring
> >>> into account what this would do to any DC middlebox that now has to
> >>> look at vxlan over almost any random port. We have to go back to the
> >>> "is it a 4 or is it a 6 in byte x" heuristics to try to guess
> >>> whether the packet is vxlan or just something entirely different
> >>> running over IP. [Vincent]: Using NP or multi-core CPU hardware
> >>> technology, it can be implemented although deeper packet inspection
> >>> is needed to perform UDP port and MPLS stitching. In general I feel
> >>> the proposed solution seems to be fitting of a specific use-case
> >>> which is not really detailed
> >>> in the draft and does not describe   a solution that would
> >>> "elegantly" solve the issues at hand. It just feels like we're using
> >>> any available bit-space to stuff data into places that do not
> >>> necesarily belong. Yes, MPLS encapsulations on virtual switches are
> >>> not yet fully available, and there can be some performance penalty
> >>> on the TORs, but the solutions are much cleaner from a control and
> >>> data plane point of view. Maybe I'm too utopic. [Vincent]: I think
> >>> pure VXLAN solution has its scenario, it's general rather than
> >>> specific. We can't require all OVS/NVEs support VXLAN + MPLSoGRE at
> >>> the same time. Best regards, Diego
> >>> --------------------------------------------------------------------
> >>> -------------
> >>>
> >>>
> Hi,
> >>> The problem we are trying to solve is to reduce data center
> >>> GW/ASBR-d's forwarding table size, the motivation is same as
> >>> traditional MPLS VPN option-C. Currently, the most common practise
> >>> on ASBR-d is to terminate VXLAN encapsulation, look up local routing
> >>> table, and then perform MPLS encapsulation to the WAN network.
> >>> ASBR-d needs to maintain all VM's MAC/IP. In Option-C method, only
> >>> transport layer information needed to be maintained at GW/ASBR-d,
> >>> the scalability will be greatly enhanced. Traditonal Option-C is
> >>> only for MPLS VPN network interworking, because VXLAN is becoming
> >>> pervasive in data center, the solution in this draft was proposed
> >>> for the heterogeneous network interworking. The advantage of this
> >>> solution is that only VXLAN encapsulation is required for OVS/TOR.
> >>> Unlike Wim's solution, east-west bound traffic uses VXLAN encap,
> >>> while north-south bound traffic uses MPLSoGRE/UDP encap. There are
> >>> two solutions in this draft: 1. Using VXLAN tunnel destination IP
> >>> for stitching at ASBR-d. No data plane modification requirements on
> >>> OVS or TOR switches, only hardware changes on ASBR-d. ASBR-d
> >>> normally is router, it has capability to realize the hardware
> >>> changes. It will consume many IP addresses and the IP pool for
> >>> allocation needs to be configured on ASBR-d beforehand. 2. Using
> >>> VXLAN destination UDP port for stitching at ASBR-d. Compared with
> >>> solution 1, less IP address will be consumed for allocation. If UDP
> >>> port range is too large, we can combine with solution 1 and 2. In
> >>> this solution, both data plane modification changes are needed at
> >>> OVS/TOR and ASBR-d. ASBR-d also has capability to realize the
> >>> hardware changes. For OVS, it also can realize the data plane
> >>> changes. For TOR switch, it normally can't realize this function.
> >>> This solution mainly focuses on pure software based overlay network,
> >>> it has more scalability. In public cloud data center, software based
> >>> overlay network is the majority case. Whether using solution 1 or 2
> >>> depends on the operators real envionment. So I think our solution
> >>> has no flaws, it works fine.
> >>> Thanks, weiguo ________________________________ From: BESS
> >>> [bess-bounces@ietf.org <mailto:bess-bounces@ietf.org>] on behalf of
> >>> John E Drake [jdrake@juniper.net <mailto:jdrake@juniper.net>]
> >>> Sent: Wednesday, November 18, 2015 2:49 To: Henderickx, Wim (Wim);
> >>> EXT - thomas.morin@orange.com <mailto:thomas.morin@orange.com>;
> BESS
> >>> Subject: Re: [bess] draft-hao-bess-inter-nvo3-vpn-optionc Hi, I
> >>> think Wim has conclusively demonstrated that this draft has fatal
> >>> flaws and I don’t support it.  I also agree with his suggestion that
> >>> we first figure out what problem we are trying to solve before
> >>> solving it. Yours Irrespectively, John From: BESS
> >>> [mailto:bess-bounces@ietf.org <mailto:bess-bounces@ietf.org>] On
> >>> Behalf Of Henderickx, Wim (Wim) Sent: Tuesday, November 17, 2015
> >>> 12:49 PM To: EXT - thomas.morin@orange.com
> >>> <mailto:thomas.morin@orange.com>; BESS Subject: Re: [bess]
> >>> draft-hao-bess-inter-nvo3-vpn-optionc — Snip — No, the spec as it is
> >>> can be implemented in its VXLAN variant with existing vswitches
> >>> (e.g. OVS allows to choose the VXLAN destination port, ditto for the
> >>> linux kernel stack). (ToR is certainly another story, most of them
> >>> not having a flexible enough VXLAN dataplane nor support for any
> >>> MPLS-over-IP.) WH> and how many ports simultaneously would they
> >>> support? For this to work every tenant needs a different VXLAN UDP
> >>> destination port/receive port. There might be SW elements that could
> >>> do some of this, but IETF defines solutions which should be
> >>> implemented across the board HW/SW/etc.
> >>> Even if some SW switches can do this, the proposal will impose so
> >>> many issues in HW/data-plane engines that I cannot be behind this
> >>> solution. To make this work generically we will have to make changes
> >>> anyhow. Given this, we better do it in the right way and guide the
> >>> industry to a solution which does not imply those complexities.
> >>> Otherwise we will stick with these specials forever with all
> >>> consequences (bugs, etc). - snip - From:
> >>> "thomas.morin@orange.com
> >>>
> <mailto:thomas.morin@orange.com><mailto:thomas.morin@orange.com
> >>> <mailto:thomas.morin@orange.com>>" <thomas.morin@orange.com
> >>>
> <mailto:thomas.morin@orange.com><mailto:thomas.morin@orange.com
> >>> <mailto:thomas.morin@orange.com>>> Organization: Orange Date:
> >>> Tuesday 17 November 2015 at 01:37 To: Wim Henderickx
> >>> <wim.henderickx@alcatel-lucent.com
> >>> <mailto:wim.henderickx@alcatel-
> lucent.com><mailto:wim.henderickx@alc
> >>> atel-lucent.com
> >>>
> >>>
> <mailto:wim.henderickx@alcatel-lucent.com>>>, BESS <bess@ietf.org
> >>> <mailto:bess@ietf.org><mailto:bess@ietf.org
> >>> <mailto:bess@ietf.org>>> Subject: Re: [bess]
> >>> draft-hao-bess-inter-nvo3-vpn-optionc Hi Wim, WG, 2015-11-16,
> >>> Henderickx, Wim (Wim): 2015-11-13, Henderickx, Wim (Wim): Thomas,
> we
> >>> can discuss forever and someone need to describe requirements, but
> >>> the current proposal I cannot agree to for the reasons explained.
> >>> TM> Well, although discussing forever is certainly not the goal, the
> >>> reasons for rejecting a proposal need to be thoroughly understood.
> >>> WH> my point is what is the real driver for supporting a plain VXLAN
> >>> data-plane here, the use cases I have seen in this txt is always
> >>> where an application behind a NVE/TOR is demanding option c, but
> >>> none of the NVE/TOR elements.
> >>> My understanding is that the applications  are contexts where
> >>> overlays are present is when workloads (VMs or baremetal) need to be
> >>> interconnected with VPNs. In these contexts, there can be reasons to
> >>> want Option C to reduce the state on ASBRs. In these context, its
> >>> not the workload (VM or baremetal) that would typically handle VRFs,
> >>> but really the vswitch or ToR. WH2> can it not be all cases:
> >>> TOR/vswitch/Application. I would make the solution flexible to
> >>> support all of these not? 2015-11-13, Henderickx, Wim (Wim): TM> The
> >>> right trade-off to make may in fact depend on whether you prefer:
> >>> (a) a new dataplane stitching behavior on DC ASBRs (the behavior
> >>> specified in this draft) or
> >>> (b) an evolution of the encaps on the vswitches and ToRs to support
> >>> MPLS/MPLS/(UDP or GRE) WH> b depends on the use case I don't get
> >>> what you mean by "b depends on the use case". WH> see my above
> >>> comment. If the real use case is an application behind NVE/TOR
> >>> requiring model C, than all the discussion on impact on NVE/TOR is
> >>> void. As such I want to have a discussion on the real
> >>> driver/requirement for option c interworking with an IP based
> >>> Fabric. Although I can agree than detailing requirements can always
> >>> help, I don't think one can assume a certain application to dismiss
> >>> the proposal. WH> for me the proposal is not acceptable for the
> >>> reasons explained: too much impact on the data-planes I wrote the
> >>> above based on the idea that the encap used in MPLS/MPLS/(UDP or
> >>> GRE), which hence has to be supported on the ToRs and vswitches.
> >>> Another possibility would be service-label/middle-label/Ethernet
> >>> assuming an L2 adjacency between vswitches/ToRs and ASBRs, but this
> >>> certainly does not match your typical DC architecture. Or perhaps
> >>> had you something else in mind ? WH> see above. The draft right now
> >>> also requires changes in existing TOR/NVE so for me all this
> >>> discussion/debate is void. No, the spec as it is can be implemented
> >>> in its VXLAN variant with existing vswitches (e.g. OVS allows to
> >>> choose the VXLAN destination port, ditto for the linux kernel
> >>> stack). (ToR is certainly another story, most of them not having a
> >>> flexible enough VXLAN dataplane nor support for any MPLS-over-IP.)
> >>> WH> and how many ports simultaneously would they support? WH> and
> >>> depending on implementation you don’t need to change any of the
> >>> TOR/vswitches. Does this mean that for some implementations you may
> >>> not need to change any of the TOR/vswitches, but that for some
> >>> others you may ? WH> any proposal on the table requires changes, so
> >>> for me this is not a valid discussion See above, the proposal in the
> >>> draft does not necessarily need changes in vswitches. Let me take a
> >>> practical example : while I can quite easily see how to implement
> >>> the procedures in draft-hao-bess-inter-nvo3-vpn-optionc based on
> >>> current vswitch implementations of VXLAN, the lack of
> >>> MPLS/MPLS/(UDP, GRE) support in commonplace vswitches seems to
> me as
> >>> making that alternate solution you suggest harder to implement. WH>
> >>> I would disagree to this. Tell me which switch/TOR handles multiple
> >>> UDP ports for VXLAN ? I mentioned _v_switches, and many do support a
> >>> variable destination port for VXLAN, which is sufficient to
> >>> implement what the draft proposes. -Thomas From: Thomas Morin
> >>> <thomas.morin@orange.com
> >>>
> <mailto:thomas.morin@orange.com><mailto:thomas.morin@orange.com
> >>> <mailto:thomas.morin@orange.com>>> Organization: Orange Date:
> >>> Friday 13 November 2015 at 09:57 To: Wim Henderickx
> >>> <wim.henderickx@alcatel-lucent.com
> >>> <mailto:wim.henderickx@alcatel-
> lucent.com><mailto:wim.henderickx@alc
> >>> atel-lucent.com
> >>>
> >>>
> <mailto:wim.henderickx@alcatel-lucent.com>>>
> >>> Cc: "bess@ietf.org <mailto:bess@ietf.org><mailto:bess@ietf.org
> >>> <mailto:bess@ietf.org>>" <bess@ietf.org
> >>> <mailto:bess@ietf.org><mailto:bess@ietf.org
> >>> <mailto:bess@ietf.org>>> Subject: Re: [bess]
> >>> draft-hao-bess-inter-nvo3-vpn-optionc Hi Wim, I agree on the
> >>> analysis that this proposal is restricted to implementations that
> >>> supports the chosen encap with non-IANA ports (which may be hard to
> >>> achieve for instance on hardware implementations, as you suggest),
> >>> or to context where managing multiple IPs would be operationally
> >>> viable. However, it does not seem obvious to me how the alternative
> >>> you propose [relying on 3-label option C with an
> >>> MPLS/MPLS/(UDP|GRE) encap] addresses the issue of whether the
> encap
> >>> behavior is supported or not (e.g. your typical ToR chipset possibly
> >>> may not support this kind of encap,  and even software-based
> >>> switches may not be ready to support that today).
> >>> My take is that having different options to adapt to various
> >>> implementations constraints we may have would have value. (+ one
> >>> question below on VXLAN...) -Thomas 2015-11-12, Henderickx, Wim
> >>> (Wim): On VXLAN/NVGRE, do you challenge the fact that they would be
> >>> used with a dummy MAC address that would be replaced by the right
> >>> MAC by a sender based on an ARP request when needed ? Is the above
> >>> the issue you had in mind about VXLAN and NVGRE ? WH> yes I you
> >>> don't mind me asking : why do you challenge that ?
> >>>
> 
> __________________________________________________________
> __________________________________________________________
> _____
> 
> Ce message et ses pieces jointes peuvent contenir des informations
> confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites
> ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez
> le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les
> messages electroniques etant susceptibles d'alteration, France Telecom -
> Orange decline toute responsabilite si ce message a ete altere, deforme ou
> falsifie. Merci
> 
> This message and its attachments may contain confidential or privileged
> information that may be protected by law; they should not be distributed,
> used or copied without authorization.
> If you have received this email in error, please notify the sender and delete
> this message and its attachments.
> As emails may be altered, France Telecom - Orange shall not be liable if this
> message was modified, changed or falsified.
> Thank you.
> 
> _______________________________________________
> BESS mailing list
> BESS@ietf.org
> https://www.ietf.org/mailman/listinfo/bess
> _______________________________________________
> BESS mailing list
> BESS@ietf.org
> https://www.ietf.org/mailman/listinfo/bess