IETF Logo Mail Archive

Re: [Gen-art] Genart last call review of draft-ietf-idr-bgp-open-policy-18

Alexander Azimov <a.e.azimov@gmail.com> Wed, 05 January 2022 22:35 UTC

Return-Path: <a.e.azimov@gmail.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DC1E3A0127; Wed, 5 Jan 2022 14:35:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uLHLf6v8T66I; Wed, 5 Jan 2022 14:35:32 -0800 (PST)
Received: from mail-pj1-x102b.google.com (mail-pj1-x102b.google.com [IPv6:2607:f8b0:4864:20::102b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 114833A0125; Wed, 5 Jan 2022 14:35:32 -0800 (PST)
Received: by mail-pj1-x102b.google.com with SMTP id y16-20020a17090a6c9000b001b13ffaa625so5866297pjj.2; Wed, 05 Jan 2022 14:35:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XHZbVwieVoKfEOhHCIHkrgbcevCychK0pZPtLz5sMWY=; b=Th0OG58bz9EXZemVPhkKqioAyLzmDkndNYIFwoNifqXzdy4jXwi3GMCinYoXBClm2h 44/DQ7pQdGUHqAYrfybLjbgdJ43y3xexLV5pX2awxEnFXN9ZYPYwtx/R58u9eYc4nens 0IlS/jITeUSRUWCsl1VnVkP5RVAkMUeslnzTA6dqB/rgXRwub8MeMXB8Yp8iYkmJB8yl sYyhWuyuX3PV6Du+YzpoNXG2TcBNpcFdfQj5nsxgZhrKEvkZxvEjfSvgKPCzZKTautgq zbKLChMvsHW3JxV8MbpRJhYk4kp5Q5GKGP6kJL/W8voegqkchBVSfD25fhiO5eF2Fb7x SQJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XHZbVwieVoKfEOhHCIHkrgbcevCychK0pZPtLz5sMWY=; b=2D2acoTx0NlbpOJOKgFwVZKdAhX93WTH94QNQ07ynhKwS0h5Oe2IoiaZ0jTgondqoe 7T1x0OGP7E6K+FSiISfdwemS13/hwlIxWA8fYySisGZd1m0IbbriQiTNMYRmSzhUvu06 0KqUQjvrTZ0CTKa+DQyLhyw6xZoBpXVA33gXB7CjY2TY1tNRL3KlVw8ioEqIFwTBTacB qv7frJ9MDg7FoGCoyek4VL6EepH8jCZKmxBkJY6yGp4Ux25nQUZewCuhtLlwQBeAVGfX r8U43DJPfCm1wc34pqG64S0FcOcgpKufSM0sZ82dSKoE7IbXqlfCU56fHX8IuLCKx1BC QghQ==
X-Gm-Message-State: AOAM533QREzaESHr52Tw+NzxGIrYr9PqR2WKcGzEvs0r5ZUU2HmuzDJF Ism0n4j8N4e9ca4Hge35ZK6NLOMOFfiWPyRlRbE=
X-Google-Smtp-Source: ABdhPJzwM13cETX5di89ts8AGoV2PFoekrihD2hbuRFOSVSPM3G1DUrAsWO2lsDVgee/v1BMGCz9g03/zjfjyXVGujQ=
X-Received: by 2002:a17:902:aa0c:b0:149:aa24:3e3d with SMTP id be12-20020a170902aa0c00b00149aa243e3dmr26273250plb.8.1641422130429; Wed, 05 Jan 2022 14:35:30 -0800 (PST)
MIME-Version: 1.0
References: <164013488006.27197.13873644386825552452@ietfa.amsl.com> <CAMMESsx35+gC7CP9ox+U-QsT8Dxkv3=Du8VRq_cprMsEc5PCyQ@mail.gmail.com> <CABNhwV30nrqJ-mOpniso6c=rJpFi0zQX93BWaQKJvKNVcrMNAw@mail.gmail.com> <SA1PR09MB8142D79278F793814694AD40844A9@SA1PR09MB8142.namprd09.prod.outlook.com> <CABNhwV0cGhp1pW24mzJvtOoaGDYM2ypBtTn_--L-0dNRmFhSUA@mail.gmail.com> <SA1PR09MB8142DBB76926B62226E7BB6D844B9@SA1PR09MB8142.namprd09.prod.outlook.com> <CAMMESswPLViBv_hcAWyzhrfYsXGn3uZhWVXEP4AHy=8YQRgCpw@mail.gmail.com>
In-Reply-To: <CAMMESswPLViBv_hcAWyzhrfYsXGn3uZhWVXEP4AHy=8YQRgCpw@mail.gmail.com>
From: Alexander Azimov <a.e.azimov@gmail.com>
Date: Thu, 06 Jan 2022 01:35:19 +0300
Message-ID: <CAEGSd=B66-KiUdRh5vL=zFK_=58JLo7h1K1r_OOB2U+5mQD8tw@mail.gmail.com>
To: Alvaro Retana <aretana.ietf@gmail.com>
Cc: Gyan Mishra <hayabusagsm@gmail.com>, "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, "draft-ietf-idr-bgp-open-policy.all@ietf.org" <draft-ietf-idr-bgp-open-policy.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "idr@ietf.org" <idr@ietf.org>, "gen-art@ietf.org" <gen-art@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000002c48b05d4dd5f2f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/s9yHBz1f3mL32M03s7PlvMBsaso>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-idr-bgp-open-policy-18
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jan 2022 22:35:34 -0000

Alvaro,

Since I was pushing adding the ingress rules into the peering relation
definition I will try to answer your comments.

чт, 6 янв. 2022 г. в 00:33, Alvaro Retana <aretana.ietf@gmail.com>:

> On January 5, 2022 at 12:12:14 PM, Sriram, Kotikalapudi wrote:
>
>
> Sriram:
>
> Hi!
>
>
> > [KS/AA]: That is interesting. We did already enhance the Role
> descriptions
> > [KS/AA]: as follows to add the import policy verbiage (to the already
> > [KS/AA]: existing export policy) in Sec. 2 of v-19 to be uploaded:
>
> Route leaks are created by the (incorrect) advertisement of routes.
> Defining egress rules is then in line with the subject of this
> document.
>

It's true. But the incorrect or absent ingress rules are responsible for
route leak propagation.
The OTC tries to address both problems: prevent networks from leaking
prefixes and stop route leak propagation if it happens.


> OTOH, ingress rules are not.  Also, the ingress behavior is tied in
> the draft to the OTC attribute (and not directly to the role).
>

Here we try to define peering relations. These definitions are not strictly
bound to OTC mechanics, and IMO it doesn't bring any contradiction.
Today the ingress policy by Providers and Peers is done by generating
prefix lists from AS-SETs. In an ideal situation, it should be equal to
customer cone which is prefixes originated by Customer and its Customers.


> The result is that the updated text is not consistent with the
> behavior already defined elsewhere.  For example, using the Provider
> role:
>
>
> > Old text:
> ...
> > Provider: MAY propagate any available route to a Customer.
> >
> ...
> > New text:
> ...
> > Provider: May propagate any available route to a Customer. May
> > accept routes originated by the Customer or its Customers; all
> > other routes from the Customer must not be accepted.
>
> [Besides loosing the normative language...]
>
> A strict interpretation of the text (routes originated by a Customer
> can be accepted) is in contradiction with this text in §4:
>
>    1.  If a route with the OTC Attribute is received from a Customer or
>        RS-Client, then it is a route leak and MUST be considered
>        ineligible (see Section 1.1).
>
> Note that this text doesn't talk about the origin, but it qualifies
> the policy based on the OTC attribute.


The definition of peering relations is followed by the next phrase:

   A BGP speaker may apply policy to reduce what is announced, and a
   recipient may apply policy to reduce the set of routes they accept.

So, the Provider/Peer may accept routes from the customer cone of
Customer/Peer respectively.
If OTC is set, it signals that the route was leaked, such routes MUST be
rejected, even if coming from the customer cone.

Have I missed your point?

All this is to say that the expected ingress behavior, which depends
> on the OTC attribute, is already defined elsewhere and there's no need
> to change the role definition.
>

These edits emerged when I tried to formally define Complex/Sibling
relations. The sole propagation rule isn't enough to distinguish it from
other types of peering relations.
New text (full version):

   Provider:  May propagate any available route to a Customer.  May
      accept routes originated by Customer or its Customers; all other
      routes from Customer must not be accepted.

   Customer:  May propagate any route learned from a Customer, or
      locally originated, to a Provider; all other routes must not be
      propagated.  May accept any available route received from a
      Provider.

   Route Server (RS):  May propagate any available route to a Route
      Server Client (RS-Client).  May accept routes originated by RS-
      Client or its Customers; all other routes from RS-Client must not
      be accepted.

   RS-Client:  May propagate any route learned from a Customer, or
      locally originated, to an RS; all other routes must not be
      propagated.  May accept any available route received from RS.

   Peer:  May propagate any route learned from a Customer, or locally
      originated, to a Peer, all other routes must not be propagated.
      May accept routes originated by Peer or its Customers; all other
      routes from Peer must not be accepted.

   Sibling:  May propagate any available route to a Sibling.  May accept
      any available route received from a Sibling.

If you suggest that the formal definition of Sibling relations doesn't
improve the readability I will revert these changes and keep propagation
rules only.

-- 
Best regards,
Alexander Azimov

v2.23.0 | Report a Bug | By Email