Re: [Idr] draft-wang-idr-vpn-routes-control-analysis (was Re: rd-orf problem clarification at the local level)

Jeffrey Haas <jhaas@pfrc.org> Thu, 25 February 2021 14:01 UTC

Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C4333A1A38; Thu, 25 Feb 2021 06:01:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mPIcgcESKdjt; Thu, 25 Feb 2021 06:01:24 -0800 (PST)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 3383E3A1A37; Thu, 25 Feb 2021 06:01:23 -0800 (PST)
Received: by slice.pfrc.org (Postfix, from userid 1001) id 1FDDE1E3D0; Thu, 25 Feb 2021 09:21:56 -0500 (EST)
Date: Thu, 25 Feb 2021 09:21:55 -0500
From: Jeffrey Haas <jhaas@pfrc.org>
To: Aijun Wang <wangaj3@chinatelecom.cn>
Cc: 'Aijun Wang' <wangaijun@tsinghua.org.cn>, draft-wang-idr-rd-orf@ietf.org, idr@ietf.org
Message-ID: <20210225142155.GA27005@pfrc.org>
References: <FD5D3158-FA7D-4C57-932D-4A0A421621F3@chinatelecom.cn> <00d501d70906$f4625de0$dd2719a0$@tsinghua.org.cn> <20210224212137.GE18618@pfrc.org> <00a801d70b2b$cae5b530$60b11f90$@chinatelecom.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <00a801d70b2b$cae5b530$60b11f90$@chinatelecom.cn>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/-02Fpo-Y5oUY3XrBmxa8KALRXeM>
Subject: Re: [Idr] draft-wang-idr-vpn-routes-control-analysis (was Re: rd-orf problem clarification at the local level)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2021 14:01:26 -0000

Aijun,

On Thu, Feb 25, 2021 at 12:07:49PM +0800, Aijun Wang wrote:
> > In the prior discussions, it was clear that remediation was trying to be
> > done on a per-RD basis.  The text in this draft seems to be a larger scope
> > than that; perhaps per VPN (and thus route-target?).  Is that your
> > intention?
> [WAJ] Yes. We are considering to add RT information to the current RD-ORF
> semantic, to identify/control the "excessive routes" in more granular. 

Thanks for the clarification.  That expands the scope of the original
discussion, but might be helpful for the solution.

> > For a route reflector, it would require that all possible receivers for a
> > RD/RT have no interest in the routes, and that the source of the routes is
> > clearly directional.  BGP does not provide such a distribution graph.
>
> [WAJ] " all its downstream BGP peers can't or don't want to process it"
> means RR receives the RD-ORF messages for the same set of VPN routes from
> all of its clients. This can be achieved by RR

For my point, consider a trivial case:

PE1 --- RR --- PE2

PE2 is the source of the excess routes.
PE1 is the impacted router.
RR has only PE1 and PE2 as peers.

By your current text, RR can only do something if PE1 and PE2 say they're
not interested.

It can be observed here that if we have exactly one peer left, we could
signal to that one peer.

I suspect your intent is to cover situations where you can distinguish PE
routers from solely internal route distributuion infrastructure, such as
route reflectors.  So, using a slighly more interesting topology:

PE1 --- RR1 --- RR2 --- PE2

PE2 is the source of the excess routes.
PE1 is the impacted router.
RR1 has only PE1 as a PE device.

If PE1 signals to RR1 that it isn't interested in the offending routes, RR1
may propagate the filter.

The issue here is that BGP does not specifically distinguish whether an
attached BGP Speaker is a PE or not.  The protocol doesn't help you make
this determination.

> > In a network using RT-Constrain without a default RT-Constrain route, such a
>>  graph potentially exists.
> [WAJ] RT-Constrain can only express explicitly "what I want" and the
> distributed graph. It can't express explicitly "what I don't want" now, also
> the distribution-block graph. Is that right?

That is correct.  But consider the following example:

        PE3
         |
PE1 --- RR1 --- RR2 --- PE2

PE2 is the source of the excess routes for VPN RT-A.
PE1 is the impacted router.
RR1 has PE1 and PE3 as attached PE routers.
All routers are configured to use RT-Constrain
PE1 and PE2 source RT-Constrain routes for RT-A.  PE3 does not.

If PE1 signals to RR1 that it isn't interested in the offending routes, and
that signal not only includes the offending RD, but also the matching RTs,
RR1 can determine that there are no further interested receivers for that
RD+RT and propagate that to RR2.

RT-Constrain provides the ability to figure out what the interested
receivers are for a VPN defined by a route-target.  This provides a
restricted subset of the attached routers for propagation purposes.

-- Jeff