Re: [Idr] are the Tunnel Encap Attribute in a BGP UPDATE applicable to all the NLRI listed in the MP_REACH_NLRI path attribute?

John Scudder <jgs@juniper.net> Tue, 22 October 2019 20:37 UTC

Return-Path: <jgs@juniper.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A74331200A4 for <idr@ietfa.amsl.com>; Tue, 22 Oct 2019 13:37:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xkRJXJB_OIwK for <idr@ietfa.amsl.com>; Tue, 22 Oct 2019 13:37:12 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D5F3120096 for <idr@ietf.org>; Tue, 22 Oct 2019 13:37:12 -0700 (PDT)
Received: from pps.filterd (m0108162.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id x9MKaMHo013654; Tue, 22 Oct 2019 13:37:05 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=PPS1017; bh=FMu/cVwZsc1yKAFR1j4ecKu773hJ/+xxoOme5iyixVc=; b=USeL1YH7HvVR+YNHdvfCsLbzUtDXdtTChe4EykkVuXAHXdN2obAkJGYIi8LzdmvZYBDm MkmBxlSJOFuLwzW31Ry9svje+ZatlrFR03fO8ImP653ZT4EHhVBuBd0d/wo9DHopvXbT 5ZEtob7g1l5a/tw48nUE+u2yXSLze/hO5H3KY/Ch35hB6ApNeZUONyNxydyqc6Nm3Ggl p6QcRCJ6xiScI7KY5HJbj+PXd+U2stGC5u1ElsjN/+ABo1cdJ4XenmFLCoWZTMZzCO4t rBnMEA/IU4poAWi1Fnksa+I6ne2+lzzWVSf/j1nu79OWFZ/MPd/UBojK4mmy9eKEAquN gA==
Received: from nam01-sn1-obe.outbound.protection.outlook.com (mail-sn1nam01lp2052.outbound.protection.outlook.com [104.47.32.52]) by mx0b-00273201.pphosted.com with ESMTP id 2vsq84sw07-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 22 Oct 2019 13:37:05 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=l9p4jK58HeHhfha+9nC/filcYUiCeEh535bJNls8OUGijWtZWwoF89O/sP4TGOiqKZbBiOwEjWgbq77k/3+iD92ZrXL+lfG0aPExwg1q54+3NZMGdqU8u+sIVPwhiEO3AGfWh7o9NN67TY33JwFJd65klyPsVFGR8izsEswxBA4/7D1s7huLyfl/DrLVEjGKlWjOvjk5h78P5bb1bJjRygn0l9D9GhQ5+I4oqjtiRoBkBWn04OTtXyzjf+68cqBG3oemz8FF+ksJgJd+4jjhp/jNLWZw0/w5Aya7cZB7ipVmzYJptpYUa9ScWCmmC578dFhuuyn2nbWTqbbMm9u7Qw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FMu/cVwZsc1yKAFR1j4ecKu773hJ/+xxoOme5iyixVc=; b=bSx+suesxPXiHF4EFEvYhSZF8C1qmwrSXl9rQCSjSGGqfHsgprSBAP7dS5OPhSK2ABPmNCWEOo4NiEkeI63R6F1RoCSwLWuuY1nn5gzdgM4/GXmvWs8cn1e2B1Bh0m4LOXgxqIAhspXFwj89+icpl3VcQacXg5q9TEe7z4unS8AGvNZwFSncNq0HwJNpvmA4ai3B/BBZPWEmW1rCas/hou7jW9ws/qvmImh4OifTHMgml7UjkZIY21Sa4mPv2Yjd1cO0QbctSBDT3H0Y5uWl7Iw3U5Qa8ksljYtmsC34iA6lv08NZswxB/wCJpxuHwBKrm0kk+WsOzcseZbE3/gePw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
Received: from SN6PR05MB4127.namprd05.prod.outlook.com (52.135.66.161) by SN6PR05MB4557.namprd05.prod.outlook.com (52.135.75.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2387.17; Tue, 22 Oct 2019 20:37:02 +0000
Received: from SN6PR05MB4127.namprd05.prod.outlook.com ([fe80::482d:8a68:ea5d:1e44]) by SN6PR05MB4127.namprd05.prod.outlook.com ([fe80::482d:8a68:ea5d:1e44%5]) with mapi id 15.20.2387.016; Tue, 22 Oct 2019 20:37:02 +0000
From: John Scudder <jgs@juniper.net>
To: Linda Dunbar <linda.dunbar@futurewei.com>
CC: Hares Susan <shares@ndzh.com>, "idr@ietf.org" <idr@ietf.org>
Thread-Topic: are the Tunnel Encap Attribute in a BGP UPDATE applicable to all the NLRI listed in the MP_REACH_NLRI path attribute?
Thread-Index: AdWJEt32Ku83RKAYSwSXotnJM+oxhQABNNUq
Date: Tue, 22 Oct 2019 20:37:02 +0000
Message-ID: <SN6PR05MB4127F3598BDEDB31EA4B0B67AA680@SN6PR05MB4127.namprd05.prod.outlook.com>
References: <BN8PR13MB26289AA01B54327E0B86553B85680@BN8PR13MB2628.namprd13.prod.outlook.com>
In-Reply-To: <BN8PR13MB26289AA01B54327E0B86553B85680@BN8PR13MB2628.namprd13.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_9784d817-3396-4a4f-b60c-3ef6b345fe55_Enabled=True; MSIP_Label_9784d817-3396-4a4f-b60c-3ef6b345fe55_SiteId=bea78b3c-4cdb-4130-854a-1d193232e5f4; MSIP_Label_9784d817-3396-4a4f-b60c-3ef6b345fe55_SetDate=2019-10-22T20:37:01.645Z; MSIP_Label_9784d817-3396-4a4f-b60c-3ef6b345fe55_Name=Juniper Business Use Only; MSIP_Label_9784d817-3396-4a4f-b60c-3ef6b345fe55_ContentBits=0; MSIP_Label_9784d817-3396-4a4f-b60c-3ef6b345fe55_Method=Standard;
x-originating-ip: [66.129.241.14]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 4208abca-c192-490d-849c-08d7572f981c
x-ms-traffictypediagnostic: SN6PR05MB4557:
x-microsoft-antispam-prvs: <SN6PR05MB4557FBB712E63279800BA5D8AA680@SN6PR05MB4557.namprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 01986AE76B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(346002)(396003)(39860400002)(376002)(136003)(199004)(129404003)(189003)(76176011)(66446008)(486006)(229853002)(4743002)(316002)(99286004)(14444005)(19627405001)(66066001)(54906003)(19627235002)(105004)(6916009)(76116006)(476003)(446003)(11346002)(3846002)(6116002)(5660300002)(7520500002)(52536014)(15650500001)(26005)(102836004)(7696005)(2906002)(66476007)(6506007)(66556008)(66946007)(186003)(53546011)(64756008)(74316002)(6436002)(4326008)(25786009)(55016002)(54896002)(256004)(66574012)(33656002)(236005)(9686003)(81166006)(71190400001)(478600001)(71200400001)(81156014)(6246003)(14454004)(86362001)(8676002)(7736002)(8936002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR05MB4557; H:SN6PR05MB4127.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 2TNXlWQR25vIZgYJZYarGF9ltla/6LWYsmZ0fEo5shAWuwZBerQwQ2zkjXSZWrmBeZhOCgU8FYpsUTaRhE0FkLk14yUC2g09VRwlpnL3ss8eKUg+MK0IU2/dBeKf1y4EkNbpbNzz8vGwDsBcpCytOxGlwaan226TToCzyJH58lOb0n8jtkscrfQsPPGjQLny04gFe7HugWsgkmufwCWR3pnoOHQDqm73Fj1wKfRTrxcA7WNdB3TykSIMDNnK/kRwPKjGvBRTHIgC2q9ehB0nB8IvG7se7Qt1j0XrDineHfL126tGhYmJdePmNn3Wyov6WymgOswXwzdQofa6CrUOgZtJ69F2jPHJsIY79qaKVgJIGsTh3YFUlg5/6UMkiefWHDDWKwc0s/lbv1V2MGhftq87UY7yfKBGXoMp/k5vTyDEW8y3ScPS0OWvSUbKmROJ
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_SN6PR05MB4127F3598BDEDB31EA4B0B67AA680SN6PR05MB4127namp_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 4208abca-c192-490d-849c-08d7572f981c
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Oct 2019 20:37:02.2120 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: d5qAzROU8rrpjjcyIPFQzT949JYZ/r2j/9lzaxnZaoFima9Vh+myVWLoFaH18cBv
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR05MB4557
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,1.0.8 definitions=2019-10-22_06:2019-10-22,2019-10-22 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 malwarescore=0 lowpriorityscore=0 bulkscore=0 adultscore=0 clxscore=1015 mlxscore=0 impostorscore=0 suspectscore=0 priorityscore=1501 phishscore=0 spamscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1908290000 definitions=main-1910220175
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/2CZnboclvxpEG1Zp_FI0py6NLz0>
Subject: Re: [Idr] are the Tunnel Encap Attribute in a BGP UPDATE applicable to all the NLRI listed in the MP_REACH_NLRI path attribute?
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Oct 2019 20:37:15 -0000

Hi Linda,

Per my recollection, and without checking back in the draft:


  1.  Yes.
  2.  Yes, although if I recall correctly there's a special case that lets you leave out the address in the case when address == next_hop, which is true in your example.
  3.  Yes, although you can avoid re-advertisement of the full set of affected NLRI by having R2 advertise a secondary loopback (let's call it R2') such that 10.1/16 and 10.2/16 have R2' as their next hop, and R2' has R2 as its next hop and carries the tunnel-encap attribute. If you use that approach, then only R2' needs to be re-advertised if the underlying tunnel changes. The two /16 NLRI recurse twice to get to the tunnel. This is described in the draft, I forget exactly where.

Regards.

--John
________________________________
From: Linda Dunbar <linda.dunbar@futurewei.com>;
Sent: Tuesday, October 22, 2019 1:27 PM
To: John Scudder <jgs@juniper.net>;
Cc: Hares Susan <shares@ndzh.com>;; idr@ietf.org <idr@ietf.org>;
Subject: are the Tunnel Encap Attribute in a BGP UPDATE applicable to all the NLRI listed in the MP_REACH_NLRI path attribute?


John,



Thank you very much for the explanation.



Just want to confirm my understanding:



Assume we have :  R1  ----- R2

where R2 is the next hop for 10.1.x.x/16 and  10.2.x.x./16

and R2 supports both GRE and VxLAN encapsulation.



R2 would send a BGP UPDATE with the following path attributes:



        Path Attribute - MP_REACH_NLRI    (Type Code=14)

  Next hop network address : R2

  Network layer reachability information:

10.1.x.x/16

10.2.x.x./16



        Path Attribute – Tunnel-Encap    (Type Code=23)

Tunnel-Type = VxLAN

Tunnel Endpiont Sub-TLV (4 octets for AS, 2 octets for Address family, Address?) /* is  the actual address = R2?*/

VxLAN’s MAC address sub-TLV

Tunnel-Type = GRE

Tunnel Endpiont Sub-TLV (4 octets for AS, 2 octets for Address family, Address?) /* is  the “Address” = R2?*/

GRE subTLV /*



Question:

  1.  does it mean that all the tunnel types listed in the Type-code =23 (Tunnel-Encap) are applicable to all the NLRIs in the update?
  2.  Does R2 appeal multiple times as “Tunnel Endpoint Sub-TLV”  under each Tunnel-Type?
  3.  When there are changes to the tunnel information carried by TUNNEL Path attributes, does it mean all the NLRI has to be repeated?



Thank you very much,



Linda Dunbar



From: John Scudder <jgs@juniper.net>;
Sent: Friday, October 11, 2019 12:39 PM
To: Linda Dunbar <linda.dunbar@futurewei.com>;
Cc: Hares Susan <shares@ndzh.com>;
Subject: Re: Can one Destination Address appear in both Tunnel Encap Attribute and in MP_REACH_NLRI ?



In thinking about this further, I have a guess as to where the disconnect may be occurring. Let me try:



We use BGP updates to advertise reachability for given destinations. Let us recall the definition in RFC 4271:



   Route

      A unit of information that pairs a set of destinations with the

      attributes of a path to those destinations.  The set of

      destinations are systems whose IP addresses are contained in one

      IP address prefix carried in the Network Layer Reachability

      Information (NLRI) field of an UPDATE message.  The path is the

      information reported in the path attributes field of the same

      UPDATE message.



So, when a router is trying to forward a packet towards destination D, and it matches against its FIB, as far as BGP is concerned the prefixes in its FIB are derived exclusively from the NLRI portion of the BGP updates it’s received. The associated next hops are derived from the NEXT_HOP attribute, or from the tunnel-encaps attribute.



Addresses found within any attribute that is not NLRI, are not used as destinations.



Part of my confusion about your question comes from your use of the term “are in”, as in “prefixes … are in … the tunnel encapsulation attribute”. I don’t think there is a field in the tunnel encapsulation attribute that can even encode a prefix (other than a /32 IPv4 “prefix” or a /128 IPv6 “prefix”). So a prefix can’t be physically in the attribute. A prefix can be “in” a tunnel in the sense of, the prefix is in the NLRI and the tunnel attribute is in the same update as that NLRI, and therefore the prefix is logically paired with the tunnel according to section 5 of the draft.



HTH,



—John





On Oct 11, 2019, at 12:34 PM, Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>> wrote:



John,



Thank you very much for the explanation.



My question is:

If prefixes A, B, and C are in tunnel T in the tunnel encapsulation attribute under Next Hop R2, can Prefixes A, B, C also appear under the NLRI field under Next Hop R2? Assuming that R2 is the next hope for prefixes A, B, C and R2 supports tunnel T encapsulations (say GRE, VxLAN, etc.).



When R1 receives this Update with both NLRI (Code 14) and Tunnel Encapsulation attribute (code 23), does it mean R1 can use either plain forwarding or the tunnel T forwarding for the prefixes A, B, C?





Thank you.



Linda





From: John Scudder <jgs@juniper.net<mailto:jgs@juniper.net>>
Sent: Thursday, October 10, 2019 7:58 PM
To: Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>
Cc: Hares Susan <shares@ndzh.com<mailto:shares@ndzh.com>>
Subject: Re: Can one Destination Address appear in both Tunnel Encap Attribute and in MP_REACH_NLRI ?



Hi Linda,



This is a quick reply, without referring to the draft since it’s getting late here but I want to answer. That said, I’m reasonably confident.



- The tunnel encapsulation attribute does NOT replace the “Network Layer Reachability Information” field of MP_REACH_NLRI. It is its own path attribute.

- So yes, it is listed at the same level as MP_REACH_NLRI (Code Point 14) in the Path Attributes lists.

- You can think of the tunnel encapsulation attribute as being kind of a replacement for the NEXT_HOP in the update. So, let’s say the update contains prefixes A, B, and C in the NLRI field, and tunnel T in the tunnel encapsulation attribute. This means packets for prefixes A, B, and C should be forwarded through tunnel T. (Actually I think it is “must be forwarded” but there may be some exception allowing fallback to regular forwarding if the tunnel type isn’t supported, I forget.)



Hope this helps.



—John




On Oct 10, 2019, at 6:59 PM, Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>> wrote:



John and Sue,



Do you know the answer to my question? Can you get the authors to respond to my question posted on the list?



Thank you very much.



Linda



From: Linda Dunbar
Sent: Wednesday, October 09, 2019 3:26 PM
To: idr@ietf.org<mailto:idr@ietf.org>; draft-ietf-idr-tunnel-encaps@ietf.org<mailto:draft-ietf-idr-tunnel-encaps@ietf.org>
Subject: Can one Destination Address appear in both Tunnel Encap Attribute and in MP_REACH_NLRI ?



Dear authors:

draft-ietf-idr-tunnel-encaps specifies the The Tunnel Encapsulation attribute as an optional transitive BGP Path

attribute, with code point 23.

Does it mean Tunnel Encapsulation Attribute is listed at the same level as MP_REACH_NLRI (Code Point 14) in the Path Attributes lists shown in the following captured packets from Wireshark? If a Destination address is already listed in the MP_RACH_NLRI, is it listed again in the Tunnel Encap subTLV (if it can be reached via some tunnel, such as VxLAN/GRE/?





<image004.png>





Does the Tunnel Encapsulation Attributes have the same fields as MP_REACH_NLRI (RFC4760)?

Or the Tunnel Encapsulation Attributes is the “Network Layer Reachability Information” field of MP_REACH_NLRI?



<image006.png>





Thank you very much,



Linda Dunbar




Juniper Business Use Only