Re: [Idr] https://tools.ietf.org/html/draft-wang-idr-rd-orf-00
Robert Raszuk <robert@raszuk.net> Fri, 17 July 2020 09:43 UTC
Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B67F53A15E1 for <idr@ietfa.amsl.com>; Fri, 17 Jul 2020 02:43:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_FACE_BAD=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qsglJmobmpuu for <idr@ietfa.amsl.com>; Fri, 17 Jul 2020 02:43:23 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF9033A15E2 for <idr@ietf.org>; Fri, 17 Jul 2020 02:43:22 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id d18so7176327edv.6 for <idr@ietf.org>; Fri, 17 Jul 2020 02:43:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aRNNM/lmB9wixMv4ChPk8x165CBSZO6k7ntxTEjAl6A=; b=Uu0FfNu0wPGdycOcNvCkxWzkAt6CqmJouSTmLdkoQSsYDCACJeCb61/Yklg+akG1TZ Pr6UuPsb1+zTbelS+LKpp+5B7onetPrsJfIggjpx1LSoIzEvlamo0Cu8DU4dreIhw4wW hT3m9BTll+msDivRnrzh5NlqaA8PZHeULMCjpQp/FVRD9FF1VNYZgdu4wNzhZ3UkvEBJ LusFbRU3pKEpNIpS4X+8/gnp4zbuxg4iKDtF7iFyPMm/46qi2l81Vq4Zfel+Z4UwitQ2 yY76XkEwVT525Jlm+cpIZ4tQgfIAcq2h8usnTXiNWatQJLWpxcIMuLpWYLVOSBXx4qpx 48tQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aRNNM/lmB9wixMv4ChPk8x165CBSZO6k7ntxTEjAl6A=; b=qMUqFXZAbssMXA70r8ZYhUktHPZ6pLaAreUEqOvqRCeTaTXokrrt/r/iSqhJhbGqld L+Cn7A7RXlJ2Rfajrm+R0n7SFbet/5QCHnXe1hGPz5VhZEyijuICB++O4vcgdPI7rjc4 omC8EAoaxSIsBwKMSkUp/X+jJR23i9hqHkDW9mEg670Jkp6oHxfW61cutX+nbhvG/ofR Xd3/ih0AUS7RFAB/0w/yEKoMm42fGiYGAAVHE/VO9SZJso3YLYIUt6vYijNrDUGXjzMJ 7fBtYbeerjpvDDAfvXGeQ0INmUrkrKVu4bp3ktQyuoD62YyP3Ukii27XSgH+b7AhZxza uq1g==
X-Gm-Message-State: AOAM5337R3uSP/2Nn4etuVdGK7R7Oeh3IAV8zVhw31amRZR89VXjapq8 7abewoz7MvGl52WBf2MdGUDh/Bs8o+z0I6dIBbepGA==
X-Google-Smtp-Source: ABdhPJyFjkRDm4rfbeHK3JVrM65+BPyip4K4fKIiyVAlCVUmFMeIF65TrGQ7MkypJofa7wWUIX2SLColtMMziGMVFQw=
X-Received: by 2002:aa7:dd14:: with SMTP id i20mr8725704edv.41.1594979001231; Fri, 17 Jul 2020 02:43:21 -0700 (PDT)
MIME-Version: 1.0
References: <CAOj+MMH_CefbH639OVs==ts4C_7rf4W1d+pUN+Wb+im5+gNfFg@mail.gmail.com> <003c01d65b1a$777b60a0$667221e0$@tsinghua.org.cn> <CAOj+MMEBTbD9nKH8s2a4VJOCGT2itSUTZOc1tRQnOdTBHtsFeA@mail.gmail.com> <007501d65b4f$4990d1e0$dcb275a0$@chinatelecom.cn> <CAOj+MMGQFcKvmYT3SXsXnXT-SQpzsjZRQtoxZhpNe2WA-TgT_A@mail.gmail.com> <BYAPR11MB3207E4C80AE4563F3A8AD0C1C07F0@BYAPR11MB3207.namprd11.prod.outlook.com> <CAOj+MMG4Bw5sKE4WRRG5cssqGAgqP_jX+NaJ6_OnDhdPM5rTuA@mail.gmail.com> <BYAPR11MB3207B46C0198DD2836778EF0C07F0@BYAPR11MB3207.namprd11.prod.outlook.com> <000501d65bf5$6bbe7f50$433b7df0$@tsinghua.org.cn>
In-Reply-To: <000501d65bf5$6bbe7f50$433b7df0$@tsinghua.org.cn>
From: Robert Raszuk <robert@raszuk.net>
Date: Fri, 17 Jul 2020 11:43:12 +0200
Message-ID: <CAOj+MMFt=GbL7f7s7mxHD7R1QVQjm+ktvJeUVWY3DZZ3Q69Zng@mail.gmail.com>
To: Aijun Wang <wangaijun@tsinghua.org.cn>
Cc: "Jakob Heitz (jheitz)" <jheitz=40cisco.com@dmarc.ietf.org>, Jeff Tantsura <jefftant.ietf@gmail.com>, Aijun Wang <wangaj3@chinatelecom.cn>, "idr@ietf. org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cb04c905aa9ffc9b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/2Tdh48nqTdLH4gbgNm75gKdS-Bo>
Subject: Re: [Idr] https://tools.ietf.org/html/draft-wang-idr-rd-orf-00
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2020 09:43:26 -0000
Hi Aijun, >From our POV, the user of the address-prefix ORF will pay more attention to > the prefix itself > First the "user" is the implementation ... hope you are not expecting real operator to inject such ORF entries when "overflow" happens. Let's also observe that In L3VPNs_PREFIX = RD + IPv4_PREFIX For example, we can refer to https://tools.ietf.org/html/rfc7543 (Covering > Prefixes Outbound Route Filter for BGP-4), the minLen, maxLen and host > address encoding do not include the RD(when comparing the received route, > the receiver needs to add 64 to minLen/maxLen) > Incorrect. The RFC says: o the route prefix length is greater than or equal to the CP-ORF Minlen plus 64 (i.e., the length of a VPN Route Distinguisher); Note: ==equal== So that means that at least RD must be compared. Actually, the RD-ORF message will be regenerated between every BGP session, not propagate directly back to the upstream, as that done in BGP Update messages. Then, every regeneration point(RR/ASBR) can control whether or not send the newly generated RD-ORF to the upstream. In scenarios that when not all of PEs are overwhelmed by routes from this specified VPN, the RR/ASBR can constraint the sending of the RD-ORF policy to the source. "Regeneration" follows propagation. This is exactly why we defined RTC so all loop free properties are still met. ORF is point to point. Or do you mean that when RR receives the RD-ORF from sending PE it will not propagate till an operator pushes a new configuration to propagate this further. If so have you even considered timing of those events ? The edge between CE and PE is one control point to restrict the prefixes number, but we can’t rely solely on it, especially in the Option-B/Option-C interconnection scenario. Using RD-ORF mechanism, we can prevent the overwhelmed VPN prefixes in one AS to influence PEs in another AS, and also the PEs within same AS(when they exchange routes via RR) The reason for the occurrences of overwhelmed VPN prefixes may be misconfiguration on one PE, or being attacked from the outside of network, or other unforeseeable events. ORF means installing additional route filter outbound from a BGP speaker as instructed by the peer. I do not see how any Option-B or worse Option-C peer will allow different AS to push some VPN prefix filter on his infrastructure. Unless both are under the same administration - but then you can use prefix limit. Again I do not support your assertion that RD is more granular then RT for this purpose. It all depends how given operator designed the RT and/or RD allocations. As mentioned for a given VPN importing VRF copies prefixes and *ovverrides* incoming RD with local one. So just think what happens if that specific VRF "overflows" but there is many sources of original pre-import routes all with different RDs. If anything in this space I would rather see us perhaps trying to automate prefix limit per RT (in this case it would be export RTs carried with the routes not import RTs). Thx, R.
- [Idr] https://tools.ietf.org/html/draft-wang-idr-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… UTTARO, JAMES
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Jakob Heitz (jheitz)
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Jakob Heitz (jheitz)
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Jeff Tantsura
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… UTTARO, JAMES
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Jakob Heitz (jheitz)
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Jakob Heitz (jheitz)
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… UTTARO, JAMES
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang