Re: [Idr] Adoption call for draft-heitz-idr-wklc-02 (3/9 to 3/23)

Gyan Mishra <hayabusagsm@gmail.com> Mon, 15 March 2021 22:33 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F10673A1153 for <idr@ietfa.amsl.com>; Mon, 15 Mar 2021 15:33:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 83Xb6s8-2UUo for <idr@ietfa.amsl.com>; Mon, 15 Mar 2021 15:33:42 -0700 (PDT)
Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4F853A114D for <idr@ietf.org>; Mon, 15 Mar 2021 15:33:42 -0700 (PDT)
Received: by mail-pj1-x1034.google.com with SMTP id gb6so9582804pjb.0 for <idr@ietf.org>; Mon, 15 Mar 2021 15:33:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bL3NRXr5QmIyHSLomA/p6iD5u2mw+9CmuA3PfLHnFKw=; b=jdZYNcscQWw09C/YJ4vWhluSq4YaZqzRNQJjTmdK12Mv2Xds/TtggEjY7y5AVW1otX ZUbryfZ7yzsdNC+pNnMu3DbyPF2o1C3+5ot4qJSiMbsn3IjVXNFOea7OZ/LCTBEsTXrl NA8xt3pR3oNxWz8c2aGi/vZ7qcqF/nWxA9z/ANQdTsVJwBxqTbYfBHgeGSY2RzwRqfwa Te1V5AvhTzyC1j0TpHcV98IkU3V9NCE18MSyNd+tAE7xubp2W9qfIWbslFHwBjaFMK94 1iKdOU4aTgWlWfvtNY/PCFJm9iwiyPMoVYYG+q2RpLLwp1w+O6qIL5vsacTiXFUSgvx4 E8AQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bL3NRXr5QmIyHSLomA/p6iD5u2mw+9CmuA3PfLHnFKw=; b=Fs/yLH2RjhEhTV0yC4F8DeZGvT3UmIS24dJ0066608eSSSZOsxkl2xY4GrE2xYug8r Tp76GJPNkuL7xtid6rftI7RgiDJu2RyNrFO5YWX0A19SPBh2Y6lxp1KwwTxiCobn5+2v fGDTtGXgA4xFSBd2hXQArUeef/Chd+z5ngqhBBWUfVJ1n/GAljwWuB0IZA1bPitdRN0V qvCbRWIa+9E47k8xqenAl/Mi9j2aY5VbiFWswpZn2VK/B5WkeBPP2YKdkvjGiB5xhgUv XvuHnEl8W5CJd2xHENmfqKPxUxfcsVdN82eWKkUUbkf2QfgYixiz+DxXghN18gbbL7Dl jE3Q==
X-Gm-Message-State: AOAM5309sueRKybIJVi1TgNbULdw5i8QZWoF3SUFRf3dQ/n+odxX2soH BPM5TitOq6wpYKGeiP0EIqtI+SLFhysubMGnOmw=
X-Google-Smtp-Source: ABdhPJwGdMOkvyqn/2+L5Qlm5SxwUeda0VBL3/U+3Wy0NW8tjFV+4UUpJvcWCnnuCw3IFfSH16+4P+FOWwmKOGoa0yE=
X-Received: by 2002:a17:90b:2358:: with SMTP id ms24mr1363119pjb.132.1615847621167; Mon, 15 Mar 2021 15:33:41 -0700 (PDT)
MIME-Version: 1.0
References: <BYAPR11MB3207CF86CF2FBD56CA3EAD66C0919@BYAPR11MB3207.namprd11.prod.outlook.com> <CBFDE565-E501-4344-BF6C-53A541D50391@tsinghua.org.cn> <012b01d7170f$7ec90310$7c5b0930$@tsinghua.org.cn> <BYAPR11MB3207D4E973EE9ED170687E1EC06F9@BYAPR11MB3207.namprd11.prod.outlook.com> <015601d7171a$036be470$0a43ad50$@tsinghua.org.cn> <CAH1iCiqy3uu0SF2i9TyTRwCdt2d2Ud9+nUCtRG+vc2E-gwfLPQ@mail.gmail.com> <000501d71940$e9b87420$bd295c60$@tsinghua.org.cn> <BYAPR11MB320799969ECFDA66B32F2BBBC06C9@BYAPR11MB3207.namprd11.prod.outlook.com>
In-Reply-To: <BYAPR11MB320799969ECFDA66B32F2BBBC06C9@BYAPR11MB3207.namprd11.prod.outlook.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Mon, 15 Mar 2021 18:33:30 -0400
Message-ID: <CABNhwV1UotP6Zc-YhvbBbj0XDiH-nnu3raUH9c0agVJ6B-D32A@mail.gmail.com>
To: "Jakob Heitz (jheitz)" <jheitz=40cisco.com@dmarc.ietf.org>
Cc: Aijun Wang <wangaijun@tsinghua.org.cn>, Brian Dickson <brian.peter.dickson@gmail.com>, IETF IDR <idr@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000788ed205bd9ad783"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/4kCmagv1RCY80BggVdf_ojI4tdQ>
Subject: Re: [Idr] Adoption call for draft-heitz-idr-wklc-02 (3/9 to 3/23)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Mar 2021 22:33:46 -0000

Hi Jacob

I have a few questions related to the draft.

Do you think it would make sense to make this an experimental draft and as
it matures in testing the leak mitigation we can advance to standards track.


The WKLC format change reason as you stated to flip flop the global and
local part as per GROW leak detection proposal to use the WKLC to primary
goal of community usage would be for “route leak detection” and per the
leak draft as you stated the reason for the global and local part flip flop
is so that the field is prevent the legitimate AS from having the same AS
field as the leak routes signaling and tagging.

https://tools.ietf.org/html/draft-ietf-grow-route-leak-detection-mitigation-04

Is this draft updating RFC 8092 and if it is not it is really confusing for
any reader as it does seem that it is being updated to this new format.

How would legitimate traffic use RFC 8092 format and non legitimate use
this new draft format of RFC 8092 is being updated.

Also how can you maintain 2 completely different formats for large
communities one for legitimate following RFC 8092 and one for leak draft
using flip flopped fields.  Or is RFC 8092 being updated and this is a new
format being proposed.  We should state if this draft is updating RFC 8092.

Also in Section 2 encoding the Data fields are not defined as global or
local.  Are the three fields open and not defined maybe to used for global
or local at the operators discretion?

It appears the leak draft defined the 10 byte 3 data fields as NN1:NN2:ASN
however your draft keeps it wide open for the operator to whatever it
chooses for the 10 byte field.   Would that make the RegEx match
complicated and break RegEx matching as now you don’t know what field is
what do you don’t know what to match on.  I can see the advantage idea of
the flexibility of not defining the 3 data fields but I am not sure that
work with RegEx matching.

In thread was mentioned 2 ASN fields mentioned by Brian which does seem
strange.  Usually the ASN data field is set to the originator ASN that is
doing the marking.

So from RFC 8092 to this proposal to account for the route leaking issue
solution WKLC we go from 3 data fields and 12 bytes ASN:NN1:NN2 to 3 data
fields 10 bytes NN1:NN2:ASN using the first two bytes for flags and WKLC
byte.

In the draft in some spots it says the 10 bytes data field is for WKLC but
can’t it be used for any large community usage.

The goal of RFC 8092 was to make the data field larger for 4 byte ASNs but
does not specifically addressing WKLC.

All of these questions need to be made more clear in this draft before it
can be adopted.

The leak draft proposes one format idea for WKLC format, however  I don’t
understand why we are jumping from a standards perspective on this one idea
to flip flop the format or make it open with no defined structure as a
solution to mitigate the route leaking.

The leak detection draft lacks guidance as to why this DO format was chosen
and does not propose any other ideas or options for leak mitigation.

In the leak draft section 3 of community versus attribute and I agree that
a new path attribute would be the way to go but as stated that would
require code upgrades and longer lead time for operators to implement.

It does seem like a rush to get something pushed out as a stop gap measure
“standards bandaid” without thoroughly thinking through all the nuances and
possible ramifications of this flip flop or open ended concept.

I agree that some thought was put into the solution comparing drop leak
detection versus deprioritization and I agree the RFC 8092 LC is the best
method for the solution at this point, but I am not convinced on the
flip/flop format DO community style for route leak mitigation.  Also we
stated how would RegEx match work if you don’t know which field is the
global field and the high field is the local field.  I cannot see this
working.

As with RegEx you can match on any digit in the RFC 8092 style AS:NN1:NN2
versus the flip/flop idea NN1:NN3:AS.

In the draft as the fields are open ended, how are we calculating that WKLC
uses the number of ASNs listed below.

   The range of AS numbers currently unallocated by IANA is 399,261 to
   4,199,999,999.  The WKLC reserves 67,108,864 AS numbers.  That still
   leaves 4,132,491,874 unallocated AS numbers.  For comparison, there
   are 94,968,317 AS numbers reserved for private use.  Thus, the number
   of ASNs reserved for WKLCs is considered insignificant.


As all communities to date have always follows the AS:NN Global:Local part
I am not sure  why the drastic change in format.




Kind Regards


Gyan

On Mon, Mar 15, 2021 at 1:30 AM Jakob Heitz (jheitz) <jheitz=
40cisco.com@dmarc.ietf.org> wrote:

> *[WAJ] Yes, there are abundant range for the 32 bit ASN space, but my main point is that your draft doesn’t state the reason to reserve 1/64 32-bit ASN space(*4093640704 (0xF4000000) to 4160749567 (0xF7FFFFFF)*).  *
>
>
>
> [JH] Aijun. I'm glad you agree that there is still abundant space to
> allocate ASNs.
>
> The reason to reserve space is explained in the introduction.
>
> It is to prevent WKLCs from having the same Global Administrator field as
> a legitimate AS trying to distribute its LC.
>
>
>
> Regards,
>
> Jakob.
>
>
>
> *From:* Aijun Wang <wangaijun@tsinghua.org.cn>
> *Sent:* Sunday, March 14, 2021 7:14 PM
> *To:* 'Brian Dickson' <brian.peter.dickson@gmail.com>
> *Cc:* Jakob Heitz (jheitz) <jheitz@cisco.com>om>; 'IETF IDR' <idr@ietf.org>
> *Subject:* RE: [Idr] Adoption call for draft-heitz-idr-wklc-02 (3/9 to
> 3/23)
>
>
>
> Hi, Brian:
>
>
>
> Based on your intention, I think you should consider to redefine the
> encoding of LC, not only well-known LC.
>
> Even for the redefinition of LC encoding, you should also state clearly
> the potential advantages.
>
>
>
> More detail replies are inline below.
>
>
>
> Best Regards
>
>
>
> Aijun Wang
>
> China Telecom
>
>
>
> *From:* Brian Dickson <brian.peter.dickson@gmail.com>
> *Sent:* Saturday, March 13, 2021 2:14 AM
> *To:* Aijun Wang <wangaijun@tsinghua.org.cn>
> *Cc:* Jakob Heitz (jheitz) <jheitz@cisco.com>om>; IETF IDR <idr@ietf.org>
> *Subject:* Re: [Idr] Adoption call for draft-heitz-idr-wklc-02 (3/9 to
> 3/23)
>
>
>
>
>
>
>
> On Fri, Mar 12, 2021 at 12:31 AM Aijun Wang <wangaijun@tsinghua.org.cn>
> wrote:
>
> Hi, Jakob:
>
>
>
> *From:* Jakob Heitz (jheitz) <jheitz@cisco.com>
> *Sent:* Friday, March 12, 2021 3:45 PM
> *To:* Aijun Wang <wangaijun@tsinghua.org.cn>
> *Cc:* idr@ietf.org
> *Subject:* RE: [Idr] Adoption call for draft-heitz-idr-wklc-02 (3/9 to
> 3/23)
>
>
>
> 1.      It is small, not huge as explained in the draft.
>
> *[WAJ] When compared to the 22 well-known community, “67,108,864 AS
> numbers” is too large.  I am worrying the unnecessary reservation may
> prevent the allocation of the unallocated AS-number for other purposes.*
>
>
>
> The range of reserved ASNs occupies two bits of the upper 8 bits, plus the
> entirety of the the next 24 bits in its range.
>
> This represents a single value from the 6-bit portion of the ASN space, or
> exactly 1/64 of the 32-bit ASN space.
>
> Given that the current usage for ASNs is 2^16 for the 16-bit ASNs, plus
> less than 7 bits out of the upper 16 bit range, that is roughly 64/65536 or
> about 1/1000.
>
> This still leaves well over 31/32 of the potential ASN space, so I believe
> your worry is unjustified.
>
> *[WAJ] Yes, there are abundant range for the 32 bit ASN space, but my main point is that your draft doesn’t state the reason to reserve 1/64 32-bit ASN space(*4093640704 (0xF4000000) to 4160749567 (0xF7FFFFFF)*).  *
>
>
>
> 2. It got updated and I missed it when I updated my draft. Thanks for
> catching it.
>
> 3. I don't understand your question. Can you expand?
>
> *[WAJ] why not take the approach directly as that descried in  *
> https://tools.ietf.org/html/draft-ietf-grow-route-leak-detection-mitigation-04.
> ?
>
> *That is to say, for each potential well-known large community, reserve
> one value for the “Global Administrator” part of the large community, and
> defined the associated data for the other two local parts. Transitive or
> non-transitive can be defined accordingly. *
>
> *Currently, you define “WKLC ID” as the large community type. From the
> definition of large community(RFC8092), the “Global Administrator” part
> will be divided into 256 groups, each group will have 2^16 number, that is
> 2^16 well-known large communities? *
>
> *I know you want to leave some field to the data part, but this arises
> some confusion when your proposed encoding is different from the original
> definition of RFC8092.*
>
>
>
> The logic for this is as follows:
>
> The initial use case is to establish a structured value of TBD1:TBD2:ASN
> for the route-leak-detection-mitigation (as that draft explains).
>
> The TBD2 is a single value out of a 32-bit range which will be in its own
> (new) registry. Having a registry allows for future uses in the context of
> TBD1, allowing new kinds of LC's in this bigger registered range.
>
> *[WAJ] You should state also the reason that such sub-registry under one
> well-known LC.  Describe some examples may be helpful.  DO community is one
> example, but there still also no more explanation.*
>
>
>
> However, the router implementations, for the most part, permit filtering
> of LCs on the basis of 3 32-bit values, where either literal values or
> wildcards can be used.
>
> Having the elements be aligned on the 32-bit boundary, and having TBD1 and
> TBD2 be fixed values, permits LC matching using a patterns of either
> TBD1:TBD2:* (wild-card), or TBD1:TBD2:ASN (explicit ASN match).
>
> In other words, this structure choice is forced by router implementations,
> and really not appropriate to second-guess. It isn't up for negotiation, as
> this is a necessary requirement for the first use case.
>
>
>
> BTW: Both of these patterns (fixed single value and wild-card of lower
> 32-bit value) are required to implement the GROW draft you referenced.
>
>
>
> Having said that, this is the first out of up to 255 WKLCs, and the
> maximum benefit to other potential uses for WKLC is achieved by making the
> maximum (reasonable) number of octets available for those other WKLCs,
> specifically 10 octets of undefined structure.
>
>
>
> In particular, it is possible that other WKLCs require two ASN data values
> in their encoding (such as a source ASN and a destination ASN), and
> additional values (single bits or ranges of values) beyond that. Limiting
> the WKLC to having only single Global Administrator values and 8 octets of
> data, would be insufficient in that case.
>
>
>
> This would require re-design of WKLCs at a later date, and it may not be
> possible due to existing usage or reservations of WKLCs.
>
>
>
> By providing more octets to EACH WKLC, this problem is prevented. Making
> data allocations on power-of-two boundaries at the highest order is
> necessary up front. Attempting to expand ranges after allocations is
> possible, but may not be compatible with the power-of-two alignment
> required by future use cases of WKLC.
>
>
>
> You cannot aggregate that which was not initially allocated in a fashion
> suitable for aggregation. This was one major outcome of the IP allocation
> strategies prior to CIDR addressing for IPv4 address space. We would do
> well to learn from the mistakes of others, particularly when those mistakes
> were effectively repeated in the ASN space already (16 bits to 32 bits,
> because the initial assumption was 16 bits would be sufficient).
>
> *[WAJ] If you want to accomplish this, I think you should propose to
> change the encoding of LC, not only the well-known LC.   And, the community
> is not used to packet forwarding, what’s the necessary to aggregate?*
>
>
>
> So, in summary, the reservation of the range of ASNs is specifically to
> permit applying structure to the LC values within that range.
>
> The original LC definition is only applicable to "actual" ASNs as Global
> Administrator. RFC8092 says only "intended", and that the value "SHOULD" be
> an ASN.
>
> This is a new use case, and is the reason RFCs use "SHOULD" instead of
> "MUST".
>
> (What RFC8092 really says is, LCs where the Global Administrator value
> corresponds to an actual assigned ASN, are reserved exclusively for the
> operator of that ASN.)
>
> Since this proposal sets aside a range of ASNs as a group, the structure
> of LCs covering that range can be redefined accordingly, as long as that
> redefinition is scoped to that range of ASNs.
>
> *[WAJ] This is different from the structure of LC defined in RFC8092, in
> which only the Local part 1/local part 2 of one Global Administrator is
> operator-defined.*
>
>
>
> This is EXACTLY what this WKLC proposal is doing, and nothing more.
>
> The other draft is for the use of the first assigned WKLC values (single
> ID plus the Transitive Bit values).
>
>
>
> Hope this clarifies the usage and compatibility with other RFCs.
>
>
>
> Brian
>
>
>
>
>
> Regards,
>
> Jakob.
>
>
>
> *From:* Aijun Wang <wangaijun@tsinghua.org.cn>
> *Sent:* Thursday, March 11, 2021 11:16 PM
> *To:* Jakob Heitz (jheitz) <jheitz@cisco.com>
> *Cc:* idr@ietf.org
> *Subject:* RE: [Idr] Adoption call for draft-heitz-idr-wklc-02 (3/9 to
> 3/23)
>
>
>
> Hi, Jakob:
>
>
>
> More questions for your draft:
>
> 1.     Do we need to reserve such huge range(4093640704 (0xF4000000) to 4160749567 (0xF7FFFFFF) as you described in https://datatracker.ietf.org/doc/html/draft-heitz-idr-wklc-02#section-6 for the countable well-known large communities?
>
> 2.     There is some inaccurate description for the current reserved AS number space in https://datatracker.ietf.org/doc/html/draft-heitz-idr-wklc-02#section-4.  You can check it at https://www.iana.org/assignments/as-numbers/as-numbers.xhtml. The unallocated AS range is 401309-4199999999, not at described in your draft “The range of AS numbers currently unallocated by IANA is 399,261 to 4,199,999,999.”
>
> 3.     What’s the necessary to group such WKLC via the WKLC ID?
>
>
>
> Best Regards
>
>
>
> Aijun Wang
>
> China Telecom
>
>
>
> *From:* idr-bounces@ietf.org <idr-bounces@ietf.org> *On Behalf Of *Aijun
> Wang
> *Sent:* Wednesday, March 10, 2021 9:38 PM
> *To:* Jakob Heitz (jheitz) <jheitz@cisco.com>
> *Cc:* idr@ietf.org
> *Subject:* Re: [Idr] Adoption call for draft-heitz-idr-wklc-02 (3/9 to
> 3/23)
>
>
>
> Yes, if we reserve some 4-bytes AS range, then your concerns will not
> happen.
>
> The well-known large community need just be allocated from this reserved
> range. That’s all.
>
> Do we need other definitions in your draft then?
>
> Aijun Wang
>
> China Telecom
>
>
>
> On Mar 10, 2021, at 21:18, Jakob Heitz (jheitz) <jheitz@cisco.com> wrote:
>
> 
>
> Consider if there is a real AS that uses 4,093,640,704 as its ASN.
>
> And if this AS were to send a large community of its own.
>
> It would put its ASN into the Global Administrator field of the LC.
>
> This ASN is 11110100000000000000000000000000 in binary.
>
> Then another AS sends a WKLC with WKLC ID 0, Transitivity 0 and Data 1 = 0.
>
> This has the same bit pattern.
>
> To avoid the clash, we need to reserve the ASNs that would clash.
>
>
>
> Regards,
>
> Jakob.
>
>
>
> *From:* Aijun Wang <wangaijun@tsinghua.org.cn>
> *Sent:* Wednesday, March 10, 2021 12:11 AM
> *To:* Jakob Heitz (jheitz) <jheitz@cisco.com>om>; 'Susan Hares' <
> shares@ndzh.com>gt;; idr@ietf.org
> *Subject:* RE: [Idr] Adoption call for draft-heitz-idr-wklc-02 (3/9 to
> 3/23)
>
>
>
> And, what the reason to assign the “111101”value in the first 6bit your
> encoding? It is not conformed to general definition of large community, in
> which the first 4-bytes is to identify the Global Administrator.
>
>
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
-- 

<http://www.verizon.com/>

*Gyan Mishra*

*Network Solutions A**rchitect *



*M 301 502-134713101 Columbia Pike *Silver Spring, MD