IETF Logo Mail Archive

Re: [Idr] Adoption and IPR call for draft-wang-idr-vpn-prefix-orf-03.txt (8/16 to 8/30)

Igor Malyushkin <gmalyushkin@gmail.com> Wed, 31 August 2022 09:50 UTC

Return-Path: <gmalyushkin@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91478C14CE29 for <idr@ietfa.amsl.com>; Wed, 31 Aug 2022 02:50:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IE99CtZyapUk for <idr@ietfa.amsl.com>; Wed, 31 Aug 2022 02:50:31 -0700 (PDT)
Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46D94C14F73D for <idr@ietf.org>; Wed, 31 Aug 2022 02:50:09 -0700 (PDT)
Received: by mail-il1-x12b.google.com with SMTP id h14so5665285ilh.10 for <idr@ietf.org>; Wed, 31 Aug 2022 02:50:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=ierW4tV5TABLrxELw5/18jPizmPQojyXguaVtugA3QE=; b=WQCynBzaUu4J1gc+27UBYdog26dw7JwzKHF7D81pZFyYQT7BKxCs302hRBl2GwizZx S6Jk2dmEuWQUnBdb2ISZsDyXpjSffHk4jPYlzDdBm4Sj05EzTz3kXS9KcWtqPykR/3Qt wQcL0neo/Q9e7AjJNuZDNc9ewx/Tg/cn8V89HegfA0F1cTAT5K+P6rJp9PMmVdQ97b8o FIvd84mYC9qjydZ0bjWXJoFvHTWR2jyzLzlPouc0laCpFp9PyvV8JNijtgJ24nvv5/WP 1OLxMqMI4O0ZCOnnsOoiXtdfmRJYPE7z542uWMJ4NcsPl8Q3PXpSUNXNev8n5pDVoRTh qJmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=ierW4tV5TABLrxELw5/18jPizmPQojyXguaVtugA3QE=; b=yA91L0v68VvGOCmJXkL2Q8jOXdFU3bn8+actAN1+Zksp3CtXkrhrPyzto8c2TSaI9G 2yqfe9WheBu2oEvRd0Xi0bZYJF1VT0eZje2CjVpxb3w7y2hrutUts1tx4nmijWrQ4rnO brhE8gdCPLJbEsRX2AarO/3b7+rqbKQSvddJA18uWGqF0vohOIOmLmjdwYVWhb9XmOHW zglNfQa+wGVbKNdb2MEChWafKI4v93O499TcaHC5ISyrZWSFjiGL3p0ixcPXLkJiTblW YzGHzBONiCrQtUz4tIKENz0QHgkrAEl1bGv2ibWXKD456yqpVsmjranRdwrNgjIsOtFt x6VQ==
X-Gm-Message-State: ACgBeo3GyKUfVwMcuEOzQv22WWZ+ZuDGwQDbiv7N7NT81zXhwFQHibv6 9vyargF3IXokDj9Fv01ErCnTJ/h4b9TNZ+otKzDvRIKgGAbMx6Ia
X-Google-Smtp-Source: AA6agR7v0o3HREmdGI3vittMmtYXUZueZ7hoB+4jo9B0PNNfp9CInZIWb9/tR4Q0fZVQCBjGN13ZYmuWfj4nw/A8+ws=
X-Received: by 2002:a05:6e02:1946:b0:2df:2988:64fd with SMTP id x6-20020a056e02194600b002df298864fdmr13989961ilu.201.1661939408164; Wed, 31 Aug 2022 02:50:08 -0700 (PDT)
MIME-Version: 1.0
References: <20220831072731.5F2309000AF@hmail-m121149.qiye.163.com> <E413E79B-A819-48AE-9014-BDCF77ADA2EA@tsinghua.org.cn> <CAOj+MMHsNnnvhh=WZP6cw4LZY5PTy727uy3jsHqgnXfbN1R-uA@mail.gmail.com>
In-Reply-To: <CAOj+MMHsNnnvhh=WZP6cw4LZY5PTy727uy3jsHqgnXfbN1R-uA@mail.gmail.com>
From: Igor Malyushkin <gmalyushkin@gmail.com>
Date: Wed, 31 Aug 2022 11:49:56 +0200
Message-ID: <CAEfhRrwUYOUmZuaPhdF8m92iedRYeXaEpSXhUTTT5UmXFDyHqA@mail.gmail.com>
To: Robert Raszuk <robert@raszuk.net>
Cc: Aijun Wang <wangaijun@tsinghua.org.cn>, John E Drake <jdrake=40juniper.net@dmarc.ietf.org>, Sue Hares <shares@ndzh.com>, idr <idr@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000fdb1c05e7866ce4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/55lB1FGmb5KzhrZ_Y3pUN_CXs4c>
Subject: Re: [Idr] Adoption and IPR call for draft-wang-idr-vpn-prefix-orf-03.txt (8/16 to 8/30)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2022 09:50:35 -0000

Hi all,

I agree with Robert and John, I`ve expressed concerns about quotas several
times on this list. This construction is overcomplicated and unnecessary,
IMO. I know the authors` intention is to make things better in a case of a
VRF overflowing, but I want to point them to the fact that this case is
exceptional by the definition. We don`t face this problem on a daily basis.
When it happens human intervention is still required in any case. Thus, I
think we should concentrate our attention on the crux of the problem.

As I also said, I agree that we don`t need to receive routes in the case a
VRF is overflowed. We cannot exclude from the consideration the claims when
several PEs are "rogue" at the same time, so a destination PE needs to
process several groups of UPDATEs, then send ORF for every source, then
process UPDATEs with withdrawals. Multihoming is just one case from this
class. I believe it`s possible just to stop all UPDATEs for a VPN at the
same time (which the authors partially approved for the multihoming case).
Thus, we enhance a local VRF prefix limit feature without needing quotas,
source identification, and the rest of the complexity. I suggested the
authors include this option in the draft so implementors can decide which
approach is appropriate. Their favorite vendor can implement the draft with
quotas, others can do it too or not. This is not prone to interop problems
if it is inscribed well in the document.

Quotas are not only complex from the operational point of view. Although,
this is also important and frustrating. I still don`t agree that we need to
delete some routes from a VRF. Let`s imagine we have a quota for router A
on router B`s VRF of 100 routes, also there is a VRF prefix limit of 200
routes. At T1 we receive 100 routes from A, all of them are under the quota
and are valid. At T2, we receive extra routes from the A, say, 99 routes.
Router B warns ops via a logging system, but are these routes excessive?
Router B doesn`t send an ORF message because the VRF prefix limit is not
reached. At T3 we have 199 routes from the A in the VRF and receive another
group of 2 routes from the A. Now we`ve reached the limit. Router B sends
the ORF message and asks RR to withdraw of 101 route. But why? Why do these
2 routes make the previous 99 excessive? This logic is not straightforward
to me. Either don`t install routes over a quota or don`t delete them after
it. Even if we stay it in the draft future implementations won`t be easy to
understand by people.

My 2 cents.

ср, 31 авг. 2022 г. в 08:46, Robert Raszuk <robert@raszuk.net>:

> Dear Aijun,
>
> Sorry but I simply can't resist it ...
>
> On Wed, Aug 31, 2022 at 1:54 AM Aijun Wang <wangaijun@tsinghua.org.cn>
> wrote:
>
>> Hi, John:
>>
>> Glad to hear your concerns. Let me explain them to you:
>> 1) There are various reasons that the receiving PE is overflowed by the
>> excessive VPN routes. For example, the capabilities of PEs within the
>> network are different, we can’t block the source directly just solely based
>> on the request from one PE.
>>
>
>
> What you just stated above is simply the wrong thing to do in fact
> irrespective where the drop of the routes would take place in the network.
>
> If capacity of any PE does not permit serving given VPN such VPN should
> not be provisioned on such PE.
>
> Adding protocol extensions to address provisioning mistakes (not
> accidental as stated above but well thought onboarding of a VPN to a
> network) and in the same time partially breaking connectivity within
> subject VPNs should not be endorsed by any IETF WG.
>
> In fact what you have stated above is a clear proof that we do not even
> have a well defined problem statement. All we have is a solution which here
> and there in the network breaks VPN connectivity.
>
>
> > 2) For the quota setting, actually, the operator need only the per PE
> resource allocation under one VRF, and in most of
> > the situations, such per PE allocation will be same for one VPN in every
> PE
>
> You mean under each VRF on each PE.
>
> And please explain how that new number should be different from today's
> VRF prefix limit ? Why there is need to introduce new limit?
>
> Thx,
> R.
>
>> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>

v2.23.0 | Report a Bug | By Email