Re: [Idr] Adoption and IPR call for draft-wang-idr-vpn-prefix-orf-03.txt (8/16 to 8/30)

All,

I agree with Robert on abandoning the proposal – this draft adds new semantics to the RD and unneeded complexity for a problem that is already solved.

Thanks,
Acee

From: Idr <idr-bounces@ietf.org> on behalf of Robert Raszuk <robert@raszuk.net>
Date: Friday, August 26, 2022 at 8:25 AM
To: Aijun Wang <wangaijun@tsinghua.org.cn>
Cc: IDR List <idr@ietf.org>, Susan Hares <shares@ndzh.com>
Subject: Re: [Idr] Adoption and IPR call for draft-wang-idr-vpn-prefix-orf-03.txt (8/16 to 8/30)

Aijun,

Indeed this is going in circles ... So let me repeat one more time for those who came recently to this discussion.

When you are offering a LxVPN service (or even ISP Internet Transit) you sign with your customer Service Agreement when he declares the number of routes he will be sending to you.

It is clear that you better use platforms which can accommodate that service level agreement to construct the connectivity.

And the way you control/policing this is by PE-CE ingress prefix limit.

For Inter-AS again you are not to blindly accept everything, but you tightly control what is being injected into your network.

If you think what is in place today to control what is accepted to the network is not sufficient I think everyone will welcome new suggestions.

But you can not take everyone who comes in then just drop them in the middle of the flight ...

This proposal should be abandoned.

Kind regards,
Robert

On Fri, Aug 26, 2022 at 1:55 PM Aijun Wang <wangaijun@tsinghua.org.cn<mailto:wangaijun@tsinghua.org.cn>> wrote:
Hi, Igor:

What you quoted has stated the VRF Limit mechanism is not enough to alleviate the receiving router from parsing the overflowed BGP updates.
We need to push back theses overflowed routes via the VPN Prefixes ORFF mechanism, which needs the quota to judge which VPN routes breaks its threshold.
Wish the above explanation can help you get the key motivation of this draft.
Aijun Wang
China Telecom

On Aug 26, 2022, at 19:05, Igor Malyushkin <gmalyushkin@gmail.com<mailto:gmalyushkin@gmail.com>> wrote:
Hi Wei,

Thanks for your comments.

It seems we are going around the same point again and again. I understand what quota gives us, but I don't think that it is necessary (or mandatory) and that it should be a core feature of your solution. Neither draft-wang-idr-vpn-routes-control-analysis nor draft-wang-idr-vpn-prefix-orf gives us a good motivation for that (please point me to it if I'm wrong).
Let me quote draft-wang-idr-vpn-prefix-orf:

5) Configure the Maximum Prefix for each VRF on edge nodes

 When a VRF overflows, it stops the import of routes and log the extra

   VPN routes into its RIB.  However, PEs still need to parse the BGP

   updates.  These processes will cost CPU cycles and further burden the

   overflowing PE.
It does not matter for what reason a VRF`s prefix limit has been overflowed (at least I don't see any discussion in the documents about it). All we need in this case is to stop receiving routes into this VRF whatever the source of them. Maybe it is possible to describe two options in your draft? One is based on the VRF prefix limit solely and another is for its slicing by source PEs (as you see it). The first is mandatory.

пт, 26 авг. 2022 г. в 04:27, Wei Wang <weiwang94@foxmail.com<mailto:weiwang94@foxmail.com>>:
Hi Igor,
    We think the quota value should be set based on the resouce limit of the receiver device and the number of route sources(PEs) within the same VPN. The aim of the quota is to ensure the resouce is shared/used properly among the sources.
    The quota value usually be set much higher than PE-CE limit. It will certainly have enough margin to accomodate the possible future expansion and need no shrink when one or some the PEs are taken out of the VPN.

Best Regards,
Wei
------------------ Original ------------------
From: "Igor Malyushkin" <gmalyushkin@gmail.com<mailto:gmalyushkin@gmail.com>>;
Date: Thu, Aug 25, 2022 05:30 PM
To: "Aijun Wang"<wangaijun@tsinghua.org.cn<mailto:wangaijun@tsinghua.org.cn>>;
Cc: "Robert Raszuk"<robert@raszuk.net<mailto:robert@raszuk.net>>;"Wanghaibo (Rainsword)"<rainsword.wang=40huawei.com@dmarc.ietf.org<mailto:40huawei.com@dmarc.ietf.org>>;"Susan Hares"<shares@ndzh.com<mailto:shares@ndzh.com>>;"idr@ietf. org"<idr@ietf.org<mailto:idr@ietf.org>>;
Subject: Re: [Idr] Adoption and IPR call for draft-wang-idr-vpn-prefix-orf-03.txt (8/16 to 8/30)

Hi Aijun,

Thanks for the comments, please see the inline below.

чт, 25 авг. 2022 г. в 08:30, Aijun Wang <wangaijun@tsinghua.org.cn<mailto:wangaijun@tsinghua.org.cn>>:
Hi, Igor:

The setting of quota value is the matter of management issue, and should be decoupled from the control plane.
[IM] From my point of you in your specification, this is the only option.
If you select to let the source PEs advertise such value, it is possible that they change it along with their overflow VPN routes.
[IM] Well, if the limit between a source and destination PEs should be linked as you are suggesting, increasing some value for one VRF cannot be made without of review other VRFs among a common VPN. No matter if the limit is set manually on a destination PE or dynamically synced from a source. A network design should be consistent.
And from the POV of the receiver PE, before you setting the prefix limit under each VRF, you should have the well estimated quota/value from each PE or each VRF.
[IM] That is where we do not agree with each other. From my perspective, if we are talking about local PE protection then setting a limit under a VRF is a matter of the number of all VRFs under the PE and some memory limits of the PE. And the VRF limit, in this case, does not be the same as the sum of all incoming routes, it can be slightly bigger. If we see warnings (say, we've just exceeded 80%) we are considering increasing this value (if the memory limit allows it) or updating the hardware. Your suggestion requires reviewing the limits for all VRFs every time we add or remove a VRF-PE pair (not to mention configuring of these limits). And at the end of the day, you actually reach the same local memory limit. I want to remember that the solution you are suggesting actually does not depend on how we set the prefix limit for the VRF. When it is reached we just signal to stop sending.
As stated before, in most of the situation, the per <PE> or per <RD, PE> quota will be the same value, the operator will not let the design of its network too complex to operate, but the standard should provide the finer control capabilities.
 [IM] I believe the standard should provide finer control for a reason. Let's imagine that without these quotas the solution will not work, but it will.
 This is same as the usage of RD within the network. There is no scenario that the operator to allocate different RDs for one VPN on the same PE. What we often do is that we allocate different RDs for the same VPN on different PEs. Then RD is the right value to distinguish the VPNs on one PE.
 [IM] All I wanted is to point to the authors that from the parent standards POV an RD is not a unique ID for a VRF (under a single PE). Some scenarios may emerge in the future.

Best Regards

Aijun Wang
China Telecom

From: idr-bounces@ietf.org<mailto:idr-bounces@ietf.org> <idr-bounces@ietf.org<mailto:idr-bounces@ietf.org>> On Behalf Of Igor Malyushkin
Sent: Thursday, August 25, 2022 3:14 AM
To: Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>>
Cc: Wanghaibo (Rainsword) <rainsword.wang=40huawei.com@dmarc.ietf.org<mailto:40huawei.com@dmarc.ietf.org>>; Susan Hares <shares@ndzh.com<mailto:shares@ndzh.com>>; idr@ietf.org<mailto:idr@ietf.org>
Subject: Re: [Idr] Adoption and IPR call for draft-wang-idr-vpn-prefix-orf-03.txt (8/16 to 8/30)

For sure it is design-depended. If every VRF has its own RT it will work. But I think if we have a mechanism that allows us to attach several RTs to a route we are in a trouble. Guys are just typing to cover this case.

If we talk in general about a whole solution I also think that the way with the new AFI/SAFI is much better. I also don't understand the benefits behind quotas per VRF-PE pair, but if it is really worth the time I expect to see the propagation of these quotas from source PEs instead of a manual configuration. I think it can be easily introduced into a solution with the new AFI/SAFI.

ср, 24 авг. 2022 г. в 21:05, Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>>:
Igor,

RT can uniquely distinguish src vrf. It is simply a matter of proper configuration. No ned protocol extension is required.

Thx,
R.

On Wed, Aug 24, 2022 at 9:03 PM Igor Malyushkin <gmalyushkin@gmail.com<mailto:gmalyushkin@gmail.com>> wrote:
Hi Haibo,

2) It is unpractical to set the quota value for <RT>, or <RT, PE> under VRF, because RT can't uniquely distinguish one VRF on one PE.
What if a VRF has several RDs for its routes? RFC4364 and RFC4659 don't restrict this behavior and even more, it explicitly describes it. So, RD also can't uniquely distinguish one VRF. Looks like we need a different marker for all routes belonging to the same source VRF. Say, VPN ID community or something like that.

ср, 24 авг. 2022 г. в 18:26, Wanghaibo (Rainsword) <rainsword.wang=40huawei.com@dmarc.ietf.org<mailto:40huawei.com@dmarc.ietf.org>>:
Hi Sue and WG,

I support this adoption.
This draft proposes the mechanism to control the overflow of VPN routes within one VRF from influencing other VPNs on the same device automatically.

The updated contents have accommodated the suggestions and addressed the comments raised within the WG discussions. Some additional concerns can be addressed after the adoption.

I am not aware of any undisclosed IPR to this draft.

To make the actual progress of this draft, we should avoid to discuss the solved points back and forth. For example, RTC mechanism is not suitable for the scenarios that described in this adoption draft, because:
1) RTC has no any automatic detection mechanism to determine which RT should be withdrawn now.
2) It is unpractical to set the quota value for <RT>, or <RT, PE> under VRF, because RT can't uniquely distinguish one VRF on one PE.
3) It is dangerous to propagate the RT based filter rule unconditionally in the intra-domain or inter-domain wide, as that done in current RTC mechanism.

The conclusion, RTC is not the right direction to accomplish the goal.

Regards,
Haibo

From: Idr [mailto:idr-bounces@ietf.org] On Behalf Of Susan Hares
Sent: Tuesday, August 16, 2022 11:56 PM
To: idr@ietf.org<mailto:idr@ietf.org>
Subject: [Idr] Adoption and IPR call for draft-wang-idr-vpn-prefix-orf-03.txt (8/16 to 8/30)

This begins a 2 week WG Adoption call for draft-wang-idr-vpn-prefix-orf-03.txt
https://datatracker.ietf.org/doc/draft-wang-idr-vpn-prefix-orf/

The authors believe that they have addressed the concerns raised in
the previous 2 WG adoption calls.

The WG should consider if:

1) The revised text answers the previous concerns regarding
the scope of this draft?

2) Does the revised text provide a useful function for
networks?

3) Are there any additional concerns regarding the new text?

Each of the authors should send an IPR statement for
this version of the draft.

The adoption call was moved to 8/29 to 8/30 to allow questions
to be asked at the IDR interim meeting on 8/29/2022 (10am – 12pm EDT).

Cheers, Sue Hares
_______________________________________________
Idr mailing list
Idr@ietf.org<mailto:Idr@ietf.org>
https://www.ietf.org/mailman/listinfo/idr
_______________________________________________
Idr mailing list
Idr@ietf.org<mailto:Idr@ietf.org>
https://www.ietf.org/mailman/listinfo/idr
_______________________________________________
Idr mailing list
Idr@ietf.org<mailto:Idr@ietf.org>
https://www.ietf.org/mailman/listinfo/idr