Re: [Idr] [Responses for the comments during the IETF108] New Version Notification for draft-wang-idr-rd-orf-01.txt
Gyan Mishra <hayabusagsm@gmail.com> Thu, 13 August 2020 11:14 UTC
Return-Path: <hayabusagsm@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 325613A0B8D for <idr@ietfa.amsl.com>; Thu, 13 Aug 2020 04:14:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ALQIorwwJs40 for <idr@ietfa.amsl.com>; Thu, 13 Aug 2020 04:14:48 -0700 (PDT)
Received: from mail-ua1-x930.google.com (mail-ua1-x930.google.com [IPv6:2607:f8b0:4864:20::930]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8CD43A0881 for <idr@ietf.org>; Thu, 13 Aug 2020 04:14:47 -0700 (PDT)
Received: by mail-ua1-x930.google.com with SMTP id d20so1510307ual.13 for <idr@ietf.org>; Thu, 13 Aug 2020 04:14:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pP4HX2JoFOSf4Nj+fuz2NmURfiI7wC1dCjdMjHhjESA=; b=piHW+qXoklt0D4iIZW9CjOhwMHBU+3rXJqKHMFETf0Eg7AcmMmK1ENo4UzIFxdtRLN rHZZZErNFoj6fQWFzyJipw6Amkb5naUXt128NqYQmbLx0oYUVcMGt9ntKnx/oEmxjLnz XHo38hVpwUEOALTGUQWoCMljINXNe/GqVkB42sEDARTV5+qNU3PygBrlN9cEvjfSon3U yICqHxqzpRAtxEptoUBsRDrZwSZhq10d4y/KuSLOsXkn55+y9Y9pE2+b7ZqKnmJeILo6 HXBKpnxgzbs2N5U8qV5J+nv2FKYr5lkOuuhYD4lSBWfVK9y8K4GJum2v1TGYewZTRhFS yhhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pP4HX2JoFOSf4Nj+fuz2NmURfiI7wC1dCjdMjHhjESA=; b=Dh3z773Y2uATbz8b83JWPpoxLwYkMdsVDetmpCGemvYK6xR4gNvDzq4/c0QF3GSYPv 6qgRiaTIBjZebrQj1/1xu1jyuVYUnFNeAtRAnBu5oNgv1iEZ6utvnrlTnBTu6YVxg5e/ Y7UVDy2HQKBdRwiDEyGkgAp2jasBBS9f/orhmjRFWqkvmHxJJJXwv8Wk0e/SFcDXez9V 8hzeoKlmacQqteW+FP1amfHL3Entua8KAyMqWSZzU5OUqZlsOHeVVMfOCrmWJ9bRf5kA 83px6mvJWivBA+7u/E3kQOMYlBSD9AZjMuMojlku55/U5zDdMKborZTtOWPLuFXkLNUC HB2A==
X-Gm-Message-State: AOAM5327BAxKwxsrAiGN+FOyz0aP1VK/e/v4aTwWm9UFKsEF8fWwh1bO oE5mvOChxlZVqY9rEr00vS7muiv7gJMUbHLa2Go=
X-Google-Smtp-Source: ABdhPJziL05VFUHhAUYwhvPXvXRZHaqufGE4PUgtF4/FYOgHXCAB3m5KHmH8M0NGi3Hu0lPnqXI8NS1GBxr/qL9JI10=
X-Received: by 2002:ab0:c3:: with SMTP id 61mr2626232uaj.106.1597317286361; Thu, 13 Aug 2020 04:14:46 -0700 (PDT)
MIME-Version: 1.0
References: <CABNhwV0upBRPwMmjV86ZOb1HObtugY5TQ5AdTt=tzv6mS=EzJg@mail.gmail.com> <2FFFEB16-DAAC-4E8A-AD24-7880A091F46E@tsinghua.org.cn> <CABNhwV0C9tmPre4KeRe+p5F2Wokjdb46M5UnC0LjRxwXue6ccw@mail.gmail.com> <CAOj+MME=-sC30LSEi9sdMZAwN-iWi-ATR7oT0n_4KeG5-o98ZQ@mail.gmail.com> <00ae01d66c58$de4da280$9ae8e780$@tsinghua.org.cn> <CAOj+MMH47cvi4YZCrgb_tDt6ttaL7M9_TS6fdFAX6GvFxs6LGA@mail.gmail.com> <DM5PR05MB3388C9D4EC80F129F67D6934C7490@DM5PR05MB3388.namprd05.prod.outlook.com> <CABNhwV0x2Nscniw0=pdUBinWmstv8MyyqKVy9evKnSNG2zeL6Q@mail.gmail.com> <67ef32c7d3aa43419382f9398ce1dc69@att.com> <CABNhwV2iTr6P7OwDYk5oLVfrA7Zt-j3WtHSdLF4T6gHoZJ3V1g@mail.gmail.com> <009201d66eb9$cad23ff0$6076bfd0$@tsinghua.org.cn> <CAOj+MMEufX1fjFk_R19=t2P7+49oJtYQH2rVB95U70KqxLwgqg@mail.gmail.com> <003701d66ef7$6d79bac0$486d3040$@tsinghua.org.cn> <CABNhwV1m-nZScygo11m7AG6P45X6r42TY28X4yv6wr_Cc-ruqw@mail.gmail.com> <00a501d67049$c455f720$4d01e560$@tsinghua.org.cn> <00d001d67075$cb474b20$61d5e160$@tsinghua.org.cn> <CABNhwV2+xqxzY1ET6h-TUpoAQQ0HoN-z_o5XZCzhb1gnXrsm6Q@mail.gmail.com> <007501d67124$1abbb980$50332c80$@tsinghua.org.cn>
In-Reply-To: <007501d67124$1abbb980$50332c80$@tsinghua.org.cn>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Thu, 13 Aug 2020 07:14:34 -0400
Message-ID: <CABNhwV2ZQTLWVFUSHzehM-Ee1ST-6N+t3E63uWCtMepm7ADMfA@mail.gmail.com>
To: Aijun Wang <wangaijun@tsinghua.org.cn>
Cc: John E Drake <jdrake=40juniper.net@dmarc.ietf.org>, Keyur Patel <keyur@arrcus.com>, Robert Raszuk <robert@raszuk.net>, "UTTARO, JAMES" <ju1738@att.com>, idr <idr@ietf.org>, wangw36@chinatelecom.cn
Content-Type: multipart/alternative; boundary="000000000000727d1e05acc06983"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/7iPPXjroIpFQRNb2V1Ktxi3zMkY>
Subject: Re: [Idr] [Responses for the comments during the IETF108] New Version Notification for draft-wang-idr-rd-orf-01.txt
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2020 11:14:53 -0000
On Wed, Aug 12, 2020 at 11:44 PM Aijun Wang <wangaijun@tsinghua.org.cn> wrote: > Hi, Gyan: > > > > *From:* Gyan Mishra [mailto:hayabusagsm@gmail.com] > *Sent:* Wednesday, August 12, 2020 10:56 PM > *To:* Aijun Wang <wangaijun@tsinghua.org.cn> > *Cc:* John E Drake <jdrake=40juniper.net@dmarc.ietf.org>; Keyur Patel < > keyur@arrcus.com>; Robert Raszuk <robert@raszuk.net>; UTTARO, JAMES < > ju1738@att.com>; idr <idr@ietf.org>; wangw36@chinatelecom.cn > *Subject:* Re: [Idr] [Responses for the comments during the IETF108] New > Version Notification for draft-wang-idr-rd-orf-01.txt > > > > Hi Aijun > > > > See in-line responses. > > > > Service Providers networks are built to be robust enough to carry customer > prefixes and account for flood of routes. > > > > The layers of protection are basic standard protection mechanisms for any > SP core public or private. > > > > 1. Infrastructure security ACLs on PE-CE links. > > > > 2. RTC on PE-RR to only advertise interesting RTs defined on PEs based on > import policy. > > > > 3. Per VRF maximum prefix setting based on edge node resources. > > *[WAJ] You mean to configure VRF maximum prefix on the PE-RR BGP session? > What you will do when the limit is exceeded? * > > *a) **Breaking down the BGP session with RR? Will influence other > VRFs on this PE.* > No. This is on the VRF global configuration for per VRF maximum prefix for the VRF RIB > *b) **Warning Only? The received PE will be busying to dealing the > afterward overloading routes, exacerbate the situation then?* > I think you are confusing peer maximum prefix with global VRF level maximum prefix. The warning option is there for peer maximum prefix command which is why I think you maybe confused. > 4. PE-CE edge peer maximum prefix > > > > 5. Inter AS Opt B RT level protection for rewrite or limit interesting RTs > to be accepted. > > > > The main point is the SP router infrastructure is built to account for > edge flood of prefixes intra or inter-as > > within any given edge or SP. The protection mechanisms above have address > all the issues of prefix flooding and has been the basic a used for years. > > > > Maybe first documenting actual use cases with a problem statement draft > that depicts the providers that had the problems you are describing and the > impact and why the solutions above did not resolve the issue. > > > > I think that is a first step as most all the responses on the ML are > stating that the above has historically solved the issues described. > > *[WAJ] We will add more contents in the updated draft to reflect the > response on the ML.* > > > > I am the lead architect and SME for Verizon a tier 1 carrier which carries > tremendous weight as a stakeholder worldwide and we have used these basic > standard best practices for years since the inception of MPLS IP VPNs 20+ > years ago. We have not run into any of the problems you are mentioning. > > *[WAJ] Actually, we write this draft mainly for EVPN over VxLAN/SRv6 > inter-AS scenario, where the Option-B/C will be preferred, instead of > Option-A as in MPLS-VPN. But the VPN route trashing possibilities exists > also within one AS.* > > That does make a difference and maybe you should state in the draft also I > think maybe exclude MPLS vpn. > > Thanks > > > > Gyan > > > > On Wed, Aug 12, 2020 at 2:57 AM Aijun Wang <wangaijun@tsinghua.org.cn> > wrote: > > Hi, Gyan: > > > > *From:* Gyan Mishra [mailto:hayabusagsm@gmail.com] > *Sent:* Wednesday, August 12, 2020 2:02 PM > *To:* Aijun Wang <wangaijun@tsinghua.org.cn> > *Cc:* John E Drake <jdrake=40juniper.net@dmarc.ietf.org>; Keyur Patel < > keyur@arrcus.com>; Robert Raszuk <robert@raszuk.net>; UTTARO, JAMES < > ju1738@att.com>; idr <idr@ietf.org>; wangw36@chinatelecom.cn > *Subject:* Re: [Idr] [Responses for the comments during the IETF108] New > Version Notification for draft-wang-idr-rd-orf-01.txt > > > > > > Hi Aijun > > > > Standard practice for service providers is to have Infrastructure ACLs I > call “Leaving the Kingdom” as when a packet enters or leaves the trusted > SP domain it is a requirement per security posture for providers to secure > the edge. As far as config errors, centralized NMS controller for > Restconf/Yang southbound policy push is the standard practice and that > makes for ZTP and day to to day operations configuration changes error free. > > *[WAJ] This is just the **“perimeter protection”, is useful but not > enough.* > > Gyan> I don’t understand why that does not work for you. > > > > As far as inter domain for opt B & C your control point is still your > PE-CE protecting your edges from a control plane perspective and data plane > perspective via infrastructure ACLs. The NNI inter as link with option B > is already a built in control point by design as you have to turn on > retain-route-target all and then tie to a policy for interesting RTs to > import as well as if their is an RT mismatch you have to manually via the > same protection policy perform a RT-Rewrite. > > *[WAJ] we are concerning the **“trashing routes” from interested VRFs, > not from the uninterested VRFs.* > > > > Gyan> I understand and even with the RTs imported you can still > define the per VRF maximum prefix in the RT translation case or existing > RTs on the ASBR as well as the PEs in the domain importing the routes. > > For Option C the SAFI 128 VPN control plane Is RR-RR so no RT filtering by > default but not to worry as RTC takes care of the RR-PE advertisements. > > > > I know your concern is with trashing of routes, however if you think about > it “who originates the trashing routes” ? > > > > So in this particular case it would be the provider outside of your > administrative control. > > > > If it’s the inter-as is within a single administrative domain that is one > thing but if it’s outside of the operators administrative domain and if > this issue exists with certain RTs they have trashing routes or RD. I do > see your point with opt b and c. > > > > In those cases where you had an RT or RD that had trashing routes you > could switch those to option-a back to back VRF and apply the maximum > prefix filter. > > > > So I think we have narrowed the scope of the trashing routes to inter-as > opt b or c going between administrative domains. At that layer you cannot > does the maxim prefix knob as it’s a VPN peer carrying all RTs. So all > you can do is filter on RTs. > > *[WAJ] If the **“trashing routes” from the interested VRF, filter on RTs > will erase all prefixes from this VRF?* > > Gyan> Understood, however you also have the per VRF maximum prefix that > you can set on the RTs imported from the other providers. > > I do still stand by the per VRF maximum prefix knob as the first global > control point that would be set on all PEs including the NNI inter-as > boundary PEs and that would be your first line of defense against trashing > routes. > > > > An example of how that would work is if you set the per VRF maximum to > 100,000 prefixes. Let’s say you get 1M+ prefixes on a 1000 different > VRFs and that happened all simultaneously a coincidental flood with all the > stars and moons in alignment. > > > > In that case for each VRF you would drop 900,000 routers per VPN. > > *[WAJ] But protect other VPNs in this PE from crashing.* > > Gyan> I don’t understand the crashing. Is that crashing of the router. > What would happen is the routes above the maximum would be clipped and > dropped. > > The RD-ORF or RT-ORF is still working at the RD RT VPN layer and does not > have the prefix level granularity as the PE-CE maximum prefix. > > *[WAJ] RD-ORF has the effect of PE-CE maximum prefix.* > > Understood. I think you need a study of service providers to depict why > the list of mentioned protection mechanisms won’t work for you. > > On every inter-as b c NNI if their was an RT that is thrashing you could > adjust the RT filter / RT translation policy to not permit the RT doing the > thrashing. > > > > As far as the RD-ORF the RD is used to make the prefix unique 64 bit > quantity so you can have overlapping prefixes within different VRFs unique > by the RD. As far as filtering their is no need to ever filter using RD. > That is never done in practice that I know of. So I would remove that from > the draft. The RD is usually set to auto which makes it unique within a > domain and of using a RR is required to be set to auto so that all the RDs > originated by each PE has a different RD so that they all get reflected by > the RR. Without that sub optimal routing can occur as all paths are not > reflected. In that the case of RD auto making the RD unique per VRF so > then their is no benefit from RD ORF. That being said if RR is not used > then the RD does not have to be unique pet VRF on a PE and so all VRFs > could have the same RD. > > *[WAJ] On one PE, different VRF will use different RD, or the address > spaces from different VRF has the possibilities to collide. If you can > assure the address space unique within different VRFs, what the reason to > use different VRFs then?* > > Gyan> I mis stated the RD scenario. Sorry. The RD can be the same on all > PEs within a VPN or different per PE within the same VPN on the VRF > definition. When RR is utilized the RD must be set to Auto which is the > standard practice so the the VPN routes from different PEs within the same > VPN can be reflected within the VRF which can only be possible if the RD is > different. L3 VPN does not have the option of “add path” as does SAFI 1 > so you must do RD auto for the RR route reflection to work on a per path > basis. So the RD as stated has to be different per VRF as that is what > makes the prefix unique and each prefix can have many RTs tagged to the > prefix if it is imported into many different VRFs. Your draft addresses > the RR scenario to use the RD-ORF prefix filtering feature. So now the RD > in the RR scenario now references the source per PE VPN routes advertised > to the RR and does not represent all PEs as the RD must be unique by RD > auto set to type 1 RD IP:Y. So your policy would be matching the Type 1 > RD. > > More dangerous in this case would allow you to ORF RD filter all VPNs > coming from a particular PE. > > *[WAJ] If these VPNs on this PE, uses same RD(you assure the address space > are non-overlapped), what the harm that we filtered based on RD ? These > VPNs act just like one VPN.* > > > > Gyan> See above comment > > > > That does seem quite dangerous and as it is a very unique case as RRs > are almost alway used my recommendation is to nix the ORF-RD. > > *[WAJ] RR is always used, RD is often unique for each VRF on one PE. Then > the scenarios that you described will not happen, what**’s the dangerous > then?* > > Gyan> See comments above addresses this. > > Kind Regards > > > > Gyan > > > > On Tue, Aug 11, 2020 at 9:42 PM Aijun Wang <wangaijun@tsinghua.org.cn> > wrote: > > Hi, Gyan: > > Theoretically, you are right. > > But, don’t’ you worry that if only one of the edge points being > comprised/error-configured/attacked, then all of PEs within your domain are > under risk? > > Furthermore, if you control different domains, and use Option-B/C to > provide the inter-AS VPN services, such risk/”trashing routes” can easily > spread among these domains? > > Don’t’ you think such network is too fragile? > > > > RD-ORF is the mechanism that aims to strengthen the risk resistance > capabilities. > > > > Best Regards > > > > Aijun Wang > > China Telecom > > > > *From:* Gyan Mishra [mailto:hayabusagsm@gmail.com] > *Sent:* Wednesday, August 12, 2020 3:54 AM > *To:* Aijun Wang <wangaijun@tsinghua.org.cn> > *Cc:* John E Drake <jdrake=40juniper.net@dmarc.ietf.org>; Keyur Patel < > keyur@arrcus.com>; Robert Raszuk <robert@raszuk.net>; UTTARO, JAMES < > ju1738@att.com>; idr <idr@ietf.org>; wangw36@chinatelecom.cn > *Subject:* Re: [Idr] [Responses for the comments during the IETF108] New > Version Notification for draft-wang-idr-rd-orf-01.txt > > > > Aijun > > > > If you use maximum prefix on every PE-CE peering at the edge how would the > PE-RR peering send “trashing routes”. The “trashing routes” would not be > present in the VPN RIB on the PE to send to the RR. > > > > To me that’s “Problem Solved”. > > > > Kind Regards > > > > Gyan > > > > On Mon, Aug 10, 2020 at 5:20 AM Aijun Wang <wangaijun@tsinghua.org.cn> > wrote: > > Hi, Robert: > > > > RD-ORF is mainly for restricting PE from sending trashing routes. When the > source PE receives such notification info, it should find which CE is the > real source of the routes. This is not the scope of this draft, but if > necessary, we can add some deployment consideration for this part later. > > “Prefix Limit” mechanism can only protect the edge between PE-CE, can’t > be deployed within PE that peered via RR. We should not rely solely on the > edge protection. > > > > You can also refer our discussion at > https://mailarchive.ietf.org/arch/msg/idr/d79fKMXa3HZcq6Zti5H7qnxJ1_o/ > > > > > > Best Regards > > > > Aijun Wang > > China Telecom > > > > *From:* Robert Raszuk [mailto:robert@raszuk.net] > *Sent:* Monday, August 10, 2020 5:06 PM > *To:* Aijun Wang <wangaijun@tsinghua.org.cn> > *Cc:* Gyan Mishra <hayabusagsm@gmail.com>; UTTARO, JAMES <ju1738@att.com>; > Keyur Patel <keyur@arrcus.com>; John E Drake <jdrake= > 40juniper.net@dmarc.ietf.org>; wangw36@chinatelecom.cn; idr <idr@ietf.org> > *Subject:* Re: [Idr] [Responses for the comments during the IETF108] New > Version Notification for draft-wang-idr-rd-orf-01.txt > > > > Aijun, > > > > > Using the RD-ORF can restrict the influence within one limited > scope(within one VRF, one PE, one domain or different domains) > > > > Please kindly observed that this is still not enough of granularity. > > > > As you know src VRF can have many CEs and perhaps just one of them say out > of 10 is injecting trashing routes. Then IMO penalizing reachability to all > 10 CEs instead of 1 is a very bad thing to do to your customer's VPN. > > > > RD is per VRF and not per CE and does not provide sufficient > granularity to address the protection problem you are pointing out. > > > > Also apologies if I missed it but I do not think you have sufficiently > explained what is wrong with using the prefix limit on incoming sessions to > your PE. You said this is one way. If it solves the problem why to invent > different way ? If it does not solve the problem please explain why. > > > > Thx, > R. > > > > On Mon, Aug 10, 2020 at 3:58 AM Aijun Wang <wangaijun@tsinghua.org.cn> > wrote: > > Hi, Gyan, Jim, John and Robert: > > > > Thanks for your detail analysis. > > Actually, we know the value of RTC mechanism, but it is not enough for > controlling the route limit within one VRF. > > The propagation of routes that influence the router performance can come > from different VRFs and can also come from the same VRF. > > RTC aims to solve the former problem, RD-ORF aims to solve the latter. > > > > If we depend on the local discard, as Robert proposed, the route > inconsistence can also occur. It is the sacrifice we should accept. > > Using the RD-ORF can restrict the influence within one limited > scope(within one VRF, one PE, one domain or different domains), in > controlled manner. > > RD-ORF is based on the ORF mechanism, which is transferred via P2P > message. Every node on the path can have its policy to determine whether or > not sending this filter information to the upstream BGP peer, based on its > performance criteria. > > > > Best Regards > > > > Aijun Wang > > China Telecom > > > > *From:* idr-bounces@ietf.org [mailto:idr-bounces@ietf.org] *On Behalf Of *Gyan > Mishra > *Sent:* Saturday, August 8, 2020 6:39 AM > *To:* UTTARO, JAMES <ju1738@att.com> > *Cc:* Keyur Patel <keyur@arrcus.com>; John E Drake <jdrake= > 40juniper.net@dmarc.ietf.org>; wangw36@chinatelecom.cn; Robert Raszuk < > robert@raszuk.net>; idr <idr@ietf.org> > *Subject:* Re: [Idr] [Responses for the comments during the IETF108] New > Version Notification for draft-wang-idr-rd-orf-01.txt > > > > Agreed and good points. > > > > As you said the processing is not impacting the forwarding aspect. Agreed. > > > > As RTC is SAFI 132 flood control mechanism RR to PE optimization if you > have a ton of SAFI stacked as you’ve mentioned the optimization applies > to all the SAFI stacked onto the PE to RR peering. > > > > RTC is an optimization in that respect and not a requirement as default RT > filtering rule application eliminates all accept what is explicitly > imported. > > > > I gave the IP VPN example but as you stated the RTC optimization can be > used for a variety of SAFI but is not a requirement. > > > > L3 VPN is a good example although it it does not really come into play as > much for intra domain as in general all PEs have the same VPNs defined, > however inter-as is a different story and there as that is not the case the > flooding can really be cut down as stated to interesting RTs only. > > > > Thanks > > > > Gyan > > > > On Fri, Aug 7, 2020 at 6:21 PM UTTARO, JAMES <ju1738@att.com> wrote: > > *The rationale for RTC is not to prevent paths being sent from an RR to a > PE in a L3VPN. Granted that this could be a secondary benefit when routes > are flooded from an RR towards a PE. Flooding of routes occurs in two > cases:* > > > > a. *PE is rebooting. In this case the PE is not operational so in > reality it does not matter how many paths are being sent. I have seen > millions of paths being sent to a vintage router @1999 and it rips through > these paths keeping the ones it needs for the VPNs instantiated on it and > discarding the rest. Again the PE is not up so it really does not matter.* > > b. *A VRF is added to an existing PE that is operational. In this case > the RR floods the paths towards the PE, the RE processes and keeps paths of > interest. This processing in no way affects the forwarding aspect of the > router. I have seen millions of paths flooded towards for this case and > there is no effect on forwarding.* > > > > *RTC’s assumption is that the RR topology services a set of VPNs that are > localized. As an example, if VPN A is localized to California and VPN B to > New York an RR topology that has two clusters East and West can deploy RTC > to ensure the East cluster never has to “see” the VPN B routes and the West > cluster never has to “see” the VPN A routes. * > > > > *Generally speaking VPNs are not localized in this fashion and RTC has > limited value and the downside of path hiding. Assume one wants to dual > purpose the RR as a stitcher and wants to “stitch” as subset of VPN A paths > to VPN B and vice versa.. Path hiding would prevent this.* > > > > *Where RTC makes a lot of sense to me is where the VPN is local.. > Specifically Kompella VPWS spec is by definition local where each VPN has > two members in a point to point topology and is also generally localized to > a given region/metro/LATA. Here RTC can reduce the number of paths on RRs > in a substantial manner. In the above ex all California VPWS paths are > local and there is no need to populate said paths on the East coast RRs. > This also makes sense for Kompella/VPLS, EVPN/VPLS, EVPN/VPWS, and > EVPN/FXC..* > > > > *Thanks,* > > * Jim Uttaro* > > > > *From:* Idr <idr-bounces@ietf.org> *On Behalf Of *Gyan Mishra > *Sent:* Friday, August 07, 2020 5:32 PM > *To:* John E Drake <jdrake=40juniper.net@dmarc.ietf.org> > *Cc:* Keyur Patel <keyur@arrcus.com>; wangw36@chinatelecom.cn; Robert > Raszuk <robert@raszuk.net>; idr <idr@ietf.org> > *Subject:* Re: [Idr] [Responses for the comments during the IETF108] New > Version Notification for draft-wang-idr-rd-orf-01.txt > > > > Hi Authors > > > > I agree with Roberts’s analysis as well. > > > > As pointed out by Robert this feature appears to be a dangerous addition > to the BGP specification. The concept or idea of wanting to drop routes > for select devices based on criteria that is not holistic. > > > > BGP is a holistic routing protocol and by that I mean consistent and > ubiquitous propagation of NLRI’s throughout the domain. The concept of > resource constrained nodes and creating a BGP knob for resource constrained > nodes is out of the scope of the BGP protocol. The goal and primary > purpose of BGP is to provide “reachability” a by that I mean every router > in the domain has a consistent view of the topology soft state and > identical RIB.. This is not different then the goal of an IGP to provide > next hop reachability and a consistent view of the domain meaning IGP > database synchronization. Vendors provide plenty of knobs to filer that > consistent view of the domain but those are very one off exception use > cases where that happens in both the IGP and EGP world. In the IGP world > for example take OSPF or ISIS you can as a corner case filter the IGP RIB > that is on a router with an inbound prefix filter. This is an exception to > the rule but it must be done carefully as since the LSDB is “synchronized” > every router interface on every device in the domain bust now require that > same filter implemented as the database is “synchronized” for the goal of > both IGP and EGP to provide a consistent identical view of the domain. > Similarly with EGP such as BGP iBGP intra domain filtering is not > recommended and is not built by design to so as the goal BGO is to provide > the same reachability. You can match and manipulate BGP attributes but not > filter as it will break the goal and primary purpose of BGP in the intra > domain construct of a consistent identical view throughout the domain. > > > > There is already control mechanisms built into BGP to prevent routing > loops and re-advertisements such as BGP originator-id and cluster-id and > cluster list path created for route-reflector-client originated routes to > prevent loops as well as RR side sidenon client to non client > re-advertisement controls. > > > > > > From an IP VPN framework perspective you have to understand that a PE has > RT filtering enabled by default which is the control mechanism. Their is > absolutely no need for any additional resource constrained node knob to > drop NLRI in what seems to be a random inconsistent fashion. What PE “RT > filtering” means and this is a very basic concept but and applied > directly to what you are proposing and is the grounds to stop development > of the draft. So when an RR advertises prefixes to a PE and let’s say > their are a million RTs and let’s say the PE is configured to import RT=1 > and so only one RT. So now what happens is the RR advertises 1M RTs and > the PE per “RT filtering” drops 999,999 RTs as the PE only has RT=1 > defined. > > > > This issue caused unnecessary flood of RTs that soaks up operators > bandwidth that is not necessary that are going to be dropped anyway. > > > > RTC to the rescue!! > > > > > > RTC provides a elegant function to control advertisements from RR to PE > and is very robust and sensible in that it not dropping routes randomly or > because a few nodes have a resource constraint. RTC has a well defined > purpose which is to cut down on a flood or RTs to a PE as described. > > > > So the PE-RR peering had a RTC BGP MP reach AFI/SAFI defined on each peer > SAFI 132 enabled on each PE-RR peering capability is established > send/receive state. So now what happens is the PE does an ORF to the RR > stating that I only have RT=1 defined for import which is sent in a RTC > membership report to the RR. The RR with RTC capability enabled now honors > what the PE has stated and only sends RT=1 and not 1M RTs. > > > > Hooray for RTC saves the day = Job well done > > > > This issue can be exacerbated with NNI inter-as when using option-b where > all VPN routes are propagated. In this case we have default “RT filtering > ” to the rescue to slow down the RT propagation to be done in a > controlled fashion. So by default on the RR node does not have RT > filtering enabled by default and only PEs have that feature enabled by > default. With Option-B the inter-as link is PE-PE peering connecting the > two SP domains together. So looking deeper into option-b you can set “ > retain-route-target” which now changes the default behavior and is > required for the VPN routes to be propagated. In some cases between > providers the RT does not match so a RT-rewrite is required so in that case > the rewrite policy become the RTC like filtering mechanism. In case where > RT is the same between providers we tie the “retain-route-target all” to > a RT filter “RTC like” to only accept RTs pertinent to the domain. > > > > With inter-as option C we run BGP LU for labels unicast end loopback FEC > all leaked between domains via eBGP and IBGP LU for data plane forwarding > and the control plane function vpn peer that was on the PE-PE in option-b > is RR-RR eBGP vpnv4 vpnv6 SAFI 128. Since the RR sits in the control plane > not the data plane “RT filtering” is not enabled by Default. So for the > proper end to e f LSP data plane forwarding we have to set BGP “ > next-hop-unchanged” so that the next hop attribute is now the ingress and > egress PEs between domains for the end to end LSP. So now in this case all > the SAFI 128 RTs are propagated between domains. You can apply explicit RT > filtering in this scenario but generally that is not done as opt-c used > mostly within same administrative domain or special agreement scenario > between SPs that work closely together or in M&A activity type scenarios.. > So now we still have RTC SAFI 132 eatabled PE-RR within each domain so even > if you got a quadrillion RTs on the RR-RR peering and did not want to > filter there we have RTC back to the rescue and if you only have 1M RTs > defined for import on the PE within each domain, now in a graceful > controlled fashion only 1M RTs are not advertised RR to PE within each > domain. > > > > This same concept as IP VPN is an “overlay” it applies to SR both SR-MPLS > and SRv6 as well. > > > > From an BGP architecture and designer perspective when building a “SP core” > in that standard framework where you have separation of control plane and > data plane where the RRs are dedicated control plane function and don’t > sit in the data plane where the PEs RRC clients sit at the edge sit in the > data plane for ingress to egress LSP to FEC to be built. > > > > So in a nutshell, a combination of default RT filtering on PEs, and > controlled RT advertisements via ORF RT membership via RTC we have complete > control of SAFI 128 advertisements for resource constrained nodes as it > stands today and there is absolutely no need for this draft to be > considered with IDR. > > > > I did not mention the per VRF maximum prefix knobs to control how big each > VPN gets at a micro level so we have that control mechanism as well. In > general most providers have this set as a rule of thumb per VRF maximum > which is sized accordingly to the lowest resource constrained node within > an operators network and is publish as the SLA customer agreement contract > as part of the VPN service offering. > > > > Kind Regards > > > > Gyan > > > > On Fri, Aug 7, 2020 at 8:35 AM John E Drake <jdrake= > 40juniper.net@dmarc.ietf.org> wrote: > > Hi, > > > > I agree with Robert’s analysis. There is no need to define an external > mechanism to deal with an internal node issue. > > > > Yours Irrespectively, > > > > John > > > > > > Juniper Business Use Only > > *From:* Idr <idr-bounces@i <idr-bounces@ietf.org> > > -- <http://www.verizon.com/> *Gyan Mishra* *Network Solutions A**rchitect * *M 301 502-134713101 Columbia Pike *Silver Spring, MD
- [Idr] New Version Notification for draft-wang-idr… wangw36@chinatelecom.cn
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Robert Raszuk
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Rajiv Asati (rajiva)
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Robert Raszuk
- Re: [Idr] [Responses for the comments during the … Robert Raszuk
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Robert Raszuk
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Gyan Mishra
- Re: [Idr] [Responses for the comments during the … Robert Raszuk
- Re: [Idr] [Responses for the comments during the … Gyan Mishra
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … UTTARO, JAMES
- Re: [Idr] [Responses for the comments during the … Gyan Mishra
- Re: [Idr] [Responses for the comments during the … Robert Raszuk
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Robert Raszuk
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Robert Raszuk
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Robert Raszuk
- Re: [Idr] [Responses for the comments during the … John E Drake
- Re: [Idr] [Responses for the comments during the … Gyan Mishra
- Re: [Idr] [Responses for the comments during the … UTTARO, JAMES
- Re: [Idr] [Responses for the comments during the … Gyan Mishra
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Robert Raszuk
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Gert Doering
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Gert Doering
- Re: [Idr] [Responses for the comments during the … Gyan Mishra
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Gyan Mishra
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Robert Raszuk
- Re: [Idr] [Responses for the comments during the … Gyan Mishra
- Re: [Idr] [Responses for the comments during the … Aijun Wang
- Re: [Idr] [Responses for the comments during the … Gyan Mishra