IETF Logo Mail Archive

Re: [Idr] flowspec srv6 policy

Robert Raszuk <robert@raszuk.net> Thu, 31 March 2022 09:20 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAD073A09EF for <idr@ietfa.amsl.com>; Thu, 31 Mar 2022 02:20:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.089
X-Spam-Level: *
X-Spam-Status: No, score=1.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MANY_SPAN_IN_TEXT=3.196, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z-c2teOHNcYN for <idr@ietfa.amsl.com>; Thu, 31 Mar 2022 02:20:27 -0700 (PDT)
Received: from mail-vk1-xa33.google.com (mail-vk1-xa33.google.com [IPv6:2607:f8b0:4864:20::a33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17DD13A0A53 for <idr@ietf.org>; Thu, 31 Mar 2022 02:20:27 -0700 (PDT)
Received: by mail-vk1-xa33.google.com with SMTP id o132so586299vko.11 for <idr@ietf.org>; Thu, 31 Mar 2022 02:20:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Uv8tSp7cwqngRd0bN5XYXE5yPIpr10QdlGhldiEXn9o=; b=DCj2klrjl+8tVPJCX4ZXiKWNiXWaX/QA0P8r1rxe8zOIodl4WibOwCX2dz0/pVmxl8 KvQw6M97JjTavJjoUu/bJimbw2m/DWmRp0SjFfatCRQpcFakhEpW0qKOvw6V8R3wc/FF 9GnnxvijdFwlEDSkY7sE2W74wCGwXmNmHe7weg4iL1kUdKRLfcl3LLa+pbR7Q6JIpGzI SNjSN99ipH/tgw/oxTC3qeA1hVtfTxNJ4eid9ilFXLV1amBxMsWSYxyMu8FVSRTQXtEj 1gE2wJrC2OybF1jpEC7S1jIiC4veeoRGRrnx5x9O1GOo4vzbfWb2+coj4ipYSnW3D1oV qv+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Uv8tSp7cwqngRd0bN5XYXE5yPIpr10QdlGhldiEXn9o=; b=DDH9LSt7SuJqnR9e/txq/E7ElUkujNQg2X+EeLUiTttKizWcWNb4WfVduEkrN+7XBq /ysG15+Vuf1nVeo3feo00E1TJ4OZuys+EFUXM2AuVhaj6+mQn+fJf1lTu4p5ScwIrUTL MKcLRNDrcTOgcsyODn38SfBHZrHDfF4QB7imZPcwuF6Crzwn3Um1vSRBf+fKLQT5eRij +Pv5vL+bV12o0ELbT7VLDHvPXXfTsIkLtbi+Aaba1QCE07Zezar9LB+iIoeLf6QERYmB Fy6Oqd+r6FrGqWgf2uNTRL33UERvAO8QuvmJ0cLpCXRkuA8uVUNELnyaJhWc988laUV5 yusg==
X-Gm-Message-State: AOAM532TQgDVqzdWUBW3Y6Uhu1yhQroqbj7bZ0KTGhH06l6Kbvy2D7hc OJT+qGkJMDkJjnKiPfCEZyA/tUvnOGCJYl1c8VngZw==
X-Google-Smtp-Source: ABdhPJwjkdwRtHRP7+fPHSUhJNpafy+Sfvar0/WoPHzeooJHiz1QegJk3IZyn0xNR3T0OzILN5TLFvuryMSbkp/GMGU=
X-Received: by 2002:a05:6122:168a:b0:343:42c2:d2fd with SMTP id 10-20020a056122168a00b0034342c2d2fdmr1722404vkl.18.1648718425567; Thu, 31 Mar 2022 02:20:25 -0700 (PDT)
MIME-Version: 1.0
References: <2b006242b98b088-0000c.Richmail.00009020260016086517@chinamobile.com> <AM0PR07MB449757263F01AB03E104D763831F9@AM0PR07MB4497.eurprd07.prod.outlook.com> <AM0PR07MB44975B9BC281D9E0ED2FAD2C83E19@AM0PR07MB4497.eurprd07.prod.outlook.com>
In-Reply-To: <AM0PR07MB44975B9BC281D9E0ED2FAD2C83E19@AM0PR07MB4497.eurprd07.prod.outlook.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Thu, 31 Mar 2022 11:21:16 +0200
Message-ID: <CAOj+MMHz6yxHu29jYmc5=TO9QXnBG=Hv9X4jOj0aLnfVR96OUg@mail.gmail.com>
To: "Henderickx, Wim (Nokia - BE/Antwerp)" <wim.henderickx@nokia.com>
Cc: 姜文颖 <jiangwenying@chinamobile.com>, "ketant.ietf" <ketant.ietf@gmail.com>, zhuangshunwan <zhuangshunwan@huawei.com>, draft-jiang-idr-ts-f <draft-jiang-idr-ts-flowspec-srv6-policy@ietf.org>, "idr@ietf.org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000017454205db802cc2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/EuDnM7ayXElZ9K7XLav1b4fRFRE>
Subject: Re: [Idr] flowspec srv6 policy
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2022 09:20:32 -0000

All,

Just for the record ... Yes, the redirect function is very important
functionality and has been in flowspec 5575 since day one.

The only important design decision is that both Pedro and myself were of
the opinion that flow redirection or "tee" function needs to be built with
hierarchy in mind for flexibility and scaling aspects.

That is why original 5575 only allows redirection to a VRF. From there you
can handle the traffic in zoo of different ways, but you keep flowspec
protocol agnostic to those redirect destinations. Such local VRF redirect
implementation wise also can be built very efficiently and packets do not
recirculate.

I see now a lot of complexity introduced to flatten this and carry in
flowspec destinations next hops, colors, IDs ... That to me is an
indication that we are walking in the opposite direction
for questionable convenience.

I realize that this note may not change current proposals, but at min I do
recommend that when you are defining redirect a match option "ALL FROM VRF
FOO" is provided so at least those operators who will be willing to deploy
this have operational choice to use it flat or in a hierarchical manner.

Best,
Robert







On Thu, Mar 31, 2022 at 6:51 AM Henderickx, Wim (Nokia - BE/Antwerp) <
wim.henderickx@nokia.com> wrote:

> Hi,
>
>
>
> Doing a bit more digging into this I believe the difference between what
> you propose versus the flowspec-path-redirect is the fact that  you propose
> to use the color/endpoint in the BGP pkt instead of using the redirect ID
> in the flowspec NLRI
>
>
>
> Now in any case we have to upgrade the SW to support the mapping of the
> flowspec to the SR-Policy. So the difference really is using color/endpoint
> versus the redirect id (which actually also represent the same thing to map
> to the SR-Policy). Now as you pointed out the ambiguity if you have
> multiple color communities is resolved when you use the redirect id as you
> have only 1 option and as such is more safe as a mechanism. It resolves the
> ambiguity.
>
>
>
> Also given that this is a mechanism used for multiple scenario’s not only
> SR-policy we should continue down this path in my view rather than doing
> special cases. My 2 cents
>
>
>
> *From: *Henderickx, Wim (Nokia - BE/Antwerp) <wim.henderickx@nokia.com>
> *Date: *Wednesday, 30 March 2022 at 21:59
> *To: *姜文颖 <jiangwenying@chinamobile.com>, ketant.ietf <
> ketant.ietf@gmail.com>, zhuangshunwan <zhuangshunwan@huawei.com>
> *Cc: *draft-jiang-idr-ts-f <
> draft-jiang-idr-ts-flowspec-srv6-policy@ietf.org>, idr@ietf.org <
> idr@ietf.org>
> *Subject: *Re: [Idr] flowspec srv6 policy
>
> Thx for the info. It seems some people already added the SRV6 elements to
> the flow spec indirection-id
>
>
>
>
> https://datatracker.ietf.org/doc/draft-ietf0-idr-srv6-flowspec-path-redirect/
>
>
>
>
>
> *From: *Idr <idr-bounces@ietf.org> on behalf of 姜文颖 <
> jiangwenying@chinamobile.com>
> *Date: *Tuesday, 29 March 2022 at 10:49
> *To: *ketant.ietf <ketant.ietf@gmail.com>, zhuangshunwan <
> zhuangshunwan@huawei.com>
> *Cc: *draft-jiang-idr-ts-f <
> draft-jiang-idr-ts-flowspec-srv6-policy@ietf.org>, idr@ietf.org <
> idr@ietf.org>
> *Subject: *Re: [Idr] flowspec srv6 policy
>
> Hi,Thanks for your comments.
>
>
> I'm the co-author of the draft, which is rather than improving on the
> existing draft-ietf-idr-flowspec-path-redirect, here are some our
> consideration.
>
>
> 1.  The 【draft-ietf-idr-flowspec-path-redirect】 defines a new transitive
> BGP extended community. The existing network must be upgraded to support
> the new sub-TLV.
> The draft-jiang is based on the 【draft-ietf-idr-segment-routing-te-policy】
> definition and is an application instance under Flowspec. That is, FlowSpec
> routes are steer to SRv6-Policy based on (Redirect-IP, Color EC) as (N, C).
> No new TLV introduction, consistent with the existing network device
> implementation mechanism
>
>
>
> 2.  The 【draft-ietf-idr-flowspec-path-redirect】define ID-type 0 or 5,But
> there is no these IDs for SRv6-Policy,and the length of Generalized
> indirection_id field is only 32-bit and cannot hold a SRv6-Policy BSID,
> Therefore,user must assign a new 32-bit indirection_id to SRv6-Policy. In
> addition, this indirection_id is a global ID of multiple objects on one
> device, such as SR-Policy and SRv6-Policy, etc. ,  which complicates
> planning and deployment.
> Also, since the current SRv6-Policy does not have such an ID,the
> SRv6-Policy needs to be extended to support such an ID configuration, which
> increases the complexity of the implementation and does not take advantage
> of the deployed SRv6 Policy on the existing network.
> Draft-jiang fully complies with the SRv6 Policy standard, identifying an
> SRv6 Policy by the <color,endpoint> tuple, which makes good use of the
> existing deployed SRv6 Policy and requiring essentially no additional
> extensions, making it very simple to implement.
>
>
>
> BR
> Wenying Jiang
>
>
>
> ----邮件原文----
> *发**件人:*Ketan Talaulikar  <ketant.ietf@gmail.com>
> *收件人:*Zhuangshunwan  <zhuangshunwan=40huawei.com@dmarc.ietf.org>
> *抄 送**: *"draft-jiang-idr-ts-flowspec-srv6-policy@ietf.org" <
> draft-jiang-idr-ts-flowspec-srv6-policy@ietf.org>,"idr@ietf.org" <
> idr@ietf.org>
> *发**送**时间**:*2022-03-25 18:44:42
> *主**题**:*Re: [Idr] flowspec srv6 policy
>
> Hi Shunwan,
>
>
>
> It would be good to reference prior work and clarify the challenges with
> it that require the introduction of a new mechanism. Just a suggestion.
>
>
>
> Thanks,
>
> Ketan
>
>
>
>
>
> On Fri, Mar 25, 2022 at 3:35 PM Zhuangshunwan <zhuangshunwan=
> 40huawei.com@dmarc.ietf.org> wrote:
>
>
>
> Hi Wim,
>
>
>
> Some forks from Nokia Shanghai Bell had also joined the discussion
> organized by China Mobile. Yes, they had mentioned
> draft-ietf-idr-flowspec-path-redirect.
>
>
>
> In those joint discussions, we all agreed that these were 2
> non-conflicting drafts.
>
>
>
> Thanks,
>
> Shunwan
>
>
>
>
>
> *From:* Henderickx, Wim (Nokia - BE/Antwerp) [mailto:
> wim.henderickx@nokia.com]
> *Sent:* Friday, March 25, 2022 5:59 PM
> *To:* Wanghaibo (Rainsword) <rainsword.wang@huawei.com>;
> draft-jiang-idr-ts-flowspec-srv6-policy@ietf.org; idr@ietf.org
> *Subject:* Re: flowspec srv6 policy
>
>
>
> Thx for the response. My point is it is better to extend an existing
> implementation rather than trying to define something new. As such my
> comment is mainly to look  at the proposal I mentioned and augment it with
> the capabilities you wanted to add.
>
>
>
> *From: *Wanghaibo (Rainsword) <rainsword.wang@huawei.com>
> *Date: *Friday, 25 March 2022 at 10:52
> *To: *Henderickx, Wim (Nokia - BE/Antwerp) <wim.henderickx@nokia.com>,
> draft-jiang-idr-ts-flowspec-srv6-policy@ietf.org <
> draft-jiang-idr-ts-flowspec-srv6-policy@ietf.org>, idr@ietf.org <
> idr@ietf.org>
> *Subject: *RE: flowspec srv6 policy
>
> Hi Henderickx,
>
>
>
> The two drafts are used to resolve similar scenario, but with different
> solution.
>
> Document draft-ietf-idr-flowspec-path-redirect defined a path redirect
> method.
>
> But for SRv6 Policy , only ID-type 0 or 5 may be suitable. But there is no
> these IDs for SRv6-Policy.
>
> So the operator must assign a new ID for SRv6-Policy and set to exist
> SRv6-Policy. This is not intuitive.
>
>
>
> Document draft-jiang-idr-ts-flowspec-srv6-policy introduce a combination:
> redirect-ip EC+ Color EC,
>
> Then use it as (N,C) to recursive SRv6-Policy, it can reuse most exists
> implementations and is easy for operate.
>
>
>
> Regards,
>
> Haibo
>
>
>
> *From:* Idr [mailto:idr-bounces@ietf.org <idr-bounces@ietf.org>] *On
> Behalf Of *Henderickx, Wim (Nokia - BE/Antwerp)
> *Sent:* Friday, March 25, 2022 5:26 PM
> *To:* draft-jiang-idr-ts-flowspec-srv6-policy@ietf.org; idr@ietf.org
> *Subject:* [Idr] flowspec srv6 policy
>
>
>
> Regarding draft-jiang-idr-ts-flowspec-srv6-policy@ietf.org
>
>
>
> Have people looked at the following draft which does something similar
>
>
>
> https://datatracker.ietf.org/doc/html/draft-ietf-idr-flowspec-path-redirect
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>

v2.23.0 | Report a Bug | By Email