Re: [Idr] https://tools.ietf.org/html/draft-wang-idr-rd-orf-00

[Aijun Wang <wangaijun@tsinghua.org.cn>]

Hi, Robert:

 

The semantic encoding of “Address Prefix ORF(RFC5292)” can cover the proposed “RD-ORF”, but their usages is different.

For the usage of “Address Prefix ORF”, please refer to https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-mt/irg-15-mt-book/irg-oubound-route-filtering.pdf, the device needs to configure the prefix list that used to notify the ORF peer. The prefix list itself does not include RD.

 

For RD-ORF, the sender needs not do such configuration, and it can’t decide the RD info in advance that leads to the overwhelmed VPN table. 

Defining the new RD-ORF type can make the route filter policy more distinctly.

 

Other detail reply are inline below.【WAJ】

 

 

Best Regards

 

Aijun Wang

China Telecom

 

From: Robert Raszuk [mailto:robert@raszuk.net] 
Sent: Friday, July 17, 2020 5:43 PM
To: Aijun Wang <wangaijun@tsinghua.org.cn>
Cc: Jakob Heitz (jheitz) <jheitz=40cisco.com@dmarc.ietf.org>; Jeff Tantsura <jefftant.ietf@gmail.com>; Aijun Wang <wangaj3@chinatelecom.cn>; idr@ietf. org <idr@ietf.org>
Subject: Re: [Idr] https://tools.ietf.org/html/draft-wang-idr-rd-orf-00

 

Hi Aijun,

 

>From our POV, the user of the address-prefix ORF will pay more attention to the prefix itself

 

First the "user" is the implementation ... hope you are not expecting real operator to inject such ORF entries when "overflow" happens. 

 

Let's also observe that In L3VPNs_PREFIX = RD + IPv4_PREFIX

 

[WAJ]  In semantic encoding, it seems true.  But in actual usage of the “Address Prefix ORF”, the RD is often be ignored.  In RFC7543, we can also see the context as “ignoring the Route Distinguisher……” in  section 3 “Processing Rules”  <https://tools.ietf.org/html/rfc7543#section-3> https://tools.ietf.org/html/rfc7543#section-3  

 

For example, we can refer to https://tools.ietf.org/html/rfc7543 (Covering Prefixes Outbound Route Filter for BGP-4), the minLen, maxLen and host address encoding do not include the RD(when comparing the received route, the receiver needs to add 64 to minLen/maxLen)

 

Incorrect. 

 

The RFC says: 

 

   o  the route prefix length is greater than or equal to the CP-ORF
      Minlen plus 64 (i.e., the length of a VPN Route Distinguisher);

 

  Note: ==equal== So that means that at least RD must be compared.   

[WAJ]   NO, The above procedures actually speak out that the RD is passed/ignored when compared.

 

Actually, the RD-ORF message will be regenerated between every BGP session, not propagate directly back to the upstream, as that done in BGP Update messages.

Then, every regeneration point(RR/ASBR) can control whether or not send the newly generated RD-ORF to the upstream.  In scenarios that when not all of PEs are overwhelmed by routes from this specified VPN, the RR/ASBR can constraint the sending of the RD-ORF policy to the source.

 

"Regeneration" follows propagation. This is exactly why we defined RTC so all loop free properties are still met. ORF is point to point. 

 

Or do you mean that when RR receives the RD-ORF from sending PE it will not propagate till an operator pushes a new configuration to propagate this further. If so have you even considered timing of those events ? 

[WAJ]   No, the operator needs not intervene this process, but the RR can have its policy to send out or not the received RD-ORF messages.

 

 

The edge between CE and PE is one control point to restrict the prefixes number, but we can’t rely solely on it, especially in the Option-B/Option-C interconnection scenario.

Using RD-ORF mechanism, we can prevent the overwhelmed VPN prefixes in one AS to influence PEs in another AS, and also the PEs within same AS(when they exchange routes via RR)

The reason for the occurrences of overwhelmed VPN prefixes may be misconfiguration on one PE, or being attacked from the outside of network, or other unforeseeable events.

 

 

ORF means installing additional route filter outbound from a BGP speaker as instructed by the peer. 

 

I do not see how any Option-B or worse Option-C peer will allow different AS to push some VPN prefix filter on his infrastructure. Unless both are under the same administration - but then you can use prefix limit. 

[WAJ]  Even under the same administration, we can’t depend on the prefix limit, because the ASBR/RR has no specific VRF route table.

Again I do not support your assertion that RD is more granular then RT for this purpose. It all depends how given operator designed the RT and/or RD allocations. 

[WAJ] Whatever the design of RD/RT, the RD is unique to one VRF, but RT is not.

 

As mentioned for a given VPN importing VRF copies prefixes and *ovverrides* incoming RD with local one. So just think what happens if that specific VRF "overflows" but there is many sources of original pre-import routes all with different RDs. 

[WAJ]  The overwhelmed PE should determines which RD or RDs leads to its overflow and send the specific RD-ORF message accordingly

 

If anything in this space I would rather see us perhaps trying to automate prefix limit per RT (in this case it would be export RTs carried with the routes not import RTs). 

[WAJ]  Prefix Limit mechanism can’t be used in Option B/C inter-AS scenarios

 

Thx,
R.