IETF Logo Mail Archive

Re: [Idr] Adoption and IPR call for draft-wang-idr-vpn-prefix-orf-03.txt (8/16 to 8/30)

Robert Raszuk <robert@raszuk.net> Tue, 23 August 2022 11:49 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F2A8C1526E3 for <idr@ietfa.amsl.com>; Tue, 23 Aug 2022 04:49:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_FACE_BAD=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WODny0OYOU8n for <idr@ietfa.amsl.com>; Tue, 23 Aug 2022 04:49:26 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFE52C14CE27 for <idr@ietf.org>; Tue, 23 Aug 2022 04:49:25 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id a22so17663903edj.5 for <idr@ietf.org>; Tue, 23 Aug 2022 04:49:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=eqJdxDlyQQUpr78Xb+4pvcepXCt9EhMhhi5/NifY258=; b=a8bTFYLD58ddDlCzXV5yct6S1Xx3CCr8TBcEDjS02P1tVz+GWKsvvYPq4lyNdY9+4i J3Dj2vM7LvjMIicrL6swYF3h6EogACmEkrS72klACroXaoa5M7y8/Tjcij7sfhyzA0iZ DpO9AC7IhGrRzMqQ7SrK2JEncnp2K4DBAsYvKyVyzVpepuxPmYACDloK9drcmzMR2FAb 0d68tXp+dLRwEJpjFMnqcx2eqtkxa3BR5amQeA+YfOltTFp/jqsP4c9U0jIKkfRONlGD qgWtb8H3eWrIBEXfPHcTQTxqatiJFd1DF1YQOewNu2duFom0YBvqcppS4EgIIXANHIwz NFZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=eqJdxDlyQQUpr78Xb+4pvcepXCt9EhMhhi5/NifY258=; b=6bgxlBYko7n8kx233t3Cas9JibEVwvF4wXyhuCd4JVd3AJUloM1R4x7zRSMLmMZSmq zlsHOyod7QmmMexDhxfrunu1SIL8QgF8wXI4k3jOs0tYqPAprAeTHY2TlqyfxQO1Xn8j MtF+kLoeXUhmZGTghim/xwC8/kT0nIBWpVVQWrHSmAp0aksqg8UDD0pkBWoYYeX7hb8p sIZ1q8m4ui6KXgefr86GPHuhvIgE0VkEw5DX/6oIEdoTXk3WmIiydtWQxnksqBwilIKn nsJ3qsCOS+I1ITdsCh+hSw09YO2GQjg1x4CsItu2eVDuI1XnKny0R8+BBkBVfkfCHbq5 jZvg==
X-Gm-Message-State: ACgBeo3qYcd/JmHCBdn/7ebcT9fmDmCnNDtqOl7E0DyWbJ3HHvgXNb0t J75oAq62EfpqrsLYoPrFHSy7L0wLzq+dVzPt2SEs1Q==
X-Google-Smtp-Source: AA6agR45aGjaiVx4Rv3YkqI8A2t+WfJYhfTkoDwkmiRnBcZt68NX/cgv+3Y77dFGuQmIlR+tgbXL99YgaC2v672Ejik=
X-Received: by 2002:a05:6402:3491:b0:446:ea7d:8d9c with SMTP id v17-20020a056402349100b00446ea7d8d9cmr3364799edc.184.1661255364230; Tue, 23 Aug 2022 04:49:24 -0700 (PDT)
MIME-Version: 1.0
References: <517EF247-76AF-4981-B33B-8A1707E0103B@tsinghua.org.cn> <CAOj+MMGvBKBL__Pk2AuAYWoiBkMeLW3eZkyp_GD-aXjEtZkJkw@mail.gmail.com> <007b01d8b693$92387190$b6a954b0$@tsinghua.org.cn> <CAOj+MMHmeSUuFy7zKBsDUECje6i-g+9e9qD2=oUkgGdcwL2fpw@mail.gmail.com> <tencent_D185B6FFEBB1CDC5CE17B30965D645B5B40A@qq.com>
In-Reply-To: <tencent_D185B6FFEBB1CDC5CE17B30965D645B5B40A@qq.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Tue, 23 Aug 2022 13:49:13 +0200
Message-ID: <CAOj+MMEQYcKoTqZKK1UpK9O11+Pm5J6Bq16KGUnkDHKtz5=OuA@mail.gmail.com>
To: 王巍 <weiwang94@foxmail.com>
Cc: Aijun Wang <wangaijun@tsinghua.org.cn>, Susan Hares <shares@ndzh.com>, "idr@ietf. org" <idr@ietf.org>, Zhuangshunwan <zhuangshunwan=40huawei.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dde9ba05e6e72752"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/PTczRY9o3WmzDl5XO_0WyQw5JR0>
Subject: Re: [Idr] Adoption and IPR call for draft-wang-idr-vpn-prefix-orf-03.txt (8/16 to 8/30)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2022 11:49:29 -0000

First when BGP max prefix used session should get terminated with a peer.

Then Max prefix is to be used on eBGP sessions only.

Using it on IBGP is dangerous. Not a recommended configuration.

Thx,
R.


On Tue, Aug 23, 2022 at 1:39 PM 王巍 <weiwang94@foxmail.com> wrote:

> Hi Robert,
>
> The offending VPN routes are dropped because they pass the predefined
> quota threshold, it’s the similar behavior for “BGP maximum prefixes”
> mechanism.
> Before dropping, the device can also send the alarm signal to operator.
>
> Dropping them can assure the offending VPN routes does not affect the
> receiving and parsing of routes belong to other VPNs.
> The updated VPN Prefixes ORF mechanism filter the routes not solely based
> on RD or prefix.
>
> Best Regards,
> Wei
> ------------------ Original ------------------
> *From:* "Robert Raszuk" <robert@raszuk.net>;
> *Date:* Tue, Aug 23, 2022 04:46 PM
> *To:* "Aijun Wang"<wangaijun@tsinghua.org.cn>;
> *Cc:* "Susan Hares"<shares@ndzh.com>;"idr@ietf. org"<idr@ietf.org
> >;"Zhuangshunwan"<zhuangshunwan=40huawei.com@dmarc.ietf.org>;
> *Subject:* Re: [Idr] Adoption and IPR call for
> draft-wang-idr-vpn-prefix-orf-03.txt (8/16 to 8/30)
>
> Aijun,
>
> > Wish it can help for you to flip the page.
>
> I recall this thread, but it did not "flip the page".
>
> See dropping VPN routes when CE points default to a PE (very common case)
> will just result in less specific forwarding (potential loops as IBGP
> becomes inconsistent now) or at best silent drops at the PEs. Authors
> somehow forgot that it is a really bad idea and very unsafe to drop valid
> routes on IBGP.
>
> Note that non intersecting RT based drop is safe. But not per prefix or
> per RD drops !
>
> Besides if we are talking at scale to do what you are describing requires
> lots of real time per path per vrf stats. That's a CPU burden which is
> completely unnecessary.
>
> > And, the deny-focusing mechanism (VPN Prefixes ORF) acts differently
> from the allow-focus mechanism (RTC).
>
> You missed my point.
>
> While RTC today indeed expresses the list of required RTs nothing stops
> you to define RTC-like AF based propagation with deny semantics.
>
> Thx,
> Robert.
>
>
> On Tue, Aug 23, 2022 at 3:56 AM Aijun Wang <wangaijun@tsinghua.org.cn>
> wrote:
>
>> Hi, Robert:
>>
>>
>>
>> For your concerned points regarding to the ordering of path, I recommend
>> that you review again our discussion with Jeffrey Haas on various scenarios
>> at https://mailarchive.ietf.org/arch/msg/idr/uoQO8vqSA82UCrfXppFjwNbMg1A/.
>> Wish it can help for you to flip the page.
>>
>>
>>
>> And, the deny-focusing mechanism (VPN Prefixes ORF) acts differently from
>> the allow-focus mechanism (RTC). The former should be decided based on each
>> hop itself, and should not be propagated further unconditionally, as that
>> done in RTC mechanism. We don’t want to repeat the discussed points again.
>>
>>
>>
>> Best Regards
>>
>>
>>
>> Aijun Wang
>>
>> China Telecom
>>
>>
>>
>> *From:* Robert Raszuk <robert@raszuk.net>
>> *Sent:* Sunday, August 21, 2022 8:00 PM
>> *To:* Aijun Wang <wangaijun@tsinghua.org.cn>
>> *Cc:* Susan Hares <shares@ndzh.com>; idr@ietf. org <idr@ietf.org>;
>> Zhuangshunwan <zhuangshunwan=40huawei.com@dmarc.ietf.org>
>> *Subject:* Re: [Idr] Adoption and IPR call for
>> draft-wang-idr-vpn-prefix-orf-03.txt (8/16 to 8/30)
>>
>>
>>
>> Aijun,
>>
>>
>>
>> Actually I did read the -03 version of the draft and changes made
>> actually make it even less attractive.
>>
>>
>>
>> Let's first establish what is the format of the ORF message you are
>> proposing to advertise and when those optional TLVs are added ?
>>
>>
>>
>> Quote 1 - PE2 triggers the VPN  Prefix ORF message *(RD1, RT1, comes
>> from PE3)*.
>>
>>
>>
>> Quote 2 - VPN Prefix ORF entry *(RD31, RT1, RT2, comes from PE3)*
>>
>>
>>
>> Your email suggest that *"and global allocation(in this case, the source
>> PE will be attached)"*
>>
>>
>>
>> There is no clear and exhaustive definition when each defined TLV (Source
>> PE or RT) needs to be added by the node generating this new ORF message.
>>
>>
>>
>> It is fascinating that you have now added a list of RTs to the spec. We
>> argued from the beginning that a list of RTs offers a good solution for
>> such filtering and RTC RFC4684 can be used instead.
>>
>>
>>
>> More inline ...
>>
>>
>>
>> #1 - RD allocation can be per VRF or Global in a given VPN. This scheme
>> works only in the case of per VRF allocation.
>>
>> [WAJ]The proposed mechanism works both in per VRF allocation and global
>> allocation(in this case, the source PE will be attached)
>>
>>
>>
>>
>>
>> How do you handle multipaths ? How do you handle anycast ? How do you
>> determine the src PE ?
>>
>>
>>
>> Please observe that during import there is no ordering of paths. So when
>> you are just about to reach the vrf prefix limit and 95% of imported routes
>> come from PE1 suddenly the vrf prefix limit is exceeded when just a few
>> paths arrive from PE2. Are you now going to suppress those few routes as
>> they were unlucky and happened to exceed the prefix limit ?
>>
>>
>>
>>
>>
>> #3 - Use of prefix ORF can be applied where prefix is just /64 RD without
>> any new draft. The draft says:
>>
>>
>>
>>
>>
>> *Using Address Prefix ORF to filter VPN routes need to pre-
>>  configuration, but it is impossible to know which prefix may cause
>>  overflow in advance.*
>>
>>
>>
>>     .. which clearly is not correct as irrespective on the encoding you
>> need to know what RD to push.
>>
>>     Here in this context of RFC5292 PREFIX == RD == /64 PREFIX
>>
>>
>> [WAJ] This point has been discussed throughly in the first round
>> discussions. The key answer is that you cannot know in advance which RD
>> will cause the overflow VPN routes. And one more point again, current VPN
>> ORF prefixes doesn’t depend only the automatic extracted RD information.
>>
>>
>>
>> No one is saying you need to know this in advance. Sure questionable
>> source PE and RTC like list of RTs will not fit RFC5292.
>>
>>
>>
>> While we are at this, asking anyone to configure a list of <src RDs+src
>> PEs> limits on each PE is beyond even commenting on.
>>
>>
>>
>> #4 - Change of ORF list results in advertisement of ALL routes of a a
>> given AFI/SAFI to the peer.
>>
>>         That is the same irrespective if IMMEDIATE or DEFER flags are
>> set. That puts burden on the peer especially in
>>
>>         VPN cases when the number of routes may be high.
>>
>>
>> [WAJ] What you described is the current ORF mechanism. There are some
>> spaces to optimize it.
>>
>>
>>
>>
>>
>> Yes this is how ORF works.
>>
>>
>>
>> And I don't think there is any consensus to break it.
>>
>>
>>
>> Actually looking at your -03 version I have a suggestion.
>>
>>
>>
>> Forget about hacking ORF. Just use new SAFI and push those policies in
>> the new address family. Just like we did with RTC. And please do not try to
>> fix RTC :) Leave it alone and transfer your policy to new AFI/SAFI
>> advertisements.
>>
>>
>>
>> It will also be automatically transitive so you should have much better
>> coverage with that.
>>
>>
>>
>> Alternatively you may find some traction to add this into Flowspec v2
>> work.
>>
>>
>>
>> Kind regards,
>>
>> Robert
>>
>>
>>
>

v2.23.0 | Report a Bug | By Email