Re: [Idr] [spring] Error Handling for BGP-LS with Segment Routing

[Rob Shakir <robjs@google.com>]

Hi Alvaro,

Also speaking as a WG participant :-)

On Thu, Jan 3, 2019 at 1:40 PM Alvaro Retana <aretana.ietf@gmail.com> wrote:

> BGP-LS only defines a mechanism through which it may miss information, but
> not how to handle it — or maybe it does (?): by using attribute discard it
> just accepts that the information might be missing going forward…and
> doesn’t attempt to do anything.  Maybe this quote is true: "Doing Nothing
> Often Leads to the Very Best Something” — Winnie the Pooh
>

I think that it defines *something*, albeit not explicitly. Essentially, as
I read it, we're saying "when an attribute encoded by the advertising
BGP-LS source is incorrect, then BGP-LS as a system will prefer to use
partial information" (partial information, since we assume that some
information does get through, since the NLRI could be parsed).

That action may be ok in the general case…but I think that doing nothing
> may not be enough/appropriate for an application like SR, because it is
> explicitly calculating paths….
>

> The point I’m trying to bring up is not necessarily treat-as-withdraw vs.
> attribute discard…. But, first, is attribute discard
> enough/appropriate/good for a BGP-LS application such as SR?  If it isn’t,
> second, is there a different approach that would be better?  Maybe we then
> come to a point where something can change…or accept the limitations of the
> system and be clear about them.  I fully realize that I may be the only one
> who thinks there’s an issue…
>

My point was really the same... The question I was trying to raise is "what
is the alternative that you would suggest?". Other technologies that
fulfill the same role as BGP-LS (those that I described) don't take a very
different approach.

Clearly, it's bad to calculate paths with incomplete information about the
topology of the network. It's also bad to calculate zero paths because you
discarded the entire topology based on an error. We're in-between a rock
and a hard place in terms of maintaining system functionality here -- all
systems that do the same as BGP-LS are having to make some form of
compromise about which constraint (correctness, or connectivity) they are
violating.

This is why I was arguing for leaving things unchanged -- the correctness
constraint seems OK to violate by default. If there are deployments where
connectivity is the desirable constraint to violate, then reacting to the
fact that attribute-discard did occur is possible (or not configuring 7606
error handling if the implementation supports this).

Describing these compromises is, of course, a good idea. However, it's not
clear where this description would go -- we don't really have a document
that describes this overall system and how it might be implemented today.

Cheers and HNY!
r.



>
> Thanks!!
>
> Alvaro.
>
>
> On December 21, 2018 at 11:23:16 AM, Rob Shakir (robjs@google.com) wrote:
>
> Alvaro,
>
> I think this is one of the difficulties of overloading a protocol like BGP
> with different datasets -- it's not simple to say how particular attributes
> are actually going to be used within a protocol deployment. This was one of
> the things that was noted in 7606 -- i.e., I can make *any* attribute
> really affect forwarding if I write a policy that accepts/rejects some
> UPDATE based on the presence of that attribute.
>
> In general, any topology discovery mechanism (whether used in real-time or
> not) needs to define how it handles cases where it might end up with
> missing information. Let's consider what the different mechanisms for
> discovery we have are today:
>
>    - IGP listening -- in this case, if we have some malformed IS-IS TLV,
>    then we might end up discarding this information (whether it be at the
>    listening node, or a device that didn't flood it earlier in the chain) --
>    meaning that we know that we have some potential gap in the topology.
>    - Streaming telemetry -- speaking particularly to gNMI for LSDB
>    streaming encoded using the OpenConfig model, here, we are tolerant to
>    getting as much information as can be parsed, and have a way to carry
>    unknown TLVs (which might include those that cannot be successfully parsed)
>    as binary data to the external consumer. This means that the approach is
>    "as complete data as possible", but has the same characteristic that we can
>    also end up having the potential to lose data.
>    - BGP-LS with attribute discard -- this has some information loss,
>    since we'll have some attributes that could be malformed in the input data,
>    and we discard them at the receiver.
>
> It doesn't seem to me that, given the source of the data is the IGP, and
> we might have information discarded there -- that we can really guarantee
> strong consistency of an off-box view of the network, since we can't
> guarantee strong consistency across the IGP domain itself.
>
> Thus, I'm not sure that the issue that is being highlighted here actually
> makes a difference when we're considering the overall system design -- we
> always need to deal with the fact that the view of the network at the path
> computing node might not match exactly the network's current state in the
> presence of malformed protocol messages. One motivation for having the LSDB
> via streaming telemetry is the ability to provide such validation ("do all
> nodes within my IGP domain, including listeners, have a consistent view of
> the state of the network?").
>
> If the discussion is "should we adopt treat-as-withdraw vs. attribute
> discard?" -- I don't think that from the system perspective there is really
> any difference between the two in this situation. We still have the same
> potentially inconsistent view of the network.
>
> For these reasons, I'd err on leaving this unchanged in the current
> specification(s).
>
> Cheers,
> r.
>
>