IETF Logo Mail Archive

Re: [Idr] Adoption and IPR call for draft-wang-idr-vpn-prefix-orf-03.txt (8/16 to 8/30)

Gyan Mishra <hayabusagsm@gmail.com> Mon, 29 August 2022 18:37 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9524EC183F87 for <idr@ietfa.amsl.com>; Mon, 29 Aug 2022 11:37:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n2OKbuUWpwwV for <idr@ietfa.amsl.com>; Mon, 29 Aug 2022 11:36:58 -0700 (PDT)
Received: from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com [IPv6:2607:f8b0:4864:20::52b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C41C6C13630C for <idr@ietf.org>; Mon, 29 Aug 2022 11:36:58 -0700 (PDT)
Received: by mail-pg1-x52b.google.com with SMTP id v4so8448566pgi.10 for <idr@ietf.org>; Mon, 29 Aug 2022 11:36:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=4TvIkizUeCK+CSlq12xkn7qQGV5Q4TMOV0PC7ucFAGc=; b=Ibpeu91PJ5qLWYpUnlp9TNcLWoxYgLWdTnwNhou6JLQIWsxmwOIOXZX78o0NRKsgDe R6/gq/os2cb5IrU4diZ93YJD5VrOqoWv/2kGyYR4wiJj7YLj6i5PN43DQ5vD+Fdmjqu1 uUGOQFB3zP+xtXOf6XPb5peEizKpq0WJUKAqY+h4a3It1o4SXaXFzvzAcgT9XW00Oqia YP4sOIFdarfKQmcE4KAbiErEbPj/aMpQyw5ECNzF+HgK7GM+q+UjQ1iRT3cfzz2WL4P2 XTLCK9pqkvSz1Ut7SBil0GOcM5yLK9dBdoEE6YohImqQ8QnXQt5kPzAlx28xDgmAJ5Ol PbOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=4TvIkizUeCK+CSlq12xkn7qQGV5Q4TMOV0PC7ucFAGc=; b=57qBsUCjvcvR3HRMjiZcxE7PguLFPCN1OOJg+qcXt+hYuBQPr5GTcfbonEtpTxtSB1 8Wjp+54KAkbwlmkHNFqI3iKCILMz4AWQXCn2KUQuLj7xqVl7WyFpcMxJ7jBlzLnz+a9T tniTd1kbZihsqz3x9Z89uoqG08Bdbl30eGt7Gfohc6fxaPVwjeloTHFXmf2UUFQgC8Et Uoyq+VNnPY9QycA2VSVPR4/uDu2zjeO8Xkao+Ylgps9/0taILahage6k5Eo924iyy98y Q29qFk3VxWWro+h9XpLs+RZKJg9gOBwD7gp7F+Bo49xOIegmoiP4ejMmhjd1DADUcUU5 TO6Q==
X-Gm-Message-State: ACgBeo3BrI0JG2eJK5IN2fwVZSJKwsG68Q2aa86GWESYZ9u5/D7fb5OF Fu+qzgGRp1qo9OMH1G2hV+ij03/xS3PFWu2g57kDAJvA
X-Google-Smtp-Source: AA6agR6bDVVIKw2dKg3q5cQ8WRS7Z20jAs6iEqzoIeM5bDSTqoNnTeHx1t3ajzwUV7ynL52vtUNEXzNpNufPsBZmFxg=
X-Received: by 2002:a65:4d48:0:b0:421:5af6:9278 with SMTP id j8-20020a654d48000000b004215af69278mr15078860pgt.1.1661798217891; Mon, 29 Aug 2022 11:36:57 -0700 (PDT)
MIME-Version: 1.0
References: <CAOj+MMELVifgg4Yj38kyncDGYzS5fJG-43_kRc7YLwJiTPANUA@mail.gmail.com> <23D1B383-F794-402E-AB1B-D966F8F3375B@tsinghua.org.cn> <CAOj+MMGs9gU=xC0UG4Xaiv5feo2U6VFXkdAxmk6arN_bxe_mSg@mail.gmail.com> <BYAPR08MB4872E197715724FC1E853725B3769@BYAPR08MB4872.namprd08.prod.outlook.com> <CAOj+MMEY=0iQ=vBGYJ=M=Pd=3gvjZVwWCZC_XPXzXDsD-7_a6A@mail.gmail.com>
In-Reply-To: <CAOj+MMEY=0iQ=vBGYJ=M=Pd=3gvjZVwWCZC_XPXzXDsD-7_a6A@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Mon, 29 Aug 2022 14:36:46 -0400
Message-ID: <CABNhwV0zR+YWte146WZ6jD=-bBm_1KcAxVJrkkiiT8gMsHwcsA@mail.gmail.com>
To: Robert Raszuk <robert@raszuk.net>
Cc: Susan Hares <shares@ndzh.com>, "idr@ietf. org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000077443405e7658c9c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/SKhyQm6C-sbT4b9-s4HSwhLufEg>
Subject: Re: [Idr] Adoption and IPR call for draft-wang-idr-vpn-prefix-orf-03.txt (8/16 to 8/30)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Aug 2022 18:37:02 -0000

Hi Robert

On Mon, Aug 29, 2022 at 5:23 AM Robert Raszuk <robert@raszuk.net> wrote:

> Sue,
>
> > You might consider that Aijun and others do not have the ability to
> quickly take the rogue PE out of the network.
>
> No one is suggesting that.
>
> The current methods to mitigate the issue are as stated number of times:
>
> * local drop of overflowing routes at the weak PE  (no new spec needed)
>
> * protection at the PE-CE boundary at the src PE (no new spec needed)
>

   Gyan> The issue historically has been with VRF maximum prefix and PE-CE
maximum prefix and that  we all agreed from the last few adoption calls is
existing mechanisms don’t suffice for this overflow issue due to the limit
for both being set to a  generic high water mark by operators taking into
account statistical multiplexing 80/20 rule and oversubscribing the limits
to avoid OPEX costs of administrative overhead of having to continually
adjust the limits.  Configuration templates are pushed via standard policy
from NMS so it’s very generically done.  So this is a real issue to be
solved and now it’s digging into the solution space to solve it as best
possible.  The issue related to RD based ORF was resolved using now a 3
tuple {RT, RD, origin  prefix) RD+TLV combo from WG feedback.  The issue
with dropping of routes related to source PE is being addressed as Aijun
pointed out with regards the clarifications on use of the quota and use of
optimization of ORF to only drop the overflowing routes not all routes.

>
> * protection at the VRF level at the src PE (no new spec needed)
>
> Then claim is now stated that operator can not control src PE. That's an
> interesting claim. We in many routing protocols assume that there is
> control within domain. For Interdomain again we should apply prefix limit
> on a per RD basis. (if they would provide a draft suggesting this I would
> highly support it).
>

   Gyan> The solution applies to intra domain and inter domain inter-as
options b and c per RD / prefix basis.

>
> Then last the issue can be clearly mitigated by network management layer.
>

   Gyan> Difficulty with management layer is detecting the overflow issue
which with protocol extension can easily be done natively with VPN ORF.

>
> Just pushing ORF to adjacent RR and not mitigating the issue is not a
> proper action.
>

    Gyan>The draft addresses both mitigation to adjacency RR as well as
upstream to source PE using the source PE TLV.

>
> Thx,
> R.
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Mon, Aug 29, 2022 at 10:29 AM Susan Hares <shares@ndzh.com> wrote:
>
>> Robert:
>>
>>
>>
>> You might consider that Aijun and others do not have the ability to
>> quickly take the rogue PE out of the network.
>>
>>
>>
>> Asking Aijun why they do not take the Rogue PE out of the network – may
>> be useful.
>>
>>
>>
>> Sue
>>
>>
>>
>> *From:* Robert Raszuk <robert@raszuk.net>
>> *Sent:* Friday, August 26, 2022 6:48 PM
>> *To:* Aijun Wang <wangaijun@tsinghua.org.cn>
>> *Cc:* Acee Lindem (acee) <acee@cisco.com>; idr@ietf. org <idr@ietf.org>;
>> Susan Hares <shares@ndzh.com>
>> *Subject:* Re: [Idr] Adoption and IPR call for
>> draft-wang-idr-vpn-prefix-orf-03.txt (8/16 to 8/30)
>>
>>
>>
>>
>>
>>
>>
>> I admit there will be no single solution for one problem.
>>
>>
>>
>> The role of IETF is to standardize a single solution to real problems. At
>> least we should aim for that.
>>
>>
>>
>> Your problem description is this:  *"rogue PE"*
>>
>>
>>
>> Well to me this is not sufficiently precise to convince anyone that there
>> is a problem to start with. At least I am happy to see that you are no
>> longer stating that the problem you are trying to protect from is "rogue
>> CE" (as clearly PE-CE prefix limit will effectively mitigate it
>> at its source).
>>
>>
>>
>> Bottom line is this - if we assume that any PE can arbitrarily misbehave
>> and inject bogus stuff in the routing control plane then we have a much
>> larger problem. And IMO the right solution to such a problem would be to
>> take such "rogue PE" out of the network ASAP. Not to cherry pick who's VPN
>> to cut first, second, third on RRs in the path.
>>
>>
>>
>> Rgs,
>>
>> R.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
-- 

<http://www.verizon.com/>

*Gyan Mishra*

*Network Solutions A**rchitect *

*Email gyan.s.mishra@verizon.com <gyan.s.mishra@verizon.com>*



*M 301 502-1347*

v2.23.0 | Report a Bug | By Email