IETF Logo Mail Archive

Re: [Idr] Request to adopt draft-heitz-idr-large-community

"Jakob Heitz (jheitz)" <jheitz@cisco.com> Thu, 08 September 2016 12:52 UTC

Return-Path: <jheitz@cisco.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53DA512B327 for <idr@ietfa.amsl.com>; Thu, 8 Sep 2016 05:52:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -16.009
X-Spam-Level:
X-Spam-Status: No, score=-16.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.508, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f4e0C1128Ydr for <idr@ietfa.amsl.com>; Thu, 8 Sep 2016 05:51:57 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C447012B364 for <idr@ietf.org>; Thu, 8 Sep 2016 05:29:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11459; q=dns/txt; s=iport; t=1473337768; x=1474547368; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=EGZpmtqu75WsFDhLq9DgOKJGISadK7sGgXBaQmAbKi4=; b=X06YpFCwrZpKkk/krrKsJmXkOW0SiRl+5qzjGFvKWc7mkcyEmBrlYa+d Ax2wk7Bf+EgUVId+HdIlWjawTek1J+1p5wtPXqP5wM2Q2Ez4WbgnnvIKv LxkbzmMFCvBZLWsnnNOBbHCzzpX+CIKTsAuf6eoieujujlAF03/Qj046h M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BdAQAvWdFX/5xdJa1dGQEBAQEBAQEBAQEBgy0BAQEBAR5XLU+NMqsQggMZC4V4AoFcOBQBAgEBAQEBAQFeHAuEYQEBAQMBAQEBNzICCAMFBwQCAQgVAQIeECcLJQIEDgUUB4gnCA68NwEBAQEBAQEBAQEBAQEBAQEBAQEBARcFhjCBeIJWgSKCcBEBBhaDLYIvBY4qhWaFTgGIX4ZggW6EX4kQb4tig3oBHjaCZwIIFoFNcIU2gh8BAQE
X-IronPort-AV: E=Sophos;i="5.30,300,1470700800"; d="scan'208";a="144896709"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 08 Sep 2016 12:29:27 +0000
Received: from XCH-ALN-014.cisco.com (xch-aln-014.cisco.com [173.36.7.24]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id u88CTRSA002571 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 8 Sep 2016 12:29:27 GMT
Received: from xch-aln-014.cisco.com (173.36.7.24) by XCH-ALN-014.cisco.com (173.36.7.24) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 8 Sep 2016 07:29:26 -0500
Received: from xch-aln-014.cisco.com ([173.36.7.24]) by XCH-ALN-014.cisco.com ([173.36.7.24]) with mapi id 15.00.1210.000; Thu, 8 Sep 2016 07:29:26 -0500
From: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
To: "bruno.decraene@orange.com" <bruno.decraene@orange.com>
Thread-Topic: [Idr] Request to adopt draft-heitz-idr-large-community
Thread-Index: AQHSCDP+9Gy6rPIW0USt867VcqfiL6BuXmaAgAAfcwCAAAPVgIAABqSAgAAddgD///s9xIABGsSA//+xdsyAAG4ygP//rW0Y
Date: Thu, 08 Sep 2016 12:29:26 +0000
Message-ID: <55446E7D-E6D9-4DF1-A939-C5653B59D35A@cisco.com>
References: <20160906113919.GC17613@vurt.meerval.net> <F3BDAC77-FA01-4F90-9BC1-9F2F1B7B6029@ecix.net> <CAHxMReZxtHSHfavDaAm=JrBqQ+UHkbJoai52Zt3rFFSKgp=aLA@mail.gmail.com> <CA+b+ER=QOJXZoZaNhRhiHS2SgE88cBaxOb39eRshyA1TxnQXUg@mail.gmail.com> <20160907161113.GG5423@57.rev.meerval.net>, <CA+b+ERmfPrjbsAx42aKH_OVdZnf0WzqS_B1mJ6eTVni7T2s6xg@mail.gmail.com> <D2565063-A1DE-4AB0-9903-65AA2805D0D3@cisco.com>, <7547_1473330703_57D13E0F_7547_1505_1_53C29892C857584299CBF5D05346208A0F9C7061@OPEXCLILM21.corporate.adroot.infra.ftgroup> <56420857-5B57-44D9-B5B1-99806FA5DAC2@cisco.com>, <23171_1473337501_57D1589D_23171_6268_1_53C29892C857584299CBF5D05346208A0F9C7410@OPEXCLILM21.corporate.adroot.infra.ftgroup>
In-Reply-To: <23171_1473337501_57D1589D_23171_6268_1_53C29892C857584299CBF5D05346208A0F9C7410@OPEXCLILM21.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/TQ3qopv3vJoJZFtFD0_rCKfcCMo>
Cc: idr wg <idr@ietf.org>, Robert Raszuk <robert@raszuk.net>
Subject: Re: [Idr] Request to adopt draft-heitz-idr-large-community
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2016 12:52:02 -0000

Makes sense. Merci Bruno.

Jakob.

> On Sep 8, 2016, at 8:25 AM, "bruno.decraene@orange.com" <bruno.decraene@orange.com> wrote:
> 
> Hi Jakob,
> 
>> From: Jakob Heitz
>> Sent: Thursday, September 08, 2016 12:51 PM
>> 
>> I fully expect people to use the first 4 octets to encode the target ASN for all the reasons
>> mentioned. However, I will not enforce it in the code or in the spec. It is enough to
>> RECOMMEND it in the spec, stating the reason.
> 
> Although I'd prefer RFC 4360 (extended community) formulation ("This sub-field contains an Autonomous System number assigned by IANA."), if the goal is to keep RFC 1997 communities usages as-is, I would be fine re-using RFC 1997 text:
> 
> "The rest of the community attribute values shall be encoded using an
>   autonomous system number in the first two octets.  The semantics of
>   the final two octets may be defined by the autonomous system."
> 
> but updated with a 2119 keyword. i.e. :s/shall/SHALL
> 
> I'm not asking for any enforcement in the code. (and I don't see how the code could enforce it).
> I'm asking for the document to make it clear, that AS X owns the community space starting with X. Such that if there is a conflicting usage, it's clear which AS/actor needs to renumber.
> 
> Note that I can live with current wording in the draft. It's your proposed change that I am commenting on.
> 
> 
> As another comment, I think section 3 ("Textual Representation") could normatively reference RFC5396 ("Textual Representation of Autonomous System (AS) Numbers").
> 
> 
> Thanks,
> --Bruno
> 
>> Thanks,
>> Jakob.
>> 
>> 
>>>> On Sep 8, 2016, at 6:31 AM, "bruno.decraene@orange.com"
>>> <bruno.decraene@orange.com> wrote:
>>> 
>>> [re-sending in ascii]
>>> 
>>> Hi Jakob,
>>> 
>>> Please see inline, [Bruno]
>>> 
>>>> -----Original Message-----
>>>> From: Jakob Heitz (jheitz) > Sent: Thursday, September 08, 2016 12:40 AM
>>>> 
>>>> Here is how I would treat the first 4 octet so of the large community.
>>>> The community is normally used by an ISP to allow a directly connected customer to
>>>> express its wishes about how to process the route. In that case, the first four octets and
>> all
>>>> octets are totally in control of the ISP. The ISP has total control of the definition of the
>>>> octets. If an ISP is willing to carry communities that are destined to another AS, then it
>>>> makes sense for everyone to agree on the encoding of the target ASN in the community.
>>>> I would phrase it like this:
>>>> 
>>>> The meaning of all octets in the large community is to be defined by mutual agreement
>>>> between the originating and terminating ASes. However, if a large community is
>> intended
>>>> to transit an AS, then the ASN of the terminating AS SHOULD be encoded in the first 4
>>>> octets of the large community.
>>> 
>>> 
>>> [Bruno] The problem is that in living networks, people start using a solution (e.g. large
>> community) with a given use case in mind. Then once deployed, it's very hard to change
>> (well, I guess it depends on how big and complex is the network).
>>> So people start with 2 ASes (originating and terminating), then use one VPN AS to
>> transit, then come inter-AS VPN. And those transit AS will see name space collision, which
>> will be a headache. (e.g. who must be forced to renumber?)
>>> Note that a transit AS may also be introduced between 2 peers, without VPN.
>>> 
>>> So I would strongly prefer that the first 4 octets be dedicated to the AS number defining
>> the usage of the community, just like RFC 1997 (BGP community) (and RT for extended
>> community and RD in VPNs)
>>> 
>>> [Bruno]
>>> IMHO, I would interpret your proposition as a fear that in some future, the large-
>> community, is found not to be large enough. If this is the case, it's not too late to make it
>> bigger. e.g. 4*32 bits.
>>> On a side note, I'm also a bit nervous that 3 days after the start of the WGLC, so
>> extremely early for a solution that I would expect to be running for 20 years, we are
>> already discussing that the numbering space may be too small. (full disclosure, I'm co-
>> authoring draft-ietf-idr-wide-bgp-communities)
>>> 
>>> Thanks,
>>> Regards,
>>> --Bruno
>>> 
>>> 
>>>> For example, there is no reason that an invalid ASN (say 0 or 23456) should be
>> disallowed
>>>> as long as the intended recipients of the community understand the meaning.
>>>> 
>>>> Thanks,
>>>> Jakob.
>>>> 
>>>> 
>>>> On Sep 7, 2016, at 1:57 PM, Robert Raszuk <robert@raszuk.net> wrote:
>>>> Hi Job,
>>>> 
>>>> Excellent.
>>>> 
>>>> And my only point was to add that single sentence to the spec when next rev comes out.
>>>> 
>>>> Suggestion for the sentence to add into bottom of the section 3:
>>>> 
>>>> "The Autonomous System number used within the community field is an Autonomous
>>>> System which understands the encoded meaning of the 8 octets which follow and which
>> is
>>>> to act on it."
>>>> 
>>>> ... or something along those lines.
>>>> 
>>>> Cheers,
>>>> R.
>>>> 
>>>> 
>>>> On Wed, Sep 7, 2016 at 6:11 PM, Job Snijders <job@ntt.net> wrote:
>>>> Hi Robert,
>>>> 
>>>>> On Wed, Sep 07, 2016 at 05:47:27PM +0200, Robert Raszuk wrote:
>>>>> I agree with all statements made by Rob S.
>>>>> 
>>>>> Kay's email however triggered the clarification question to the
>>>>> current -03 version.
>>>>> 
>>>>> What is the meaning of explicit AS number listed in the first 4 octets
>>>>> of the community. I was under impression that originally it was the AS
>>>>> number in which given community needs to be executed however it seems
>>>>> that this sentence is no longer in the current version of the draft.
>>>> 
>>>> The first 4 bytes contain the ASN in which the last 8 bytes have a
>>>> meaning. Its not about what is executed where. Consider the last 8
>>>> bytes, the 'local opaque data', a namespace of sorts, the first 4 bytes
>>>> indicate who owns that namespace. The owner of the namespace can
>>>> publicly or privately document what the meaning communities are within
>>>> his/her namespace.
>>>> 
>>>> I welcome suggestions to improve the text on this aspect. RFC 1997 had
>>>> language like "Global Administrator" and "Local Administrator" - but I
>>>> think that is a somewhat archaic to explain this concept. In -04 we're
>>>> talking about "Autonomous System Number" and "Local Data".
>>>> 
>>>>> So it may be unclear if this is AS number inserting this community, if
>>>>> this is target AS to execute it or perhaps like in the case of Route
>>>>> Server is it AS acting as proxy for other ASes it peers with ?
>>>>> 
>>>>> The answer could be none of the above - it's all local significant - but
>>>>> then shouldn't it rather use a 4:4:4 description.
>>>> 
>>>> What Kay described is that they today with RFC 1997 communities they are
>>>> using a horrible kludge because there is not enough space.
>>>> 
>>>> With Large communities, ECIX (AS 9033) could say "Dear customers, if you
>>>> attach 9033:XXX:YYY to your prefix, our routeserver will do A", where
>>>> XXX and YYY are values decided by ECIX. This way, there will never be
>>>> collisions. What XXX and YYY are is up to ECIX, XXX could be the ASN of
>>>> a peer on the route server, YYY could be an identifier which triggers an
>>>> action, such as no-export.
>>>> 
>>>> Given the above context and what Kay sent to the list:
>>>> 
>>>>>> As we use 65000:XXX, where XXX is the ASN which should
>>>>>> not receive the route, this proposal would give us the option to also
>>>>>> extend the control-mechanisms towards 32-bit ASNs and not just 16-bit
>>>>>> ASNs anymore.
>>>> 
>>>> With Large Communities, the above example could be turned into:
>>>> 9033:65000:XXX, where XXX is the ASN which should not receive the route.
>>>> Suddenly they aren't overloading a Global Administrator field with a private ASN! :-)
>>>> 
>>>> ECIX (and other Route Server operators) gain two advantages: There won't
>>>> be a risk of collision because its in their own namespace, (in ECIX's
>>>> case '9033'), and XXX can be a 4-byte value, meaning they can target
>>>> 4-byte ASNs, which is something they cannot do today but clearly want to
>>>> do for consistency.
>>>> 
>>>> It is important to recognise that it is up to ECIX to decide how they
>>>> use the 8 bytes of data available to them. They can put ASNs in there
>>>> directly, or use a mapping table, or throw a dice and just publish which
>>>> value means what on their Route Server. It is entirely opaque.
>>>> 
>>>> Kind regards,
>>>> 
>>>> Job
>>>> 
>>>> ps. Large Communities' expiry date will be the moment the IETF starts
>>>> working on 8-byte ASNs. If that ever happens, we'll hopefully remember
>>>> this thread.
>>>> 
>>>> _______________________________________________
>>>> Idr mailing list
>>>> Idr@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/idr
>> __________________________________________________________________________
>> _______________________________________________
>>> 
>>> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou
>> privilegiees et ne doivent donc
>>> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par
>> erreur, veuillez le signaler
>>> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques
>> etant susceptibles d'alteration,
>>> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie.
>> Merci.
>>> 
>>> This message and its attachments may contain confidential or privileged information
>> that may be protected by law;
>>> they should not be distributed, used or copied without authorisation.
>>> If you have received this email in error, please notify the sender and delete this message
>> and its attachments.
>>> As emails may be altered, Orange is not liable for messages that have been modified,
>> changed or falsified.
>>> Thank you.
> 
> _________________________________________________________________________________________________________________________
> 
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
> 
> This message and its attachments may contain confidential or privileged information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.
>

v2.23.0 | Report a Bug | By Email