IETF Logo Mail Archive

Re: [Idr] draft-wang-idr-vpn-routes-control-analysis (was Re: rd-orf problem clarification at the local level)

Gyan Mishra <hayabusagsm@gmail.com> Fri, 26 February 2021 23:40 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B12073A13F8; Fri, 26 Feb 2021 15:40:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OBWeKm1ohiIp; Fri, 26 Feb 2021 15:40:31 -0800 (PST)
Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E51C3A0FD2; Fri, 26 Feb 2021 15:40:31 -0800 (PST)
Received: by mail-pf1-x42c.google.com with SMTP id j12so7268823pfj.12; Fri, 26 Feb 2021 15:40:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SG0fQQJI8rey39AMQcLgRPHr8jFyNaZ5kT9t6vRnk7I=; b=KjDqo/AnDdJiJ27AyRgJqudiNHNaHrH7PPo0/S2TdeR9D4qWMeJJzvPnYUpEwPZqqs jjLcLIUJztAnutCpalrBO3MahKc8Ro7C+aJerEYqfEOZ4w7por1gwM6jIsafExcOVHBz kQViebjcfI7414cauA4MddX/YEKCu1gU/Y2MY0xFpOxQCbk5PKTL6OfMK4u/VNod3BQ1 0zr4j9l3vJh8Zl5QgZbRr5AhfonW1Ep7TmJl5HOVx3MD8mgoihRYNQspVm1AHR6QURWn XPjw2kSr7V/8lF3XHbDCFwyKyXXInFrGDRPsNZdRE3UDWvk3Z0d/hNVIL5yQKjKBL+MT P+rQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SG0fQQJI8rey39AMQcLgRPHr8jFyNaZ5kT9t6vRnk7I=; b=aql0JipKJHCOIeKHDV0AoyIUB9Xb+ik2uo4KsuK17M0RB/vV9XcyDJ/LW8cI21mhSB Fsfg4lHdPSPn865sVEyyVRuPO3t/WQcEIiuzLlZaSQAqGbx3KEC9JO4jUDugkFaN3Krh 3+JWucZYgAJ4S5d+vBS7CUMu8bL//Iz5RN44fYaGeLhDAxHyj++PRLdjWJn6pHeMYSr4 QY28uJpAx5i5/xp089mGV6FNb+1pF5CXCXDgCz/ZpMGh4AD/IIeyHjEudqRiPZdlPa+j jiuR4Wd1OU+GgljMldDNAB3e2KuNGowDeZSazc1qc36yDY9mXkqLP8KGCuauiwVQ9/OH 4qWA==
X-Gm-Message-State: AOAM53036MUe+BjmMW2sbYT0Q8mDTzETPMYwcmVcx6a01ELXeV+oRxHg 6NHqGo06FUxNfr+26KCiYvtebp3r22MjYAQNc9VH03p4Lps=
X-Google-Smtp-Source: ABdhPJweN9OZRF7pG7b4nJ3iEl4tNiWLYGAhIRcLqT3ue4xfWZqP+DAXq84KEa5Uee3JQz6iFuR8Vc98vtN6S8MeCTo=
X-Received: by 2002:a63:1524:: with SMTP id v36mr4896808pgl.383.1614382830653; Fri, 26 Feb 2021 15:40:30 -0800 (PST)
MIME-Version: 1.0
References: <20210225142155.GA27005@pfrc.org> <A7C19F05-DBCD-4AA8-ADC9-7F608BA9F540@chinatelecom.cn> <CABNhwV0EeUt-aue74xK9jAO-9MJXuj6kzNegwyC=d5o3Wd6aXA@mail.gmail.com> <CAOj+MMGgY198Z4Uz8NBDMDMYtinBCauxtPxEojzhiQekJwOYaw@mail.gmail.com> <CABNhwV0EZ2Au-W4-yxKuRV6CstVB4nk-FqCBOag4XkGR=RnZqQ@mail.gmail.com> <CAOj+MMFMdAL=b2WprdGnpuZEXbJkcsR__XuDnwRP5LYu-00PDw@mail.gmail.com>
In-Reply-To: <CAOj+MMFMdAL=b2WprdGnpuZEXbJkcsR__XuDnwRP5LYu-00PDw@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Fri, 26 Feb 2021 18:40:19 -0500
Message-ID: <CABNhwV2Yo7_TePHYC7wTO0L7_ZrEGNz-U+2SN=8b=HTtst5anQ@mail.gmail.com>
To: Robert Raszuk <robert@raszuk.net>
Cc: Aijun Wang <wangaj3@chinatelecom.cn>, draft-wang-idr-rd-orf@ietf.org, "idr@ietf. org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000027130c05bc45cbd5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/VCiXygg3jdMDYeRWfG6CCeJcjyM>
Subject: Re: [Idr] draft-wang-idr-vpn-routes-control-analysis (was Re: rd-orf problem clarification at the local level)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Feb 2021 23:40:35 -0000

Robert,

On Fri, Feb 26, 2021 at 11:28 AM Robert Raszuk <robert@raszuk.net> wrote:

>
>
> On Fri, Feb 26, 2021 at 4:49 PM Gyan Mishra <hayabusagsm@gmail.com> wrote:

>
> Hi Robert
>
> In the first comment in the thread as a requirement to identify the
> Prefixes based on RD to be blocked in the case of not unique RD requires an
> AND of both RD+RT in the logic.  I am in complete agreement that is
> required.
>
> So I can see Jeffrey’s idea as a possible solution to modify RTC to
> include offending RD update to RTC spec.
>

Just to be clear ... Jeff did not suggest that. This suggestion I wrote.



> However, the RD ORF uses existing ORF machinery with add of new ORF type
> which to me seems a very minor change.  The nice thing about RD ORF is that
> it is controlled and requires manual intervention to unblock where RTC
> would be automatic and that could cause undesirable instability.
>

That can be manual even for RTC. Consider advertising an RD attribute as a
static route. It will be advertised till operator removes it.

Gyan> Anything can be coded but it would be a serious hack to manually
withdraw the RD which is a complete change to current RTC implementation
which is simply enabling SAFI 132 MP Reach capability exchange between
peers.  Nothing manual.


> I am not sure if modifying RTC to include RD block logic would not cause
> added instability with RTC as RTC acts only on RT, as I this is a
> significant change to RTC membership logic.  Also any existing
> implementation of RTC would all be impacted by this change.  With RD ORF as
> this is a new type ORF, the ORF policy would have to be explicitly defined
> so this would only effect new deployments wanting to take advantage of RD
> ORF granularity of filtering.
>

The attribute wouild be optional transitive attribute. If you do not
recognize you do not use it.

Gyan> Optional transitive attributes are expected in theory not to be
recognized by all implementations, however the optional transitive
attributes that exist today such as community and aggregator for example
are recognized by most all implementations.  So as this is an extended
community, this would be recognized by all implementations.

>
> Thx,
> R.
>
>
>
>
>
>>
>> Gyan
>>
>> On Fri, Feb 26, 2021 at 5:47 AM Robert Raszuk <robert@raszuk.net> wrote:
>>
>>> Gyan,
>>>
>>> What you said is pretty obvious I think to everyone here.
>>>
>>> But I think the point of bringing RTC into this picture was a bit
>>> different.
>>>
>>> Just imagine RTC is running between PE and RR and signals interest in
>>> set of RTs to the RR. Let's say those RTs are RT100, RT200, RT300, RT400,
>>> RT500
>>>
>>> Further imagine one VRF importing RT200 overflows on said PE with
>>> incoming (pre-import routes of RD_FOO and RT100, RT200 and RT 300).
>>>
>>> So what if now PE via RTC will simply readvertise interest to get RT200
>>> with new BGP attribute say called BLOCK_RD and lists in such attribute body
>>> Route Distinguisher of RD_FOO ?
>>>
>>> The overall mission accomplished. No need for any new ORF type. It can
>>> be even transitive if we apply a little hack and adjust the way RR will
>>> select the best path for RTC (meaning include this attribute in
>>> advertisements only if all peers sending RT200 attached it with such
>>> RD_FOO).
>>>
>>> To me this is very simply RTC extension and it seems solves this entire
>>> "problem".
>>>
>>> And no - by proposing the above I am not changing my mind that it is
>>> simply wrong network operation to even allow such problem to happen in the
>>> first place.
>>>
>>> Best,
>>> R.
>>>
>>>
>>> On Fri, Feb 26, 2021 at 4:52 AM Gyan Mishra <hayabusagsm@gmail.com>
>>> wrote:
>>>
>>>>
>>>> Hi Jeff
>>>>
>>>> Keep in mind that RTC is an optimization that does not apply to every
>>>> scenario especially in cases where all PEs have all the same VPNs defined
>>>> with explicit RT import.  The special cases were RTC does apply is for
>>>> incongruent VRFs in cases of a sparse RT distribution graph where PEs don’t
>>>> all import the same RTs.  By default all PE have RT filtering enabled by
>>>> default meaning if their is not an explicit VRF definition to match and
>>>> import the RT, the RT is dropped.  With RTC the distribution graph of what
>>>> RTs are advertised RR-PE is now optimized with RT membership, and now  only
>>>> RTs explicitly imported by the PEs are now advertised by the RR to PE for
>>>> processing.  In the case of RD-ORF, it provides a layer of needed
>>>> granularity as the RD PE originator of the flood is a subset of all the VPN
>>>> prefixes represented by the RT permitted by RTC to be advertised to the
>>>> PE.  The RD-ORF now dynamically blocks the offending PE prefixes that would
>>>> otherwise have been advertised by RTC RR to PE and accepted by the PE for
>>>> processing and added to the VRF RIB being overloaded.
>>>>
>>>>
>>>> Kind Regards
>>>>
>>>> Gyan
>>>>
>>>> On Thu, Feb 25, 2021 at 6:21 PM Aijun Wang <wangaj3@chinatelecom.cn>
>>>> wrote:
>>>>
>>>>> Hi, Jeff:
>>>>> Thanks for your suggestions!
>>>>> I think combine RTC and RD-ORF information can accomplish the fine
>>>>> control for the upstream propagation of unwanted VPN routes.
>>>>> We will also try to find other ways to achieve the same effect.
>>>>>
>>>>> Aijun Wang
>>>>> China Telecom
>>>>>
>>>>> > On Feb 25, 2021, at 22:01, Jeffrey Haas <jhaas@pfrc.org> wrote:
>>>>> >
>>>>> > Aijun,
>>>>> >
>>>>> > On Thu, Feb 25, 2021 at 12:07:49PM +0800, Aijun Wang wrote:
>>>>> >>> In the prior discussions, it was clear that remediation was trying
>>>>> to be
>>>>> >>> done on a per-RD basis.  The text in this draft seems to be a
>>>>> larger scope
>>>>> >>> than that; perhaps per VPN (and thus route-target?).  Is that your
>>>>> >>> intention?
>>>>> >> [WAJ] Yes. We are considering to add RT information to the current
>>>>> RD-ORF
>>>>> >> semantic, to identify/control the "excessive routes" in more
>>>>> granular.
>>>>> >
>>>>> > Thanks for the clarification.  That expands the scope of the original
>>>>> > discussion, but might be helpful for the solution.
>>>>> >
>>>>> >>> For a route reflector, it would require that all possible
>>>>> receivers for a
>>>>> >>> RD/RT have no interest in the routes, and that the source of the
>>>>> routes is
>>>>> >>> clearly directional.  BGP does not provide such a distribution
>>>>> graph.
>>>>> >>
>>>>> >> [WAJ] " all its downstream BGP peers can't or don't want to process
>>>>> it"
>>>>> >> means RR receives the RD-ORF messages for the same set of VPN
>>>>> routes from
>>>>> >> all of its clients. This can be achieved by RR
>>>>> >
>>>>> > For my point, consider a trivial case:
>>>>> >
>>>>> > PE1 --- RR --- PE2
>>>>> >
>>>>> > PE2 is the source of the excess routes.
>>>>> > PE1 is the impacted router.
>>>>> > RR has only PE1 and PE2 as peers.
>>>>> >
>>>>> > By your current text, RR can only do something if PE1 and PE2 say
>>>>> they're
>>>>> > not interested.
>>>>> >
>>>>> > It can be observed here that if we have exactly one peer left, we
>>>>> could
>>>>> > signal to that one peer.
>>>>> >
>>>>> > I suspect your intent is to cover situations where you can
>>>>> distinguish PE
>>>>> > routers from solely internal route distributuion infrastructure,
>>>>> such as
>>>>> > route reflectors.  So, using a slighly more interesting topology:
>>>>> >
>>>>> > PE1 --- RR1 --- RR2 --- PE2
>>>>> >
>>>>> > PE2 is the source of the excess routes.
>>>>> > PE1 is the impacted router.
>>>>> > RR1 has only PE1 as a PE device.
>>>>> >
>>>>> > If PE1 signals to RR1 that it isn't interested in the offending
>>>>> routes, RR1
>>>>> > may propagate the filter.
>>>>> >
>>>>> > The issue here is that BGP does not specifically distinguish whether
>>>>> an
>>>>> > attached BGP Speaker is a PE or not.  The protocol doesn't help you
>>>>> make
>>>>> > this determination.
>>>>> >
>>>>> >>> In a network using RT-Constrain without a default RT-Constrain
>>>>> route, such a
>>>>> >>> graph potentially exists.
>>>>> >> [WAJ] RT-Constrain can only express explicitly "what I want" and the
>>>>> >> distributed graph. It can't express explicitly "what I don't want"
>>>>> now, also
>>>>> >> the distribution-block graph. Is that right?
>>>>> >
>>>>> > That is correct.  But consider the following example:
>>>>> >
>>>>> >        PE3
>>>>> >         |
>>>>> > PE1 --- RR1 --- RR2 --- PE2
>>>>> >
>>>>> > PE2 is the source of the excess routes for VPN RT-A.
>>>>> > PE1 is the impacted router.
>>>>> > RR1 has PE1 and PE3 as attached PE routers.
>>>>> > All routers are configured to use RT-Constrain
>>>>> > PE1 and PE2 source RT-Constrain routes for RT-A.  PE3 does not.
>>>>> >
>>>>> > If PE1 signals to RR1 that it isn't interested in the offending
>>>>> routes, and
>>>>> > that signal not only includes the offending RD, but also the
>>>>> matching RTs,
>>>>> > RR1 can determine that there are no further interested receivers for
>>>>> that
>>>>> > RD+RT and propagate that to RR2.
>>>>> >
>>>>> > RT-Constrain provides the ability to figure out what the interested
>>>>> > receivers are for a VPN defined by a route-target.  This provides a
>>>>> > restricted subset of the attached routers for propagation purposes.
>>>>> >
>>>>> > -- Jeff
>>>>> >
>>>>>
>>>>> _______________________________________________
>>>>> Idr mailing list
>>>>> Idr@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/idr
>>>>>
>>>> --
>>>>
>>>> <http://www.verizon.com/>
>>>>
>>>> *Gyan Mishra*
>>>>
>>>> *Network Solutions A**rchitect *
>>>>
>>>>
>>>>
>>>> *M 301 502-134713101 Columbia Pike
>>>> <https://www.google.com/maps/search/13101+Columbia+Pike?entry=gmail&source=g> *Silver
>>>> Spring, MD
>>>>
>>>> _______________________________________________
>>>> Idr mailing list
>>>> Idr@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/idr
>>>>
>>> --
>>
>> <http://www.verizon.com/>
>>
>> *Gyan Mishra*
>>
>> *Network Solutions A**rchitect *
>>
>>
>>
>> *M 301 502-134713101 Columbia Pike
>> <https://www.google.com/maps/search/13101+Columbia+Pike?entry=gmail&source=g> *Silver
>> Spring, MD
>>
>> --

<http://www.verizon.com/>

*Gyan Mishra*

*Network Solutions A**rchitect *



*M 301 502-134713101 Columbia Pike *Silver Spring, MD

v2.14.0 | Report a Bug | By Email