Re: [Idr] https://tools.ietf.org/html/draft-wang-idr-rd-orf-00
Robert Raszuk <robert@raszuk.net> Mon, 20 July 2020 09:26 UTC
Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 079173A03F2 for <idr@ietfa.amsl.com>; Mon, 20 Jul 2020 02:26:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_FACE_BAD=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cno9tUpU6TwI for <idr@ietfa.amsl.com>; Mon, 20 Jul 2020 02:26:20 -0700 (PDT)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B5BF3A03F4 for <idr@ietf.org>; Mon, 20 Jul 2020 02:26:20 -0700 (PDT)
Received: by mail-ej1-x631.google.com with SMTP id w6so17302347ejq.6 for <idr@ietf.org>; Mon, 20 Jul 2020 02:26:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=g/T4WUqXQ1kiEVls7q1+lI4C6csOiotkyV/Ujvz31sU=; b=MVwAcClCcIbKEvRMqvgif+Fj4IRYOOAz7eIy11gto0/SZWPXCclwHvqer2jm+ZhLjd KPH8Mj6LDCIdq3s1+/ilf11jPhzvwVzBmHiMwi7vLoa3kmZ/Ts1sWIviSbSXqQy+6TbC pDdhrB+Qziul3SYCRS5JDAVzOlmbv33snH7x+GSg7DHyZYO0QzuFMb8NrppId8hkRkks Cztg9wc7vGMCTjxHdRfFrNIJioHQP5/niM3zlDKd2iDJPYfzAxQeZAAun89kPC9muI+p XA1YG8JQaHMkyMzO8inuSTLQ3lN1+IKylYH+8ABk2SJb9ITQfb8sZrqqO5sSc6l4OKB+ ZUlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=g/T4WUqXQ1kiEVls7q1+lI4C6csOiotkyV/Ujvz31sU=; b=DMEB9ULsWmAzgaLL12SGI8WCqWvpbtJoZx38W39TkCoxpvc5FimO1aVYCOYZT52rKB hPpzTCsjNBJlOtxkw1VQ94ggoQ9kfK8N7zDXOjSMnHQoGImifLb87faYVi4ybr9JSzyN wekNrNVjN59gy5TOpTnq8DkIMmRmZt6MFDAQSjt3zN60psh4hB8EvAEeVLys2vqW4lBM +Zrg0HtYXys8Bklp0nt2+t2+9Swo5KLUaAu6q3ExF22BdkLc3A6jr1AU0LtpkPwQJ/0X xWDg5sSCKI0xXblTdCy/5RU4p2+wDlDQ6LFnS8WKrG9MZURm9YQO72FhFETUUikUDJhJ IKPQ==
X-Gm-Message-State: AOAM532Y1Pul00M1FsRyC4qUsqrg2hQ8pzQqSx3B6/elF+t7/ImyBqZ0 E2Q5v3RQzzvu8BZXpEEU8naAhUG8JvuhHNZxalbTWw==
X-Google-Smtp-Source: ABdhPJytmsm7YI08z+7zAOhgvVfxEw+GLjxqKr/To0qSwQ/AbtkZQn27NCi6OGpCUFT2hFhowRRAl5ufCiPp+lQVqv4=
X-Received: by 2002:a17:906:414c:: with SMTP id l12mr20828247ejk.417.1595237178774; Mon, 20 Jul 2020 02:26:18 -0700 (PDT)
MIME-Version: 1.0
References: <CAOj+MMH_CefbH639OVs==ts4C_7rf4W1d+pUN+Wb+im5+gNfFg@mail.gmail.com> <003c01d65b1a$777b60a0$667221e0$@tsinghua.org.cn> <CAOj+MMEBTbD9nKH8s2a4VJOCGT2itSUTZOc1tRQnOdTBHtsFeA@mail.gmail.com> <007501d65b4f$4990d1e0$dcb275a0$@chinatelecom.cn> <CAOj+MMGQFcKvmYT3SXsXnXT-SQpzsjZRQtoxZhpNe2WA-TgT_A@mail.gmail.com> <BYAPR11MB3207E4C80AE4563F3A8AD0C1C07F0@BYAPR11MB3207.namprd11.prod.outlook.com> <CAOj+MMG4Bw5sKE4WRRG5cssqGAgqP_jX+NaJ6_OnDhdPM5rTuA@mail.gmail.com> <BYAPR11MB3207B46C0198DD2836778EF0C07F0@BYAPR11MB3207.namprd11.prod.outlook.com> <000501d65bf5$6bbe7f50$433b7df0$@tsinghua.org.cn> <CAOj+MMFt=GbL7f7s7mxHD7R1QVQjm+ktvJeUVWY3DZZ3Q69Zng@mail.gmail.com> <000001d65e5e$9c45df90$d4d19eb0$@tsinghua.org.cn>
In-Reply-To: <000001d65e5e$9c45df90$d4d19eb0$@tsinghua.org.cn>
From: Robert Raszuk <robert@raszuk.net>
Date: Mon, 20 Jul 2020 11:26:09 +0200
Message-ID: <CAOj+MMHB9E+zc0NwKjnm0Vt-CiviuUyQWZiFkTjaOxhEKng_VQ@mail.gmail.com>
To: Aijun Wang <wangaijun@tsinghua.org.cn>
Cc: "Jakob Heitz (jheitz)" <jheitz=40cisco.com@dmarc.ietf.org>, Jeff Tantsura <jefftant.ietf@gmail.com>, "idr@ietf. org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005faf4f05aadc194b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/ZHrBbJpF9L-8W4lk-sgxFD1HQzM>
Subject: Re: [Idr] https://tools.ietf.org/html/draft-wang-idr-rd-orf-00
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2020 09:26:25 -0000
Aijun, Cisco implemented Prefix ORF for SAFI1. We are talking about using it for SAFI 128. So whatever any vendor is shipping today just does not matter. > But in actual usage of the “Address Prefix ORF”, the RD is often be ignored. Not correct. > *[WAJ] *NO, The above procedures actually speak out that the RD is passed/ignored when compared. That is not the way I read this text. *> [WAJ] *No, the operator needs not intervene this process, Then I think we are done with this proposal right here. No one will agree to make ORF to become a transitive message. With or without policies. Note appling any policies on IBGP is a different problem on its own. Thank you, R. On Mon, Jul 20, 2020 at 8:25 AM Aijun Wang <wangaijun@tsinghua.org.cn> wrote: > Hi, Robert: > > > > The semantic encoding of “Address Prefix ORF(RFC5292)” can cover the > proposed “RD-ORF”, but their usages is different. > > For the usage of “Address Prefix ORF”, please refer to > https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-mt/irg-15-mt-book/irg-oubound-route-filtering.pdf > , the device needs to configure the prefix list that used to notify the > ORF peer. The prefix list itself does not include RD. > > > > For RD-ORF, the sender needs not do such configuration, and it can’t > decide the RD info in advance that leads to the overwhelmed VPN table. > > Defining the new RD-ORF type can make the route filter policy more > distinctly. > > > > Other detail reply are inline below.【WAJ】 > > > > > > Best Regards > > > > Aijun Wang > > China Telecom > > > > *From:* Robert Raszuk [mailto:robert@raszuk.net] > *Sent:* Friday, July 17, 2020 5:43 PM > *To:* Aijun Wang <wangaijun@tsinghua.org.cn> > *Cc:* Jakob Heitz (jheitz) <jheitz=40cisco.com@dmarc.ietf.org>; Jeff > Tantsura <jefftant.ietf@gmail.com>; Aijun Wang <wangaj3@chinatelecom.cn>; > idr@ietf. org <idr@ietf.org> > *Subject:* Re: [Idr] https://tools.ietf.org/html/draft-wang-idr-rd-orf-00 > > > > Hi Aijun, > > > > From our POV, the user of the address-prefix ORF will pay more attention > to the prefix itself > > > > First the "user" is the implementation ... hope you are not expecting real > operator to inject such ORF entries when "overflow" happens. > > > > Let's also observe that In L3VPNs_PREFIX = RD + IPv4_PREFIX > > > > *[WAJ] *In semantic encoding, it seems true. But in actual usage of the > “Address Prefix ORF”, the RD is often be ignored. In RFC7543, we can > also see the context as “ignoring the Route Distinguisher……” in section > 3 “Processing Rules” https://tools.ietf.org/html/rfc7543#section-3 > > > > For example, we can refer to https://tools.ietf.org/html/rfc7543 > (Covering Prefixes Outbound Route Filter for BGP-4), the minLen, maxLen > and host address encoding do not include the RD(when comparing the received > route, the receiver needs to add 64 to minLen/maxLen) > > > > Incorrect. > > > > The RFC says: > > > > o the route prefix length is greater than or equal to the CP-ORF > > Minlen plus 64 (i.e., the length of a VPN Route Distinguisher); > > > > Note: ==equal== So that means that at least RD must be compared. > > *[WAJ] *NO, The above procedures actually speak out that the RD is > passed/ignored when compared. > > > > Actually, the RD-ORF message will be regenerated between every BGP > session, not propagate directly back to the upstream, as that done in BGP > Update messages. > > Then, every regeneration point(RR/ASBR) can control whether or not send > the newly generated RD-ORF to the upstream. In scenarios that when not all > of PEs are overwhelmed by routes from this specified VPN, the RR/ASBR can > constraint the sending of the RD-ORF policy to the source. > > > > "Regeneration" follows propagation. This is exactly why we defined RTC so > all loop free properties are still met. ORF is point to point. > > > > Or do you mean that when RR receives the RD-ORF from sending PE it will > not propagate till an operator pushes a new configuration to propagate this > further. If so have you even considered timing of those events ? > > *[WAJ] *No, the operator needs not intervene this process, but the RR > can have its policy to send out or not the received RD-ORF messages. > > > > > > The edge between CE and PE is one control point to restrict the prefixes > number, but we can’t rely solely on it, especially in the > Option-B/Option-C interconnection scenario. > > Using RD-ORF mechanism, we can prevent the overwhelmed VPN prefixes in one > AS to influence PEs in another AS, and also the PEs within same AS(when > they exchange routes via RR) > > The reason for the occurrences of overwhelmed VPN prefixes may be > misconfiguration on one PE, or being attacked from the outside of network, > or other unforeseeable events. > > > > > > ORF means installing additional route filter outbound from a BGP speaker > as instructed by the peer. > > > > I do not see how any Option-B or worse Option-C peer will allow different > AS to push some VPN prefix filter on his infrastructure. Unless both are > under the same administration - but then you can use prefix limit. > > *[WAJ] *Even under the same administration, we can’t depend on the > prefix limit, because the ASBR/RR has no specific VRF route table. > > Again I do not support your assertion that RD is more granular then RT for > this purpose. It all depends how given operator designed the RT and/or RD > allocations. > > *[WAJ] *Whatever the design of RD/RT, the RD is unique to one VRF, but RT > is not. > > > > As mentioned for a given VPN importing VRF copies prefixes and > *ovverrides* incoming RD with local one. So just think what happens if that > specific VRF "overflows" but there is many sources of original pre-import > routes all with different RDs. > > *[WAJ] * The overwhelmed PE should determines which RD or RDs leads to > its overflow and send the specific RD-ORF message accordingly > > > > If anything in this space I would rather see us perhaps trying to automate > prefix limit per RT (in this case it would be export RTs carried with the > routes not import RTs). > > *[WAJ] *Prefix Limit mechanism can’t be used in Option B/C inter-AS > scenarios > > > > Thx, > R. >
- [Idr] https://tools.ietf.org/html/draft-wang-idr-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… UTTARO, JAMES
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Jakob Heitz (jheitz)
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Jakob Heitz (jheitz)
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Jeff Tantsura
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… UTTARO, JAMES
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Jakob Heitz (jheitz)
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Jakob Heitz (jheitz)
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Robert Raszuk
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… UTTARO, JAMES
- Re: [Idr] https://tools.ietf.org/html/draft-wang-… Aijun Wang