IETF Logo Mail Archive

Re: [Idr] draft-wang-idr-vpn-routes-control-analysis (was Re: rd-orf problem clarification at the local level)

Gyan Mishra <hayabusagsm@gmail.com> Fri, 26 February 2021 03:52 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79DE33A08F8; Thu, 25 Feb 2021 19:52:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jkID8v3Hmk0Y; Thu, 25 Feb 2021 19:52:37 -0800 (PST)
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2563D3A08ED; Thu, 25 Feb 2021 19:52:36 -0800 (PST)
Received: by mail-pg1-x530.google.com with SMTP id p21so5420097pgl.12; Thu, 25 Feb 2021 19:52:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=g6/9OE6lysJc2jVrddOBh9dYOmN5auFK0EYXoCR6JGQ=; b=ugPGjeZvmoDsgsJwBkzDMbWikKc0iMM/VldCTF8L4NiJhKrNS9WdOgOApKwPLSeKLE 6JI+s1XxPjIvslMRUyNKzYJyKoUAhLAIBXMaAjY6Gz2rSQE8aBvo2oAEzi6/trX4cCmc ur4ri0lwoINuv7oN7kcKmitWwdpjDdMCoTiUKh/AHlyKmRPeUDebq+AV5kmtzY8MkX27 Y4qZhSAF0VwNbfOl1OcOylvvFPHddxlpCmxASKLZX51ds7xUk9kCXdnUQFtP1XgLSRl6 IbhXaRELPC4Kqu2qhYBuiVKtmZXx+IRpUSeW51EL/GVvumoFxZKugqvrQ97ujPj0GXVl Iuvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=g6/9OE6lysJc2jVrddOBh9dYOmN5auFK0EYXoCR6JGQ=; b=g7K5w4mA53cJxI5LsP+5pIB5FNzi5nDQjGQGJulAJgcCRl6JSBBFMxgG6fSsKXh+ND Nva2ZTQmATVKCZl00Wk30Am8ocotbsNtVqe7BS1aqUagJEM5zNKORDkrrZ3b8eyuRknw +y++KcXA5fbLRBU8TYjPgKlEGIk/tAIiarJQI58zcH2LiTQZzycUDjRD2LECEup1pZVO O5YMocbTFcmio3kRw5dKlqcwyZNaIgCKQCk+FXjnmeFr3tDdrIdWv0//UEzCgvhe0Vqg znJImKxaxdO7wIqEJ98HE9mJs1rNSQEYj23zSOIXkWv4h1QE/99dx2sKhzCC7y8JxU0u ug3g==
X-Gm-Message-State: AOAM531hkf3O/PwLw0s+9/A3AwZci6zywKhSry/MDwpZb1vI7WoO1lca vu1+Jomzjsc5hKr1sEH6LIps0HZf32pKxBUgGeQ=
X-Google-Smtp-Source: ABdhPJxwGcL8YPAM5wGinAQsfTDfkn9m8VguEftfjF5Trzlt7WAoh2tY19IAIx+UWp7YzVOPUQ+AhMzfxSDknJmdjSE=
X-Received: by 2002:a63:1524:: with SMTP id v36mr1074193pgl.383.1614311556423; Thu, 25 Feb 2021 19:52:36 -0800 (PST)
MIME-Version: 1.0
References: <20210225142155.GA27005@pfrc.org> <A7C19F05-DBCD-4AA8-ADC9-7F608BA9F540@chinatelecom.cn>
In-Reply-To: <A7C19F05-DBCD-4AA8-ADC9-7F608BA9F540@chinatelecom.cn>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Thu, 25 Feb 2021 22:52:25 -0500
Message-ID: <CABNhwV0EeUt-aue74xK9jAO-9MJXuj6kzNegwyC=d5o3Wd6aXA@mail.gmail.com>
To: Aijun Wang <wangaj3@chinatelecom.cn>
Cc: Jeffrey Haas <jhaas@pfrc.org>, draft-wang-idr-rd-orf@ietf.org, idr@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e0a37d05bc3532ea"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/Zg176XKty-b9GjRG9AHhL_N2Vw0>
Subject: Re: [Idr] draft-wang-idr-vpn-routes-control-analysis (was Re: rd-orf problem clarification at the local level)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Feb 2021 03:52:41 -0000

Hi Jeff

Keep in mind that RTC is an optimization that does not apply to every
scenario especially in cases where all PEs have all the same VPNs defined
with explicit RT import.  The special cases were RTC does apply is for
incongruent VRFs in cases of a sparse RT distribution graph where PEs don’t
all import the same RTs.  By default all PE have RT filtering enabled by
default meaning if their is not an explicit VRF definition to match and
import the RT, the RT is dropped.  With RTC the distribution graph of what
RTs are advertised RR-PE is now optimized with RT membership, and now  only
RTs explicitly imported by the PEs are now advertised by the RR to PE for
processing.  In the case of RD-ORF, it provides a layer of needed
granularity as the RD PE originator of the flood is a subset of all the VPN
prefixes represented by the RT permitted by RTC to be advertised to the
PE.  The RD-ORF now dynamically blocks the offending PE prefixes that would
otherwise have been advertised by RTC RR to PE and accepted by the PE for
processing and added to the VRF RIB being overloaded.


Kind Regards

Gyan

On Thu, Feb 25, 2021 at 6:21 PM Aijun Wang <wangaj3@chinatelecom.cn> wrote:

> Hi, Jeff:
> Thanks for your suggestions!
> I think combine RTC and RD-ORF information can accomplish the fine control
> for the upstream propagation of unwanted VPN routes.
> We will also try to find other ways to achieve the same effect.
>
> Aijun Wang
> China Telecom
>
> > On Feb 25, 2021, at 22:01, Jeffrey Haas <jhaas@pfrc.org> wrote:
> >
> > Aijun,
> >
> > On Thu, Feb 25, 2021 at 12:07:49PM +0800, Aijun Wang wrote:
> >>> In the prior discussions, it was clear that remediation was trying to
> be
> >>> done on a per-RD basis.  The text in this draft seems to be a larger
> scope
> >>> than that; perhaps per VPN (and thus route-target?).  Is that your
> >>> intention?
> >> [WAJ] Yes. We are considering to add RT information to the current
> RD-ORF
> >> semantic, to identify/control the "excessive routes" in more granular.
> >
> > Thanks for the clarification.  That expands the scope of the original
> > discussion, but might be helpful for the solution.
> >
> >>> For a route reflector, it would require that all possible receivers
> for a
> >>> RD/RT have no interest in the routes, and that the source of the
> routes is
> >>> clearly directional.  BGP does not provide such a distribution graph.
> >>
> >> [WAJ] " all its downstream BGP peers can't or don't want to process it"
> >> means RR receives the RD-ORF messages for the same set of VPN routes
> from
> >> all of its clients. This can be achieved by RR
> >
> > For my point, consider a trivial case:
> >
> > PE1 --- RR --- PE2
> >
> > PE2 is the source of the excess routes.
> > PE1 is the impacted router.
> > RR has only PE1 and PE2 as peers.
> >
> > By your current text, RR can only do something if PE1 and PE2 say they're
> > not interested.
> >
> > It can be observed here that if we have exactly one peer left, we could
> > signal to that one peer.
> >
> > I suspect your intent is to cover situations where you can distinguish PE
> > routers from solely internal route distributuion infrastructure, such as
> > route reflectors.  So, using a slighly more interesting topology:
> >
> > PE1 --- RR1 --- RR2 --- PE2
> >
> > PE2 is the source of the excess routes.
> > PE1 is the impacted router.
> > RR1 has only PE1 as a PE device.
> >
> > If PE1 signals to RR1 that it isn't interested in the offending routes,
> RR1
> > may propagate the filter.
> >
> > The issue here is that BGP does not specifically distinguish whether an
> > attached BGP Speaker is a PE or not.  The protocol doesn't help you make
> > this determination.
> >
> >>> In a network using RT-Constrain without a default RT-Constrain route,
> such a
> >>> graph potentially exists.
> >> [WAJ] RT-Constrain can only express explicitly "what I want" and the
> >> distributed graph. It can't express explicitly "what I don't want" now,
> also
> >> the distribution-block graph. Is that right?
> >
> > That is correct.  But consider the following example:
> >
> >        PE3
> >         |
> > PE1 --- RR1 --- RR2 --- PE2
> >
> > PE2 is the source of the excess routes for VPN RT-A.
> > PE1 is the impacted router.
> > RR1 has PE1 and PE3 as attached PE routers.
> > All routers are configured to use RT-Constrain
> > PE1 and PE2 source RT-Constrain routes for RT-A.  PE3 does not.
> >
> > If PE1 signals to RR1 that it isn't interested in the offending routes,
> and
> > that signal not only includes the offending RD, but also the matching
> RTs,
> > RR1 can determine that there are no further interested receivers for that
> > RD+RT and propagate that to RR2.
> >
> > RT-Constrain provides the ability to figure out what the interested
> > receivers are for a VPN defined by a route-target.  This provides a
> > restricted subset of the attached routers for propagation purposes.
> >
> > -- Jeff
> >
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
-- 

<http://www.verizon.com/>

*Gyan Mishra*

*Network Solutions A**rchitect *



*M 301 502-134713101 Columbia Pike *Silver Spring, MD

v2.23.0 | Report a Bug | By Email