Re: [Idr] https://tools.ietf.org/html/draft-wang-idr-rd-orf-00

Robert Raszuk <robert@raszuk.net> Thu, 16 July 2020 19:20 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A61BE3A0B25 for <idr@ietfa.amsl.com>; Thu, 16 Jul 2020 12:20:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jDDE0Xjz7rf3 for <idr@ietfa.amsl.com>; Thu, 16 Jul 2020 12:20:45 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE8203A0A24 for <idr@ietf.org>; Thu, 16 Jul 2020 12:20:44 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id z17so5587932edr.9 for <idr@ietf.org>; Thu, 16 Jul 2020 12:20:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=p5iTue04yf5m+byvIZnbGrXiatxUSMUdBpIKWhx0MWw=; b=MYkrOqaMoiojhw3ZUQScPhTgcWtTj9wZdibNg2RuJivG2QculSSDE4jUS7M1FREGam iHHHuzU/AdPwTv0b2ug2g5xOV5wxBA/k9/y5Pb1HwaZmgzApNoj46qylDeU9G1y0KdZ3 ++gYRS8g41LEo+HCjjy+dYOEqkMua0vk2ThJ9Igbr92vEOlz5If36L3KBlln26co37HH t+qddjxjYeGicOB4YUiUfx/DrxH5D249u+o7hEvjZte0Ep04FIiIAkLvZ9l/YvhhmUAD iQmVB9cxXJom7HI+gAFBl6WrjDPHvPsc3WUghtTBt6a7y8Iz4IlgqW17hV4m5xCraQGV 15Fw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=p5iTue04yf5m+byvIZnbGrXiatxUSMUdBpIKWhx0MWw=; b=VTuXQGKvC4alROi9vWyJwf3SxqcaD5xarTSNWEttysYd+3yCr/QfLqkD4EZCWWmO3y adocUPJoEhaIbj16VlANEGsLlikZP3fsxw3uQlspmDdRLV9GI/7t5k2elZc+f2uhSQfz 1kepRYo9+HDUr5H8jVfJaggdRcFJdjqM8JgHkAs9fuxgGMpdrT5ymxQk1HSM8i65KtgG HHmUo187jYD+cz8OflJN0LIwy/KuVKJq4pqAv8qfgHk8nxIZZol+e+nk3f5gWRjeJpRc 1Qp/+YRbcymYzeOWoKj2OD5NRjUUJLTRuq6Fky/ZpLALQsjbzTnQsxrWXwdY4tDRboVw lv6Q==
X-Gm-Message-State: AOAM532hIw9AvITPLre+yC8NHAwzj5mMXZabrjFLS+tCPodl9N1QRHw/ uQZtoEkf+oX2P+sb57CxtcKm733g006mqgBrE9eTVHTj
X-Google-Smtp-Source: ABdhPJw4tL6QGziDkwxL6dN3ik6HdszO0JXx4gY4Ky5MoiwbSE4e0SvKuiC3MLfJcR01BpPT8w6+se8qw5mvQ4JQo+8=
X-Received: by 2002:aa7:dd14:: with SMTP id i20mr6099422edv.41.1594927243091; Thu, 16 Jul 2020 12:20:43 -0700 (PDT)
MIME-Version: 1.0
References: <CAOj+MMH_CefbH639OVs==ts4C_7rf4W1d+pUN+Wb+im5+gNfFg@mail.gmail.com> <003c01d65b1a$777b60a0$667221e0$@tsinghua.org.cn> <CAOj+MMEBTbD9nKH8s2a4VJOCGT2itSUTZOc1tRQnOdTBHtsFeA@mail.gmail.com> <007501d65b4f$4990d1e0$dcb275a0$@chinatelecom.cn>
In-Reply-To: <007501d65b4f$4990d1e0$dcb275a0$@chinatelecom.cn>
From: Robert Raszuk <robert@raszuk.net>
Date: Thu, 16 Jul 2020 21:20:34 +0200
Message-ID: <CAOj+MMGQFcKvmYT3SXsXnXT-SQpzsjZRQtoxZhpNe2WA-TgT_A@mail.gmail.com>
To: Aijun Wang <wangaj3@chinatelecom.cn>
Cc: Aijun Wang <wangaijun@tsinghua.org.cn>, wangw36@chinatelecom.cn, "idr@ietf. org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c46f4505aa93ef7b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/bGQHR2tcAP8tBvZtyYJjwQH41Ag>
Subject: Re: [Idr] https://tools.ietf.org/html/draft-wang-idr-rd-orf-00
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jul 2020 19:20:50 -0000

Aijun,

I do understand that you want to push in RD-ORD pre import RDs. Perhaps
selecting first those which advertise the most VPN routes.

But this is so severely broken idea that I am not sure how to even
describe it. Just imagine the mess of now partially broken VPN users which
asked for full mesh and got now partially working and partially broken
mesh.

This would be also terrible to troubleshoot (even assuming that you would
refrain from RD-ORF propagation).

Bottom line - to control number of VPN routes - for years operators have
deployed prefix limit on ingress to the SP network (PE-CE edge). Once
prefix is accepted into a network it better be installed when VPN topology
requires it.

Filtering per RD is a really BAD IDEA.

Thx,
R.

On Thu, Jul 16, 2020 at 10:58 AM Aijun Wang <wangaj3@chinatelecom.cn> wrote:

> Hi, Robert:
>
>
>
> When the RD is designed as per VRF per PE, the mechanism of RD based ORF
> can also apply-------The received router needs only extract and reflect the
> most influenced RDs back to upstream router(ASBR/RR),  and then to notify
> the source of these VPN routes to control the prefixes advertisement.
>
> Actually, the above design will make the RD-ORF more accurate than the RT
> based control.
>
>
>
>
>
> Best Regards
>
>
>
> Aijun Wang
>
> China Telecom
>
>
>
>
>
>
>
> *From:* robert@raszuk.net [mailto:robert@raszuk.net]
> *Sent:* Thursday, July 16, 2020 3:06 PM
> *To:* Aijun Wang <wangaijun@tsinghua.org.cn>
> *Cc:* wangw36@chinatelecom.cn; Aijun Wang <wangaj3@chinatelecom.cn>cn>;
> idr@ietf. org <idr@ietf.org>
> *Subject:* Re: [Idr] https://tools.ietf.org/html/draft-wang-idr-rd-orf-00
>
>
>
> > It can also be used to identify the VPN customer.
>
>
>
> Sorry but no.
>
>
>
> Best practice for number of reasons is to make RD unique per VRF and not
> per VPN. We should not standardize something which is a pretty bad idea to
> start with.
>
>
>
> Kind regards,
>
> Robert
>
>
>
>
>
>
>
>
>
>
>
> On Thu, Jul 16, 2020 at 4:40 AM Aijun Wang <wangaijun@tsinghua.org.cn>
> wrote:
>
> Hi, Robert:
>
>
>
> Thanks for your reviews and comments.
>
> As you said, RD is to make the VPN prefix unique within the VPN’s domain.
> It can also be used to identify the VPN customer.
>
> The usage of RT, just as you said, is to control what routes are
> distributed where, that is to say, to control the customer’s VPN
> topology. RT can’t be used to identify one VPN customer.
>
>
>
> The scenarios/problems described in this draft(
> https://tools.ietf.org/html/draft-wang-idr-rd-orf-00) are not for the VPN
> topology control, but for the VPN prefix limit management, which is signed
> along with the agreement with the VPN customer.
>
> This is the reason that we select the RD-based ORF control mechanism.
>
>
>
> More detail reply are inline below. Wish to get more your
> comments/suggestions on them.
>
>
>
> Thanks in advance.
>
>
>
> Best Regards
>
>
>
> Aijun Wang
>
> China Telecom
>
>
>
> *From:* idr-bounces@ietf.org [mailto:idr-bounces@ietf.org] *On Behalf Of *Robert
> Raszuk
> *Sent:* Thursday, July 16, 2020 2:26 AM
> *To:* wangw36@chinatelecom.cn; Aijun Wang <wangaj3@chinatelecom.cn>
> *Cc:* idr@ietf. org <idr@ietf.org>
> *Subject:* [Idr] https://tools.ietf.org/html/draft-wang-idr-rd-orf-00
>
>
>
> Dear Aijun & Wei,
>
>
>
> I have read your draft as per subject.
>
>
>
> I think there is a serious misunderstanding on what RD's role is
> in RFC4364.
>
>
>
> RDs MUST never be used to signal anything which would in any way influence
> what routes are distributed where. Their sole role is to make the VPN
> prefix unique across given VPN's domain.
>
> 【WAJ】RD can be used to identify one VPN customer
>
>
>
> It is RTs which are used to import routes to VRFs on PEs. What you are
> trying to do is exactly why we have defined some time back RTC (RFC4684).
> Applications from section 5.1 and 5.2 can be happily addressed with use of
> RTC.
>
> 【WAJ】RT is used to control VPN topology, same as the mechanism of
> RTC(4684). But the application described in section 5.1 and 5.2 of this
> draft is not for VPN topology control, but for VPN route-limit management,
> which is based on customer/RD.
>
>
>
> Informationally let me also point out that RFC7543 has defined extensions
> to ORF to signal RTs for reducing size VPN RIBs in specific Hub & Spoke
> topologies.
>
> 【WAJ】RFC7543 is to pull the prefix that cover one specific host address,
> to get the more optimal route information from the Hub, not the same
> scenarios as described in the current draft.
>
>
>
> Last your proposal calls for treating ORF as a transitive message without
> any loop protection. That is not a good idea.
>
> 【WAJ】ORF messages are exchanged within only the directed BGP sessions.
> Such Messages will be regenerated when it is needed to send to another BGP
> peer.  Would you like to describe more for the loop scenarios?
>
>
>
> I recommend to protect your PEs from being overwhelmed by VPN routes by
> prefix limit instead.
>
> 【WAJ】Prefix Limit mechanism can be used for Option –A, but not for Option
> B/C, as that described in the draft.
>
>
>
> Kind regards,
>
> R.
>
>
>
> PS. Did we have any discussion in IDR or BESS on this proposal ?
>
>
>
>