Re: [Idr] I-D Action: draft-sas-idr-maxprefix-inbound-02.txt

[Robert Raszuk <robert@raszuk.net>]

Jakob,

Spot on.

That is why I mentioned that the very same max-prefix when applied
pre-policy vs post-policy can have a different value.

But I guess this is implementation thing not so much an IETF draft one.

Thx,
R.

On Wed, May 12, 2021 at 11:26 PM Jakob Heitz (jheitz) <jheitz@cisco.com>
wrote:

> The reason to terminate the session is illustrated in:
>
>
> https://datatracker.ietf.org/meeting/104/materials/slides-104-grow-bgp-maximum-prefix-limits-00
>
>
>
> Suppose you have a customer whose prefix advertisements vary somewhat,
>
> so you give him a decent margin. Suppose you set max-prefix to 1000
>
> and on a fateful day he advertises 200 prefixes.
>
> You have some good inbound filters for him, but not perfect, again,
>
> because the prefixes he advertises vary somewhat.
>
> Now, on this day, he leaks the internet to you and you manage to filter
> most of it out,
>
> but several routes sneak past your filter and leak.
>
> Those that sneak past your filter are not enough to trip your max-prefix
> of 1000.
>
> If you have a pre-policy max-prefix of, say, 10000, that will easily catch
> the leak
>
> and you could terminate the session to stop the leak.
>
>
>
> Regards,
>
> Jakob.
>
>
>
> *From:* Idr <idr-bounces@ietf.org> *On Behalf Of * Gyan Mishra
> *Sent:* Wednesday, May 12, 2021 12:20 AM
> *To:* Melchior Aelmans <melchior@aelmans.eu>
> *Cc:* idr@ietf. org <idr@ietf.org>; Melchior Aelmans <maelmans@juniper.net>;
> Robert Raszuk <robert@raszuk.net>
> *Subject:* Re: [Idr] I-D Action: draft-sas-idr-maxprefix-inbound-02.txt
>
>
>
>
>
> After thinking about it I agree that that the prefix pre and post can
> definitely be different.  The pre policy is a copy of the adj-rib-in stored
> separately in memory so the limit values can definitely be different. In
> such case as the pre policy is pre inbound filter so it can have a very
> high water mark for maximum prefix, and the post policy would have the
> maximum prefix exact value to trigger the neighbor being clamped down. In
> general the trigger event peer being clamped down would happen on the post
> policy adj-rib-in as that value would always be lower then the pre policy
> adj-rib-in.  In that respect thought I can’t see a scenario where the pre
> policy maximum prefix would take down the peer over the post policy maximum
> prefix.  That being said I am not sure we really need a pre policy maximum
> prefix.
>
>
>
> I understand the reason behind it to save on memory copy of tbt ash-rib-in
> but I don’t think the action that the peer must be taken down if pre policy
> maximum is exceeded if the post policy is not exceeded.  The post policy
> the control plane rib is programmed into hardware for forwarding so there
> is more impact to resources both control and data plane for post policy as
> opposed to pre policy is control plane copy and also is not advertised to
> other peers as well as are pre policy prefixes.  Much less impact if pre
> policy is exceeded.
>
>
>
> I think the case where a peer advertisement went from 100k to 2M and the
> pre policy was set to
>
> 1M and the post policy was set to 100k and 100k was received in this case
> if it was a Must to clamp down the peer due to pre policy being exceeded
> where post policy was not exceeded  I don’t think that’s a good idea as is
> impacting.  I think for pre policy maybe only a warning should be allowed
> but not clamping down the peer.
>
>
>
> Gyan
>
>
>
>
>
> On Tue, May 11, 2021 at 12:13 PM Melchior Aelmans <melchior@aelmans.eu>
> wrote:
>
> Ack Robert, thanks for confirming.
>
>
>
> Cheers,
>
> Melchior
>
>
>
> On Tue, May 11, 2021 at 3:51 PM Robert Raszuk <robert@raszuk.net> wrote:
>
> Hi Melchior,
>
>
>
> After rethinking this I think the current text in the draft is ok.
>
>
>
> It is after all optional cfg and if vendor supports both pre and post
> policy max-prefix limit inbound the configured numbers may not need to be
> identical.
>
>
>
> Thx,
>
> R.
>
>
>
>
>
> On Tue, May 11, 2021 at 3:22 PM Melchior Aelmans <melchior@aelmans.eu>
> wrote:
>
> Hi Robert, all,
>
>
>
> First of all thanks for your feedback!
>
>
>
> The part we are confused about is that soft-reconfiguration inbound is a
> Cisco command to enable adj-RIB-In which then stores all the received
> routes. On Juniper and OpenBGPd (and possibly other implementations as
> well) adj-RIB-In is enabled by default and protected by a maximum-prefix
> limit inbound.
>
> Could you please elaborate on what you are exactly trying to describe and
> as Job suggested make suggestions for text adjustments?
>
>
>
> Thanks!
> Melchior
>
>
>
> On Thu, Apr 15, 2021 at 4:36 PM Robert Raszuk <robert@raszuk.net> wrote:
>
> Hi Job,
>
>
>
> The distinction between Per and Post policy is clear.
>
>
>
> Inbound Prefix Limit may (depending on implementation) apply to either or
> both of those processing stages.
>
>
>
> The observation I am trying to make is that IMHO soft in is not really a
> Pre Policy in a sense that you must not apply Prefix Limit to it. Otherwise
> the entire idea of soft-in becomes questionable.
>
>
>
> To me perhaps the proper way to visualize it is actually to divide Pre
> Policy into two blocks - ALL Prefixes and Pre-Policy Prefix-Limited. All
> Prefixes block would occur only when soft in is enabled. Otherwise some may
> expect or request to apply Inbound Prefix Limit before routes are stored
> when soft reconfiguration inbound is enabled.
>
>
>
> Or perhaps you actually want to do that sort of breaking that knob ?
>
>
>
> Many thx,
>
> R.
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Thu, Apr 15, 2021 at 4:10 PM Job Snijders <job@fastly.com> wrote:
>
> Dear Robert,
>
> On Thu, Apr 15, 2021 at 02:16:12PM +0200, Robert Raszuk wrote:
> > I think I have one question or suggestion.
>
> Your review is appreciated!
>
> > As you all know some implementations allow you to explicitly force BGP
> > speaker to keep (pre-policy) all routes/paths received.
> >
> > Example:
> >
> > neighbor 192.168.1.1 soft-reconfiguration inbound
> >
> > The draft does not seem to comment on this case yet if implementation
> > maintains the above behaviour at least some of the justifications for
> > the document is gone.
>
> Interesting, the draft's objective is to clarify that inbound limits can
> be applied at multiple stages of the pipeline (pre and post policy), not
> all Network Operating Systems appear to offer this (operationally
> speaking much needed) granularity, and through this draft we hope to
> clarify to implementers that it is something worth considering to add.
>
> > I think that draft should at least mention such behaviour, not force to
> > change it however put some light that if
> > configured by the operator some of the benefits of inbound prefix limit
> > will not be fully effective.
>
> What you call 'soft-reconfiguration inbound' ends up storing into what
> the draft refers to as 'Pre Policy'. (At least... that is the intention,
> it is possible the text is readable to us but not easy to understand for
> others)
>
> Do you have specific text in mind to add to the draft to clarify this?
>
> Kind regards,
>
> Job
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>
> --
>
> <http://www.verizon.com/>
>
> *Gyan Mishra*
>
> *Network Solutions Architect *
>
> *Email gyan.s.mishra@verizon.com <gyan.s.mishra@verizon.com>*
>
> *M 301 502-1347*
>
>
>