Re: [Idr] New Version Notification for draft-wang-idr-rd-orf-03.txt

[Aijun Wang <wangaijun@tsinghua.org.cn>]

Hi, Sergey:
The main purpose of this draft is to prevent the overwhelmed VRF in one PE influence the communications of other VRFs in the same PE.
The PE should do the analysis work in advance continuously. Once one of its VRF is overflow, it should find the source of the overwhelming VPN routes immediately, build and send upstream the RD-ORF message. 
The following BGP updates that match this RD-ORF filter will not be received by the PE then.
This PE can still receive the BGP updates for other VPNs or the same VPN but from different RD/Source Router.

Aijun Wang
China Telecom

> On Aug 28, 2020, at 11:51, Fomin, Sergey (Nokia - US/Mountain View) <sergey.fomin@nokia.com> wrote:
> 
> 
> Hi Aijun Wang,
>  
> > [WAJ] Yes, RD-ORF can also be used within the device, but push the policy to its upstream peer or final to the overwhelming source is better.
> I’m still struggling to understand how.
>  
> Even if we disregard all other protection mechanisms, etc, and even if we assume that indeed this highly specific scenario happens in your network, we get a situation where, based on your comments [use cases in the draft are slightly different, though]:
> that poor PE device struggles to parse newly arriving updates (insufficient CPU? Memory? FIB?)

> at the same time, instead of cheap local actions:
> it should parse all these updates
> do some math trying to figure out what set of routes should be discarded
>                                                     i.     which could end up being a completely different set of existing routes, since the PE is still parsing arriving updates, and we don’t know how routes are distributed across PE/RDs
> generate & signal RD-ORF entry to a peer
> wait for withdrawal of those NLRIs (more processing!)..
> What we are trying to save here?
> --
> Sergey
>  
> From: Aijun Wang <wangaijun@tsinghua.org.cn> 
> Sent: Thursday, August 27, 2020 5:52 PM
> To: 'Robert Raszuk' <robert@raszuk.net>
> Cc: Fomin, Sergey (Nokia - US/Mountain View) <sergey.fomin@nokia.com>; 'idr' <idr@ietf.org>
> Subject: RE: [Idr] New Version Notification for draft-wang-idr-rd-orf-03.txt
>  
> Hi, Robert:
>  
> From: Robert Raszuk [mailto:robert@raszuk.net] 
> Sent: Thursday, August 27, 2020 4:47 PM
> To: Aijun Wang <wangaijun@tsinghua.org.cn>
> Cc: Fomin, Sergey (Nokia - US/Mountain View) <sergey.fomin@nokia.com>; idr <idr@ietf.org>
> Subject: Re: [Idr] New Version Notification for draft-wang-idr-rd-orf-03.txt
>  
>  
> > doesn’t release the overwhelming PE from parsing the overloaded BGP updates  
>  
> No. 
>  
> By day one design L3VPNs or L2VPNs are overloading all PEs to parse and drop all BGP updates which do not carry routes containing at least one intersecting RT.
> [WAJ]  But until now, various filter policies for the unnecessary BGP updates has been added, do you agree?
>  
> Often amount of such drops are 100s of thousands or millions at full BGP refresh. If you want to question that I think you either stop using L3VPN service or use RTC by default. Please observe that it was never the issue with any BGP implementations I am familiar with,. Drops are cheap operation. 
>  
> If you want to locally drop based on the RD is it equally cheap (or even cheaper operation) then dropping based on RT as RD is part of the NLRI so you do not even need to parse entire UPDATE msg. Your vendor can implement it for you. There is no need for any bgp best path calculation in such situation.
> [WAJ] Yes, RD-ORF can also be used within the device, but push the policy to its upstream peer or final to the overwhelming source is better.
>  
>  
> Thx,
> R.
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
> On Thu, Aug 27, 2020 at 3:17 AM Aijun Wang <wangaijun@tsinghua.org.cn> wrote:
> Hi, Sergey and Robert:
>  
> Local discard based on vrf-limit or other mechanism doesn’t release the overwhelming PE from parsing the overloaded BGP updates and BGP best path algorithm,  
> Implementing the RD-based filter policy internal is possible but why not advertise it further to the upstream neighbor, which conforms to the aim and procedures of established ORF mechanism?
>  
> Don’t’ you think that based on RD-ORF control mechanism,  inter-AS option B, C and AB can all be safely deployed within inter-domain scenarios, not only for the M&A or between ASes that under the same admin, especially for the non-mpls environment?
>  
> More detail responses are inline.
>  
>  
> Best Regards
>  
> Aijun Wang
> China Telecom
>  
> From: idr-bounces@ietf.org [mailto:idr-bounces@ietf.org] On Behalf Of Fomin, Sergey (Nokia - US/Mountain View)
> Sent: Thursday, August 27, 2020 4:34 AM
> To: Robert Raszuk <robert@raszuk.net>
> Cc: idr <idr@ietf.org>
> Subject: Re: [Idr] New Version Notification for draft-wang-idr-rd-orf-03.txt
>  
> Thanks Robert,
>  
> Indeed I should’ve been more precise on the vrf-limit implementation wording as in vrf rib vs mp-bgp rib.
> Strictly speaking, one may choose to do an implementation in which all non-imported routes are discarded from adj-rib-in/loc-rib (i.e. treat the limit as logical part of an import-policy), though this doesn’t make much sense in 99.9% of cases.
>  
> Agree with the rest of the points.
> --
> Sergey
>  
> From: Robert Raszuk <robert@raszuk.net> 
> Sent: Wednesday, August 26, 2020 12:58 AM
> To: Wei Wang <weiwang94@foxmail.com>
> Cc: Fomin, Sergey (Nokia - US/Mountain View) <sergey.fomin@nokia.com>; wangw36@chinatelecom.cn; idr <idr@ietf.org>; UTTARO, JAMES <ju1738@att.com>
> Subject: Re: [Idr] New Version Notification for draft-wang-idr-rd-orf-03.txt
>  
> Allow me to clarify a few things here. 
>  
> VRF-LIMIT does not and should not discard routes. It only stops import and logs the exceeded message. The route is still in VPNv4 table. Best path indeed is needed in the vpnv4 table. 
>  
> PREFIX-LIMIT does drop the routes and can bring down the session. Best path is not executed. This is very cheap operation. Btw - by 
> default PE only accepts routes carrying RTs matching at least one local import anyway. 
>  
> - - - 
>  
> In this entire thread no one explained in technical terms why use of prefix limit on the customer <--> service provider boundary is not sufficient to prevent from the issues this work seems to be targeting. The only explanation given that this is one way and why not to invent yet another way. That explanation is not sufficient. 
> [WAJ] RD-ORF mechanism is mainly for option B/C or AB, can also be used within one domain that enhance the internal anti-attack capabilities.
>  
> I see that some may think that maybe there is one weak PE among 100 of powerful PEs and such weak PE should not be receiving all routes. Well if this is the case this is an operational mistake and not something we should address with any protocol extension. In L2 or L3 VPNs number of routes (IP prefixes or MACs) should be bounded and well known allowing to plan the deployments well. If an operator is missing that critical operational state that is pretty bad. 
> [WAJ] RD-ORF from the weak PE will not influence other PEs, as this messages is sent independently via PE，RR or ASBR, as stated in the updated version of this draft.
>  
> As far as reachability IMO 0% reachability is much better then random 50% for a given VPN customer. When you have no reachability it is very easy to troubleshoot. When you have partial reachability it is a nightmare with current tools we have. 
> [WAJ] The reason to constraint the VRF routes based on RD & Source Router info, not the entire routes within one VRF, is to limit the influences only to the overwhelming PE.  Or else, the communication among the PEs within one VRF will all be stopped.
> Isn’t it better to stop only the communication between the overwhelmed PE and overwhelming PE in such situation?
> For troubleshoot, don’t’ you agree RD-ORF give the clues to find the reason?  We don’t’ discard the routes in silence.    
>  
> Thx,
> R.
>  
> Thx,
> R.
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
> On Wed, Aug 26, 2020 at 4:11 AM Wei Wang <weiwang94@foxmail.com> wrote:
> Hi Sergey,
>  
> Before route discarding, the router must parse the BGP updates, perform BGP best path algorithm. These processes will cost CPU cycles and further burden the overflowing PE.  Flitering these updates at the sender side can ease such process, this is the same aim as other ORF mechanism.
>  
> Best Regards,
>  
> Wei Wang
> China Telecom
>  
> ------------------ Original ------------------
> From: "Fomin, Sergey (Nokia - US/Mountain View)" <sergey.fomin@nokia.com>;
> Date: Wed, Aug 26, 2020 04:57 AM
> To: "wangw36@chinatelecom.cn"<wangw36@chinatelecom.cn>;
> Cc: "idr"<idr@ietf.org>;"UTTARO, JAMES"<ju1738@att.com>;
> Subject: Re: [Idr] New Version Notification for draft-wang-idr-rd-orf-03.txt
>  
> Hi Wei Wang,
>  
> >> But the soft actions cannot reduce the burden of PE. 
> >> Because for the overflow PE, a local-only discard mechanism can't make it better. If it receive more VPN routes continuously, it must waste more resources to log them.
> Probably we look at this from different perspectives, could you please clarify what exact burden and resources are we talking about?
>  
> In my view, route discard is a cheap operation in terms of CPU cycles, and discarded routes use no RIB or FIB resources.
>  
> --
> Sergey
>  
> From: wangw36@chinatelecom.cn <wangw36@chinatelecom.cn> 
> Sent: Monday, August 24, 2020 7:12 PM
> To: UTTARO, JAMES <ju1738@att.com>; Fomin, Sergey (Nokia - US/Mountain View) <sergey.fomin@nokia.com>
> Cc: idr <idr@ietf.org>
> Subject: Re: RE: [Idr] New Version Notification for draft-wang-idr-rd-orf-03.txt
>  
> Hi Sergey and Jim,
>  
> Thanks for your review. Please see comments in-line.
>  
> Best Regards,
>  
> Wei Wang
> China Telecom
>  
> wangw36@chinatelecom.cn  
>  
> From: UTTARO, JAMES
> Date: 2020-08-25 05:43
> To: Fomin, Sergey (Nokia - US/Mountain View); wangw36@chinatelecom.cn
> CC: idr
> Subject: RE: [Idr] New Version Notification for draft-wang-idr-rd-orf-03.txt
> Comments In-Line.
>  
> Thanks,
>               Jim Uttaro
>  
> From: Idr <idr-bounces@ietf.org> On Behalf Of Fomin, Sergey (Nokia - US/Mountain View)
> Sent: Monday, August 24, 2020 4:28 PM
> To: wangw36@chinatelecom.cn
> Cc: idr <idr@ietf.org>
> Subject: Re: [Idr] New Version Notification for draft-wang-idr-rd-orf-03.txt
>  
> Hi Wei Wang,
>  
> From your description of existing solutions:
>  
> >   4) Configure the Maximum Prefix for each VRF on edge nodes
> >
> >   When a VRF overflows, PE will break down the BGP session with RR
> >   according to the Maximum Prefix mechanism.  However, there may have
> >   several VRFs on PE rely on the PE-RR session, this mechanism will
> >   influence other VRFs.
> This is not correct. A good implementation of _per-vrf prefix-limit_ does not mandate MP-BGP session teardown, it allows to use soft actions instead, such as discard routes + log.
> [Jim U>] Yup.. That is the way my implementations work.. The goal is to ensure maximum correctness of a given VPN. Tearing down the PE-RR session is killing a fly with a sledge hammer..
> [Wei Wang] But the soft actions cannot reduce the burden of PE.
>  
> Additionally, if you insist that a local-only discard mechanism is not good enough (why?)
> [Wei Wang] Because for the overflow PE, a local-only discard mechanism can't make it better. If it receive more VPN routes continuously, it must waste more resources to log them.
>  and you want to prevent route advertisement(s) from an RR/remote PE for a specific VRF, it is hard to see real-world benefits of the proposed solution vs, for example, extra logic on top of RTC (i.e. if you implement a feature "withdraw an RTC route after FIB/memory utilization reaches 95%").
> [Wei Wang] Yes, VRF with 0% reachability may be achieved in this way.
>  Yes, RD-ORF might be a bit more granular in such case, but does it bring any benefit? VRF with 50% reachability or VRF with 0% reachability from a given PE are both examples of unintended network state (and the earlier could be worse) that requires intervention.
> [Wei Wang] In my opinion, VRF with 50% reachability may be able to keep part of user traffic normal. It is better than VRF with 0% reachability.
>  
> --
> Sergey
>  
> From: Idr <idr-bounces@ietf.org> On Behalf Of wangw36@chinatelecom.cn
> Sent: Sunday, August 23, 2020 6:51 PM
> To: idr <idr@ietf.org>
> Subject: Re: [Idr] New Version Notification for draft-wang-idr-rd-orf-03.txt
>  
> Hi IDR experts,
>  
> Based on the previous discussion, we update our draft as follows:
> ·       the description of the limitations of existing solutions is added
> ·       clarifying that the operation process of RD-ORF on each device is independent
> ·       modifying the withdraw mechanism of RD-ORF
>     Any comments are welcome.
>  
> Best Regards.
>  
>  
> Wei Wang
> China Telecom
>  
> wangw36@chinatelecom.cn
>  
> From: internet-drafts
> Date: 2020-08-24 09:43
> To: Haibo Wang; Gyan S. Mishra; Wei Wang; Aijun Wang; Shunwan Zhuang; Jie Dong; Gyan Mishra
> Subject: New Version Notification for draft-wang-idr-rd-orf-03.txt
>  
> A new version of I-D, draft-wang-idr-rd-orf-03.txt
> has been successfully submitted by Wei Wang and posted to the
> IETF repository.
>  
> Name: draft-wang-idr-rd-orf
> Revision: 03
> Title: Route Distinguisher Outbound Route Filter (RD-ORF) for BGP-4
> Document date: 2020-08-24
> Group: Individual Submission
> Pages: 14
> URL:           https://www.ietf.org/internet-drafts/draft-wang-idr-rd-orf-03.txt
> Status:        https://datatracker.ietf.org/doc/draft-wang-idr-rd-orf/
> Htmlized:      https://tools.ietf.org/html/draft-wang-idr-rd-orf-03
> Htmlized:      https://datatracker.ietf.org/doc/html/draft-wang-idr-rd-orf
> Diff:          https://www.ietf.org/rfcdiff?url2=draft-wang-idr-rd-orf-03
>  
> Abstract:
>    This draft defines a new Outbound Route Filter (ORF) type, called the
>    Route Distinguisher ORF (RD-ORF).  RD-ORF is applicable when the
>    routers do not exchange VPN routing information directly (e.g.
>    routers in single-domain connect via Route Reflector, or routers in
>    Option B/Option AB/Option C cross-domain scenario).
>  
>                                                                                 
>  
>  
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>  
> The IETF Secretariat
>  
>  
>  
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr