Re: [Idr] rd-orf problem clarification at the local level
Robert Raszuk <robert@raszuk.net> Mon, 15 February 2021 18:47 UTC
Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DADEB3A0FC4 for <idr@ietfa.amsl.com>; Mon, 15 Feb 2021 10:47:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2LmsvMPfM1Nf for <idr@ietfa.amsl.com>; Mon, 15 Feb 2021 10:47:18 -0800 (PST)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5AEA3A0FB9 for <idr@ietf.org>; Mon, 15 Feb 2021 10:47:17 -0800 (PST)
Received: by mail-lj1-x22f.google.com with SMTP id c8so6878367ljd.12 for <idr@ietf.org>; Mon, 15 Feb 2021 10:47:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4L30liwRARFrAKkwlTvEFIgH3DNcV1aOLLNz+LvXD/c=; b=EGZlEb88VJ16oKxpgahVx3PnVG1aqNCeIBh40vlzMKTASfGvyluqB48yj5PLuH5uRq PL+kYv79RC12York6WxGXizLJNulMIZv9LwUNivHFkC2vxg60DgM3AORJJGxR5OCB6a+ QgcAMWoxHqV6dD3YsI0e5tEVBo9sZ4NlrV7kRwJ0Z59mj+oj1L76q28GDiAJzSjBA+IQ 9nQnPNagl+eMqaYNYvzxdmIBjSXbSVP+K6Nf9cVbAo/aAMwprtDDG9WOYl4A+J70lemO RPgmPcjHkh4NO9+nLtuzLapkogJyqCfBAplwGWtjbc2YtTCDfKFmG9qXPtBM4YCAW1kZ os2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4L30liwRARFrAKkwlTvEFIgH3DNcV1aOLLNz+LvXD/c=; b=aJCUeFU6HVUWWld8KvTxbyUSVJiFZEZZKkABd70yD/950H6rmzpkt0SxyN8eg74wn+ 97iDHuWGiQNh1XMV7ALJxDCWcyC6lmBauGs4yddGiwZh0uZw3cPEZqU7V1nVdMDTQkgv FoA4DqME9DlxZl3ZYziEqxUIoIRT7oUnO3o2Oq0LdgmPhTfLfq/PPQjDpggr2mxldBXX +5cKZeO5/h3R+xNd0+bkbQFps/iw6f0xEvL36g3Qno7g9IokUhWjVDwUP9bMbPa8cG1w tV0OddplhkQLakpYJe8xAgQ/DG0rPjleimf51jfVL6tJ4yq+Fem+mGNC5dbVsF9PDs97 qrOg==
X-Gm-Message-State: AOAM532jjbL79Zmy4M8lGTxFc8sCxwEH1Ya9SO4axkvsimUBTHZM5B9G HWsiEHna7v5O/EVtYJBTgiqBJr28ox23dgGooqz5xA==
X-Google-Smtp-Source: ABdhPJzuPQX5ePnwHsYOr/BNnGmYEk6D58vm5kl1eJuGlcrB81LIIq3vpF+bWlE8/TlCUiT3beWa6d5bs3yv4GxM97U=
X-Received: by 2002:a05:651c:324:: with SMTP id b4mr10255437ljp.318.1613414835902; Mon, 15 Feb 2021 10:47:15 -0800 (PST)
MIME-Version: 1.0
References: <20210215173036.GB16389@pfrc.org>
In-Reply-To: <20210215173036.GB16389@pfrc.org>
From: Robert Raszuk <robert@raszuk.net>
Date: Mon, 15 Feb 2021 19:47:07 +0100
Message-ID: <CAOj+MMFtVQ4RoYFJXjMYfaPn5sLWNuaBv1DEhjyZOH77=7Mogw@mail.gmail.com>
To: Jeffrey Haas <jhaas@pfrc.org>
Cc: "idr@ietf. org" <idr@ietf.org>, draft-wang-idr-rd-orf@ietf.org
Content-Type: multipart/alternative; boundary="0000000000002b799005bb646a71"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/p-Y3L7NQ64cI5eeEHxXyow44skw>
Subject: Re: [Idr] rd-orf problem clarification at the local level
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2021 18:47:21 -0000
Hi Jeff, Great summary. I have just one comment to your text. > 2. The Route Distinguisher field is a fixed length of 8 octets. I would not say that so fast. RD is a structured field per RFC4364 and when wisely allocated it may be useful to treat it as part of a real prefix with mask. The RDs are structured so that every Service Provider can administer its own "numbering space" (i.e., can make its own assignments of RDs), without conflicting with the RD assignments made by any other Service Provider. An RD consists of three fields: a 2-byte type field, an administrator field, and an assigned number field. Practical example: PE_X got compromised and all VPN routes it advertises are going to /dev/null or worse going to one customer site. So one may wish to filter all VPN routes advertised by such PE in one shot by pushing RD/48 for type 1 RD. Thx, Robert. On Mon, Feb 15, 2021 at 6:10 PM Jeffrey Haas <jhaas@pfrc.org> wrote: > Authors, > > The IDR chairs were discussing how best to move forward the discussion > about > Working Group adoption for rd-orf. As part of that discussion, we thought > it would be helpful to have the discussion split to cover specific points. > The goal is primarily to clarify the functional requirements. As part of > this discussion, there will be some technical observations on the proposal. > > This e-mail is structured with the perceived issue, and a set of questions > to be commented on as Issues at the end. > > This e-mail focuses on the rd-orf problem statement from the receiving PE's > perspective. > > --- > > Presume we have a PE router with some number of attached VRFs. > For this example, we have a VRF-A that uses a single route target. > In this VRF, routes from two remote PEs with distinct route distinguishers, > RD1 and RD2, contribute to that VRF. > > --- > > Presumed problem statement: > It is possible for this VRF, and perhaps the PE itself, to be overwhelmed > by > an excess number of VPN routes. > > Common implementation mitigations available today: > 1. A VRF may implement a prefix limit that prevents an excess number of > routes from being redistributed from the VPN's address family into the > VRF. > > However, this does not keep the PE from retaining an excess number of > VPN > routes in its global VPN table. > > 2. The PE may apply BGP policy to restrict the VPN routes that it will > accept and store. An example of this may be policy based on BGP route > properties in Path Attributes such as Extended Communities. Another > example may be policy based on BGP NLRI properties, such as route > distinguisher. (The implementation may require configuration to cause > VPN routes rejected by policy to be discarded rather than stored in the > Adj-Ribs-In as ineligible routes.) > > It is thus possible for an implementation to mitigate the impact storage > requirements for an excess number of VPN routes with no new features. > > --- > > Reducing the work for the receiving PE for unwanted routes: > > It can be observed that a core benefit of RT-Constrain (RFC 4684) is that > it > permits a receiving PE to avoid receiving routes it is not interested in. > This may also reduce the work of the sending BGP Speaker by avoiding the > I/O > overhead of the unwanted routes. > > However, RT-Constrain will not help you reduce the work if you want a > subset > of the routes covered by a specific route target. > > The desired property in rd-orf is that a BGP Speaker will exchange an > outbound route filter that provides a list of route distinguishers that > will > be excluded from the routes sent on a session. > > Essentially, a "do not send these RD routes list". > > Such an ORF can reduce the amount of work on a receiving PE, and reduce the > storage of unwanted routes. > > --- > > Operational considerations for PE filtering using route distinguishers: > > 1. A VPN route may be targeted for more than one receiving VRF. Excluding > VPN routes by route distinguisher may only be done if it is > operationally > acceptable that no VRFs on the receiving router will receiving those > routes, regardless of VPN membership. > > (That is, collateral damage is a possibility that must be understood.) > > 2. A PE may have downstream BGP peers. It must be operationally acceptable > that no downstream BGP peers receive VPN routes whose route > distinguisher > is being filtered. > > 3. VRFs that have prefix limits may have its limit exceeded by routes from > multiple remote PE resources. What is the mechanism that will permit an > implementation to choose what route distinguisher will be filtered, > presuming the collateral damage in points 1 and 2 is acceptable? > > --- > > rd-orf protocol issues: > > 1. The rd-orf type specific part includes a Sequence field. Its use in the > ORF filtering mechanism is unclear in the draft's text. > > It is my speculation that this comes from the Prefix ORF (RFC 5292) > semantics. However, it is improperly specified, if so. A Prefix ORF > requires ordering semantics in order to properly execute prefix-match > behavior, especially given the need for more-specific/less-specific > portions of the match. In the case of an rd-orf, order is not relevant, > only the route-distinguisher. > > 2. The Route Distinguisher field is a fixed length of 8 octets. Using ORF > procedures (RFC 5291), once an ORF has been received for a given > AFI/SAFI, the entries of the ORF must be matched or the routes will not > be advertised to the remote BGP speaker. > > This means that once there is a desire to specify a "do not send" > rd-orf, > it becomes required that all desired RDs must be sent. Knowing the full > set of possible RDs a priori is likely impossible. > > The feature thus needs a "default" entry of some sort. > > --- > > Encoding rd-orf behaviors using Address-Prefix-Based ORF (RFC 5292): > > Jakob Heitz, among others, has mentioned this solution. > > A VPN route is made up of an RD + Prefix, with RD being a fixed 8 octet > value from known types. > > A rd-only ORF may be represented as: > - The AFI/SAFI of the VPN address family to be filtered. > - An appropriate Sequence number > - A minlen of 64 bits > - A maxlen appropriate to the AFI/SAFI of the VPN route in question (as > long > as its bit-length is <= 255). > - Length is 64 bits > - Prefix is the encoded route distinguisher > > The default VPN Address Family ORF may be represented as: > - The AFI/SAFI of the VPN address family to be filtered. > - The last sequence number in the known series. > - A minlen of 0 bits > - A maxlen appropriate to the AFI/SAFI of the VPN route in question (as > long > as its bit-length is <= 255). > - Length is 0 bits > - Prefix will not be encoded due to the Length. > > The Sequence number semantics for such Prefix ORFs containing only route > distinguishers is less important than those for Address prefixes. The main > requirement is that the individual members are distinctly numbered, and > that > the default entry, if present, is last. > > In cases where Prefix filtering is desired for VPN routes in addition to > route distinguisher filtering, the implementation will need to make > appropriate adjustments to the Sequence number. > > That said, aside from the popularity of ORFs in modern BGP implementations > being low, VPN route filtering for ORFs is likely uncommon due to the need > to known the route distinguisher a priori. (See discussion above.) > > --- > > Issues for discussion: > 1. Is this analysis of the issue from the receiving PE's perspective > correct? If not, please comment in the appropriate text above. > > 2. What procedure would an implementation use to apply a prefix-limit to > trigger this filtering mechanism given that a VRF may have routes > contributed to by several route distinguishers? > > 3. Can the procedure above for using RFC 5292 address the use case? If > not, > please comment on the specific use case and encoding difficulty. > > > > > -- Jeff > > _______________________________________________ > Idr mailing list > Idr@ietf.org > https://www.ietf.org/mailman/listinfo/idr >
- [Idr] rd-orf problem clarification at the local l… Jeffrey Haas
- Re: [Idr] rd-orf problem clarification at the loc… Robert Raszuk
- Re: [Idr] rd-orf problem clarification at the loc… Aijun Wang
- Re: [Idr] rd-orf problem clarification at the loc… Aijun Wang
- Re: [Idr] rd-orf problem clarification at the loc… Jeffrey Haas
- [Idr] draft-wang-idr-vpn-routes-control-analysis … Jeffrey Haas
- Re: [Idr] rd-orf problem clarification at the loc… Aijun Wang
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Aijun Wang
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Jeffrey Haas
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Aijun Wang
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Gyan Mishra
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Robert Raszuk
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Aijun Wang
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Robert Raszuk
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Gyan Mishra
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Robert Raszuk
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Jeffrey Haas
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Jeffrey Haas
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Gyan Mishra
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Robert Raszuk
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Aijun Wang
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Gyan Mishra
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Aijun Wang
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Robert Raszuk
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Robert Raszuk
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Aijun Wang
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Aijun Wang
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Gyan Mishra
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Aijun Wang
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Susan Hares
- Re: [Idr] draft-wang-idr-vpn-routes-control-analy… Aijun Wang