IETF Logo Mail Archive

Re: [Idr] Request to adopt draft-heitz-idr-large-community

"Jakob Heitz (jheitz)" <jheitz@cisco.com> Thu, 08 September 2016 01:08 UTC

Return-Path: <jheitz@cisco.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B6A712B3E9 for <idr@ietfa.amsl.com>; Wed, 7 Sep 2016 18:08:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -16.028
X-Spam-Level:
X-Spam-Status: No, score=-16.028 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.508, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r-TUJK0wQHdA for <idr@ietfa.amsl.com>; Wed, 7 Sep 2016 18:08:41 -0700 (PDT)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B67D812B049 for <idr@ietf.org>; Wed, 7 Sep 2016 18:08:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=29329; q=dns/txt; s=iport; t=1473296916; x=1474506516; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=rlw6NaSAMjr7p5kjkAQXMWfA7MJo/gIxnkokt1UGv+g=; b=H+bsYmw92UveTCl0/+jRdTDH+PSbOxVA34eY2jECWwaiGFflBmmG2cZt Udod8IhPuO/zla9CeuNu7LJm4UqLIcEprMOfc4+DGAWTO+lE6+pd65Qwu mC0yqlrH2FGiWW9ETyoDB+4anWv+OpOv1RvtO/XK6WvEOv9QnTvkMIULR 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0D3AQDPuNBX/4cNJK1dGQEBAQEBAQEBAQEBgnozAQEBAQEeVy1PjTKrEYIDGQEKhXgCHIFNOBQBAgEBAQEBAQFeJ4RhAQEBAwEBAQEgSQIIAwULAgEGAhgnAwICAiULFBECBA4FFIguCA6TE50kjA8BAQEBAQEBAQEBAQEBAQEBAQEBAQEXBYYvgXiCVoEignARAQaDGCuCLwWUDIVNAYhfhl2PW2+LYYN6AR42gjQzAgMbgU1wg28FCheCCAEBAQ
X-IronPort-AV: E=Sophos;i="5.30,298,1470700800"; d="scan'208,217";a="319299842"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 08 Sep 2016 01:08:35 +0000
Received: from XCH-RCD-011.cisco.com (xch-rcd-011.cisco.com [173.37.102.21]) by alln-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id u8818ZZG026178 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 8 Sep 2016 01:08:35 GMT
Received: from xch-aln-014.cisco.com (173.36.7.24) by XCH-RCD-011.cisco.com (173.37.102.21) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 7 Sep 2016 20:08:34 -0500
Received: from xch-aln-014.cisco.com ([173.36.7.24]) by XCH-ALN-014.cisco.com ([173.36.7.24]) with mapi id 15.00.1210.000; Wed, 7 Sep 2016 20:08:34 -0500
From: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
To: Robert Raszuk <robert@raszuk.net>
Thread-Topic: [Idr] Request to adopt draft-heitz-idr-large-community
Thread-Index: AQHSCDP+9Gy6rPIW0USt867VcqfiL6BuXmaAgAAfcwCAAAPVgIAABqSAgAAddgD///s9xIAAYb2A///H4FA=
Date: Thu, 08 Sep 2016 01:08:34 +0000
Message-ID: <277F4AEC-4EF7-48EE-9ECE-81B3D341BEC5@cisco.com>
References: <20160906113919.GC17613@vurt.meerval.net> <F3BDAC77-FA01-4F90-9BC1-9F2F1B7B6029@ecix.net> <CAHxMReZxtHSHfavDaAm=JrBqQ+UHkbJoai52Zt3rFFSKgp=aLA@mail.gmail.com> <CA+b+ER=QOJXZoZaNhRhiHS2SgE88cBaxOb39eRshyA1TxnQXUg@mail.gmail.com> <20160907161113.GG5423@57.rev.meerval.net> <CA+b+ERmfPrjbsAx42aKH_OVdZnf0WzqS_B1mJ6eTVni7T2s6xg@mail.gmail.com> <D2565063-A1DE-4AB0-9903-65AA2805D0D3@cisco.com>, <CA+b+ERmT17dvv93edN+O0XU=PmUMWNyyBuKyv-ShjT6g9xO9rg@mail.gmail.com>
In-Reply-To: <CA+b+ERmT17dvv93edN+O0XU=PmUMWNyyBuKyv-ShjT6g9xO9rg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: multipart/alternative; boundary="_000_277F4AEC4EF748EE9ECE81B3D341BEC5ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/tAh5fWDJb3xI45o3tbpr2qCaxK0>
Cc: idr wg <idr@ietf.org>
Subject: Re: [Idr] Request to adopt draft-heitz-idr-large-community
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2016 01:08:43 -0000

Q1. My implementation as it stands uses ios-regex to filter, so you can filter whatever you want. I have an optimization in mind that will make it easier to match on each field individually, but it's not done yet.
Your example: delete largecommunity not in (ios-regex '^2914:')

Q2. If your ISP offers the service to transit communities, then that ISP will be able to transmit the large communities unchanged with my implementation.

Q3. The spec must not enforce any stripping. It is up to a receiver to strip whatever it does not want to receive. In my implementation, large communities are dropped by default by EBGP senders. You must configure send-community-ebgp if you want it to send large communities. You can use the delete statement of Q1 in a neighbor outbound route-policy if you want to selectively remove large communities.

BTW, this all works the same way as it does with regular communities.

Thanks,
Jakob.


On Sep 7, 2016, at 7:29 PM, Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>> wrote:

Hi Jakob,

To me what you proposed here below is sufficient and covers second sentence:

"
​
The meaning of all octets in the large community is to be defined by mutual agreement between the originating and terminating ASes."

- - -

However while we do not talk about this often in IDR and just leave freedom of implementation let me risk a question what filtering capabilities should be or are expected to be implemented for large communities at the ASBRs ?

Q1: In your current implementation can I selectively accept communities only with my AS listed in the first 4 octets and drop everything else ?

Q2: If as you say large community is intended to "transit an AS" how do I know the destination/terminating AS will get what real sender sent or intended to sent in the remaining 4:4 ?

Q3: Assume the terminating AS as agreed with with originating AS did the job. Should spec enforce (MUST) to strip such community before propagating the route any other EBGP speaker ? Why do we want to trash the Internet with something which by AS-PATH rules should never be needed again (leave alone allowas-in tricks or as-overwrite) ?

Thx,
R.



On Thu, Sep 8, 2016 at 12:39 AM, Jakob Heitz (jheitz) <jheitz@cisco.com<mailto:jheitz@cisco.com>> wrote:
Here is how I would treat the first 4 octet so of the large community.
The community is normally used by an ISP to allow a directly connected customer to express its wishes about how to process the route. In that case, the first four octets and all octets are totally in control of the ISP. The ISP has total control of the definition of the octets. If an ISP is willing to carry communities that are destined to another AS, then it makes sense for everyone to agree on the encoding of the target ASN in the community.
I would phrase it like this:

​​
The meaning of all octets in the large community is to be defined by mutual agreement between the originating and terminating ASes. However, if a large community is intended to transit an AS, then the ASN of the terminating AS SHOULD be encoded in the first 4 octets of the large community.

For example, there is no reason that an invalid ASN (say 0 or 23456) should be disallowed as long as the intended recipients of the community understand the meaning.

Thanks,
Jakob.


On Sep 7, 2016, at 1:57 PM, Robert Raszuk <robert@raszuk.net<mailto:robert@raszuk.net>> wrote:

Hi Job,

Excellent.

And my only point was to add that single sentence to the spec when next rev comes out.

Suggestion for the sentence to add into bottom of the section 3:

"The Autonomous System number used within the community field is an Autonomous System which understands the encoded meaning of the 8 octets which follow and which is to act on it."

... or something along those lines.

Cheers,
R.


On Wed, Sep 7, 2016 at 6:11 PM, Job Snijders <job@ntt.net<mailto:job@ntt.net>> wrote:
Hi Robert,

On Wed, Sep 07, 2016 at 05:47:27PM +0200, Robert Raszuk wrote:
> I agree with all statements made by Rob S.
>
> Kay's email however triggered the clarification question to the
> current -03 version.
>
> What is the meaning of explicit AS number listed in the first 4 octets
> of the community. I was under impression that originally it was the AS
> number in which given community needs to be executed however it seems
> that this sentence is no longer in the current version of the draft.

The first 4 bytes contain the ASN in which the last 8 bytes have a
meaning. Its not about what is executed where. Consider the last 8
bytes, the 'local opaque data', a namespace of sorts, the first 4 bytes
indicate who owns that namespace. The owner of the namespace can
publicly or privately document what the meaning communities are within
his/her namespace.

I welcome suggestions to improve the text on this aspect. RFC 1997 had
language like "Global Administrator" and "Local Administrator" - but I
think that is a somewhat archaic to explain this concept. In -04 we're
talking about "Autonomous System Number" and "Local Data".

> So it may be unclear if this is AS number inserting this community, if
> this is target AS to execute it or perhaps like in the case of Route
> Server is it AS acting as proxy for other ASes it peers with ?
>
> The answer could be none of the above - it's all local significant - but
> then shouldn't it rather use a 4:4:4 description.

What Kay described is that they today with RFC 1997 communities they are
using a horrible kludge because there is not enough space.

With Large communities, ECIX (AS 9033) could say "Dear customers, if you
attach 9033:XXX:YYY to your prefix, our routeserver will do A", where
XXX and YYY are values decided by ECIX. This way, there will never be
collisions. What XXX and YYY are is up to ECIX, XXX could be the ASN of
a peer on the route server, YYY could be an identifier which triggers an
action, such as no-export.

Given the above context and what Kay sent to the list:

> > As we use 65000:XXX, where XXX is the ASN which should
>> not receive the route, this proposal would give us the option to also
>> extend the control-mechanisms towards 32-bit ASNs and not just 16-bit
>> ASNs anymore.

With Large Communities, the above example could be turned into:
9033:65000:XXX, where XXX is the ASN which should not receive the route.
Suddenly they aren't overloading a Global Administrator field with a private ASN! :-)

ECIX (and other Route Server operators) gain two advantages: There won't
be a risk of collision because its in their own namespace, (in ECIX's
case '9033'), and XXX can be a 4-byte value, meaning they can target
4-byte ASNs, which is something they cannot do today but clearly want to
do for consistency.

It is important to recognise that it is up to ECIX to decide how they
use the 8 bytes of data available to them. They can put ASNs in there
directly, or use a mapping table, or throw a dice and just publish which
value means what on their Route Server. It is entirely opaque.

Kind regards,

Job

ps. Large Communities' expiry date will be the moment the IETF starts
working on 8-byte ASNs. If that ever happens, we'll hopefully remember
this thread.

_______________________________________________
Idr mailing list
Idr@ietf.org<mailto:Idr@ietf.org>
https://www.ietf.org/mailman/listinfo/idr

v2.23.0 | Report a Bug | By Email