IETF Logo Mail Archive

Re: [Ila] [5gangip] Scaling mapping systems (was Re: BOF Description)

Dino Farinacci <farinacci@gmail.com> Sat, 03 February 2018 23:26 UTC

Return-Path: <farinacci@gmail.com>
X-Original-To: ila@ietfa.amsl.com
Delivered-To: ila@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DF92126CBF; Sat, 3 Feb 2018 15:26:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K_3DxBkWouZq; Sat, 3 Feb 2018 15:26:04 -0800 (PST)
Received: from mail-pl0-x232.google.com (mail-pl0-x232.google.com [IPv6:2607:f8b0:400e:c01::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2A5B124217; Sat, 3 Feb 2018 15:26:04 -0800 (PST)
Received: by mail-pl0-x232.google.com with SMTP id o13so9087347pli.6; Sat, 03 Feb 2018 15:26:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=7E2P6JZBJXrp6mlhFYd9/3wfM/7locUjQnBfL0pkolg=; b=GPyXIl3Xh4ZBBEAj0uKqwdM7GjVPR/6qRXSzpzKa9N4N8hcb6tD3GkEIa5mZygVVKc bCGDJykqXfAlTvWmfFrAlnQTGX9hJZ+52xHf1//M2i4Fd+hjQ2vtWu2NUnnNjbocLN1O 92kPOUDU3hb/GYY5NIG4sx/shD50rmiBE4w97ysFP9D/mbrCEbikWEnRSP145RPlOAyu znTPv+Xw6NNyWT0KWY/Ee+2Eu5GrECle58ahFFFqEdWaxTUA96jqIobFRbxz47Xjy2nk AFFiSUFi53o3ZQIwbGl+zL4e6UV/4TGMOyl6xIRF/zVjOdiBXZ08DQlyfeiSlKqxD8mB r6bg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=7E2P6JZBJXrp6mlhFYd9/3wfM/7locUjQnBfL0pkolg=; b=XwQDXcsWSWL+uVUR6ZWBLRIgAgutA31AAZ9NoKs5AmYnfKzO2pF2wg9j6MNmw1ewZR UwRKsb4LhF9h2Qw1Dk1krKRabG0j1AtqcnUExSFJXWsFIKz5xLBFK5tNP0+fS0rFYW5m pCBeA/iPgoezMGNBTXcDcJMSOgQ96ei/znhicFc9sei0nzLc5XTjhzsFyGU5ixqKYyCo vOLN6mQCT2wRDY6FE5w1W3fC9ceLpOVKHsAuZC0unpP+uaL/Hw8I3eCjlR2eG0qW0Tbx Pq6HbinT2Gh5Y3KNiN7s/jeWwZc0r87XuFTwMloCcMWFWrnKzb3tue0qlkvDBVXe5M7C EcNw==
X-Gm-Message-State: AKwxytdCl+yQNr3B7YHjnVUUlAINLPUKBdEiHgEXvQ82OJRbnxEAtDPI jadpF3KIYhylYen61diGnro=
X-Google-Smtp-Source: AH8x227hCM9HoJVsmPHQSwmOxylgr7aHOXNDQ+Aj8sBA7bte6KBfIkcsTc2oqOtuhhi3VnAyWODUQA==
X-Received: by 2002:a17:902:67c5:: with SMTP id g5-v6mr35637574pln.106.1517700364255; Sat, 03 Feb 2018 15:26:04 -0800 (PST)
Received: from [10.12.239.99] ([222.113.148.132]) by smtp.gmail.com with ESMTPSA id l62sm8328164pga.71.2018.02.03.15.26.01 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 03 Feb 2018 15:26:03 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Dino Farinacci <farinacci@gmail.com>
In-Reply-To: <CALx6S37+1PK3ET7g+XsCHt6-CJrABLko0YbWgE12xFX=vL5OPA@mail.gmail.com>
Date: Sat, 03 Feb 2018 15:26:00 -0800
Cc: 5GANGIP <5gangip@ietf.org>, Behcet Sarikaya <sarikaya@ieee.org>, ila@ietf.org, Alexandre Petrescu <alexandre.petrescu@gmail.com>, Lorenzo Colitti <lorenzo@google.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <5067FA81-B416-4A19-9F11-A08B35BB8B6D@gmail.com>
References: <CALx6S37+1PK3ET7g+XsCHt6-CJrABLko0YbWgE12xFX=vL5OPA@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ila/PLb7ZYW3P2fYm8-24BG6FwdrL0g>
Subject: Re: [Ila] [5gangip] Scaling mapping systems (was Re: BOF Description)
X-BeenThere: ila@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Identifier Locator Addressing <ila.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ila>, <mailto:ila-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ila/>
List-Post: <mailto:ila@ietf.org>
List-Help: <mailto:ila-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ila>, <mailto:ila-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Feb 2018 23:26:06 -0000

On Fri, Feb 2, 2018 at 10:37 AM, Dino Farinacci <farinacci@gmail.com> wrote:
>> 
>> The question to be answered is if all 10 million need to be stored in one place at the same time.
>> 
>> Lorenzo, do you think the DNS is scaling? And if the mapping system is designed roughly the same way, could it scale?
>> 
> Right, there now are many examples of sharded databases to draw
> lessons from. At 10M entries per router, to get to 1B aggregate
> mappings in a network that's 100 routers. Assuming a 5x replication
> factor then network needs 500 identifier/locator routers. I would
> target scaling this by two orders of magnitude within ten years to
> accommodate influx of IoT devices and fined grained object addressing
> in virtualization. I know this is simplistic math and scaling this is
> a hard problem, but I believe it's a solvable problem.

I think so too and has been an effort of mine for many years. And something I requested and wanted IDEAs to tackle.

> 
>> Also, the other point you made about third-party dependency, is a another question about push versus pull style of operation.
>> 
> 
> There is a related question that needs to be addressed and that's
> DOSability of a mapping cache.
> 
> For instance, from RFC6380:

You mean RFC6830. And what you are commenting on below is the map-cache and not the global mapping system. That is the point I want to get Lorenzo’s opinion about.

> "6.  The ITR receives the Map-Reply message, parses the message (to
> check for format validity), and stores the mapping information from
> the packet.  This information is stored in the ITR's EID-to-RLOC
> mapping cache.  Note that the map-cache is an on-demand cache.  An ITR
> will manage its map-cache in such a way that optimizes for its
> resource constraints. "
> 
> This on-demand mapping cache is the reason that LISP is not in Linux.

Right, I realize that. But that is not for architectural design reasons. It’s for Linux implementors idealist reasons. And that is okay.

> The argument is that it is easily DOSed. A attacker could flood an ITR

And I have said dozens (probably more) that a “cache" and a “table” is not different. And you think a “BGP table” cannot be DoSed either?

Having said that, I just don’t want to say everything sucks, so I want to give you a proactive response.

Just like you use white-lists for push based routing protocols (which doesn’t include the link-state protocols), you can use rate-limiting an white-lists for cache population. 

And in 90% of the cases, most ITRs will have default map-cache entries with I’d say on a larger scale deployment pointing to 4 to 8 RLOCs. Those RLOCs go to RTRs that are larger such products to deal with this.

Please note that carrier grade NATs are cached based systems to. Why would they ever get deployed?

> with packets to random destinations that would trigger map requests.
> If the map requests are rate limited then that could prevent requests
> being made for legitimate traffic. If map replies are generated for
> the bogus traffic they they could fill up the cache and block out
> legitimate users.

Right, I have heard the argument many times. But if you didn’t have a cache, you wouldn’t flee from the problem. And having a cache will allow you to scale better by storing the state in need where you and when you need it.

Geoff Huston showed a decade ago that only 10% of the routes are being used in, at that time, a 500,000 route entry routing table. This was in big core routers in big ISPs at the time. I wonder what the number is now.

> I think the the request rate limiting problem can be mitigated by
> using a redirect model instead, but I don't have complete answer yet
> for the cache exhaustion attack (my patches that would facilitate an
> ILA mapping cache we also rejected).
> 
> Dino, has this DOS issue been looked at for LISP?

Yes, over and over again and has been solved in many ways. RTRs are the current solution as long as NATs are being used and packets need to be encapsulated in IPv4 RLOCs for whatever reason.

RTRs also have the benefit for updating less places for EID mobility. Here is a quick example. Say 1000 EIDs are talking to my LISP based Macbook EID. I’m sitting in a coffee shop behind a coffee shop resident NAT. Those 1000 ITRs have my EID cached with the RTR’s RLOC. The RTR is the only node that can get packets through the coffee-shop NAT. So its map-cache has my EID cached with the tranlsated RLOC. When I move to another coffee-shop my translated RLOC changes, so only the 1 RTR needs updating versus the 1000 ITRs that are talking to me.

RTRs are also useful for traffic-engineering and multicast replication. See draft-ietf-lisp-te and draft-ietf-lisp-signal-free-multicast for details.

That is the indirection you may be referring to. Please correct if I got that wrong.

Dino

v2.23.0 | Report a Bug | By Email