Re: [mpls] I-D Action: draft-ietf-mpls-egress-protection-framework-02.txt
Yimin Shen <yshen@juniper.net> Wed, 25 July 2018 14:25 UTC
Return-Path: <yshen@juniper.net>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C102130E5C; Wed, 25 Jul 2018 07:25:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id teCKwOhArt3M; Wed, 25 Jul 2018 07:25:16 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3ACC0130DF5; Wed, 25 Jul 2018 07:25:16 -0700 (PDT)
Received: from pps.filterd (m0108157.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w6PEK156009457; Wed, 25 Jul 2018 07:25:14 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=W6OWT7LCJ7jQ315QtvRWulYBilvhtbFKVb8y3XsBrXc=; b=oRVtL9vPdY13orK+0hRPPQSzhEj6mXBBn7/ShT59uycPEO1zxKtN+oVOjkPv69wsLxvP IwoUqb/LHDmSTDZe5CZOq6XEADnkSSLRgz0xNriIlBuOgltqpcBlllp/1BIQ/FBkzHu6 uyuI8mP05LHPG4aFNi5MY3B15J1qHOpH3KoUIAwKK07H/Qhrl6WwJmsDi/ghPwcVsi4t glZfVMp+okKsXiGbb8SKIfTQZXtEjkp532FIGsQsCpVBVr2oKvzP0T05gabUzHpTVRn7 yo3COR6ysB9dnh6SvDB5w7A3A2B0AYHu9FIfvpyrcM9Vv5N+uH0H7sWkhUvVRVVsAF9k YQ==
Received: from nam03-by2-obe.outbound.protection.outlook.com (mail-by2nam03lp0055.outbound.protection.outlook.com [216.32.180.55]) by mx0a-00273201.pphosted.com with ESMTP id 2ketq5r0ww-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 25 Jul 2018 07:25:14 -0700
Received: from BN6PR05MB3409.namprd05.prod.outlook.com (10.174.232.21) by BN6PR05MB3298.namprd05.prod.outlook.com (10.174.95.33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.973.12; Wed, 25 Jul 2018 14:25:12 +0000
Received: from BN6PR05MB3409.namprd05.prod.outlook.com ([fe80::a110:ba9f:e568:f57e]) by BN6PR05MB3409.namprd05.prod.outlook.com ([fe80::a110:ba9f:e568:f57e%4]) with mapi id 15.20.0995.014; Wed, 25 Jul 2018 14:25:12 +0000
From: Yimin Shen <yshen@juniper.net>
To: James Bensley <jwbensley@gmail.com>, "mpls@ietf.org" <mpls@ietf.org>
CC: "i-d-announce@ietf.org" <i-d-announce@ietf.org>, "draft-ietf-mpls-egress-protection-framework@ietf.org" <draft-ietf-mpls-egress-protection-framework@ietf.org>
Thread-Topic: [mpls] I-D Action: draft-ietf-mpls-egress-protection-framework-02.txt
Thread-Index: AQHUH6mrwVNHcNOhwEeCYr6zZnuFZqSdTuqAgAJ1S4A=
Date: Wed, 25 Jul 2018 14:25:11 +0000
Message-ID: <DCE597E8-2F99-468B-A8A1-B992C3470CCE@juniper.net>
References: <153203662994.10669.14809491534972596358@ietfa.amsl.com> <CAAWx_pXvb_kmZosSYG3rLJzUcMToYH08kA-eahTFntV3xA-yrw@mail.gmail.com>
In-Reply-To: <CAAWx_pXvb_kmZosSYG3rLJzUcMToYH08kA-eahTFntV3xA-yrw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.10]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR05MB3298; 6:uW1AqIjlVVXGdM43R1Hyyg9SovduK/FEr+Ja0bRIYKDnyglnYC5Mum7h3wkTFurRxB9JwiBAEE3LpcyGrkPWdtYpQOJ4Prd6znvaYqMw1qZkpyXuCttOhpC5qAC+qQayPR+iDKWN8IxOYlmlDWx0v7jXqC3+qq0zzv2VA1pD2M5sEdAe3S6zLycGoTOspK+mpuX1vMR3CqfgojqWNEXpgP5O9cn1N+REKV3fTx83ilMv7l6KUsiT23Xz1i35Tb7Xe+OEin0+l+UGiYlqGpMkidCoAtdKUXcQSZoTzev7DlGWFZWM0Fmg2YqgCir0ARMUHcmFNWGQ++XsEn4y6cqnZsp8ZC4T4+rCd8J6nYL/PVkZ8L6SfxLcoUI5BFpLN0gdlnRdW/A4To1c8XuUeVpYbBMswHj7eLaliWZPhCRHpnrm2wxRu6LbikwXLxPYXhyA63b2UH06uIwnAqHnuIO1XQ==; 5:QDAgoGd3y9/APk7lkxca03L+OXf2BaISkYR/xGX0j7p33SXZm2kEo4Sp8wI0JS1BtfdV9ffjcLxQ020REPtL9jo5YEvbnxUxk7ZV/iNQd2NbB9usVvZu8HTuEeb0AtS+RgwxOJzxlvaBDFm4jjQNd1BAtFvWvbkvbJ45+CI66RA=; 7:hplKKUcteORgR1Vs8nUXDFTiSEkLEq+1e/ubQGUzs4EemPCOw2QvQ91xbTu9UbioMx269S14olgCt0O7W1K0s36PQUF8JPnowYtIqqIeT3qjZTfshal+3h3EIfnswznVX5GeizoiaIkIHD/opWWCGwtBcKUPN8WqWerbzbFKnIRNMfRoXyAp5WX5gw4hIDCJTbUVEhXxehG/UQLJgxHsF72kKluMTegmqZsRrkDc7SvS5rblDEcU3gcsFK220k0A
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: b73ec6ed-f060-47b5-7872-08d5f23a6e95
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600073)(711020)(4618075)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(2017052603328)(7153060)(7193020); SRVR:BN6PR05MB3298;
x-ms-traffictypediagnostic: BN6PR05MB3298:
x-microsoft-antispam-prvs: <BN6PR05MB329849B5690D0A6CB9E708B3BD540@BN6PR05MB3298.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(10436049006162)(192374486261705)(85827821059158);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(10201501046)(93006095)(93001095)(3002001)(3231311)(944501410)(52105095)(6055026)(149027)(150027)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123562045)(20161123560045)(20161123564045)(6072148)(201708071742011)(7699016); SRVR:BN6PR05MB3298; BCL:0; PCL:0; RULEID:; SRVR:BN6PR05MB3298;
x-forefront-prvs: 0744CFB5E8
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(396003)(346002)(366004)(136003)(376002)(25584004)(53754006)(189003)(199004)(6486002)(53546011)(53936002)(36756003)(105586002)(14454004)(6246003)(966005)(6116002)(58126008)(3846002)(82746002)(110136005)(8936002)(81166006)(316002)(7736002)(54906003)(106356001)(68736007)(39060400002)(11346002)(4326008)(305945005)(102836004)(26005)(256004)(6506007)(76176011)(25786009)(14444005)(6512007)(83716003)(33656002)(6306002)(186003)(2616005)(476003)(99286004)(2906002)(8676002)(5660300001)(97736004)(66066001)(6436002)(5250100002)(575784001)(81156014)(86362001)(478600001)(446003)(229853002)(2900100001)(486006)(2501003); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR05MB3298; H:BN6PR05MB3409.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: bNkiMcCb34u8k9wm3fO94hZ5hAaPv5T984GAlBxzdBJKT+na12I2Y+FedaMmHVrWJD4IuhUY0f3O0Sxzjo8GPu69Y/GfB9FO5lnf0Z7N7n9A2krhni0SHPxLEmq0eBnaT79icrO+cFIg6ZrLtTNnK5k/F+elGJ9Ai13XmSd+R8aSaZDVTih6HGgRaZ59hG1StkQXgwDQiqK0qO7hbfqF8m/Z4E4jZFaXNwExdpBymOz6WoC+WWgZMEmvBqnxQrBPl9686BC3B6SJTEqNUK8nZwEocnEOiYFxRRvKpLDB8/KVoLhNE5OVvOWXgZ+Chq6Q3eOh+kmxykuDKJIRqXklz5tKMtNl6g8u3++bwwQ6kQg=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <3B08E4031EA9E44D8E32C42C00D08A49@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: b73ec6ed-f060-47b5-7872-08d5f23a6e95
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Jul 2018 14:25:11.8701 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR05MB3298
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-25_03:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807250155
Archived-At: <https://mailarchive.ietf.org/arch/msg/mpls/-wDRUlDLK9986uuagChjEKqe1Tk>
Subject: Re: [mpls] I-D Action: draft-ietf-mpls-egress-protection-framework-02.txt
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 14:25:20 -0000
Hi James, Thanks for your questions and comments. [QUERY1] This framework focuses on provider’s MPLS networks, and the goal is to make sure that traffic be fast-rerouted towards a service destination. It does not go beyond egress routers/links to a CE domain to make any suggestion there. That is out of the scope of this draft. If there is any local policy on a CE which may cause the CE to reject the rerouted traffic coming over the backup link/path, it should be adjusted and resolved locally (on the CE or in the CE domain) to align with the protection schema. In any case, this should not affect how egress protection should work in the provider’s MPLS network. In your specific example, you have an RPF policy for an IP service on the CE. When provisioning the CE, the user should be aware of the existence of the backup link/path, and should understand what to anticipate over the backup link/path. Hence, a solution to consider both rerouted traffic and security should be possible. In fact, you will have the same issue regardless the kind of protection/restoration mechanism in the MPLS network, whether it is egress protection, global repair driven by ingress router, or control protocol convergence. In any of these cases, if your CE is slower than the reaction of the MPLS network, you will have the same issue. [QUERY2] Yes, it should be PE2. Thanks for catching this. We will fix it in the final version. [QUERY1] This text talks strictly about how PE3 should construct nexthops for the routes in the protection VRF (not the normal VRF). The text does not suggest or imply any change to the PE3’s BGP advertisement towards other routers. There should not be any confusion here. Hope the above has clarified for you. Thanks, -- Yimin On 7/23/18, 4:52 PM, "mpls on behalf of James Bensley" <mpls-bounces@ietf.org on behalf of jwbensley@gmail.com> wrote: Hi All, I hope this is the correct place to ask these questions, I'm new to the IETF WG processes so please guide me if you can. I've read the draft and have some feedback/queries. [QUERY1] In the section 1.Introduction: "Local repair refers to the scenario where the router upstream to an anticipated failure (aka. PLR, i.e. point of local repair) pre-establishes a bypass tunnel to the router downstream of the failure (aka. MP, i.e. merge point), pre-installs the forwarding state of the bypass tunnel in the data plane, and uses a rapid mechanism (e.g. link layer OAM, BFD, and others) to locally detect the failure in the data plane. When the failure occurs, the PLR reroutes traffic through the bypass tunnel to the MP, allowing the traffic to continue to flow to the tunnel's egress router." .... "This framework requires that the destination (a CE or site) of a service MUST be dual-homed or have dual paths to an MPLS network, via two MPLS edge routers." The first text quoted above seems generic enough that it can apply to both an egress node or egress link failure. With egress node failure the the requirement for a Merge Point and fast failure detection mechanism equate to a backup egress node and/or protector node (depending on whether centralized or co-located mode is being used) and OAM, BFD, LoS etc. In the case of an egress link failure though, as per the 2nd text quoted above, the CE must be dual homed to the network and then the PLR is the egress node. The first text quoted above indicates that the PLR must have a rapid failure detection mechanism but it is not stipulated that the CE must also detect the failure as quickly as the egress node. It does say under section 6. Egress link protection: "However, protection for ingress link failure SHOULD be provided by a separate mechanism, and hence is out of the scope of this document." However, there are two problems that I can see; 1. If the CE hasn't detected the PE-CE link is down as fast as the PE, traffic from the MPLS network towards the CE will be rerouted via the backup path (backup PE-CE link via backup egress node) but the return traffic from CE to MPLS network will be sent over the PE-CE link towards egress node and not the backup egress node, which means that traffic will be black-holed until the CE realises it's primary link is down. 2. If the CE uses uRPF it should drop the traffic coming from the PE-CE link from the backup egress node until it detects the PE-CE link to the egress node is down. Both of these scenarios are based on the assumption that the PE to CE links are in active/passive or primary/secondary depending on your terminology - only one link is being used, the other is purely a backup for when the first is down. However, active/passive links to dual-homes CEs is extremely common and the fast re-route mechanism being offered by this draft can be completely undermined because of the two reasons I have outlined above. To prevent the draft be undermined like this: - Opt1. I think it is worth either mentioning the issues that can arise if the CE doesn't detect the issue with the PE-CE link as quickly as the PE. - Opt2. Alternatively, I think it is worth mentioning something like "the CE SHOULD detect the PE-CE link down as quickly as the PE" - a statement which is fairly vague but prevents the entire feature/technology in the draft being undermined when it is correctly implemented. - Opt3. Another alternative, is to suggest that "the PE-CE link SHOULD run a fast failure detection mechanism (the exact choice is outside the scope of this document)" and recommend the implementer use a fast failure detection mechanism between the PE and CE as it's not clearly called out anywhere as far as I can see, only within the MPLS core between PE or P nodes. - Opt4. Something else? Further to this - should the draft make a statement about the use of all-active or active/passive links? In the case of all active links (e.g. ECMP) the uRPF issue no longer exists. [QUERY2] >From section 8.2. Egress link protection: "When PE3 detects a failure of the egress link, it will invoke the above bypass nexthop to reroute VPN service packets." Is that a typo and should be PE2? [QUERY3] >From section 8. Example: Layer-3 VPN egress protection: "The nexthops of these routes MUST be based on PE3's connectivity with site 2, even if this connectivity is not the best path in PE3's VRF due to metrics (e.g. MED, local preference, etc.), and MUST NOT use any path traversing PE2." PE3 is never going to advertise its (presumably) less preferred path to site 2's prefixes towards PE2 because it is receiving more preferred paths from PE2. This draft isn't clearly saying if this behaviour will be overridden ONLY for MPLS VPNs that have this egress protection mechanism explicitly configured or if it relies on the PE already having something like "BGP Advertise Best-External" in Cisco speak or what I think is called "Provider Edge Link Protection" in Junos speak, already enabled. Should this be clearly stated in the draft? Kind regards, James. _______________________________________________ mpls mailing list mpls@ietf.org https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_mpls&d=DwICAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=2-nT7xvtgxYac4wpYxwo_jh5rZM2uwTLxgRhaObwYug&m=oYbfCFZBkqt0fPILE48NoX_4F6MoGf0FPy73BeOwU5M&s=Z4QrqAKMgN3utKrl2oomIpmJRNrUxazXy2GmDtgWpFI&e=
- [mpls] I-D Action: draft-ietf-mpls-egress-protect… internet-drafts
- Re: [mpls] I-D Action: draft-ietf-mpls-egress-pro… James Bensley
- Re: [mpls] I-D Action: draft-ietf-mpls-egress-pro… Yimin Shen