Re: [mpls] RtgDir review: draft-ietf-mpls-egress-ptotection-framework-03

Yimin Shen <yshen@juniper.net> Wed, 02 January 2019 14:50 UTC

Return-Path: <yshen@juniper.net>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51DA6126CC7; Wed, 2 Jan 2019 06:50:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.765
X-Spam-Level:
X-Spam-Status: No, score=-2.765 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.065, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6xbufm4RX9k3; Wed, 2 Jan 2019 06:50:51 -0800 (PST)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C3D91277D2; Wed, 2 Jan 2019 06:50:50 -0800 (PST)
Received: from pps.filterd (m0108161.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x02EkjqU023338; Wed, 2 Jan 2019 06:50:47 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=PPS1017; bh=iWqIAoziQWPfkXliDzThIIPFT2CTZdsSI/CyOvWXu+M=; b=YQNkGz2khBLQC3nx2lOtn+YLxFZrUzqS9j2nuOAoKqZVo7h5HO05JAoqK20DrYG3p6B7 92PFcEugA6jt6EI8XrqG2DMoRhPBlAfjE+BFfJG13nF0MLhBw5IjzoFhOQGv2VaiBxxx /R7VND5yZhjLlVV9HWxem7PgZgvul07gyRyCORI72S2/M/AKxP1+HeXovwYHmcAHu1RQ +TWkLeixNKUroMj9XaSlhY6L40VO6BCKZWyiCN+dAYtxpdhQ+BhugwK12SblP9Mlzgu6 aGYykM0mLOffyWB6ik3C7l8Lev8YjwxJaJ+hFOo4YLuKuLbcmqy9wKkkcxwor0Lm3yUs mg==
Received: from nam01-bn3-obe.outbound.protection.outlook.com (mail-bn3nam01lp2051.outbound.protection.outlook.com [104.47.33.51]) by mx0b-00273201.pphosted.com with ESMTP id 2prsx88ef3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 02 Jan 2019 06:50:46 -0800
Received: from DM6PR05MB5259.namprd05.prod.outlook.com (20.177.223.223) by DM6PR05MB6107.namprd05.prod.outlook.com (20.178.31.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1495.4; Wed, 2 Jan 2019 14:50:42 +0000
Received: from DM6PR05MB5259.namprd05.prod.outlook.com ([fe80::e4:2c95:b852:bb2d]) by DM6PR05MB5259.namprd05.prod.outlook.com ([fe80::e4:2c95:b852:bb2d%7]) with mapi id 15.20.1516.000; Wed, 2 Jan 2019 14:50:42 +0000
From: Yimin Shen <yshen@juniper.net>
To: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com>, "mpls@ietf.org" <mpls@ietf.org>, "rtg-dir@ietf.org" <rtg-dir@ietf.org>, "rtg-ads@ietf.org" <rtg-ads@ietf.org>
CC: "draft-ietf-mpls-egress-protection-framework.all@ietf.org" <draft-ietf-mpls-egress-protection-framework.all@ietf.org>
Thread-Topic: RtgDir review: draft-ietf-mpls-egress-ptotection-framework-03
Thread-Index: AdR8MjymUP2LtqqCRvO1Anp1Nk3O/ALIazaAABqmdaACctktgAAbf4QgAAE1ceAAKx2a7QAHy7IAAAqahfAD43UBgA==
Date: Wed, 2 Jan 2019 14:50:41 +0000
Message-ID: <436B2645-8340-4CF6-B63A-E1CBA090E7BF@juniper.net>
References: <DB5PR0301MB1909DAA9F3E05FB21A70C1509DD90@DB5PR0301MB1909.eurprd03.prod.outlook.com> <19B9F992-7DAB-478C-9F16-B641ABC898FA@juniper.net> <DB5PR0301MB1909C6ACB5F3513858A4F19D9DD20@DB5PR0301MB1909.eurprd03.prod.outlook.com> <BBAF38CE-1465-472D-A5EF-0832730376CA@juniper.net> <DB5PR0301MB1909D8782E8FE6EE3271F1E79DA70@DB5PR0301MB1909.eurprd03.prod.outlook.com> <DB5PR0301MB190977671FC649F4B39274F49DA00@DB5PR0301MB1909.eurprd03.prod.outlook.com> <0F5CDAEA-68DE-4493-8363-322D06ECE713@juniper.net> <DB5PR0301MB1909BB3E3658457EE6841BDC9DA00@DB5PR0301MB1909.eurprd03.prod.outlook.com>
In-Reply-To: <DB5PR0301MB1909BB3E3658457EE6841BDC9DA00@DB5PR0301MB1909.eurprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.5.181209
x-originating-ip: [66.129.241.12]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR05MB6107; 6:zwPBGb3Y2uvC+F95WAgUBYmxME0VPPtGy6zd/DK468jPaQjwJ13r9V2gPa7oVTxRE5H0Iub2Rk7JX58PGVBPUNDZ+crO9MZCNeizTpUpQ2Oqy2BwOy3Kra7ccGfVhXzhuOfLW6J16Ak2Z8CCrqoamGZrowgFU8dHGY2Mvk3vWy/NnutpcZne//euouQLkfkxjnhB8/uv8ClgPoCzOUbxmpYPAaiujjyoWrOCGvBZiC8S1qVVXSAiG+zlDGUQgly+Cn/1DE2KGEvJDfO4wBlbbZW/FKyRgOEo1ebp6KsEYrKtyRGR1lIas5us1nX/A1AjjWwZdvoIwKI9kQ1Dn4VIranMrxrTzBNjDxWduQRGdio8KEDPfAO6jIlXLMDcnwQFUVaX+S3x7LU4oQws/kWrmFhHFKjRpIV22PG6KrXVxDBY5gZf73hsSuNzCLBySVxmNh2MZzO2NzEoNhFjDjCFGw==; 5:oJvKyMVgYCsHVwS/NKeTWGNvp34ir4enlNb2Qtarn0/+c7XOVjsghdFuPLubcYP5CbpgiTkhMJwiFhVq4g/4crQrF8AvpwS/ncz96FWBZMM1G+HkyxTBZZskR/J0p65AQSxGiomul3jp8KsI32I7r5DyWYcuOij3aJEAKe2pKPAV1CMK2xrkDH981Lm+elnJa07389sj2VCTwo/E3OCg+Q==; 7:xCyYj+Lqugs/x9cPSD7mcpG120Lg1Tzj1Ts3yddtD+clDfiO4iMzHQdErVyB/qQ/g9F88MiTYFh1AgV37RvKzr5vSe8+BSjgaZWPmhspDcSAsbB4dT9Z1BofpJsJM7kBZuKFN4JHZeQIa39b8GZrRA==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 88bdea13-09be-4131-2703-08d670c1ab0c
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:DM6PR05MB6107;
x-ms-traffictypediagnostic: DM6PR05MB6107:
x-microsoft-antispam-prvs: <DM6PR05MB6107B4C88B1C7C76FA6F84E5BD8C0@DM6PR05MB6107.namprd05.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(3230021)(908002)(999002)(5005026)(6040522)(8220060)(2401047)(8121501046)(3231475)(944501520)(52105112)(10201501046)(3002001)(93006095)(93001095)(6055026)(6041310)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123564045)(20161123558120)(201708071742011)(7699051)(76991095); SRVR:DM6PR05MB6107; BCL:0; PCL:0; RULEID:; SRVR:DM6PR05MB6107;
x-forefront-prvs: 0905A6B2C7
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(39860400002)(136003)(346002)(396003)(366004)(199004)(189003)(51444003)(51914003)(68736007)(58126008)(33656002)(5660300001)(86362001)(11346002)(36756003)(14454004)(2501003)(486006)(6512007)(2616005)(99286004)(66574012)(54896002)(110136005)(6246003)(25786009)(66066001)(316002)(6306002)(236005)(53946003)(53936002)(4326008)(476003)(81156014)(4744004)(3846002)(6116002)(790700001)(8676002)(83716004)(71190400001)(71200400001)(229853002)(81166006)(93886005)(106356001)(478600001)(6506007)(105586002)(6436002)(76176011)(2906002)(256004)(14444005)(5024004)(7736002)(6486002)(26005)(446003)(2201001)(102836004)(82746002)(97736004)(186003)(606006)(8936002)(966005)(53546011)(569006); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR05MB6107; H:DM6PR05MB5259.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: Ug5PVchOyVTkbBwFiLLtxhlyLPblodUPOmXf6JATrffokcpiiTzqh5wjXXL2SdrSbOS6s+9sJWTkVNMcF5yy0VEbYvGBsdja3zG9QH8MA1zwd2E49OwKmjcIeY++9A+rFzVqr5f+Bn0rjOrd288Ez3TUpTPSCy8L1b6duTj/8N/Ru6nHiW/cYPWm3Cjs2KK2D5iu6b+nZr0dkNuwE6ocXaEuxkck8hbDiIPsEZUzOxniC41nijcCpEU9BUvtBmh68iTr8caefSmHVb2kPTJe7w0OYdmQnOCiYMbiaHpsJGMJYkReHHFWHkQGaFqxEGHc
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_436B264583404CF6B63AE1CBA090E7BFjunipernet_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 88bdea13-09be-4131-2703-08d670c1ab0c
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jan 2019 14:50:41.9332 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB6107
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-01-02_05:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901020134
Archived-At: <https://mailarchive.ietf.org/arch/msg/mpls/QQmuWMaeYqtOT0FQ_EcB7oojWLE>
Subject: Re: [mpls] RtgDir review: draft-ietf-mpls-egress-ptotection-framework-03
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jan 2019 14:50:58 -0000

Happy new year !

Hi, Chairs, Sasha,

We have addressed all the comments as discussed and agreed with Sasha, and uploaded a new version (04) of the draft.

https://datatracker.ietf.org/doc/draft-ietf-mpls-egress-protection-framework/


Thanks,

-- Yimin


From: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com>;
Date: Thursday, December 13, 2018 at 9:57 AM
To: Yimin Shen <yshen@juniper.net>;
Cc: "rtg-dir@ietf.org"; <rtg-dir@ietf.org>;, "mpls@ietf.org"; <mpls@ietf.org>;, "draft-ietf-mpls-egress-protection-framework.all@ietf.org"; <draft-ietf-mpls-egress-protection-framework.all@ietf.org>;, "rtg-ads@ietf.org"; <rtg-ads@ietf.org>;
Subject: RE: RtgDir review: draft-ietf-mpls-egress-ptotection-framework-03

Yimin,
Lots of thanks for a prompt response. It seems that we are aligned in our understanding of the EVPN problem, and that it deserves a dedicated document.

I do not really care about specific wording, be it “covered by a dedicated document” or “left for future study” – whatever suits your colleagues and you would do from my POV. And, just to make it clear, I do not think that these considerations should block approval and publication of the framework draft. I do not expect such a document to cover in detail all potential applications and their specific issues.

I will be waiting for the next release of the draft to confirm that my comments have been resolved.

Regards,
Sasha

Office: +972-39266302
Cell:      +972-549266302
Email:   Alexander.Vainshtein@ecitele.com

From: Yimin Shen <yshen@juniper.net>;
Sent: Thursday, December 13, 2018 4:44 PM
To: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com>;
Cc: rtg-dir@ietf.org; mpls@ietf.org; draft-ietf-mpls-egress-protection-framework.all@ietf.org; rtg-ads@ietf.org
Subject: Re: RtgDir review: draft-ietf-mpls-egress-ptotection-framework-03

Hi Sasha,

Thanks very much for all the analysis into the EVPN case!

We agree with your point on the BUM traffic. Given the particular forwarding mode of BUM traffic, it will suffer from duplicate packets with egress protection. EVPN definitely deserves a its own document to discuss this kind of caveats and also clarify the working case of known-unicast traffic.

What we can generally say in this framework draft is that - if there needs to be a consideration or discussion of any applicability or operation issues specific to a given type of service, it should be covered by a separate document. IOW, we don’t want to call out a particular service (like EVPN) for “further study”, because a “framework” should already imply and create the space for “future study” of all services and components if needed. We can broadly point out some categories of issues to consider (e.g. BUM traffic, unavailability of protecting forwarding state on protector), but it’s not a goal of this draft to confirm issues for a specific service and put it in the “future study” list. Would you agree with us on this approach?

Thanks again for your detailed comments. They should be noted for the future study 😊

Thanks,

-- Yimin


From: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>>
Date: Thursday, December 13, 2018 at 1:01 AM
To: Yimin Shen <yshen@juniper.net<mailto:yshen@juniper.net>>
Cc: "rtg-dir@ietf.org<mailto:rtg-dir@ietf.org>" <rtg-dir@ietf.org<mailto:rtg-dir@ietf.org>>, "mpls@ietf.org<mailto:mpls@ietf.org>" <mpls@ietf.org<mailto:mpls@ietf.org>>, "draft-ietf-mpls-egress-protection-framework.all@ietf.org<mailto:draft-ietf-mpls-egress-protection-framework.all@ietf.org>" <draft-ietf-mpls-egress-protection-framework.all@ietf.org<mailto:draft-ietf-mpls-egress-protection-framework.all@ietf.org>>, "rtg-ads@ietf.org<mailto:rtg-ads@ietf.org>" <rtg-ads@ietf.org<mailto:rtg-ads@ietf.org>>
Subject: Re: RtgDir review: draft-ietf-mpls-egress-ptotection-framework-03

Yimin,
More of the same - yet another potential issue with egress protection of EVPN MC traffic.
When EVPN uses P2MP LSPs for delivery of MC traffic, the egress in many cases uses the top label as the context label for identifying the ingress PE and interprets the next label(s) in this context. Combining this scheme with the egress protection where the top label received by the Protector represents another context looks quite non-trivial to me and not compatible with some of the approaches for setting the bypass tunnel.
BTW, this issue is probably also relevant for MVPN using P2MP LSPs as PMSI.
My 2c.


Thumb typed by Sasha Vainshtein

________________________________
From: Alexander Vainshtein
Sent: Wednesday, December 12, 2018 11:41:11 AM
To: Yimin Shen
Cc: rtg-dir@ietf.org<mailto:rtg-dir@ietf.org>; mpls@ietf.org<mailto:mpls@ietf.org>; draft-ietf-mpls-egress-protection-framework.all@ietf.org<mailto:draft-ietf-mpls-egress-protection-framework.all@ietf.org>; rtg-ads@ietf.org<mailto:rtg-ads@ietf.org>
Subject: RE: RtgDir review: draft-ietf-mpls-egress-ptotection-framework-03

Yimin and all,
To clarify my issue #4 in the previous email.


RFC 7432 in Section 12 says that “The principles behind the following procedures are borrowed from the split-horizon forwarding rules in VPLS solutions [RFC4761<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc4761&d=DwMGaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=2-nT7xvtgxYac4wpYxwo_jh5rZM2uwTLxgRhaObwYug&m=pPZNt006XVa65-DtrxFryv0NnV76rnnNDLRSaUYnlz0&s=_lNRGBhCOgDwzbOlr60g2Uo1KXFwZ40s6b2Hc_BkeDI&e=>;] [RFC4762<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc4762&d=DwMGaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=2-nT7xvtgxYac4wpYxwo_jh5rZM2uwTLxgRhaObwYug&m=pPZNt006XVa65-DtrxFryv0NnV76rnnNDLRSaUYnlz0&s=6X6YWm8roGZppe3mOskc3651p9ofde52PWeiOx-3ef0&e=>].”



However, RFC 4761 and RFC 4762 define the split-horizon rules differently:


-     RFC 4761 in Section 4.2.5 states that “Split horizon forwarding rules apply to broadcast and multicast packets, as well as packets to an unknown MAC address”

-     RFC 4762 in Section 4.4 states that “a PE MUST NOT forward traffic from one PW to another in the same VPLS mesh”, it does not differentiate between BUM and “known unicast” traffic.

While RFC 7432 is aligned with RFC 4761 in its definition of the split-horizon rules, the rule introduced in RFC 4762 is much simpler to implement, and it is not explicitly prohibited by RFC 7432.


Regards,
Sasha

Office: +972-39266302
Cell:      +972-549266302
Email:   Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>

From: Alexander Vainshtein
Sent: Wednesday, December 12, 2018 11:20 AM
To: 'Yimin Shen' <yshen@juniper.net<mailto:yshen@juniper.net>>
Cc: rtg-dir@ietf.org<mailto:rtg-dir@ietf.org>; mpls@ietf.org<mailto:mpls@ietf.org>; draft-ietf-mpls-egress-protection-framework.all@ietf.org<mailto:draft-ietf-mpls-egress-protection-framework.all@ietf.org>; rtg-ads@ietf.org<mailto:rtg-ads@ietf.org>
Subject: RE: RtgDir review: draft-ietf-mpls-egress-ptotection-framework-03

Yimin,
Lots of thanks for the message.

I think that use of the protection framework described in the draft for protection of EVPN-based MP2MP services requires clarification of several issues. I am not sure I can provide a full list, but, at least, the following should be considered:

1.       It seems that in order for egress protection to work, Ethernet links connecting the primary Egress PE and the Protector to the customer site must participate in a common multi-homed Ethernet Segment. If this is correct, it should be specified explicitly

2.       If the multi-homing Ethernet Segment above operates in the Single-Active mode, and if the Primary PE is the DF on this segment for the specific service you try to protect, then, to the best of my understanding, the proposed protection scheme will not protect anything, because the Protector will declare the relevant VLANs as blocked to the CE (e.g., using MVRP as described in Section 8.5 of RFC 7432. The Protector will only unblock these VLANs when it is elected as the DF – but this will not happen until it will learn that the primary Egress PE or the link that connects it to the CE have failed. (If the Primary PE was not a DF, there would be nothing to protect).

3.       If the If the multi-homing Ethernet Segment above operates in the All-Active mode, and if the Primary PE is the DF on this segment for the specific service you try to protect, then:

a.       In the case of the primary PE failure “known unicast” traffic will be  protected by the proposed scheme

b.       The Protector will discard any BUM traffic it received for this service until it is elected as the DF.
Whether this behavior would count as protection for the service in question or not depends on the significance of multicast traffic in this service.

4.       RFC 7432 defines in Section 12 that Ethernet frames with unknown unicast Destination MAC addresses received from another PE MUST NOT ever be forwarded by the receiving PE to any other PE, only locally. While RFC 7432 restricts this to just unknown unicast frames, I suspect that most implementations do not forward EVPN-encapsulated frames they receive  to other PEs in any case (I can be wrong here, of course) just to be on the safe side when it comes to Ethernet loop prevention. Such implementations would have problems with using the proposed protection scheme for protection against failures of the attachment circuit where the primary Egress PE acts as the PLR.

I do not know if the list above is complete and whether all the issues I’ve raised are relevant, but I think that applicability of the egress protection  framework to EVPN requires some additional thought (and, eventually, a dedicated document). Simply saying that “EVPN can be supported in a similar manner as Layer 3 VPN” could be misleading IMHO.

Hopefully these notes would be useful.

Regards,
Sasha

Office: +972-39266302
Cell:      +972-549266302
Email:   Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>

From: Yimin Shen <yshen@juniper.net<mailto:yshen@juniper.net>>
Sent: Wednesday, December 12, 2018 2:44 AM
To: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>>
Cc: rtg-dir@ietf.org<mailto:rtg-dir@ietf.org>; mpls@ietf.org<mailto:mpls@ietf.org>; draft-ietf-mpls-egress-protection-framework.all@ietf.org<mailto:draft-ietf-mpls-egress-protection-framework.all@ietf.org>; rtg-ads@ietf.org<mailto:rtg-ads@ietf.org>
Subject: Re: RtgDir review: draft-ietf-mpls-egress-ptotection-framework-03

Hi Sasah,

a.       L2VPN services that use EVPN technology would neither suffer from an empty FIB in the protecting MAC-VRF nor use EVPN application labels for MAC learning. But I cannot say whether they do or do not introduce some other issues with the proposed framework – this would require serious in-depth analysis. Meanwhile such services look to me like another case when an explicit definition of “left FFS” or “to be addressed in a separate document” would be very much in place.

EVPN can be supported in a similar manner as Layer 3 VPN, although this document doesn’t provide a detailed example.

Thanks,

-- Yimin


From: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>>
Date: Thursday, November 29, 2018 at 3:50 AM
To: Yimin Shen <yshen@juniper.net<mailto:yshen@juniper.net>>
Cc: "rtg-dir@ietf.org<mailto:rtg-dir@ietf.org>" <rtg-dir@ietf.org<mailto:rtg-dir@ietf.org>>, "mpls@ietf.org<mailto:mpls@ietf.org>" <mpls@ietf.org<mailto:mpls@ietf.org>>, "draft-ietf-mpls-egress-protection-framework.all@ietf.org<mailto:draft-ietf-mpls-egress-protection-framework.all@ietf.org>" <draft-ietf-mpls-egress-protection-framework.all@ietf.org<mailto:draft-ietf-mpls-egress-protection-framework.all@ietf.org>>, "rtg-ads@ietf.org<mailto:rtg-ads@ietf.org>" <rtg-ads@ietf.org<mailto:rtg-ads@ietf.org>>
Subject: RE: RtgDir review: draft-ietf-mpls-egress-ptotection-framework-03

Yimin,
Lots of thanks for a prompt and very encouraging response.

It seems that all my comments would be resolved with the proposed changes. I will be waiting for the next revision of the draft to confirm that.

Please see some remarks inline below.

Regards,
Sasha

Office: +972-39266302
Cell:      +972-549266302
Email:   Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>

From: Yimin Shen <yshen@juniper.net<mailto:yshen@juniper.net>>
Sent: Thursday, November 29, 2018 2:53 AM
To: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>>; rtg-ads@ietf.org<mailto:rtg-ads@ietf.org>
Cc: rtg-dir@ietf.org<mailto:rtg-dir@ietf.org>; mpls@ietf.org<mailto:mpls@ietf.org>; draft-ietf-mpls-egress-protection-framework.all@ietf.org<mailto:draft-ietf-mpls-egress-protection-framework.all@ietf.org>
Subject: Re: RtgDir review: draft-ietf-mpls-egress-ptotection-framework-03

Hi Sasha,

Thanks very much again for the detailed review and the constructive comments and suggestions!

Please see [yshen] inline below.

Thanks,
-- Yimin


From: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>>
Date: Tuesday, November 20, 2018 at 4:41 AM
To: "rtg-ads@ietf.org<mailto:rtg-ads@ietf.org>" <rtg-ads@ietf.org<mailto:rtg-ads@ietf.org>>
Cc: "rtg-dir@ietf.org<mailto:rtg-dir@ietf.org>" <rtg-dir@ietf.org<mailto:rtg-dir@ietf.org>>, "mpls@ietf.org<mailto:mpls@ietf.org>" <mpls@ietf.org<mailto:mpls@ietf.org>>, "draft-ietf-mpls-egress-protection-framework.all@ietf.org<mailto:draft-ietf-mpls-egress-protection-framework.all@ietf.org>" <draft-ietf-mpls-egress-protection-framework.all@ietf.org<mailto:draft-ietf-mpls-egress-protection-framework.all@ietf.org>>
Subject: RtgDir review: draft-ietf-mpls-egress-ptotection-framework-03
Resent-From: <alias-bounces@ietf.org<mailto:alias-bounces@ietf.org>>
Resent-To: <yshen@juniper.net<mailto:yshen@juniper.net>>, Jeyananth <minto@juniper.net<mailto:minto@juniper.net>>, <bruno.decraene@orange.com<mailto:bruno.decraene@orange.com>>, <hannes@rtbrick.com<mailto:hannes@rtbrick.com>>, <c.michel@telekom.de<mailto:c.michel@telekom.de>>, <huaimo.chen@huawei.com<mailto:huaimo.chen@huawei.com>>, <jiangyuanlong@huawei.com<mailto:jiangyuanlong@huawei.com>>, <tsaad@cisco.com<mailto:tsaad@cisco.com>>, <n.leymann@telekom.de<mailto:n.leymann@telekom.de>>, <loa@pi.nu<mailto:loa@pi.nu>>, <martin.vigoureux@nokia.com<mailto:martin.vigoureux@nokia.com>>, <db3546@att.com<mailto:db3546@att.com>>, <aretana.ietf@gmail.com<mailto:aretana.ietf@gmail.com>>, Loa Andersson <loa@pi.nu<mailto:loa@pi.nu>>
Resent-Date: Tuesday, November 20, 2018 at 4:41 AM


Hello,

I have been selected as the Routing Directorate reviewer for this draft. The Routing Directorate seeks to review all routing or routing-related drafts as they pass through IETF last call and IESG review, and sometimes on special request. The purpose of the review is to provide assistance to the Routing ADs. For more information about the Routing Directorate, please see ​http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir<https://urldefense.proofpoint.com/v2/url?u=http-3A__trac.tools.ietf.org_area_rtg_trac_wiki_RtgDir&d=DwMGaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=2-nT7xvtgxYac4wpYxwo_jh5rZM2uwTLxgRhaObwYug&m=xu90MfAW_jm6lYh6hyEgpJehTmsKq0dHrkE5tND9658&s=lmNRlXjT4KG6xOton77vla3JlOuHmrmtA-DTbeS-eI8&e=>

Although these comments are primarily for the use of the Routing ADs, it would be helpful if you could consider them along with any other IETF Last Call comments that you receive, and strive to resolve them through discussion or by updating the draft.
Document: draft-ietf-mpls-egress-protection-framework-03
Reviewer: Alexander (“Sasha”) Vainshtein
Review date: 19-Nov-18
IETF LC End Date: Not known
Intend status: Standards Track

Summary:
I have some minor concerns about this document that I think should be resolved before publication.

Comments:
The draft is well written, requires from the reader has good understanding of multiple technologies including:

  *   context label spaces and context labels RFC 5331
  *   local and remote LFA mechanisms (RFC 5286 and RFC 7490)
  *   Segment Routing Mirror SIDs (RFC 8402) and more.
I doubt it is suitable reading for a beginner, but I also doubt any required background could be skipped.

This is a framework document, with at least one “specialization” of this framework already being published as RFC 8104<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc8104&d=DwMGaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=2-nT7xvtgxYac4wpYxwo_jh5rZM2uwTLxgRhaObwYug&m=xu90MfAW_jm6lYh6hyEgpJehTmsKq0dHrkE5tND9658&s=ZQnSkVQtt1y5mvUspbxj3ex47FimKytILN6VNLAAXIk&e=>;.  I assume that other “specialization” documents are on the way.

I have hold a very constructive off-list discussion with the authors before posting this review. Some of my comments have been already acknowledged. I would like to thank the authors and, especially, Yimin, for cooperation.

Caveat:
I have done an unsolicited review of the precursor individual draft<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_mpls_current_msg17033.html&d=DwMGaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=2-nT7xvtgxYac4wpYxwo_jh5rZM2uwTLxgRhaObwYug&m=xu90MfAW_jm6lYh6hyEgpJehTmsKq0dHrkE5tND9658&s=zeQV7i8GATWDPu-c_ILYWpjPkln0Wz5-0D6Al_gpPFU&e=>;. From my POV, the document has been quite in good shape even then, so I may be considered as positively biased (the current version acknowledges my comments). I have noticed that the majority of my then comments have been successfully resolved in the current version of the draft.

[yshen] Thanks again!

Major Issues: No major issues found

Minor Issues:

1)      The document seems to be ambiguous  with regard to expected coverage of L2VPN services by the framework it defines:
a.       On one hand, the requirement for the framework in the 2nd bullet in Section 4 says that it MUST “accommodate existing and future IP/MPLS services, including layer-2 VPNs, layer-3 VPNs, hierarchical LSP, and others”
b.       On the other hand, the overview of the framework (in Section 1) says that “When a PLR does local repair, the protector is responsible for performing "context label switching" for rerouted MPLS service packets and "context IP forwarding" for rerouted IP service packets, to allow the service packets to continue to reach the service destinations”. i.e., MAC-based switching seems to be excluded from the protector responsibility.
c.       Section 3 of the draft only defines the terms “Context label switching”  and “Context IP forwarding”. This also suggests that Context Layer-2 switching is not covered by the framework

[yshen] Actually, this framework does allow a context label to point to a layer-2 switching table, if the packets coming to a protector have a layer-2 header (rather than a label or IP header) below the context label, which could be the case of MAC address table.  In theory, a context label may point to any type of look-up table. IOW, depending the use case, any meaningful context-based “layer-N” forwarding/switching is allowed by this framework. We will add a section to the end of draft to make it future compatible.[[Sasha]] Sounds good. I will be waiting for the actual text in the next revision of the draft.

2)      I have some doubts regarding applicability of the egress protection framework defined in the draft  to VPLS-based (RFC 4761 and/or RFC 4762)  services because:
a.       With VPLS, CE multi-homing always operates in single-active mode. As a consequence:

                                                               i.      Prior to failure of the primary egress, the VSI that represents the service in the Protector PE would not learn any MAC addresses

                                                             ii.      If the PLR redirects “known unicast” traffic intended for the primary egress PE to the protector, the VSI that locally represents protected service there would flood this traffic as “unknown unicast” and, as such, probably subject it to rate limiting.

                                                           iii.      From the POV of the customer of the VPLS service,  this means that redirecting traffic to the protecting VSI, by and of itself would not fully restore the service, since substantial part of the customer traffic would be dropped until MAC learning in the protecting VSI is completed
b.       It is also worth noting that in VPLS received application labels do not only define egress VSI as the context for the MAC-based switching but also identify remote ingress VSI for MAC learning. Extending such identification to cover also application labels of the redirected traffic looks quite non-trivial to me
c.       I see these concerns as minor issues because, as explained above, it is not clear to me whether the framework is supposed to cover VPLS services. An explicit caveat (possibly defining applicability of the framework to VPLS services as “left FFS”, or to be discussed in a separate document”) would suffice to resolve them IMHO
d.       L2VPN services that use EVPN technology would neither suffer from an empty FIB in the protecting MAC-VRF nor use EVPN application labels for MAC learning. But I cannot say whether they do or do not introduce some other issues with the proposed framework – this would require serious in-depth analysis. Meanwhile such services look to me like another case when an explicit definition of “left FFS” or “to be addressed in a separate document” would be very much in place.

[yshen] We will mention VPLS and EVPN for future study, as well as services where no other router is able to learn or establish its own connectivity with service destination in advance of a primary PE failure, to serve as a protector.[[Sasha]] This should suffice I think.

3)      The example of applying the egress protection framework to BGP/MPLS IP VPN (RFC 4364) in Section 8 is explicitly restricted to scenario when both the primary egress VRF and the protector VRF use per-VRF label allocation scheme.
a.       With this scheme, the usage of the proposed egress protection framework is quite straightforward.
b.       However, RFC 4364 defines several label allocation schemes and states that the label allocation scheme can be selected independently in each PE without any impact on interoperability. It is not clear to me, to which extent IP VPN services that use different label allocation schemes in different egress PEs would be covered by the proposed framework
c.       Since we are only speaking about an example in a framework document, there is no need to describe a complete solution here. Simply noting the need for elaboration with regard to other VPN application label allocation schemes  (including the possible mismatch in the primary and protector egress PEs) and sending the reader to a (future) dedicated document would suffice IMHO.

[yshen] We will clarify that the primary PE (PE2) may allocate VPN labels by using per-VRF, per-route, or per-interface mode. The protector (PE3) should set up the nexthop for each label route in pe2.mpls table as below:
-          If the VPN label is a per-VRF label, the nexthop of the label route should point to the protection VRF.
-          If the VPN label is a per-route label, the nexthop of the label route should be based on the protector’s own connectivity with the IP prefix.
-          If the VPN label is a per-interface label, there are two cases. (A) If the distribution of IP prefixes over the interfaces on the primary PE aligns completely with the distribution of IP prefixes over the interfaces on the protector, the nexthop of the label route should point to the corresponding interface of the IP prefix on the protector. (B) Otherwise (or for simplicity), the nexthop of the label route should point to the protection VRF.
[[Sasha]] Would it not be simpler to say that, regardless of the way the primary egress PE allocates its VPN application labels, the Protector should always treat them as pointing to the relevant VRF and performing context IP forwarding? The logic that matches routes learned by the primary egress PE and by the Protector would be complicated and eventually could fall back to the same scheme – so what is the gain?

4)      Section 5.8 describes 3 possible approaches to advertisement of the Context ID IP address in IGP. But it does not define any of these approaches as “MUST to implement”. This looks to me like an opening for interoperability issues between implementations that support different approaches. On the other hand, I am not sure whether a framework document is the right place to select a MUST to implement option, especially when the expected areas of applicability are quite different:
a.       The “proxy mode” approach imposes minimal (if any) specific requirements on the routing and TE domain (i.e., no dedicated extensions in IGP,  just support of some FRR mechanism by the signaling protocol used for the tunnel setup)
b.       The “alias mode” seems to require support of at least Segment Routing extensions to the relevant IGP in the routing domain as well as support of the Mirror SID in all potential PLRs. Therefore I think that it is a native scheme to be used in the SR-MPLS environments, but problematic in the environments that do not use SR-MPLS for setup of any LSPs
c.       The definition of the “stub link mode” is accompanied by a somewhat vague caveat: “The correctness of the egress-protected tunnels and the bypass tunnels relies on the path computations for the any-cast IP  address performed by the ingress routers and PLR.  Therefore, care MUST be taken for the applicability of this approach to a given network topology”.  Some clarification here would be welcome IMHO, especially since no analog of this mode could be found in RFC 8104.
d.       I have looked up Section 4.3 in RFC 8104 that discusses two approaches (equivalents of the Proxy and Alias modes in this draft) to advertisement of Context ID, and found the following text there (the critical fragment is highlighted):
   The mechanism in this document intends to be flexible on the approach
   used by a network, as long as it satisfies the above requirements for
   the transport tunnel path and bypass tunnel path.  In theory, the
   network can use one approach for context ID X and another approach
   for context ID Y.  For a given context ID, all relevant routers,
   including primary PE, protector, and PLR, must support and agree on
   the chosen approach.  The coordination between the routers can be
   achieved by configuration.
Adding such ( or similar) text to Section 5.8 looks to me as a reasonable compromise between being excessively strict and being excessively flexible in a framework document.

[yshen] We will add similar text to the draft. As a framework, the draft presents and discusses a number of options in a general manner. These options are technically equal and all feasible, although they each may have pros and cons. This is also based on our goal to make egress protection applicable to a variety of networks of different technologies. Hence, the draft does not mandate any option as a MUST. That decision of which option to use in a given network is left to the specific technology deployed and the vendors involved.
[[Sasha]] This should do it IMHO.

Nits:

  1.  RFC 2119 is mentioned in the text, but does not appear as a Normative reference (BTW, I have pointed to this fact in my unsolicited review more than a year ago, but it still remains unresolved)
  2.  RFC 8174 is neither mentioned in the text (as seems to be the norm these days) nor appears as a Normative reference.

[yshen] We will add these RFCs to the normative reference section.
[[Sasha]] And to refer to them in the “Specification of Requirements” section.

Regards,
Sasha

Office: +972-39266302
Cell:      +972-549266302
Email:   Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>


___________________________________________________________________________

This e-mail message is intended for the recipient only and contains information which is
CONFIDENTIAL and which may be proprietary to ECI Telecom. If you have received this
transmission in error, please inform us by e-mail, phone or fax, and then delete the original
and all copies thereof.
___________________________________________________________________________

___________________________________________________________________________

This e-mail message is intended for the recipient only and contains information which is
CONFIDENTIAL and which may be proprietary to ECI Telecom. If you have received this
transmission in error, please inform us by e-mail, phone or fax, and then delete the original
and all copies thereof.
___________________________________________________________________________

___________________________________________________________________________

This e-mail message is intended for the recipient only and contains information which is
CONFIDENTIAL and which may be proprietary to ECI Telecom. If you have received this
transmission in error, please inform us by e-mail, phone or fax, and then delete the original
and all copies thereof.
___________________________________________________________________________

___________________________________________________________________________

This e-mail message is intended for the recipient only and contains information which is
CONFIDENTIAL and which may be proprietary to ECI Telecom. If you have received this
transmission in error, please inform us by e-mail, phone or fax, and then delete the original
and all copies thereof.
___________________________________________________________________________