[OSPF] Extensible LSAs

"Fred Baker (fred)" <fred@cisco.com> Fri, 03 May 2013 17:10 UTC

From: "Fred Baker (fred)" <fred@cisco.com>
To: "ospf@ietf.org" <ospf@ietf.org>
Date: Fri, 03 May 2013 15:58:15 +0000
Message-ID: <8C48B86A895913448548E6D15DA7553B842575@xmb-rcd-x09.cisco.com>

As I stated at the past IETF meeting, there has been some additional work on extensible LSAs, egress routing, and building access control into routing (which in my mind is primarily useful in data centers). Interested in your remarks.

  "OSPFv3 LSA Extendibility", Acee Lindem, Sina Mirtorabi, Abhay Roy, Fred Baker, 1-May-13
  diff: http://tinyurl.com/ct9wn6g
  "Using OSPFv3 with Role-Based Access Control", Fred Baker, 2-May-13
  diff: http://tinyurl.com/ctcshzb
  "IPv6 Source/Destination Routing using OSPFv3", Fred Baker, 2-May-13

To diff from the previous drafts, if you want one, you want to do the following. This is what the tiny URL gets you.


I'll save you one question, though. I get asked frequently why these didn't follow MT-OSPF or MI-OSPF, and commented on this in the meeting in Orlando. The reason is that neither is fundamentally a topology or instance question. MT-OSPF presumes that some non-null set of links in a topology are either absent from some of the topologies or that metrics differ, so that routes in one topology differ from those in another. This is about qualification of routes - a scalable access list or policy route, if you will. One could integrate it with MT-OSPF within a network, but the most immediate use cases aren't helped by it.

Consider egress routing in a multihomed network, the use case presented by homenet. We have a network with two or more upstreams, each of which allocates a PA prefix to the network. In homenet's case and probably for small networks, the technique described in draft-ietf-ospf-ospfv3-autoconfig-02.txt is used to allocate a /64 prefix from each PA prefix to each LAN in the domain. Links derive their metrics from bandwidth, and might in effect use hop count. So the different "topologies" are identical. What differs between them is that there are multiple default routes, and due to BCP 38 implementation upstream, we want to direct traffic using a given ISP's PA prefix to that ISP. So we want to attach a source prefix to each default (AS-external, most likely, or at least an intra-as-prefix) route. Internal routes, in that case, will likely accept "any" source including external sources, which is to say that they are advertised without a source prefix.

The concept of source/destination routing is extensible to intra-area or inter-area routing as well as egress routing. The use cases are most likely something about security - there is some domain within the network that only certain other parts of the network are permitted to reach. That is, of course, more hypothetical at this point.

As to the use of the flow label, in a multi-tenant data center, that is a *lot* of topologies. I think it has scaling issues. As to Multi-Instance, suppose I put a set of VMs on a LAN that are part of one tenant and another set of VMs in a different tenant. Yes, I probably put them into different subnets. But how do instances actually help me there? They don't, really.

What the SDN folks are doing right now is segregating the network using overlays - GRE tunnels, VLANs, or some such thing. That mostly has the effect of making it difficult for the network to do anything, or to optimize the application in any way from a network perspective. I'd like to keep the application stuff at the application layer and enable the network to support the application. So to my way of thinking, the applications should think in terms of communicating with each other as instances - names, addresses given by some controller, or whatever - and are given those by the controller that created them using whatever protocol it uses. Part of what they are given, one of half a dozen parameters they are already given, is a tenant number for access control to put into the flow label. The controller can similarly configure the OSPF instance on their favorite router to advertise the subnet(s) in question with those tenant numbers. Voila, they have communication that is supported in the network architecture, and with this they are given the communication isolation they're looking for.
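The egress case in the message (two ISP-allocated PA prefixes, a source-qualified default route per ISP, internal routes with no source prefix) as an added, constructed example of the forwarding decision; it is not code from the drafts or the author. It assumes the lookup rule is longest destination match first, with the source prefix only qualifying among equally specific destination routes, and that a packet matching no source-qualified default has no route (the outcome BCP 38 filtering upstream would otherwise produce).

```python
import ipaddress

ANY = None  # route advertised without a source prefix: accepts any source

# Constructed table for a homenet with uplinks to ISP A (2001:db8:1::/48)
# and ISP B (2001:db8:2::/48); one LAN holds a /64 from each PA prefix.
# Entries: (destination prefix, source prefix or ANY, next hop)
ROUTES = [
    (ipaddress.ip_network("::/0"), ipaddress.ip_network("2001:db8:1::/48"), "isp-a"),
    (ipaddress.ip_network("::/0"), ipaddress.ip_network("2001:db8:2::/48"), "isp-b"),
    (ipaddress.ip_network("2001:db8:1:10::/64"), ANY, "lan-10"),
    (ipaddress.ip_network("2001:db8:2:10::/64"), ANY, "lan-10"),
]


def lookup(src, dst, routes=ROUTES):
    """Return the next hop for a (source, destination) pair, or None.

    Destination prefix length dominates; among routes with the same
    destination length, a matching source prefix beats ANY, and a longer
    source prefix beats a shorter one. Routes whose source prefix does
    not cover the packet's source are not candidates at all.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    best = None
    for dst_pfx, src_pfx, next_hop in routes:
        if dst not in dst_pfx:
            continue
        if src_pfx is not ANY and src not in src_pfx:
            continue
        rank = (dst_pfx.prefixlen, -1 if src_pfx is ANY else src_pfx.prefixlen)
        if best is None or rank > best[0]:
            best = (rank, next_hop)
    return None if best is None else best[1]


if __name__ == "__main__":
    # Internal traffic: destination-only match, source irrelevant.
    print(lookup("2001:db8:1:10::5", "2001:db8:2:10::9"))
    # Egress traffic: same destination, the source prefix picks the ISP.
    print(lookup("2001:db8:1:10::5", "2001:db8:ffff::1"))
    print(lookup("2001:db8:2:10::5", "2001:db8:ffff::1"))
    # A source outside both PA prefixes has no usable default route.
    print(lookup("fd00::1", "2001:db8:ffff::1"))
```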