Re: [OSPF] [Isis-wg] Mail regarding draft-ietf-ospf-segment-routing-extensions

Shraddha Hegde <> Mon, 05 January 2015 08:49 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id ECEAD1A1EEA; Mon, 5 Jan 2015 00:49:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.398
X-Spam-Status: No, score=0.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MANGLED_BEEF=2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id b0PBVy6Lft8u; Mon, 5 Jan 2015 00:49:09 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fc10::1:776]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id ED42C1A0178; Mon, 5 Jan 2015 00:49:08 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Mon, 5 Jan 2015 08:48:45 +0000
Received: from ([]) by ([]) with mapi id 15.01.0049.002; Mon, 5 Jan 2015 08:48:45 +0000
From: Shraddha Hegde <>
To: "Les Ginsberg (ginsberg)" <>, Pushpasis Sarkar <>, "Peter Psenak (ppsenak)" <>, "" <>, "" <>, Hannes Gredler <>
Thread-Topic: [OSPF] [Isis-wg] Mail regarding draft-ietf-ospf-segment-routing-extensions
Date: Mon, 5 Jan 2015 08:48:44 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
authentication-results: spf=none (sender IP is );
x-dmarcaction: None
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(3005003);SRVR:BY1PR0501MB1239;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:; SRVR:BY1PR0501MB1239;
x-forefront-prvs: 0447DB1C71
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(24454002)(479174004)(13464003)(189002)(51704005)(199003)(54606007)(105586002)(106116001)(93886004)(230783001)(106356001)(99286002)(2201001)(2656002)(87936001)(561944003)(54356999)(50986999)(120916001)(76176999)(86362001)(2900100001)(107046002)(68736005)(15975445007)(2950100001)(102836002)(46102003)(76576001)(77156002)(31966008)(62966003)(33656002)(19580395003)(19580405001)(40100003)(92566001)(54206007)(74316001)(4396001)(122556002)(21056001)(97736003)(101416001)(99396003)(66066001)(64706001)(20776003)(579004); DIR:OUT; SFP:1102; SCL:1; SRVR:BY1PR0501MB1239;; FPR:; SPF:None; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jan 2015 08:48:44.4140 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0501MB1239
Cc: "" <>, "" <>
Subject: Re: [OSPF] [Isis-wg] Mail regarding draft-ietf-ospf-segment-routing-extensions
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 05 Jan 2015 08:49:14 -0000


Pls consider a case when the post convergence path goes through a different node and is well provisioned.

|                     |
        |       |

When the link between B & C goes down, we don’t want to divert the traffic via B-E-E-F-C because it is not well provisioned for the service.
The post convergence path is A-G-D which is well provisioned.
In this case it makes sense to simply avoid protection for the service as the nature of the service is such that it can be disconnected and reconnected without impacting the end user of the service.

The post convergence paths need to be provisioned at least for one failure if that is not the case then the service will remain down
Irrespective of the technology used.


-----Original Message-----
From: Les Ginsberg (ginsberg) [] 
Sent: Monday, January 05, 2015 12:07 PM
To: Pushpasis Sarkar; Shraddha Hegde; Peter Psenak (ppsenak);;; Hannes Gredler
Subject: RE: [OSPF] [Isis-wg] Mail regarding draft-ietf-ospf-segment-routing-extensions

Pushpasis -


-----Original Message-----
From: Pushpasis Sarkar []
Sent: Sunday, January 04, 2015 10:13 PM
To: Les Ginsberg (ginsberg); Shraddha Hegde; Peter Psenak (ppsenak);;; Hannes Gredler
Subject: Re: [OSPF] [Isis-wg] Mail regarding draft-ietf-ospf-segment-routing-extensions

Hi Les,

On 1/5/15, 11:23 AM, "Les Ginsberg (ginsberg)" <> wrote:

>Pushpasis -
>The key point is that the proposal does not have any lasting impact on 
>traffic flow. A simple topology should suffice to illustrate this.
>          |       |
>          E----F
>(All links have the same cost)
>Suppose we wish to have traffic entering at A flow along the path 
>- but if the link B---C fails we do NOT want traffic to take the path 
>You propose to have C advertise an address with two node-sids - one 
>which allows protection - call it C(P) - and one which does NOT allow 
>protection - call it C(NP).
[Pushpasis] No. My proposal is for D to advertise two node sids, D1 with NP set to 0 and D2 with NP set to 1. Applications on that do not need B, or C to protect the A-B-C-D path will use D2. B and C will not install backup paths for D2. Other apps can use D1 as they are supposed to do otherwise. Wether to protect D1 or not is a local decision of B and C.
Hope I could clarify enough :)

[Les:] Whether we talk about C or D doesn’t matter. As you point out below the issue you are concerned with is the FIB update time on the intermediate nodes relative to the recomputation on the ingress node.

>If the label stack specifies C(NP) - then while the link B--C is UP 
>everything works as desired (primary path to C(NP) on Node B is via 
>link B-C).
>However, when the link B--C goes down, the network will reconverge and 
>in a modest amount of time the new primary path to C(NP) on node B will 
>be via link B-E.
[Pushpasis] Yes agreed. But only applications on A will be injecting traffic using D2. Once the B-C link-down event reaches router A will stop injecting traffic using D2. A path re-compute will be triggered on A. Yes I agree that if B converges D2 (not FRR) before A re-compute, there is still chance that some small amount of traffic is sent over A-B-E-F-C-D.

[Les:] Well yes - the key point is that you cannot guarantee the timing of when B (for example) will reconverge relative to when the ingress node A decides to reroute/drop the D2 traffic. Given that B is closer to the failure it is quite likely that B will respond more quickly than A - and of course there are many other variables which could affect the relative response time of A and B. So the sole benefit of what you propose seems to be that in some cases you MIGHT not send as much traffic to D2 via the undesired links.

At this point I think you would do well to look at the existing solutions - as well as Jeff's post on this thread which provides an excellent framework for thinking about solutions. We do have ways of addressing this problem and doing so far more robustly than what you are proposing. The ROI for what you propose is quite low. For my part I don’t think what you propose is a good idea.


>The existence of C(NP) therefore only affects traffic flow during the 
>reconvergence period i.e. if we assume B did NOT install a repair path 
>for C(NP) traffic will be dropped only until a new primary path is 
>calculated. I don’t see the value in this.
>As a (somewhat dangerous) aside, the functionality you are looking for 
>is more akin to "not-via" as defined in RFC 6981 - though I am quick to 
>add that I am NOT proposing to pursue that. :-) But reading that RFC 
>might give you more insight into why simply setting "don't protect" for 
>a prefix isn't useful for the purpose you have in mind.
>   Les
>-----Original Message-----
>From: Pushpasis Sarkar []
>Sent: Sunday, January 04, 2015 8:34 PM
>To: Les Ginsberg (ginsberg); Shraddha Hegde; Peter Psenak (ppsenak); 
>draft-ietf-isis-segment-routing-extensions@tools.ietf.orgorg; Hannes 
>Subject: Re: [OSPF] [Isis-wg] Mail regarding 
>Hi Les,
>Please find comments inline..
>Here is my proposal. Please let me know if this sounds reasonable or not.
>- A new ŒNo-Potection-Required¹ or ŒNP¹ flag be added to the Prefix-SID 
>Sub-TLV/TLV. Setting this flag means none of the transit routers should 
>try to protect this node-segment.
>- Let nodes advertise two node-sid-index each (per address-family), one 
>without and one with ŒNP¹ flag set. For node-sid advertised with ŒNP¹ 
>flag 0, routers same behave the same way as today. But when they 
>receive a node-sid with ŒNP¹ flag set, they avoid/skip finding a backup 
>for that segment.
>- Finally ingress servers or TE-applications may use these 'node-sids 
>with NP-flag set¹ for use cases where it is better to drop traffic on 
>topology outages rather than diverting it to some other paths. For such 
>cases ingress router or TE-applications should look for node-sids with 
>ŒNP¹ flag set and not the regular node-sids. For all other normal use 
>cases(including L3VPN/6VPE etc) traffic should be carried using 
>node-sid without ŒNP‹flag set.
>Thanks and Regards,
>On 1/5/15, 3:37 AM, "Les Ginsberg (ginsberg)" <> wrote:
>>Pushpasis -
>>I don't agree.
>>The use of one node-sid vs another has nothing whatever to do with the 
>>request Shraddha has made i.e. should we introduce a flag indicating 
>>whether a particular prefix should be protected or not. A node-sid 
>>only dictates what (intermediate) node traffic should be sent to - not 
>>link(s) are used to reach that node.
>[Pushpasis] This is not about which links to take. It is about wether 
>transit routers should try to protect the node-segment to the this 
>node-sid or not. I think this opens up a lot many number of 
>possibilities on the ingress router and TE controller-based applications.
>>Adjacency-sids have a different semantic - they identify the link over 
>>which traffic is to be forwarded. Identifying an adjacency-sid as 
>>unprotected means traffic will NEVER flow over a different link. There 
>>is no equivalent behavior w a node-sid - which is what this discussion 
>>has been about.
>[Pushpasis] I am not trying to draw a parallel between this new flag 
>and the ŒB¹ flag in Adj-Sid SubTlv. Like said before
>>   Les
>>-----Original Message-----
>>From: Pushpasis Sarkar []
>>Sent: Sunday, January 04, 2015 8:51 AM
>>To: Les Ginsberg (ginsberg); Shraddha Hegde; Peter Psenak (ppsenak); 
>>Subject: Re: [OSPF] [Isis-wg] Mail regarding 
>>Hi Les,
>>I think the requirement Shraddha is referring is about the choice of 
>>exact node-sid to use while constructing the label-stack for a 
>>explicit-LSP on the ingress router, which will be typically done after 
>>running some CSPF on the SPRING topology. And not the IGP on ingress 
>>or transit routers.
>>On 1/3/15, 3:10 AM, "Les Ginsberg (ginsberg)" <> wrote:
>>>Shraddha -
>>>IGPs today do NOT perform constraint based SPFs - so I don't know why 
>>>you believe that the primary SPF will meet a set of constraints that 
>>>an LFA calculation will not. In fact , it is the opposite which is 
>>>true because implementations today do support preferences in choosing 
>>>LFAs based on various configured policy - something which is NOT done 
>>>for primary SPF.
>>>If you want a certain class of traffic to avoid a subset of the links 
>>>in the topology then you need to have a way of identifying the links 
>>>(NOT the node addresses) and a way of calculating a path which only 
>>>uses the links which meet the constraints of that class of service.
>>>Identifying a particular prefix as protected or unprotected won't 
>>>achieve that.
>>>   Les
>>>-----Original Message-----
>>>From: Shraddha Hegde []
>>>Sent: Friday, January 02, 2015 10:54 AM
>>>To: Les Ginsberg (ginsberg); Peter Psenak (ppsenak); 
>>>Subject: RE: [Isis-wg] Mail regarding 
>>>Hi Les/Peter,
>>>      When reconvergence happens, the primary path will be calculated 
>>>based on all constriants.
>>>This is not true with the protection path.Protection path is 
>>>calculated locally (LFA/RLFA)  and does not consider the 
>>>characteristics of the services running on that path.
>>>It's easier for some services to pick the unprotected path when the 
>>>nature of the service is that it can be restarted  when there is a 
>>>-----Original Message-----
>>>From: Les Ginsberg (ginsberg) []
>>>Sent: Friday, January 02, 2015 10:06 PM
>>>To: Peter Psenak (ppsenak); Shraddha Hegde; 
>>>Subject: RE: [Isis-wg] Mail regarding 
>>>Peter -
>>>The requirement Shraddha specified was to not allow a particular 
>>>class of service ("heavy bandwidth services" was the example
>>>provided) to use certain links in the topology. My point is that 
>>>advertising a flag for a given prefix which says "do not calculate a 
>>>repair path for this prefix"
>>>does not help achieve this. Once the network reconverges following 
>>>the failure of one of the links on which "heavy bandwidth services"
>>>is allowed/preferred it is quite likely that the new best path will 
>>>be over a link on which "heavy bandwidth services" is NOT 
>>>allowed/preferred. This will happen whether you have the new flag or 
>>>not - so the flag will have no lasting effect. It would only affect 
>>>traffic flow during the brief period during which the network is 
>>>I think you and I are actually in agreement - I am simply sending a 
>>>stronger negative message - not only do I think the flag is not 
>>>- I think it does not achieve the goal Shraddha has in mind.
>>>   Les
>>>-----Original Message-----
>>>From: Peter Psenak (ppsenak)
>>>Sent: Friday, January 02, 2015 12:18 AM
>>>To: Les Ginsberg (ginsberg); Shraddha Hegde; 
>>>Subject: Re: [Isis-wg] Mail regarding 
>>>Hi Les,
>>>I believe the idea is not to exclude any particular link, it's 
>>>actually much simpler - do not calculate backup for the prefix if the 
>>>flag is set.
>>>I'm still not quite sure how useful above is, but technically it is 
>>>On 12/30/14 17:22 , Les Ginsberg (ginsberg) wrote:
>>>> Shraddha -
>>>> When performing a best path calculation whether a given link is in 
>>>>the set of best paths (to be protectedED) or not (could be used as a 
>>>>protectING path) is a function of the topology - not the link.  If 
>>>>there is a topology change it is quite likely that a given link will 
>>>>change from being a protectED link to being a protectING link (or 
>>>>vice versa).
>>>>So what you propose regarding node-SIDs would not work.
>>>> In the use case you mention below if you don't want a certain class 
>>>>of traffic to flow on a given link it requires a link attribute 
>>>>which is persistent across topology changes. There are ways to do 
>>>>that - using Adj-SIDs is one of them. But using node-SIDs in the way 
>>>>you propose is NOT.
>>>>     Les
>>>> -----Original Message-----
>>>> From: OSPF [] On Behalf Of Shraddha 
>>>> Hegde
>>>> Sent: Monday, December 29, 2014 10:12 PM
>>>> To: Peter Psenak (ppsenak);
>>>> Cc:;
>>>> Subject: Re: [OSPF] [Isis-wg] Mail regarding 
>>>> draft-ietf-ospf-segment-routing-extensions
>>>> Peter,
>>>>> The requirement here is to get an un-protected path for services 
>>>>>which do not want to divert the traffic on protected path in any case.
>>>>> can you give an example of such a service and a reasoning why such 
>>>>>service would want to avoid local protection along the path?
>>>> Heavy bandwidth services are potential candidates.  The network is 
>>>>well planned and well provisioned for primary path but same is not 
>>>>true for backup paths.
>>>> Diverting heavy bandwidth services along protection path can 
>>>>disrupt the other services on that path, they are better-off 
>>>>un-protected so that an event in the network Would result in 
>>>>disconnection and a retry for such services.
>>>> Rgds
>>>> Shraddha
>>>> -----Original Message-----
>>>> From: Peter Psenak []
>>>> Sent: Monday, December 29, 2014 4:35 PM
>>>> To: Shraddha Hegde;
>>>> Cc:;
>>>> Subject: Re: [Isis-wg] Mail regarding 
>>>> draft-ietf-ospf-segment-routing-extensions
>>>> Shraddha,
>>>> On 12/29/14 10:06 , Shraddha Hegde wrote:
>>>>> Peter,
>>>>> The requirement here is to get an un-protected path for services 
>>>>>which do not want to divert the traffic on protected path in any case.
>>>> can you give an example of such a service and a reasoning why such 
>>>>service would want to avoid local protection along the path?
>>>> thanks,
>>>> Peter
>>>>> So when the originator of node-sid signals un-protected path 
>>>>>requirement, there is always an unprotected path.
>>>>> Regarding the protected path, it is the default behavior as it 
>>>>>exists today. You get protection if it's available otherwise you 
>>>>>don't get protection.
>>>>> In fact, you can have the new flag to say "NP flag" meaning 
>>>>>non-protected flag which can be set for the unprotected path.
>>>>> By default it remains off and gives the behavior as it exists today.
>>>>> Rgds
>>>>> Shraddha
>>>>> -----Original Message-----
>>>>> From: Peter Psenak []
>>>>> Sent: Monday, December 29, 2014 2:26 PM
>>>>> To: Shraddha Hegde;
>>>>> Cc:;
>>>>> Subject: Re: [Isis-wg] Mail regarding 
>>>>> draft-ietf-ospf-segment-routing-extensions
>>>>> Shraddha,
>>>>> I do not see how an originator of the node-sid can mandate a 
>>>>>protection for the prefix on other routers. What if there is no 
>>>>>backup available on a certain node along the path?
>>>>> The parallel with the B-flag in adj-sids is not right - in case of 
>>>>>adj-sid the originator has the knowledge about the local adjacency 
>>>>>protection and as such can signal it it it's LSA.
>>>>> thanks,
>>>>> Peter
>>>>> On 12/29/14 09:47 , Shraddha Hegde wrote:
>>>>>> Peter,
>>>>>> Pls see inline.
>>>>>> Rgds
>>>>>> Shraddha
>>>>>> -----Original Message-----
>>>>>> From: Peter Psenak []
>>>>>> Sent: Monday, December 29, 2014 2:02 PM
>>>>>> To: Shraddha Hegde;
>>>>>> Cc:;
>>>>>> Subject: Re: [Isis-wg] Mail regarding 
>>>>>> draft-ietf-ospf-segment-routing-extensions
>>>>>> Shraddha,
>>>>>> I do not see how an originator can set any flag regarding the 
>>>>>>protection of the locally attached prefix.
>>>>>> <Shraddha> The originator advertises 2 node-sids. One with p flag 
>>>>>>set and the other without the p-flag set.
>>>>>>     It's all the routers on the path towards such prefix that 
>>>>>>need to deal with the protection.
>>>>>> <Shraddha> The receiving nodes will download protected path for 
>>>>>>the node-sid with p-flag set and download Unprotected path for the 
>>>>>>node-sid with p-flag unset.
>>>>>> Signaling anything from the originator seems useless.
>>>>>> <Shraddha>  For node-sids it's the others who need to build the 
>>>>>>forwarding plane but it's only the originator who can signal which of
>>>>>>                            Sid need to be built with protection 
>>>>>>and which not. Other routers on the path cannot signal this 
>>>>>> With this you have two paths for the node. One is protected and 
>>>>>>the other is unprotected. This meets the requirement of having an 
>>>>>>un-protected path.
>>>>>> It's very much in parallel to B-flag in adj-sids. It is similar 
>>>>>>to advertising multiple adj-sids one with B-flag on and other with 
>>>>>>b-flag off , to get protected and unprotected Adj-sids.
>>>>>> thanks,
>>>>>> Peter
>>>>>> On 12/29/14 09:26 , Shraddha Hegde wrote:
>>>>>>> Yes.You are right.
>>>>>>> Lets say a prefix sid has a flag "p flag". If this is on it 
>>>>>>>means build a path and provide protection.
>>>>>>> If this is off it means build a path with no protection.
>>>>>>> The receivers of the prefix-sid will build forwarding plane 
>>>>>>>based on this flag.
>>>>>>> The applications building the paths will either use prefix-sids 
>>>>>>>with p flag on or off based on the need of the service.
>>>>>>> Rgds
>>>>>>> Shraddha
>>>>>>> -----Original Message-----
>>>>>>> From: Peter Psenak []
>>>>>>> Sent: Monday, December 29, 2014 1:49 PM
>>>>>>> To: Shraddha Hegde;
>>>>>>> Cc:;
>>>>>>> Subject: Re: [Isis-wg] Mail regarding 
>>>>>>> draft-ietf-ospf-segment-routing-extensions
>>>>>>> Shraddha,
>>>>>>> the problem is that the node that is advertising the node-sid 
>>>>>>>can not advertise any data regarding the protection of such 
>>>>>>>prefix, because the prefix is locally attached.
>>>>>>> thanks,
>>>>>>> Peter
>>>>>>> On 12/29/14 09:15 , Shraddha Hegde wrote:
>>>>>>>> Peter,
>>>>>>>> If there is a service which has to use un-protected path and 
>>>>>>>>while  building such a path if the node-sids Need to be used 
>>>>>>>>(one reason  could be label stack compression) , then there has 
>>>>>>>>to be unprotected node-sid that this service can make use of.
>>>>>>>> Prefix -sids could also be used to represent different service 
>>>>>>>>endpoints which makes it even more relevant to have A means of 
>>>>>>>>representing  unprotected paths.
>>>>>>>> Would be good to hear from others on this, especially operators.
>>>>>>>> Rgds
>>>>>>>> Shraddha
>>>>>>>> -----Original Message-----
>>>>>>>> From: Peter Psenak []
>>>>>>>> Sent: Monday, December 29, 2014 1:35 PM
>>>>>>>> To: Shraddha Hegde;
>>>>>>>> Cc:;
>>>>>>>> Subject: Re: [Isis-wg] Mail regarding 
>>>>>>>> draft-ietf-ospf-segment-routing-extensions
>>>>>>>> Shraddha,
>>>>>>>> node-SID is advertised by the router for the prefix that is 
>>>>>>>>directly attached to it. Protection for such local prefix does 
>>>>>>>>not mean much.
>>>>>>>> thanks,
>>>>>>>> Peter
>>>>>>>> On 12/24/14 11:57 , Shraddha Hegde wrote:
>>>>>>>>> Authors,
>>>>>>>>> We have a "backup flag" in adjacency sid to indicate whether 
>>>>>>>>> the label is protected or not.
>>>>>>>>> Similarly. I think we need a flag in prefix-sid as well to 
>>>>>>>>> indicate whether the node-sid is to be protected or not.
>>>>>>>>> Any thoughts on this?
>>>>>>>>> Rgds
>>>>>>>>> Shraddha
>>>>>>>>> _______________________________________________
>>>>>>>>> Isis-wg mailing list
>>>>>>>> .
>>>>>>> .
>>>>>> .
>>>>> .
>>>> _______________________________________________
>>>> OSPF mailing list
>>>> .
>>>OSPF mailing list