IETF Logo Mail Archive

Re: [Sidrops] Which 8210-bis error code should be used?

Claudio Jeker <cjeker@diehard.n-r-g.com> Thu, 08 June 2023 10:09 UTC

Return-Path: <cjeker@diehard.n-r-g.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1BA6C14CE4F for <sidrops@ietfa.amsl.com>; Thu, 8 Jun 2023 03:09:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id arGUChotedWo for <sidrops@ietfa.amsl.com>; Thu, 8 Jun 2023 03:09:03 -0700 (PDT)
Received: from diehard.n-r-g.com (diehard.n-r-g.com [62.48.3.9]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D72AC151B16 for <sidrops@ietf.org>; Thu, 8 Jun 2023 03:09:02 -0700 (PDT)
Received: (qmail 65148 invoked by uid 1000); 8 Jun 2023 10:09:00 -0000
Date: Thu, 08 Jun 2023 12:09:00 +0200
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: gengnan <gengnan=40huawei.com@dmarc.ietf.org>
Cc: SIDR Operations WG <sidrops@ietf.org>
Message-ID: <ZIGovP2SaF0UgkNT@diehard.n-r-g.com>
References: <F338C878-E41A-4DB7-A4C6-1CEE0A6F6502@verisign.com> <003401d9993d$6b03db90$410b92b0$@cernet.edu.cn> <C1A9142F-F938-42F2-970E-3C2B85044019@nlnetlabs.nl> <ZICJjsmMcuQr55Sn@diehard.n-r-g.com> <7462895378ab4903b692264e67700ee5@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <7462895378ab4903b692264e67700ee5@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/EEWHdj5RE4au04WlAD5jiHkx7Fo>
Subject: Re: [Sidrops] Which 8210-bis error code should be used?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jun 2023 10:09:06 -0000

On Thu, Jun 08, 2023 at 06:53:41AM +0000, gengnan wrote:
> Hi,
> 
> (Want to confirm another 8210bis error code usage in this thread..)
> 
> The two descriptions in the 8210bis draft below look like inconsistent.
> (Through reading the codes) Openbgpd seems to follow the first
> description, i.e., "replacing". 
> If "replacing" is the correct understanding, why not IPvX PDU and Router
> Key PDU take the "replacing" action?  

I followed 5.12 that is very clear that an announce will replace the ASPA
record. The section is also emphasing that the ASPA PDU lookup is not
using the Provider Autonomous System Numbers or Provider AS Count as
information to lookup the record:
    The router MUST see at most one ASPA for a given AFI from a cache for a
    particular Customer Autonomous System Number active at any time.

So there is a difference in behaviour here regarding the other PDUs.
For IPvX PDU and Router Key PDU track one element and the full element is
used as key in the lookup (there is no extra data).

The ASPA PDU did not do that. It aggreagtes all the Provider Autonomous
System Numbers into a single object (extra data). To simplify update
operation the replace method was added. The alternative would be to update
an ASPA record by issuing a withdraw of the old record and announce of the
new record. This can result in Break Before Make issues.

For IPvX PDUs this problem is delegated to the RTR cache to order the
updates properly. For Router Key there is nothing in place right now
mainly because there is no experience with it. My assumption is that
Section 11 will need to be extended for Router Key consideration at some
point. In the case for Router Keys this may be delegated all the way up to
the CA to perform proper key roll over procedures (so it may not be needed
inside RTR itself).

RTR is lacking all the transactional awareness that databases normally
need to be ACID compliant. This lack of basic isolation is a big problem
of RTR and the reason for special workarounds (Section 11).

In OpenBGPD we try to make all Payload PDU updates between Cache Response
and End of Data PDU to appear atomic but if the End of Data PDU is not
received in reasonable time (60 sec) this atomicity is not guaranteed.
This works as long as the RTR cache is not spreading connected PDUs
over multiple incremental updates.
 
> Description 1: 
> "
> Receipt of an ASPA PDU announcement (announce/withdraw flag == 1) when the router already has an ASPA PDU with the same Customer Autonomous System Number and the same Address Family (see AFI Flags field), replaces the previous one.
> "
> Description 2: 
> "
> Duplicate Announcement Received (fatal):
> The received PDU has Flag=1, but a matching record ({Prefix, Len, Max-Len, ASN} tuple for an IPvX PDU or {SKI, ASN, Subject Public Key} tuple for a Router Key PDU), or Customer Autonomous System for an ASPA PDU is already active in the router.
> "

The additon of ASPA PDU text in Description 2 (Section 13. Error Codes)
needs to be removed since there is no way to have a duplicate announcement
based on the text in Section 5.12
Now one could argue that sending an ASPA PDU to replace the current PDU
that is exactly the same should trigger this error but what do we gain
from that?

-- 
:wq Claudio

v2.23.0 | Report a Bug | By Email