6PE fails and other short stories… - PTNOG
Sandy Breeze
6PE
Why did we even do 6PE?
• Been around for ages, implementations should be mature
• LDP6 not going anywhere, never really happened
• Enables VPNv6
6PE DDoS detection
• No BGP session in AFI/SAFI 2/1 if NH in 2/4 (IOS-XR)
[Diagram: Peering / Transit, R1, R2, arbor, Country; sessions "iBGP IPv6 unicast" and "iBGP IPv6 LU"; status labels "Not working" and "Working"]
6PE DDoS detection
• GRE to the rescue! (IOS-XR)
[Diagram: R1, R2, arbor, Country; sessions "iBGP IPv6 unicast" and "iBGP IPv6 LU", plus GRE; status labels "Working" and "Working"]
6PE DDoS detection
• FRR royally breaks GRE (IOS-XR)
[Diagram: R1, R2, arbor, Country; sessions "iBGP IPv6 unicast" and "iBGP IPv6 LU", plus GRE; status labels "Working" and "Working"]
6PE Label Allocation
• Allocate-all does not scale (IOS)
[Diagram: peer, R1, R2, R3; iBGP - IPv6 unicast; prefixes 2001:1::/32, 2001:2::/32, 2001:3::/32 …; iBGP - IPv6 labeled-unicast]
Prefix: Label:
2001:1::/32 2001
2001:2::/32 2002
2001:3::/32 2003
…
6PE Label Allocation
• Default behavior to IPv6 Exp-Null for all (EOS)
• Configurable behavior to IPv6 Exp-Null (IOS-XR)
[Diagram: peer, R1, R2, R3; iBGP - IPv6 unicast; prefixes 2001:1::/32, 2001:2::/32, 2001:3::/32 …; iBGP - IPv6 labeled-unicast]
Prefix: Label:
2001:1::/32 2001
2001:2::/32 2002
2001:3::/32 2003
…
6PE TCAM exhaustion
• Both 72 and 144 space used (If P+T edge) (IOS)
[Diagram: peer, R1, R2, R3; iBGP - IPv6 unicast; prefixes 2001:1::/32, 2001:2::/32, 2001:3::/32 …; iBGP - IPv6 labeled-unicast]
Prefix: Label:
2001:1::/32 2001
2001:2::/32 2002
2001:3::/32 2003
…
6PE Bugs in 2019
• XRv fails to process 6LU withdraw, loc-RIB grows indefinitely until crash. Status: Fixed. (IOS-XR)
• ASR1k continually sends full BGP RIB to IPv6-Unicast peers. Status: Fixed. (IOS-XE)
• Shared code-path for all labelled NHs, e.g. VPNv4 and 6PE: a withdraw in one will cause blackholing in the other. State: Fixed (very quickly!) (EOS)
LDP
Deployed in 2003 for MPLS L3VPN
• Original spec had too many dependencies on IPv4
• RFC7552 LDP6 was too late to the table (June 2015)
• Unnecessarily independent of IGP (in the core)
[Diagram: R1, R2, R3; link labels: ISIS and LDP; ISIS and NO LDP; X X]
• LDP6 not really implemented, and where it is, still no L2/L3VPN support
Other nuisances: FRR LFA
Consider:
• No shared PQ space, no FRR LFA
[Diagram: R1 to R6 and a webserver; link metrics 666 and 10; one link marked X; P-space and Q-space]
Other nuisances: μ-loops
Consider:
[Diagram: R1 to R6 and a webserver; link metrics 666 and 10; one link marked X; node SIDs 16001 to 16006]
Other nuisances: μ-loops
Consider:
[Diagram: R1 to R6 and a webserver; link metrics 666 and 10; node SIDs 16001 to 16006]
• Loop duration function of convergence time
• Existed since day 1 in IGP
Problem recap
| Problem | Why |
| --- | --- |
| 6PE | BGP label allocation (can) chew through labels; vendors are still implementing it badly; relies on LDP |
| LDP | No (implemented) native IPv6 support; not closely coupled with IGP, independent |
| FRR LFA | Coverage can be bad where topology has no overlapping SPF from source / destination (PQ router space) |
| μ-loops | Bringing links into service can cause μ-loops, which depend on the speed at which surrounding devices converge |
Summary
…we had a bad time with 6PE
…another tool on the block
How do routers allocate labels?
R1
Label Manager: (aka LSD - Label Switching DB)
Application                  Count
---------------------------- -------
LSD(A)                       4
LDP(A)                       308
BGP-VPNv4(A):bgp-default     150494
ISIS(A):CLUK                 100
---------------------------- -------
TOTAL                        150905
• There is a label manager (LSD)
• Protocols that can allocate / distribute labels are clients of the label manager
If an IGP did labels…
…it’d (probably) be the best at label allocation and distribution in the world [sic]
Segment Routing 101? (2 slides)
Node SID
• Global instruction in IGP, which any node in the SR domain can execute
- Forward to node x via shortest path
Adjacency SID
• Instruction which only the node that originated the instruction can execute, e.g.:
- Send out interface y
[Diagram: P1 to P6 with link metrics 10 and node SIDs 16011 to 16016]
[Diagram: P1 to P6 with adjacency SIDs 20001, 20002 and 20003]
Topology:
[Diagram: P1 to P6 with adjacency SIDs 20001, 20002 and 20003 and node SIDs 16011 to 16016]
Apply SR header at P1: { 16015, 20003, 16013}
Visually:
[Diagram: the same topology, P1 to P6 with adjacency SIDs 20001, 20002 and 20003 and node SIDs 16011 to 16016]
Problem recap
| Problem | Why |
| --- | --- |
| 6PE | BGP label allocation chews through labels; vendors are always implementing it badly; relies on LDP |
| LDP | No (implemented) native IPv6 support; not closely coupled with IGP, independent |
| FRR LFA | Coverage can be bad where topology has no overlapping SPF from source / destination (PQ router space) |
| μ-loops | Bringing links into service can cause μ-loops, which depend on the speed at which surrounding devices converge |
Problem recap
| Problem | Why |
| --- | --- |
| LDP | No (implemented) native IPv6 support; not closely coupled with IGP, independent |
• IS-IS will allocate and distribute them
Problem recap
| Problem | Why |
| --- | --- |
| 6PE | BGP label allocation chews through labels; vendors are always implementing it badly; relies on LDP |
• LDP will be gone
• Dual-stack all links in IS-IS
• Move to IPv6 unicast (keep LU for VPNv6 only)
Problem recap
| Problem | Why |
| --- | --- |
| FRR LFA | Coverage can be bad where topology has no overlapping SPF from source / destination (PQ router space) |
• SR introduces TI-LFA
Nuisance: FRR LFA
Consider:
• No shared PQ space, no FRR LFA
[Diagram: R1 to R6 and a webserver; link metrics 666 and 10; one link marked X; P-space and Q-space]
TI-LFA
Consider:
• No shared PQ space? No problem. List of adj-sids provide missing bits where no PQ overlap
[Diagram: R1 to R6 and a webserver; link metrics 666 and 10; one link marked X; P-space and Q-space; node SIDs 16001 to 16006; Adj-SID 24001; packet shown carrying labels 16003 and 24001]
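The P-space / Q-space reasoning from the FRR LFA and TI-LFA slides, worked through as an added example that is not part of the talk. The six-node ring, the position of the metric-666 link, the protected link R1-R6 and the placement of Adj-SID 24001 on R3->R4 are assumptions (the slide diagram did not survive extraction); node SIDs 16001 to 16006 and the value 24001 are the ones shown on the slides, and all function names are hypothetical.

```python
import heapq

# Constructed ring (assumption): five metric-10 links, one metric-666 link.
LINKS = {("R1", "R2"): 10, ("R2", "R3"): 10, ("R3", "R4"): 666,
         ("R4", "R5"): 10, ("R5", "R6"): 10, ("R6", "R1"): 10}
NODE_SID = {f"R{i}": 16000 + i for i in range(1, 7)}  # 16001..16006, as on the slides
ADJ_SID = {("R3", "R4"): 24001}  # slide value; placing it on R3->R4 is an assumption

def graph(exclude=None):
    g = {}  # adjacency map, optionally without one (failed) link
    for (a, b), metric in LINKS.items():
        if exclude and {a, b} == set(exclude):
            continue
        g.setdefault(a, {})[b] = metric
        g.setdefault(b, {})[a] = metric
    return g

def spf(g, src):
    """Dijkstra: cost from src and one shortest-path predecessor per node."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, metric in g[u].items():
            if d + metric < dist.get(v, float("inf")):
                dist[v], prev[v] = d + metric, u
                heapq.heappush(heap, (d + metric, v))
    return dist, prev

def space(root, link):
    """Nodes whose cost from root is unchanged without `link`. Links are symmetric,
    so this gives P-space (source) and Q-space (destination); no ECMP ties here."""
    full, _ = spf(graph(), root)
    cut, _ = spf(graph(exclude=link), root)
    return {n for n in full if cut.get(n) == full[n]}

def ti_lfa_repair(src, dst, link):
    """Return (P-space ∩ Q-space, post-convergence path, repair label stack)."""
    p, q = space(src, link), space(dst, link)
    _, prev = spf(graph(exclude=link), src)
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    path.reverse()
    last_p = max(i for i, n in enumerate(path) if n in p)
    first_q = min(i for i, n in enumerate(path) if n in q)
    # Node SID reaches the last P node; adj-SIDs bridge the gap to the first Q node.
    stack = [NODE_SID[path[last_p]]]
    stack += [ADJ_SID[(path[i], path[i + 1])] for i in range(last_p, first_q)]
    return p & q, path, stack
```

On this ring the P-space of R1 is {R1, R2, R3} and the Q-space of R6 is {R4, R5, R6}, so plain LFA has no repair node and the stack is the Node SID of R3 followed by the Adj-SID across the metric-666 link.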
Problem recap
| Problem | Why |
| --- | --- |
| μ-loops | Bringing links into service can cause μ-loops, which depend on the speed at which surrounding devices converge |
• SR introduces micro-loop avoidance, with timer
How do we get there?
Coexistence
• LDP -> SR
- PE2 -> P2 as per standard LDP
- P2 has no LDP binding for PE1 but sees PE1 via SR, so swaps label for SR segment
[Diagram: PE1, P1, P2, P3, PE2; SIDs 16001, 16011, 16012; SR enabled and LDP enabled regions]
• SR -> LDP
- SRMS programs ‘remote-binding SIDs’ for LDP only routers
- PE1 sees PE2 node SID just as if PE2 had sent it to him
- P2 has no SR to PE2 so swaps for LDP label to reach PE2
Feature to OS/Hardware map
| Feature | IOS-XR (ASR9k, XRv) | IOS-XE (ASR1k, CSR1kv) | Arista EOS | IOS (6500/7200/GSR) |
| --- | --- | --- | --- | --- |
| SR IPv4 Node-SID | Pre: 5.3 | From: 3.16S | Pre: 4.18 | No support |
| SR TI-LFA | Pre: 5.3 | From: 3.18S | Roadmap: 2019 | No support |
| SR Microloop Avoidance | Pre: 5.3 | From: 16.6.1 | TBC | No support |
| SR OAM | Pre: 5.3 | From: 3.17S | TBC | No support |
| SR-DPM | No Support | No Support | TBC | No Support |
| PW prefer SR | 6.4.2 | TBC | TBC | No Support |
| SRMS | Pre: 5.3 | From: 3.18S (domain-wide flooding) | TBC | No Support |
Note: do not actually use IOS-XR pre 6.4.2 for any SR-MPLS
Implementation
1) Deploy SR mapping server (SRMS) configuration for all LDP only prefixes in the IGP.
2) Roll out IS-IS SR to all SR capable routers, leaving the default behaviour of preferring LDP over SR
3) Move all SR routers to prefer SR
4) Remove LDP from all SR-to-SR adjacent routers.
5) Remove LDP from all SR routers not attached to LDP only routers (watch out for LDP GR)
Any questions?