[Nsi-wg] UvA/TUD topology exchange proposal
Jerry Sobieski
jerry at nordu.net
Fri Sep 19 11:05:01 EDT 2014
Hi folks-
Topology can easily get overwhelmingly complex. We really have to
simplify and minimize the amount of advertised topology. Interdomain
Topology Complexity is the key reason prior circuit provisioning
services never took root - we MUST simplify and minimize.
One of the fundamentals we are missing here is the separation of
"topology" (adjacency information) from "forwarding behaviour" (policy
in this case). I think NSI is making the topology overly and
unnecessarily complex by trying to publicaly express all possible
attributes that may affect a reservation decision - ie. by expecting all
pathfinders to be able to predict the answer before you ask the
question. This is ...crazy. This is an optimization problem and
the more information you try to express the more complex and specialized
you make all path finders. And after they make their prediction - they
still have to ask anyway(!) These are dynamical systems... So all
this optimization is simply to reduce the prospect that a reservation
request might fail. I.e. you are trying to prune the search space. So
we can spend (litterally) years hashing out this age old optimization
problem - re-creating complex and mostly only specialized extensions, or
we can use a higher degree of automated brute force and emperical
experience to make it all work.
If we did not announce *ANY* topology information except simple
adjacencies ...- what would be the performance of reservation requests
to reach a confirmation state?
The prospect of a successfull confirmation in any single domain is
improved if the domain has a very minimally restrictive or non-existent
policy on connection requests, and has ample resources available across
its domain (between any STPs) at the time they are needed.
Interestingly, the chances of a request being confirmed also increases
the less specific the request... i.e. the more specific the request, the
less likely the provider will be to have the specific resources
available. So neither of these depend upon extensive advertisement of
forwarding behaviour or policy. They rely on the provider actually
trying to *PROVIDE* services (not restricting them), and the requester
specifying only what they *truly require*.
Thus a NSI domain with minimal policy (e.g. an OpenExchange ) and with
lots of resources (e.g. 100 Gbps edge ports and non-blocking internal
facilities) is highly likely to be able to confirm a reservation. A
NSI domain with numerous complex and restrictive policies and only a
bare minimum of resource (links) will likely fail the request most
times. This response is regardless of the policy used.
Similarly, if the user requests a connection specifying only what they
truly need - e.g. a 10Gbps capacity that terminates on "any" STP at this
host and any STP on that nework - and does not get picky about EROs,
transit paths, energy consumption, or transit VLANs - will also be
highly likely to be confirmed.
Regarding policy - if all networks arrange for transit credential for
their directly adjacent networks on a bi-lateral basis, then the Chain
rule makes policy almost moot...each domain will always have a means of
transiting a request down stream. So a best common practice that would
solve the immediate policy problem is for directly adjacent networks to
work out a transit policy/credentials, and when the chain rule is used,
those transit credentials are used. If a requester wants to do a Tree
segmentation, fine too - but they have to know an appropriate set of
credentials for each domain. There is no need to advertise policy, or
to artificially try to deduce what the user is doing by looking at end
points...
So all this chatter about policy advertisement is missing the Big
Picture that our goal is: "Find a successful path." Period. It is not:
"Find a successful path, on your first try." As a user I don't care it
it took a thousand requests downstream before I receive a confirmed a
path - once it is confirmed I know I have my connection at the appointed
time. It is important that I get a confirmation ultimately, not that I
get a confirmation quickly. We can improve the reservation search
performance by improving the request format - allowing the user to relax
some components of the request so that the provider can be less rigid -
and by maing sure we have sufficient resource in place as providers to
meet the demand easily.
I really think we are making the path finding process much harder than
is necessary - and the degree of complexity you are building into the
topology advertisements will make it difficult for networks to field a
service and difficult for users to utilize it - so this complexity is
very counter productive. (THe token passing authorization is another
mechanism I think is fundamentally flawed and therefore adds unecessary
complexity ...but that is another posting:-)
Let get back to basics and simplify and minimize the topology announcement.
You can yell at me in Uppsala:-)
Best regards
Jerry
On 9/19/14, 8:43 AM, Diederik Vandevenne wrote:
> Hi Henrik,
>
> Thank you for explaining your example. I now do understand your policy problem better. To describe your example in more general terms: you have policies that allow restricted transit to domains that are not your direct neighbors (more than one hop away). I guess this is one of the cases where the policy cannot be exposed only by the topology information itself. However, without going too much into detail, there are other ways to handle these policies.
>
> One idea is to indicate for each SDP in the topology file that transit is allowed, denied or restricted. If the pathfinder has to choose between a domain that allows transit and one that has a restricted transit policy, the pathfinder may prefer the domain that always allows transit. If there are only domains with restricted transit to choose from, you could just let the requesting agent try to see if it works, as Jerry suggested, or the domains can for example link to a policy file which can be used by the pathfinder to choose the best path. The proposal of the UvA also allows to distribute personalized topology files based on the identity of the requesting NSA. But I guess I am going again to deep into the technology and finding solutions ;). The point I want to make is that there are solutions for your (policy) problems that can work with a system that uses NML topology files and (tree based) control / signaling planes that are distinct from the data plane.
>
> I totally agree with what Guy said during the last conference call: We want to do something new. Why bother with NSI if you only want it to be a copy of BGP? As Guy said, NSI can be seen as a form of SDN where the network is a resource that can be controlled by applications and end users (based on a policy of course). The usefulness of NSI would be limited if it would work in the same way as BGP. Also note that if the services offered through NSI and BGP are not the same, the policies may also be very different. The limitations you see now may not even apply.
>
>
> Kind regards,
>
> Diederik
>
>
>
> SURFsara heeft een nieuw algemeen telefoonnummer: 020 800 1300
>
> | Diederik Vandevenne | Infrastructure Services | SURFsara |
> | Science Park 140 | 1098 XG | Amsterdam |
> | T 06 4798 8196 | diederik.vandevenne at surfsara.nl | www.surfsara.nl |
>
> On 19 Sep 2014, at 11:24, Henrik Thostrup Jensen <htj at nordu.net> wrote:
>
>> Hi Diederik
>>
>> On Thu, 18 Sep 2014, Diederik Vandevenne wrote:
>>
>>> Sorry to jump into this discussion. Given the agenda of the upcoming NSI meeting on monday I am very interested in the restrictive policies you have that are not easy to describe or should only work when the control plane and data plane er equal (chain).
>> So chaining allows better control of how you connect different networks together. That is, how the data should transit.
>>
>>>> The basic shortcoming of the system is that it is based around a single representation of each network (the NML way of thinking). However this is practially never the case.
>>>>
>>>> You can try and encode switching capabilities into each network description and do pathfinding (the current approach for some in the NSI group), but this falls to the ground when there are restrictive policies about re-transit (i.e., I am allowed to transit a service into another network, but the entity I am selling to is not allowed to re-transit).
>>>
>>> If I understand your example well, A is allowed to transit B to reach C, but B is not allowed to send traffic back to A (see diagram below),
>> I don't know any cases like that (but I won't say they don't exist).
>>
>>> right? If this is correct, I think you should be able to describe this policy in NML with the unidirectional ports and links. Or do you mean B is allowed to transit C, but A is not allowed to transit C through B?
>> Moving diagram up:
>>
>>> A --- B --- C --- D
>> Yes. You can have cases where A is allowed to transit to C, but not D. This is the case for some NRENs that we provide some transit services too, but not our full transit services (due to AUPs about R&E/commercial traffic or simply due to the network having their own peering infrastructure in one region of the world but not another).
>>
>>> This would be hard to describe. I think the only way is to make a list of source domains that are allowed to transit. But I do not see how domain C could do this with BGP without the cooperation of domain B. Can you explain?
>> You can apply filters in BGP for what you choose to announce further (in fact, this is a core part of BGP to avoid loops). Typically you won't re-announce peering stuff from peering links, but we have customers/peers where this is these cases are not clear cut. Say a customer announces an IP range and some AS-paths to us. We may only announce part of the range and as-paths further down.
>>
>>
>> Best regards, Henrik
>>
>> Henrik Thostrup Jensen <htj at nordu.net>
>> Software Developer, NORDUnet
>
>
> _______________________________________________
> nsi-wg mailing list
> nsi-wg at ogf.org
> https://www.ogf.org/mailman/listinfo/nsi-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.ogf.org/pipermail/nsi-wg/attachments/20140919/ea42a6b2/attachment.html>
More information about the nsi-wg
mailing list