Hi Ketan and Robert,
I think Ketan got the point.
In order to make the doument more clearly, we would like to add the following
description in section 5.1:
"The default entry is a special entry where the value of the "Overload VPN
routes process method" is not applicable."
The operations ADD, REMOVE, and REMOVE-ALL can be applied to the default entry.
Best Regards,
Wei
Original
From: Robert Raszuk <[email protected]>
Date: 2026-02-10 21:37
To: Ketan Talaulikar <[email protected]>
Cc: Wei Wang <[email protected]>, BESS <[email protected]>, idr
<[email protected]>, Susan Hares <[email protected]>, Keyur Patel
<[email protected]>
Subject: Re: [bess] Re: [Idr] Re: draft-ietf-idr-vpn-prefix-orf-25 - 1 Week
WGLC onchanges (1/29/2026 to 1/5/2026)
Hi Ketan,
I decoded what draft defines in section 5.2 as procedure when handling PERMIT
ORF Message:
So that literally translates to:
If ORF Match filter is set to PERMIT
AND
If Overload = 0 which means ALL VPN ROUTES matching the filter MUST BE
WITHDRAWN
AND
if Seq=0xFFFFFFFF (so this MUST be last ORF entry)
AND
if length=8 (so there must not be any optional TLVs)
AND
if RD=0 (meaning apply to all VPN prefixes for a given AFI/SAFI)
then
INSTALL the entry.
The first contradiction in the definition is based on the use of PERMIT
with logical AND to Overload = 0 definition which is stated to
mean ALL VPN ROUTES matching the filter MUST BE WITHDRAWN .. and here
filter is RD=0 meaning MATCH ALL.
I think authors think that they must address PERMIT even if it does not deliver
any value to the draft. I am simply saying not to allow PERMIT in
their ORF definition at all. Just use DENY what their draft is all
about.
In the ORF world PERMIT means to advertise only those routes which match a
filter ... so if they like to go by RD it MUST not be 0. But again IMO
attracting the routes is not what authors claim as the value of the draft.
Kind regards,
Robert
On Tue, Feb 10, 2026 at 2:28 PM Ketan Talaulikar <[email protected]>
wrote:
Hi Wei,
Thanks for the updated version - it addresses the comments that I had raised.
Coming to Robert's concern with the use of PERMIT, I would like to share my
understanding to cross-check if I have made a mistake in my reading.
The only ORF entry with PERMIT allowed is the "last" catch-all entry that says
to permit everything that has not been denied by previous (DENY) rules. If such
an entry is always required, then I found the use of the SHOULD to give a
conflicting meaning.
Besides the above, any other ORF entry with PERMIT MUST be discarded. So,
everything else is about denying/filtering out matching routes and the
operations are ADD, REMOVE or REMOVE ALL for those rules.
But the ADD/REMOVE/REMOVE-ALL should also apply to the "default" PERMIT rule as
well?
Robert, I am not sure if I've understood your point correctly, and please
correct me if I'm wrong.
Thanks,
Ketan
On Tue, Feb 10, 2026 at 2:44 PM Robert Raszuk <[email protected]> wrote:
Hi Wei,
You missed the most important comment. As currently defined, use of ORF PERMIT
is self contradicting. Version -27 still has the bad text in section 5.2.
My recommendation is to either remove use of ORF PERMIT from your proposal
(easy edit and you are not using it really for anything useful) or fix it and
use PERMIT correctly which will require a lot of work and text to be added to
the draft.
Kind regards,
Robert
On Tue, Feb 10, 2026 at 9:05 AM Wei Wang <[email protected]> wrote:
Hi Ketan and Robert,
Thanks for your comments and suggestions! We have uploaded the -v27 to address
your comments.
(https://datatracker.ietf.org/doc/html/draft-ietf-idr-vpn-prefix-orf-27)
And please also see the in-line replies.
Best Regards,
Wei
Original
From: Robert Raszuk <[email protected]>
Date: 2026-02-06 17:55
To: Ketan Talaulikar <[email protected]>
Cc: Wei Wang <[email protected]>, BESS <[email protected]>, idr
<[email protected]>, Susan Hares <[email protected]>, Keyur Patel
<[email protected]>
Subject: [bess] Re: [Idr] Re: draft-ietf-idr-vpn-prefix-orf-25 - 1 Week WG LC
onchanges (1/29/2026 to 1/5/2026)
Hi,
Thank you for posting version -26 of this document.
I see that you still did not want to make sending RD optional. Oh well I do
believe making it as optional TLV would make this extension more practical
and much more useful. And the most interesting point is that functionality
wise you still support the case of RD = 0 (meaning irrespective of RD value)
apply the filter.
So instead of sending 8 octets of 0 you could just not send it at all.
[WW]: We still hope to keep the "RD" in the "VPN Prefix ORF type-specific
encoding", becasue the key point of VPN Prefix ORF mechanism is to identify the
source of overwhelmed VPN routes:
1) In scenario that is unique RD per PE, RD soely can identify the source of
overwhelmed VPN routes correctly
2) In scenario that is unique RD per VPN, RD + Source PE can identify such
source.
Anyway, carrying RD can control the advertisements of VPN routes in more
granular manner.
Please see some more review comments ...
1)
Why do both figures have identical descriptions yet showing different pictures
?
Figure 1: VPN Prefix ORF type-specific encoding
Figure 2: VPN Prefix ORF type-specific encoding
I guess it should be instead:
Figure 1: VPN Prefix ORF common part encoding
Figure 2: VPN Prefix ORF type-specific encoding
[WW]: You're correct. This typo is modifiedI in -v27.
2)
In section 5.2 I am finding extremely hard to parse description regarding
using match filters with PERMIT.
Quote:
If the "Match" bit is "PERMIT", and is the "default" entry (the
overload VPN routes process method equal to 0, sequence equal to
0xFFFFFFFF, length is equal to 8, and Route Distinguisher is equal to
0), the entry SHOULD be installed. Otherwise, if the "Match" bit is
"PERMIT", the entry MUST be discarded and a warning MUST be sent to
the operator.
So that literally translates to:
If ORF Match filter is set to PERMIT
AND
If Overload = 0 which means ALL VPN ROUTES matching the filter MUST BE
WITHDRAWN
AND
if Seq=0xFFFFFFFF (so this MUST be last ORF entry)
AND
if length=8 (so there must not be any optional TLVs)
AND
if RD=0 (meaning apply to all VPN prefixes for a given AFI/SAFI)
then
INSTALL the entry.
This is so confusing ... and semantically incorrect.
First PERMIT must not mean WITHDRAW - this is contradicting the intention to
use PERMIT filters ... Please see reasons for PERMIT vs DENY is described in
RFC5291:
The "Match" component is used to support matching granularity on a
per ORF entry basis. It can be either PERMIT or DENY.
The semantics
of PERMIT is to ask the peer to pass updates for the set of routes
that match the ORF entry. The semantics of DENY is to ask
the peer
not to pass updates for the set of routes that match the ORF entry.
then
Sending RD = 0 makes sense only with some optional TLVs which the above
prohibits to send along with PERMIT.
So bottom line you have not defined the use of PERMIT correctly. Perhaps you
can just say black on white that you are not supporting PERMIT ORF filters at
all in your specification.
[WW]: Thank you to point out it. I think we can remove "the overload VPN routes
process method equal to 0".
Thx,
Robert
On Thu, Feb 5, 2026 at 7:06 AM Ketan Talaulikar <[email protected]>
wrote:
Hello Authors,
I see that you have just posted v26 -
https://datatracker.ietf.org/doc/html/draft-ietf-idr-vpn-prefix-orf-26
There are some issues in the table below (similar in the text as well) and some
suggestions:
+-----------+-------------------------+ | AFI |
SAFI |
+-----------+-------------------------+ |IPv4/IPv6 |MCAST-VPN
| |
|MCAST-VPLS | |
|VPLS
| | |BGP EVPNs
| |
|MPLS-labeled VPN address |
+-----------+-------------------------+ |L2VPN |BGP EVPNs
|
+-----------+-------------------------+
Please give this table a number. Would be good to specifically list the AFI and
SAFI values here for clarity and give a reference to their base RFCs.
[WW]: OK. These is added in -v27.
Most importantly, I was not aware of IPv4/IPv6 AFI being used with either VPLS
or EVPN SAFIs. Can you please provide a reference?
[WW]: After double checking, the VPLS, EVPN and MCAST-VPLS SAFIs should be used
with L2VPN. This is changed in -v27.
Also, I see that you have introduced a filter TLV for Route Types for EVPN. A
similar problem exists for other types of VPNs having typed NLRIs as pointed
out by Robert. Isn't a similar mechanism required for those address families?
Therefore, shouldn't this mechanism be generic to VPNs with typed NLRIs?
[WW]: Yes, I think this TLV can be used for others routes that carry the Route
type field. So we remove the description stating that this TLV is restricted to
EVPN routes.
Thanks,
Ketan
On Wed, Feb 4, 2026 at 12:54 PM Wei Wang <[email protected]> wrote:
Hi Robert,
I think a "EVPN Route Type TLV" can be added in Section 4 to control the filter
of EVPN routes.
Best Regards,
Wei
Original
From: Robert Raszuk <[email protected]>
Date: 2026-02-03 17:47
To: Wei Wang <[email protected]>
Cc: Ketan Talaulikar <[email protected]>, BESS <[email protected]>, idr
<[email protected]>, Susan Hares <[email protected]>, Keyur Patel
<[email protected]>
Subject: Re: [Idr] Re: draft-ietf-idr-vpn-prefix-orf-25 - 1 Week WG LC
onchanges (1/29/2026 to 1/5/2026)
Hi Wei,
Ad 2 - You can not if you have a single interface from the customer.
Ad 3 - It would be an optional TLV of course. but providing required
control.
Ad 4 - I am not sure if private development counts as an implementation
for the purposes of IDR document progression. But I will refer to chairs and AD
to judge on that.
Cheers,
R.
On Tue, Feb 3, 2026 at 3:21 AM Wei Wang <[email protected]> wrote:
Hi Ketan and Robert,
1. If all the types of EVPN routes are under one VRF and there is no threshold
control mechanism for each of these types, we can only treat them
all together, although some of them may be more importnace than
others.
2. If we want to control these EVPN routes seperately, we can put them
into different VRFs, via the configuration of RTs of each VRF, then the
mechanism that is described in this document can apply and needs not be any
changed.
3. We also think that add route types within the encoding is not practical,
because other NLRI types don't have the "route type" field.
4. The implementations of this draft has been done via FRR, but we haven't
committed it.
Best Regards,
Wei
Original
From: Ketan Talaulikar <[email protected]>
Date: 2026-01-30 22:44
To: BESS <[email protected]>
Cc: idr <[email protected]>, Robert Raszuk <[email protected]>, Susan Hares
<[email protected]>, Keyur Patel <[email protected]>
Subject: [Idr] Re: draft-ietf-idr-vpn-prefix-orf-25 - 1 Week WG LC on changes
(1/29/2026 to 1/5/2026)
I concur with Robert.
This mechanism introduces a mandatory RD filter. I won't get into the debate of
the operational value and efficacy of this mechanism - that is for operators to
report on. I don't see a technical issue with L3VPN.
The same cannot be said about EVPN (and I have not yet considered the expanded
applicability proposed by the authors to MVPN and VPLS).
Let me elaborate on the issue with using this with EVPN.
- The goal of this mechanism is to prevent overload of VPN routes from a
specific PE+VPN-context
- The primary and mandatory filter is the RD (there are others but they
supplement RD)
- Let's say there is an overload of MAC+IP routes and this mechanism kicks in.
Would that affect the AD per ES route with the same RD? What would be its
implication?
The question is how this would affect/impact different types of EVPN route
types given its primary RD filter?
May I request someone from the BESS WG to review this specific aspect (broader
review is also welcome!) :
https://www.ietf.org/archive/id/draft-ietf-idr-vpn-prefix-orf-25.html
Thanks,
Ketan
On Fri, Jan 30, 2026 at 7:20 PM Robert Raszuk <[email protected]> wrote:
Hi Aijun,
On Fri, Jan 30, 2026 at 2:37 PM Aijun Wang <[email protected]> wrote:
Hi, Robert:
The document doesn’t filter the VPN prefixes solely based on RD, it bases
mainly the RT and other additional TLVs.
RD is only one additional parameter that can be used to assist the filter of
the overflow VPN prefixes routes.
The way the draft is written it is actually the other way around. Other
optional parameters may augment RD based filtering.
See this:
Optional TLVs: Carries potential additional information to
provide
extensibility for the VPN Prefix ORF mechanism. Its
format is
shown in Figure 6.
Btw there is no "Figure 6" :).
And as we all know all other "optional parameters" can also be sent today
with other mechanisms for filtering routes.
Thx,
R.
Aijun Wang
China Telecom
On Jan 30, 2026, at 19:36, Robert Raszuk <[email protected]> wrote:
Dear Wei and WG,
Ad 1 - Nope this does not address my comment as you still can not distinguish
with current encoding of your draft to which NLRI types given RD applies. So as
of today it is not applicable to any AFI/SAFIs with typed NLRIs (specifically
to EVPNs).
Ad 2 - ok.
Ad 3 - I have a different opinion.
But rereading your document there is one more fundamentally incorrect
section:
3.2. Address Prefix ORF
Using Address Prefix ORF to filter VPN routes requires a pre-
configuration, but it is impossible to know in advance which prefix
may exceed the predefined threshold.
Please note that RD is part of the prefix. The above comment in section 3.2 is
wrong as it neglects the fact that prefix ORF contains a length field. So
Address Prefix ORF as defined in RFC5292 when used with the length of
64 is exactly RD based ORF. In fact it is even more flexible as
subject doc if you use Minlen and Maxlen fields correctly :).
So using plain vanilla RFC5292 which is already implemented and shipping
completely removes the need to progress the subject document any further. I
don't understand why we are last calling something which has already been
standardized and in general form published as RFC in 2008.
Kind regards,
Robert
On Fri, Jan 30, 2026 at 3:54 AM Wei Wang <[email protected]> wrote:
Hi Robert,
Thanks for your comments. And please see my in-line replies. If these
modifications can address your concerns, we will update this draft based on
them.
Best Regards,
Wei
Original
From: Robert Raszuk <[email protected]>
Date: 2026-01-30 02:06
To: Susan Hares <[email protected]>
Cc: idr <[email protected]>, Keyur Patel <[email protected]>
Subject: [Idr] Re: draft-ietf-idr-vpn-prefix-orf-25 - 1 Week WG LC on changes
(1/29/2026 to 1/5/2026)
Dear WG,
As recommended moving my three comments to this thread:
1)
> KT> My point was that simply filtering on the RD can accidentally
affect Route Types 1
> (as an example) and have severe implications on EVPN services. This is not
an issue
> with CP-ORF but specific to this new mechanism. Please consider at least
warning
> about this?
IMO warning is not enough.
I would rather either suggest extending the encoding to cover AFI/SAFIs with
typed NLRIs or make the clear statement that this draft is not applicable to
AFI/SAFIs with typed NLRIs at all.
[WW]: We can add a table about the AFI and SAFI types applicable to this
mechanism in Section 4 as follow:
+-------+-------------------------------+
| AFI | SAFI
|
+-------+-------------------------------+
|IPv4/ |MCAST-VPN
|
|IPv6 |MCAST-VPLS
|
| |VPLS
|
| |BGP EVPNs
|
| |MPLS-labeled VPN address |
+------+--------------------------------+
|L2VPN |BGP EVPNs
|
+------+--------------------------------+
2)
Also I think there is typo in this sentence:
However, each existing solution has its own limitation as described in Section
4.
it should be
However, each existing solution has its own limitation as described in Section
3.
[WW] Thank you! We will modify it in the updated version.
3)
I would also like to see in this specification a clear note or section stating
that this document violates Proposed Standard RFC4364 as RFC4364 clearly
defines in section 4.1 what RD is all about:
An RD is simply a number, and it does not contain any inherent
information; it does not identify the origin of the route or the
set
of VPNs to which the route is to be distributed. The purpose
of the
RD is solely to allow one to create distinct routes to a common
IPv4
address prefix. Other means are used to determine where to
redistribute the route (see Section 4.3).
RD should never be used for import, export or any sort of filtering and
it's sole role is to make prefixes unique.
[WW]: I think the usage of RD in this document doesn't conflict with the
description in RFC4364. RD is just a distinguisher carried by VPN routers. It
is a part of VPN Prefix. We just use this distinguisher to filter the VPN
routes. It is simliar with that we do the prefixes filter via the shorter,
common part of the related prefixes.
Kind regards,
Robert
On Thu, Jan 29, 2026 at 2:41 PM Susan Hares <[email protected]> wrote:
Greetings:
draft-ietf-idr-vpn-prefix-orf-25 has made changes during the AD review.
This begins a 1-week WG last call on the changes.
If you have concerns regarding the changes, please respond to this message.
If no concerns or objections are raised, this document will enter into IETF LC.
Cheerily, IDR Chairs
[Sue for Keyur Patel (shepherd)
_______________________________________________
Idr mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
Idr mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
Idr mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
Idr mailing list -- [email protected]
To unsubscribe send an email to [email protected]_______________________________________________
BESS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
