Re: MPLS patches

To: tech-net%NetBSD.org@localhost
Subject: Re: MPLS patches
From: Mihai Chelaru <kefren%netbsd.org@localhost>
Date: Mon, 07 Jan 2008 14:20:21 +0200

David Young wrote:

Last night, I scanned the web for MPLS configuration
examples, and all that I found was Cisco IOS, which was not
very compelling, and a discussion on an OpenSolaris forum
which, albeit vague, did mention an MPLS pseudo-interface,
<https://www.opensolaris.org/jive/thread.jspa?messageID=33315>.

I don't think this project got anywhere near design finishing. I didalso read the rest of the threads in that category.

I don't think that the word "intuitive" really applies to MPLS,
and it is a vague word that deserves to be defined in any discussion,
<http://www.asktog.com/papers/raskinintuit.html>.  I think that it will
be helpful if MPLS uses familiar abstractions in familiar ways; using a
pseudo-interface to add/subtract encapsulation is familiar to users of
VLANs and tunnels.

Hehe, nice lecture, still I don't think that Picard(or was it Data ?) ora lady that didn't know how to handle the mouse is an appropiate examplein this case. Anyhow, I'll try to explain below in detail why usingencap/decap interface(s) is not something I'd like.

Also this raises another problem: I could do this if NetBSD would have aclear difference between control and forwarding but this is not the caseand I don't want to change the ifa/p for a route without a very strongreason.
You seem to have a precise meaning in mind, but what you have written
is vague.  Can you elaborate on this lack of control/forwarding separation
as it applies to ifa/ifp and MPLS?

Because you want to use an interface [X] that will be seen from controlplane, I quickly see some problems:

- No control coming from interface regarding encapsulation (think aboutcell-mode)- if one set a route to point to an interface:next-hop pair, he expectsthat to be honored. This will not be the case with these interfaces(route interface will be changed to mplsX)- double lookup on non-MPLS encapsulation: in order to have a reasonfor MPLS PI to exist we need to route-lookup once for INET in order todeliver that packet to MPLS PI, and once in MPLS PI code in order toknow how and where should I deliver the frame from MPLS point of view.- I'll end up keeping a mirror of all routing tables where I shouldkeep the PROTO->MPLS associations (remember, we need to separate PROTOfrom MPLS in PROTO routing table in order to keep reason for MPLSpseudo-interface existence, where PROTO may be INET or something else).So, mpls_interface will get a packet, together with it's adress familyand relookup in that address family mirror table to see how it should beencapsulated.

        - double lookup for MPLS encapsulated packets that we receive.

- shim-pop-pushed instead of MPLS swapping. Fast label swapping isconsidered one of the MPLS advantages. Also RFC3031 explicitly calls theforwarding mechanism "Label Swapping"

        - loss of forwarding speed

- it will not simplify the code in ether_output() because we still needto handle AF_MPLS frames there

[X] - How many pseudo-interfaces do you want anyway ? These are theoptions as they come to my mind right now:- only one used for both decap and encap. decap if packet is nottagged, encap else. Still this is no good solution if you want to tapbecause you'll see here both in and out. Also you'll really have no ideawhere that packet comes from and where it goes and you'll have packetscoming from mpls0 and going out to mpls0.- one pseudo-interface per non-pseudo-interface. This seems moreappropiate as we may know where that packet comes and where it goes.Also, I think I can live with information passed via tags betweenpseudo-interfaces and real-interfaces. But this case raises anotherquestion: if we do it for MPLS why don't we do it for every ethernetprotocol ? Since when an interface should be used only for carrying IPonly frames ?

        - one decap interface and one pseudo-interface per neighbour
        - one pseudo-interface per non-pseudo-interface and one PI per neighbour

Personally I don't like the latter two, because I don't want to polluteinterface space with one iface per neighbour. Think how it will be tocreate an interface per OSPF neighbour for example. Also, theirmanagement will be almost impossible and I don't think that ldp daemonshould mix with this interface management(including but not restrictedto creating/destroying). For all the cases, someone that worked withMPLS on Cisco or Junipers for example, will not feel "familiar" withthese pseudo-interfaces.

Yes, I am.  I also believe it makes the system a lot more transparent
and comprehensible to use a pseudo-interface.  We have the opportunity to
apply a packet filter or to tap packets.  Tapping packets is an essential
aid for troubleshooting.

(IMO, a deficiency of IPSec in NetBSD is that it does not use
pseudo-interfaces, even when it does tunnel-like things like IPSEC_NAT_T.)

Note that MPLS is not encrypting packets and tcpdump prints the innerpackets for common cases, so payload tapping is still possible.

But there is another problem: you asked for this pseduo-interface(s)because you expect to tap packets on it(them). But you can't really knowwhat you will tap because MPLS shim doesn't contain informationregarding the inner protocol. Tcpdump may only guess here after aprotocol analysis but there are a lot of non-IP[6] things that can liveinside an MPLS frame.

No, you don't need to use it if you will only read the data.  I suggest
extracting a const pointer to the data with mtod, then


I'll constify where is the case.

--
Thanks,
Mihai

References:
- MPLS patches
  - From: Mihai Chelaru
- Re: MPLS patches
  - From: David Young
- Re: MPLS patches
  - From: Mihai Chelaru
- Re: MPLS patches
  - From: David Young

Prev by Date: LW-IGMPv3 implementation
Next by Date: Memory debugging question...
Previous by Thread: Re: MPLS patches
Next by Thread: Re: UDP multicast
Indexes:

Home | Main Index | Thread Index | Old Index