Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify policy-forwarding and routing-policy if no rules are present #1223

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Clarify policy-forwarding and routing-policy if no rules are present #1223

wants to merge 8 commits into from

Conversation

dplore
Copy link
Member

@dplore dplore commented Nov 14, 2024
edited
Loading

Change Scope

  • Clarify policy-forwarding such that if no rules are present, all packets will be matched

@dplore dplore requested a review from a team as a code owner November 14, 2024 18:40
@dplore
Copy link
Member Author

dplore commented Nov 14, 2024

Related to discussion on #1150

@dplore dplore changed the title Clarify that if no rules are present, no packets will be matched. Clarify policy-forwarding if no rules are present Nov 14, 2024
@OpenConfigBot
Copy link

OpenConfigBot commented Nov 14, 2024
edited
Loading

No major YANG version changes in commit 441428e

s19nal
s19nal approved these changes Nov 26, 2024
View reviewed changes
Copy link

@s19nal s19nal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - updated clarification reads well.

@dplore
Copy link
Member Author

dplore commented Nov 26, 2024

We discussed this a second time in the OC Operators meeting on Nov 26, 2024.
It is observed that policy-forwarding and routing-policy should have the same semantics. At the moment, both are ambiguous about the behavior when there are no rules (policy-forwarding) or no conditions (routing-policy) defined.

For routing-policy, vendor native implementations widely support policies which have no 'conditions' matching all packets.

Example native routing policy configuration: https://gist.github.com/dplore/cff9a4c782f68734adaafff8952fc3cb (Kudos to @oscargdd for sharing this investigation)

So I am updating this description to assert that no rules means match all packets.

@dplore dplore changed the title Clarify policy-forwarding if no rules are present Clarify policy-forwarding and routing-policy if no rules are present Nov 26, 2024
xuqma
xuqma approved these changes Nov 26, 2024
View reviewed changes
Copy link
Contributor

@xuqma xuqma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM for BGP routing policies. Thanks Darren.

@dplore
Copy link
Member Author

dplore commented Dec 3, 2024

After a bit more discussion, there was a request to also clarify what happens if there is a routing-policy statement with no condition AND no action, as well as a policy-definition without any statements. These should be treated as errors (grpc error: INVALID_ARGUMENT, netconfig error missing-element).

Note that policy-result is an action. So one may write a valid OC routing-policy which has for example, one statement which as no condition (matching all routes) and a policy-result of ACCEPT_ROUTE.

I will update this pull request accordingly.

robshakir
robshakir requested changes Dec 18, 2024
View reviewed changes
release/models/policy-forwarding/openconfig-policy-forwarding.yang
forwarding-policy is applied to an interface via referencing it
consist of a number of criteria, such as DSCP. The match criteria
is specified as rules. If no rules are specified, then the policy
will match all packets.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this the right thing to do vs. having an explicit match-all type criteria?

The downside of this API design is that the absence of something means something implicitly -- it seems a better API design to have the presence of something indicate something, which would mean that we should rather have an explicit "match everything" (can be done with matching all src/dst IP addrs)?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no right or wrong here. This proposal is made based on precedent as referenced in #1223 (comment) earlier in this PR. The industry precedent is no-condition = matches any and all. This was also discussed in the OpenConfig operator meeting on Nov 26, 2024 with some thoughtful conversation.

The precedent is pretty strong where 5 out of 5 implement that no "condition" means match all. (Not included in the gist of 4 examples is arista EOS, which also defines a route map with no match statements as match all)

I do like the idea of being explicit in general. A number of changes in OC in the last few years have been due to ambiguity. But what is better? Do something different in OC or go with the precedent? In this case, I think the precedent is so strong that it's better to go with no conditions means match all. This change makes this decision explicit via description, but not in the data model/API.

release/models/policy/openconfig-routing-policy.yang Show resolved Hide resolved
@akalluru1
Copy link
Contributor

After a bit more discussion, there was a request to also clarify what happens if there is a routing-policy statement with no condition AND no action, as well as a policy-definition without any statements. These should be treated as errors (grpc error: INVALID_ARGUMENT, netconfig error missing-element).

Note that policy-result is an action. So one may write a valid OC routing-policy which has for example, one statement which as no condition (matching all routes) and a policy-result of ACCEPT_ROUTE.

I will update this pull request accordingly.

Small clarification, About following:

what happens if there is a routing-policy statement with no condition AND no action, as well as a policy-definition without any statements. These should be treated as errors (grpc error: `INVALID_ARGUMENT`, netconfig error `missing-element`)
  • Is this capturing 2 different scenarios, i.e., scenario 1: a routing-policy statement with no condition AND no action & scenario 2: a policy-definition without any statements?
  • In both the scenarios error (grpc error: INVALID_ARGUMENT, netconfig error missing-element) should be returned.

@dplore
Copy link
Member Author

dplore commented Dec 28, 2024

After a bit more discussion, there was a request to also clarify what happens if there is a routing-policy statement with no condition AND no action, as well as a policy-definition without any statements. These should be treated as errors (grpc error: INVALID_ARGUMENT, netconfig error missing-element).
Note that policy-result is an action. So one may write a valid OC routing-policy which has for example, one statement which as no condition (matching all routes) and a policy-result of ACCEPT_ROUTE.
I will update this pull request accordingly.

Small clarification, About following:

what happens if there is a routing-policy statement with no condition AND no action, as well as a policy-definition without any statements. These should be treated as errors (grpc error: `INVALID_ARGUMENT`, netconfig error `missing-element`)
  • Is this capturing 2 different scenarios, i.e., scenario 1: a routing-policy statement with no condition AND no action & scenario 2: a policy-definition without any statements?
  • In both the scenarios error (grpc error: INVALID_ARGUMENT, netconfig error missing-element) should be returned.

Two scenarios as you described.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xuqma xuqma xuqma approved these changes

@robshakir robshakir robshakir requested changes

@s19nal s19nal s19nal approved these changes

Requested changes must be addressed to merge this pull request.

Assignees

@robshakir robshakir

Labels
non-breaking
Projects
OC Operator Review
Status: last-call
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@dplore @OpenConfigBot @akalluru1 @robshakir @xuqma @s19nal