Filter duplicate paths in path combinator #2445
Conversation
FR4NK-W
force-pushed
the
fix_dup_paths
branch
from
ccde746 to
863606e
Compare
There was a problem hiding this comment.
Reviewable status: 0 of 1 files reviewed, 1 unresolved discussion (waiting on @FR4NK-W and @scrye)
a discussion (no related file):
I think the combinator is working as intended. While the forwarding interfaces are the same, from a crypto point of view the paths are different. This means that one path can be valid for forwarding, while the other would fail. If SCIOND chooses only one of the paths, and it is the wrong one, the application has no way of obtaining the other one.
For completeness, I'm also pinning here the unit test you linked on chat: https://github.com/scionproto/scion/blob/master/go/lib/infra/modules/combinator/testdata/00_loops.txt . The first two paths are an example of same forwarding, but different crypto due to different segments being used.
I discussed this a bit with @kormat, and it's probably better to have applications be aware that two different paths can have the same interface representation. Can you please include here a detailed description of how this negatively impacts the SIG? We can then define the use case we want, and later fix it in the SIG directly.
There was a problem hiding this comment.
Reviewed 1 of 1 files at r1.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @FR4NK-W)
|
@scrye E.g. There are 4 paths from A to B that are identical at the interface level as the one in use and 1 with different interfaces. In the case shown below, where the ASes involved in the cryptographic verification are the same, is there still a reason for keeping multiple ways of representing/verifying the same forwarding path? C Path #0:
12| |13 Fields:
| | IF CS. ISD=1
21| |31 HF .V InIF=0 OutIF=12
B HF .. InIF=21 OutIF=14
14| HF .. InIF=41 OutIF=0
| Interfaces:
41| B#14
A A#41
Path #1:
Fields:
IF CS. ISD=1
HF .V InIF=0 OutIF=13
HF .. InIF=31 OutIF=14
HF .. InIF=41 OutIF=0
Interfaces:
B#14
A#41 |
There was a problem hiding this comment.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @FR4NK-W)
go/lib/infra/modules/combinator/combinator.go, line 54 at r1 (raw file):
pathSlice = append(pathSlice, path.GetFwdPathMetadata()) } shortPaths := FilterLongPaths(pathSlice)
I would also leave an implementation of the current no-filtered behavior, with an explicit name (something like CombineAllowSameIfaces but better named).
There was a problem hiding this comment.
The failure count on the paths is not sufficient to recover from this state.
The SIG should recover. If it doesn't, it's a bug (if path 1 is bad, and path 2 has the same interfaces and is also bad, path 3 should be tried, and so on and so forth). Also, if one of the forwarding interfaces is down, the revocation should flush all the paths from the app. What is the exact behavior you're seeing when the SIG attempts to recover?
but I agree that most of them will not want to have the same interface-identical paths repeated.
Having identical paths should not affect application logic, because applications should always look at the raw forwarding path as a black box. If the interfaces are identical, apps should just make the assumption that the raw path is somehow different, and should in effect track health separately.
What we could do is have SCIOND have a bias towards non-duplicates, meaning that if an app asks for K paths, SCIOND will give lower scores to duplicates, so apps get maximum interface diversity out of the partial answer. Would something like this fix the issue you're seeing?
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @FR4NK-W)
go/lib/infra/modules/combinator/combinator.go, line 54 at r1 (raw file):
Previously, juagargi (Juan A. García Pardo Giménez de los Galanes) wrote…
I would also leave an implementation of the current no-filtered behavior, with an explicit name (something like
CombineAllowSameIfacesbut better named).
The SCIOND IPC API would need to change then, s.t. clients can select between the two. It's a breaking change, but we can do it if there are no other solutions. I'm wondering if the scoring suggestion above works though, because that would mean we don't need any API changes.
scrye
added
i/needs investigation
|
After discussing this internally for a bit, we agree that SCIOND should be able to delete duplicates, but this should be configurable and not the default. This means the combinator is not the place to do the filtering (the combinator should always build everything), and it should be done instead on the It might be the case that for Anapaya deployments we will also enable this in the near future. To merge this, the following changes are needed:
|
scrye
removed
the
i/needs investigation
Filter paths with identical sequence of interfaces. These duplicates occur because sciond may return the same "effective" path with different short-cut "upstream" parts. We don't need these duplicates, they are identical for our purposes; we simply pick the one with latest expiry. See also discussion in scionproto/scion#2445 (currently not merged).
Filter paths with identical sequence of interfaces. These duplicates occur because sciond may return the same "effective" path with different short-cut "upstream" parts. We don't need these duplicates, they are identical for our purposes; we simply pick the one with latest expiry. See also discussion in scionproto/scion#2445 (currently not merged).
|
With #3930 (and due to the new data-plane path format), duplicate paths are now filtered. Closing this. |
Combine should not return dulicate paths,
sciond does not filter separately.
This change is