Re: [Anima] ANIMA when there is a system-wide issue
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 19 February 2021 17:47 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41F3D3A1942 for <anima@ietfa.amsl.com>; Fri, 19 Feb 2021 09:47:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5z2wiSdygeNF for <anima@ietfa.amsl.com>; Fri, 19 Feb 2021 09:47:18 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 233243A12CF for <anima@ietf.org>; Fri, 19 Feb 2021 09:45:39 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id D934F389D1; Fri, 19 Feb 2021 12:49:30 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 2dEKHq3uqQzD; Fri, 19 Feb 2021 12:49:28 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 6C7D0389D0; Fri, 19 Feb 2021 12:49:28 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 756BB63; Fri, 19 Feb 2021 12:45:35 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Toerless Eckert <tte@cs.fau.de>, Anima WG <anima@ietf.org>
In-Reply-To: <20210216174315.GB48871@faui48f.informatik.uni-erlangen.de>
References: <136aa329-41a5-8b65-ef9e-fadf089696eb@gmail.com> <704b66e9-d41c-f7e9-7e4b-f2d934ec9158@gmail.com> <PR3PR07MB68265F26A2CFB818D9CFDFBCF3C30@PR3PR07MB6826.eurprd07.prod.outlook.com> <20210128160356.GB54347@faui48f.informatik.uni-erlangen.de> <17274.1611866107@localhost> <20210211201910.GA48871@faui48f.informatik.uni-erlangen.de> <18842.1613083225@localhost> <20210216174315.GB48871@faui48f.informatik.uni-erlangen.de>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 19 Feb 2021 12:45:35 -0500
Message-ID: <4218.1613756735@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/6-JFZnb3YKsL_-7GFOUhdsUj65U>
Subject: Re: [Anima] ANIMA when there is a system-wide issue
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2021 17:47:27 -0000
EXECSUM: we need IEEE802.1X political clue. The WG should adopt my l2-friendly-acp document as a problem statement document, and then we should propose a solution which can be discussed outside of the IETF. Toerless Eckert <tte@cs.fau.de> wrote: >> Toerless Eckert <tte@cs.fau.de> wrote: > draft-ACP section 7. explains >> how to implement ACP on any low-end > L2-only as well as L2/L3 devices >> so that the device can operate ACP as > if it was just an L3 device, >> while in parallel operating unchanged on > some or all ports as an L2 >> switch with STB: ACP packets are software > routed and software IPsec >> en/decrypted. } Predictable scaling requirements for ACP neighbors can most easily } achieved if in topologies such as these, ACP capable L2 switches } can ensure that discovery messages terminate on them so that } neighboring ACP routers and switches will only find the physically } connected ACP L2 switches as their candidate ACP neighbors. >> So, your solution is to have L2 switches not forward based upon L3 >> multicast addresses. tte> I can not parse this. Can you rephrase ? You are asking L2 switches, which don't speak any L3 protocols in their forwarding engine, to do filtering on L3 things, namely L3 destination multicast addresses. >> While this is deterministically mapped to a unique L2 multicast MAC, tte> What is "this" ? Sorry.... can not parse again. The L3 multicast address is mapped on ethernet to a deterministic L2 multicast address. So, an L2 switch could filter on that, but unless it then examines the L3 address, it could catch future L3 multicasts that happen to map to the same L2 multicast. When we allocated the ACP l3 multicast destination, we did not make any attempt to make it a unique L2 target. Assuming that there are no existing conflicts, to avoid the above, we would need to allocate all the other L3 multicast targets that map to the same L2 multicast target. tte> In my past implementation experience, the punt option that always tee> works is one where you punt a specific ethertype. >> Great, so one of the options I proposed is to have a new ethertype for >> IPv6-DULL messages, as you also say below. tte> My point was that its not only about the discovery packets. We also tte> want to make sure that the ACP secure channel packets could also go tte> across blocked ports. Yes, that's a different problem, but I agree it is related. For the L2 SDN that does not use STP because it does not want blocked ports, but rather wants to use all the bandwidth, the problem is keep the ACP DULL multicast from causing loops. mcr> I think that the IEEE/IETF liason can get us an ethertype, given an mcr> appropriate STD track draft. Tell me if that you think this is within mcr> the ANIMA WG's charter. tte> Different encap to make ANI more resilient. Sounds to me like tte> perfectly in scope of BRSKI/ACP extensions charter point. Good, we agree. tte> I just think we shouldn't rush this but think it through well: tte> First of all, relying on a separate MAC address for ACP is the most tte> eay way out. But its not clear to me if thi works on every tte> hardware. On the other hand, i can see how i would always have a tte> separate MAC address for ACP if for example i have classic PC tte> hardware and implement ACP on the BMC (e.g.: as extension to tte> OpenBMC). But many switches/routers also have a MAC address pool tte> they can use. Having the ACP on the (Open)BMC is definitely a killer use, and I hope to get there soon. One might still want the ACP running even if the context of a BMC user who shoots eirself in the foot. The Linux kernel gives one the "macvlan" which is effectively a kind of bridge (actually mutually exclusive with being in the a bridge). The macvlan gets a kernel allocated randomized mac address, and can be moved into a network namespace and effectively hidden, however, there does not seem to be a way to keep the physical interface from being marked down. tte> When it comes to encapsulating across new ethertype, we need to make tte> it extensible, thats IEEE requirement for such a scarce resource. So tte> we might even want to ask around IETF for similar use-cases to have tte> candidate other values for a selector field for example. tte> Need to read through EAP over Ethernet to check what we could tte> share. I forgot all about it. But ultimatly, its going to be a tte> small "selector-header" on top of the new ethertype that we need to tte> define. You want chapter 11 of 802.1X-2020. Table 11-3 lists the 9 EAPOL types used. No equivalent to IANA Consideratons exist, so I think that it would require a revision by the IEEE to allocate a code. That would really be enough. tte> I can see at least two selectors: ACP-secure-channel and Discovery tte> (DULL-GRASP). Both are IPv6 with LL src/dst, different protocols, so as long as we can carry IPv6, then we can do both. tte> I have not thought about use-cases for e.g.: just BRSKI without ACP. BRSKI can use the DULL GRASP channel to get access to a Join Proxy. If used without ACP, then the certificate enrollment could well lead to use of EAP to connect. That's an important connection. tte> If you read up on the public slides i did eternities ago for my tte> prior employer about that vendors (somewhat proprietary) ACP tte> implementation in the context of service provide ethernet services, tte> where a customer L2-ethernet service is multiplexed across a service tte> provider L2VPN service, then those type of service-edge nodes have tte> all type of pain for discovery protocols such as CDP/LLDP, e.g.: for tte> their own instance and for the customer instance. So LLDP has tte> explicit provisions for this, and i have to find time to swap in the tte> context of that stuff again. Much easier if we had in-person IETFs tte> and someone in the know like Norm Finn could remind me ;-)) Yes, I recognize that. There is a table 11-1 in the 802.1X document that deals with this. It seems broken that an end system has to know whether it's in a some kind of L2-service to do it's announcements, etc. tte> As in: lets make sure that our selector field header could support tte> the same flexibility for those use-cases. At least to the extent tte> that we know for a rev0 spec how many "reserved/ignore" bits we need tte> and then fill them in later. My reading is that they accomplish this via table 11-1, and if we were to build upon EAPOL, that it would all come for free. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Anima] ANIMA when there is a system-wide issue Brian E Carpenter
- Re: [Anima] ANIMA when there is a system-wide iss… Michael Richardson
- Re: [Anima] ANIMA when there is a system-wide iss… Brian E Carpenter
- Re: [Anima] ANIMA when there is a system-wide iss… Brian E Carpenter
- Re: [Anima] ANIMA when there is a system-wide iss… Ciavaglia, Laurent (Nokia - FR/Paris-Saclay)
- Re: [Anima] ANIMA when there is a system-wide iss… Brian E Carpenter
- Re: [Anima] ANIMA when there is a system-wide iss… Michael Richardson
- Re: [Anima] ANIMA when there is a system-wide iss… Toerless Eckert
- Re: [Anima] ANIMA when there is a system-wide iss… Toerless Eckert
- Re: [Anima] ANIMA when there is a system-wide iss… Michael Richardson
- Re: [Anima] ANIMA when there is a system-wide iss… Toerless Eckert
- Re: [Anima] ANIMA when there is a system-wide iss… Michael Richardson
- Re: [Anima] ANIMA when there is a system-wide iss… Brian E Carpenter
- Re: [Anima] ANIMA when there is a system-wide iss… Michael Richardson
- Re: [Anima] ANIMA when there is a system-wide iss… Toerless Eckert
- Re: [Anima] ANIMA when there is a system-wide iss… Toerless Eckert
- Re: [Anima] ANIMA when there is a system-wide iss… Michael Richardson
- Re: [Anima] ANIMA when there is a system-wide iss… Toerless Eckert
- Re: [Anima] ANIMA when there is a system-wide iss… Michael Richardson