Re: [Int-area] WG Adoption Call: IP over Intentionally Partitioned Links

Erik Nordmark <nordmark@acm.org> Tue, 07 February 2017 23:06 UTC

Return-Path: <nordmark@acm.org>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A38241294F9 for <int-area@ietfa.amsl.com>; Tue, 7 Feb 2017 15:06:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.434
X-Spam-Level:
X-Spam-Status: No, score=-1.434 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_SPAM=0.5, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CiENu1wohXrS for <int-area@ietfa.amsl.com>; Tue, 7 Feb 2017 15:06:19 -0800 (PST)
Received: from c.mail.sonic.net (c.mail.sonic.net [64.142.111.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F225C12947E for <int-area@ietf.org>; Tue, 7 Feb 2017 15:06:18 -0800 (PST)
Received: from [172.22.227.238] ([162.210.130.3]) (authenticated bits=0) by c.mail.sonic.net (8.15.1/8.15.1) with ESMTPSA id v17N62Jj030972 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 7 Feb 2017 15:06:03 -0800
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>, Erik Nordmark <nordmark@acm.org>, Richard Li <renwei.li@huawei.com>, "int-area@ietf.org" <int-area@ietf.org>, Wassim Haddad <wassim.haddad@ericsson.com>
References: <FB580294-14F5-4ED7-B692-F5F3872247A9@ericsson.com> <F061CEB6876F904F8EA6D6B92877731C3AF2AC0E@SJCEML703-CHM.china.huawei.com> <923f7967-0e76-fa13-9cd3-fc5e153df784@acm.org> <a78107c31cb245c6bfbcdf0f61c111e1@XCH-RCD-001.cisco.com>
From: Erik Nordmark <nordmark@acm.org>
Message-ID: <f9f55cfc-3b97-2300-a4dd-a469c4773868@acm.org>
Date: Tue, 07 Feb 2017 15:06:02 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <a78107c31cb245c6bfbcdf0f61c111e1@XCH-RCD-001.cisco.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Sonic-CAuth: UmFuZG9tSVaAQDLAHNa1tQKGkDePgqlSMru6Yc6Q7GvqYdO1UZDl0N20I4TgVA7HwKlfx5rHSiSLQyWUmKFxdbgua+VWcF1e
X-Sonic-ID: C;SPUN/4nt5hGlmZXQQiug7g== M;GvpU/4nt5hGlmZXQQiug7g==
X-Sonic-Spam-Details: 0.0/5.0 by cerberusd
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/6MowUlygmlJuOY2TZLsAPRsaGPE>
Subject: Re: [Int-area] WG Adoption Call: IP over Intentionally Partitioned Links
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2017 23:06:20 -0000

On 2/7/17 2:54 AM, Pascal Thubert (pthubert) wrote:
> Hello Erik:
>
> Section 3: Clarifying Questions on scope (note that a picture would help visualize the IPPL better):
>
> * The document insists on PVLAN, and I agree with the need/goal to explain them and support them better. I'm used to a promiscuous primary VLAN from which IP multicast effectively functions, like a core. Is there a need from something more complex?

It is true that downstream multicast on the primary vlan works, however 
a host which originates upstream multicast on an isolated or community 
vlan wouldn't just work. It doesn't seem like anybody cares, hence the 
draft merely documents this issue.
> * Splitting a subnet in several L2 domains with L3 tunnels interconnection is a different beast, yet would fit in the generic term of IPPL. Is it the intention that those are covered?

Depends on the IP configuration associated with those tunnels. If IP at 
both ends agree that the tunnel is assigned the same prefix (i.e. both 
ends think it is 192.168.1.0/24) or both ends agree that the tunnel has 
no prefix but instead has a single local and remote IP addresses, then 
the tunnel is a link which is not partitioned.

However, if the router's IP configuration is 192.168.1.1/24 and a host 
has an IP configuration with no subnet but instead has a local address 
192.168.1.17 and a remote IP of 192.168.1.1, then the tunnels are used 
to construct an intentionally partitioned link. In this case a host 
sending a packet to 129.168.1.99 requires that the router forward it 
back out the same interface. (And if you are doing this with IPv6 you'd 
end up assuming that the routers forward a a packet addressed to a 
link-local address out the interface on which it arrived.)

Do you know of any existing document/protocol which describes such 
intentionally partitioned tunnel setups?
If so there would be something we could reference, and there would be a 
reason to clarify the scope in this document.


> * Finally there's the multilink subnet whereby the router interconnects the limited ports with the core at L3. In that case, the router has multiple ports on the subnet, as opposed to the PVLAN where it has only one, thus the risk of ARP loop. This case appears to be not covered, though it makes the proxy ARP operation much more natural. Is that correct?

For me to understand your case you have to separate out the L3 
configuration and what it sees as L3 interfaces (whether those are L3 
ports or SVIs); for IPPL it doesn't matter which mapping there is 
between L3 interfaces and L2 ports.

So are the ports you refer to L2 ports with IP seeing an SVI? Or 
something else?

>
> Section 4:
> For ND and ARP, this means that address resolution and service discovery from isolated links will not necessarily work, and that there is a need for a careful deployment. We could note that there is an expectation that there are some reliable multicast transmissions between any node a limited set of peers (which may depend on that node), in particular that any node can discover a router, and whatever network services it is looking for e.g. a printer over mDNS.  Can we say that the expectation is that people deploy common services in the promiscuous core and place hosts and limited services in the isolated ports

Deploying common services on promiscious ports is a result of having 
deployed IPPL links.
(Note that the draft doesn't advocate that folks deploy IPPL; it is 
merely stating what needs to be done for IPv4 and IPv6 coping with 
partitioned links. Hence I'm careful with the wording to not encourage 
more deployment of partitioned links than needed.)

I'll add some words about that to the document once this becomes a WG 
document.

>
> Section 6:
> The draft expects that the routers serving the hosts are connected to the promiscuous ports whereas the hosts are connected to the limited ports. If all the ARP proxy routers are in a promiscuous core where multicast functions (even if emulated), then the proxy operation can be done having the proxies copy the ARP reqs from the edge to the core, and from the core to the edge. This is doable (and done) in a L3 switch that has a capability to know from which port a packet came in, and control which ports will get a copy.

I don't think that is how e.g. PVLAN implementations work today. I know 
that is not how DAD proxy works.
The router doesn't copy the received packet and send it out. Instead the 
router originates a new packet with its own MAC address as the source.

Why do you want the routers to send out the unmodified packets? That 
would make them into bridges hence they would potentially violate the 
partitioning that was created in the actual bridges.

What problem are you trying to solve by doing this?

>
> "  At a minimum, the reception of an ARP request MUST NOT  result in sending an ARP request, and..." The "and" seems to read like this is a rule and there is more. But this is not required to obtain the intented loop avoidance, for instance the suggestion that the routers do not forward ARPs coming from other routers known by MAC@ but forward the others, and it appears to kill the design above. I'd suggest to remove that quoted text, or say that this in one way of achieving the recommendation to avoid loops that is already there.

router != bridge as described in this document.
The fact that there are products which combine routing and bridging 
functions doesn't mean we can't and shouldn't describe the routing 
function as separate from the bridging function. That is basically what 
all the RFCs I've read done.

Thus I'm confused.

Are you talking about some unspecified device which, between the same 
set of interfaces, bridges some packets and forwards others?
Is there an RFC or IEEE 802 specification for such a device?

>
>   Section 8
>     "For that reason it is NOT RECOMMENDED to configure outbound multicast forwarding from private VLANs." Not all protocols would be impacted in a same manner. I think that the recommendation, which applies to ND more than to many others because of DAD, could be more specific, like that whatever is done to propagate a multicast beyond the limited scope allowed by the PVLAN should ensure that the multicast is either harmless to the protocol it is propagating, or not echoed back to the source device at all. Then again, the latter is something that can be done in a L3 switch and a ML subnet router.

ND packets are never forwarded in any useful way since forward (as 
described in RFCs) is a an IP operation which includes decrementing the 
ttl/hopcount and ND verifies that hopcount is 255 on receipt.

The intent of the statement is about IP multicast packets which are 
forwarded in other networks, but have issues with duplication or 
loopback to the sender when the sender is on a community or isolated vlan.

Section 8 tries to explain that issue with

    IP Multicast which spans across multiple IP links and that have
    senders that are on community or isolated ports require additional
    forwarding mechanisms in the routers that are attached to the
    promiscuous ports, since the routers need to forward such packets out
    to any allowed receivers in the private VLAN without resulting in
    packet duplication.  For multicast senders on isolated ports such
    forwarding would result in the sender potentially receiving the
    packet it transmitted.  For multicast senders on community ports, any
    receivers in the same community VLAN are subject to receiving
    duplicate packets; one copy directly from layer 2 from the sender and
    a second copy forwarded by the multicast router.



    Erik


>
> Cheers,
>
> Pascal
> -----Original Message-----
> From: Int-area [mailto:int-area-bounces@ietf.org] On Behalf Of Erik Nordmark
> Sent: jeudi 26 janvier 2017 19:20
> To: Richard Li <renwei.li@huawei.com>; int-area@ietf.org; Wassim Haddad <wassim.haddad@ericsson.com>
> Subject: Re: [Int-area] WG Adoption Call: IP over Intentionally Partitioned Links
>
> On 1/25/17 4:09 PM, Richard Li wrote:
>> Authors:
>>
>> Do you intend to specify a standard or provide some information about
>> the implementation?
>>
> Richard,
>
> I'm not sure I understand your question.
>
> The draft specifies constraints on an implementation (with some MUST and
> SHOULD) for both the L2 partitioning layer and for IP running over this partitioned L2. That makes it a standard.
> Note that in general it is a bad idea to standardize specific behavior since we want to allow implementations to try different things.
> FWIW I've been bitten by this in the past with the IPv6 NUD standard being far to prescriptive with retransmission behaviors so we had to make an additional standards-track RFC relaxing the behavior.
>
>> Another question:Assuming your router supports L2VPN or its
>> equivalent, can L2VPN solve your problem?
>>
> If L2VPN is used to create a fully connected L2 network, then the L2VPN link would not be partitioned. Hence you wouldn't need the IPPL handling in that case. (But I imagine L2VPN could be used to create a partitially partitioned link as well.)
>
> But that doesn't mean that L2VPN would solve the problem people set up to solve when they created split horizon for DSL or PVLAN for Ethernets.
>
> We just need to make sure IPv4 and IPv6 can run reliably on such partitioned links.
>
> Does that answer your question?
>
> Thanks,
>      Erik
>
>> Thanks,
>>
>> Richard
>>
>> *From:*Int-area [mailto:int-area-bounces@ietf.org] *On Behalf Of
>> *Wassim Haddad
>> *Sent:* Thursday, January 19, 2017 1:39 PM
>> *To:* int-area@ietf.org
>> *Subject:* [Int-area] WG Adoption Call: IP over Intentionally
>> Partitioned Links
>>
>> Dear all,
>>
>> We would like to start a WG adoption call for
>> _draft-nordmark-intarea-ippl-05_ ("IP over Intentionally Partitioned
>> Links”).
>>
>> Please indicate your preferences on the mailling list. The deadline is
>> Februray 3rd.
>>
>> Regards,
>>
>> JC & Wassim
>>
>>
>>
>> _______________________________________________
>> Int-area mailing list
>> Int-area@ietf.org
>> https://www.ietf.org/mailman/listinfo/int-area
>
> _______________________________________________
> Int-area mailing list
> Int-area@ietf.org
> https://www.ietf.org/mailman/listinfo/int-area
>