IETF Logo Mail Archive

Re: [Int-area] Proxy function for PTB messages on the tunnel end

Vasilenko Eduard <vasilenko.eduard@huawei.com> Thu, 25 March 2021 17:12 UTC

Return-Path: <vasilenko.eduard@huawei.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3711E3A27DB; Thu, 25 Mar 2021 10:12:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mExn_VXo5PLi; Thu, 25 Mar 2021 10:12:17 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2796F3A27D1; Thu, 25 Mar 2021 10:12:17 -0700 (PDT)
Received: from fraeml713-chm.china.huawei.com (unknown [172.18.147.207]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4F5ryz5l10z682d6; Fri, 26 Mar 2021 01:03:23 +0800 (CST)
Received: from msceml702-chm.china.huawei.com (10.219.141.160) by fraeml713-chm.china.huawei.com (10.206.15.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Thu, 25 Mar 2021 18:12:14 +0100
Received: from msceml703-chm.china.huawei.com (10.219.141.161) by msceml702-chm.china.huawei.com (10.219.141.160) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Thu, 25 Mar 2021 20:12:13 +0300
Received: from msceml703-chm.china.huawei.com ([10.219.141.161]) by msceml703-chm.china.huawei.com ([10.219.141.161]) with mapi id 15.01.2106.013; Thu, 25 Mar 2021 20:12:13 +0300
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: "Black, David" <David.Black@dell.com>, Joseph Touch <touch@strayalpha.com>
CC: "v6ops@ietf.org" <v6ops@ietf.org>, int-area <int-area@ietf.org>
Thread-Topic: Proxy function for PTB messages on the tunnel end
Thread-Index: AdcfDpZejD7P5RAGQ06oVS2C5lk8jAACE+sAAAi5WeD//90TAP//s51QgAByGQD//8LNQIAAUjUA//8J3tAARFNWgP//xB4Q//+RtwD//uUYkP/962+A//ucEtD/91rKgP/txlXQ/9tXi4D/tnfdMP9s3R+A/tl7ULD9sxGQAPtlIkIg9sn8kYDtk8DZcA==
Date: Thu, 25 Mar 2021 17:12:13 +0000
Message-ID: <fa802c8edef445bc93f9d246e3b10a17@huawei.com>
References: <0b61deabe8f3420eba1b5794b024e914@huawei.com> <A063E98C-0D6C-49B2-B871-E2B39A097FD5@strayalpha.com> <37059faadd6e441cb98f6ec7e01ecef9@huawei.com> <9D23C833-46C5-4B93-A204-D2D4F54689DF@strayalpha.com> <1e6ecd3b468d4255bda65d519190135d@huawei.com> <3B48413C-A47D-4F3F-B9E4-7ED4D33AA66B@strayalpha.com> <22bb7bf129694ccfbbad441d8d22e05c@huawei.com> <A5F62B47-DBA3-457D-89CD-D570EA2EA886@strayalpha.com> <eb63d427f4d34e44908ccee2c2d14073@huawei.com> <F158C443-6E73-4FC6-ADCA-6D28EE8F0A30@strayalpha.com> <d1c8a80b387847a3b00566e3dc0768ab@huawei.com> <D87C00F7-2902-48C4-9DCA-E1019EF32CAA@strayalpha.com> <46be60a38c0f4bc08f352dc8ed353c6a@huawei.com> <4E4C25CB-561C-4BF1-B99B-14E26D00009B@strayalpha.com> <4415086a1b734313b383307a27eb3fb2@huawei.com> <1A41F380-5176-4856-B0FE-BCA065FEAB15@strayalpha.com> <d2dffa85fdbc476f95c008a41e65e696@huawei.com> <8CB230FB-D5D9-4EE2-BA61-7FBC786D09CA@strayalpha.com> <c3ac993dc35340648988c688f1b86bbc@huawei.com> <61E1D204-B806-4D11-86D1-F175ED38A96C@strayalpha.com> <348c2c09d1ad4a7dbac4add24bbb5ab8@huawei.com> <MN2PR19MB40450A07EAF2FC2BD5439F2983639@MN2PR19MB4045.namprd19.prod.outlook.com> <6a9c2f22ed0b4ffab4fedb12bb39a7d0@huawei.com> <MN2PR19MB404524DF4CB3749D38A2094B83629@MN2PR19MB4045.namprd19.prod.outlook.com>
In-Reply-To: <MN2PR19MB404524DF4CB3749D38A2094B83629@MN2PR19MB4045.namprd19.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.47.197.145]
Content-Type: multipart/alternative; boundary="_000_fa802c8edef445bc93f9d246e3b10a17huaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/QzSXoGEByEQVx1hzaro8SyM5yzo>
X-Mailman-Approved-At: Fri, 26 Mar 2021 08:29:04 -0700
Subject: Re: [Int-area] Proxy function for PTB messages on the tunnel end
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2021 17:12:23 -0000

Hi David,
I do not agree with the position:
“Let’s specify a standard for the software platform, the guys developing specialized ASICs should solve their problem themselves”.
Tunneling is done now much often in these specialized ASICs, not in PCs.
Eduard
From: Black, David [mailto:David.Black@dell.com]
Sent: Thursday, March 25, 2021 7:46 PM
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>; Joseph Touch <touch@strayalpha.com>
Cc: v6ops@ietf.org; int-area <int-area@ietf.org>; Black, David <David.Black@dell.com>
Subject: RE: Proxy function for PTB messages on the tunnel end

Inline …

Thanks, --David

From: Vasilenko Eduard <vasilenko.eduard@huawei.com<mailto:vasilenko.eduard@huawei.com>>
Sent: Thursday, March 25, 2021 5:52 AM
To: Black, David; Joseph Touch
Cc: v6ops@ietf.org<mailto:v6ops@ietf.org>; int-area
Subject: RE: Proxy function for PTB messages on the tunnel end


[EXTERNAL EMAIL]
Hi David,


  1.  Any real tunneling implementation does check the incoming packet against virtual link MTU, not against any buffer. Because buffers are “big enough” for tunneling that does support fragmentation/reassembly or buffer does not exist at all for tunneling that does not support fragmentation.
[David>] We agree on this.  The check against the virtual link MTU (which is EMTU_R in the draft) is what causes generation of the ICMP PTB.


  1.  Why you are talking about “NIC”, “driver”, “EMTU_R”? All these abstractions do not exist in hardware that is doing tunneling for us.
[David>] That is entirely about "the link-attached-to-host case, where an ICMP PTB may be counterproductive" which also needs to be covered, in addition to the router case that you're focused on.

It is the Data Plane ASIC, right? It deals with traffic flow (Verilog), not with control flow (RTC == Run to Completion, “C”).
[David>] That would be in a router, actual hosts that don't have data plane ASICs also have to be covered.

It does not have LINUX on board. No one would be capable to emulate “host” on this ASIC, at least not to degree that this draft demands.
[David>] The draft specifies abstractions – implementations optimize across them.

It was originally a very bad idea to unify tunnel end point with host – they are running on principally different hardware. The difference is much bigger than between RISC and CISC.
[David>] I disagree - tunnel encap/decap software absolutely also runs on actual hosts.  Remote access VPN clients are an obvious example.

Eduard
From: Black, David [mailto:David.Black@dell.com]
Sent: Thursday, March 25, 2021 12:10 AM
To: Vasilenko Eduard <vasilenko.eduard@huawei.com<mailto:vasilenko.eduard@huawei.com>>; Joseph Touch <touch@strayalpha.com<mailto:touch@strayalpha.com>>
Cc: v6ops@ietf.org<mailto:v6ops@ietf.org>; int-area <int-area@ietf.org<mailto:int-area@ietf.org>>; Black, David <David.Black@dell.com<mailto:David.Black@dell.com>>
Subject: RE: Proxy function for PTB messages on the tunnel end

Hi Eduard,

>>            - links NEVER *generate* ICMPs
>>            - routers and hosts *generate* ICMPs
> Why virtual link could not send ICMP PTB (like on a physical link)?

The short answer (IMHO) is "yes, but the host or router generates the ICMP PTB."  There's a subtle distinction here that better supports the link-attached-to-host case, where an ICMP PTB may be counterproductive.

Starting with a router case, suppose that a large packet arrives at a router whose forwarding table determines that the next hop is a virtual link that encapsulates the packet to send in a tunnel.  The router checks the MTU for that virtual link (tunnel EMTU_R), determines that the packet is too large to send, and the router generates an ICMP PTB to report that.  This works the same way for a physical link that just sends the packet (MTU that is checked is that of the physical link) – in both cases the router generates an ICMP PTB based on link (interface) information before attempting to send the packet on that link.

The host case enables a host device driver or network stack to deal with this situation without forcing an ICMP PTB to be generated and parsed.  Starting with the physical link case – attempting to send a packet that's too large for the NIC to send generates an error that propagates back up the host network stack – forcing generation of an ICMP PTB in this case may be counterproductive.  Exactly where that error is generated may depend on how  the network stack and NIC are implemented – the error could originate from the NIC itself, the NIC device driver, or a higher layer of the network stack that checks the link MTU before the packet is handed off to the NIC device driver.  For a software encapsulation implementation of a virtual link, the MTU (tunnel EMTU_R) gets checked at or above the network stack layer that does the encapsulation.  If there's a software router embedded in the host (e.g., virtual switch with IP forwarding functionality), that router could generate an ICMP PTB based on the error or on directly checking the link MTU.

Thanks, --David

From: Int-area <int-area-bounces@ietf.org<mailto:int-area-bounces@ietf.org>> On Behalf Of Vasilenko Eduard
Sent: Wednesday, March 24, 2021 4:05 PM
To: Joseph Touch
Cc: v6ops@ietf.org<mailto:v6ops@ietf.org>; int-area
Subject: Re: [Int-area] Proxy function for PTB messages on the tunnel end


[EXTERNAL EMAIL]
Hi Joseph,
You have presented below (and in many other messages) a long list of policies (extensive usage of “SHOULD”, “NEVER”, “MUST”)
That are new – would change how current tunnels operate
And are not justified by any reasoning.
It is religion, not technology.

Why virtual link could not send ICMP PTB (like on a physical link)? Just because… it is “unsolicited”. But one moment – any other PTB is unsolicited too - It is an event.

You have not answered any of my questions – you continue to promote the solution from the draft-ietf-intarea-tunnels putting some excerpts in a different order.

PS: I am especially sorry that draft-ietf-intarea-tunnels would scrape the best tunneling RFC that we have for IPv6. RFC 2473 was really good.
Eduard
From: Joseph Touch [mailto:touch@strayalpha.com]
Sent: Wednesday, March 24, 2021 10:01 PM
To: Vasilenko Eduard <vasilenko.eduard@huawei.com<mailto:vasilenko.eduard@huawei.com>>
Cc: v6ops@ietf.org<mailto:v6ops@ietf.org>; int-area <int-area@ietf.org<mailto:int-area@ietf.org>>
Subject: Re: Proxy function for PTB messages on the tunnel end

Two points:

On Mar 24, 2021, at 7:59 AM, Vasilenko Eduard <vasilenko.eduard@huawei.com<mailto:vasilenko.eduard@huawei.com>> wrote:

It would invalidate all tunneling implementations. It is not compatible with any one of them. PMTUD is killed. Revolution.

PMTUD is effectively dead, so if you’re worried about it, you’re 20+ years too late - as per the RFCs I’ve already cited.

All complaints against RFC 2473 are minor (if right),
Except this one that is definitely wrong:

       o Tunnel ingress issues ICMPs

This is a violation of RFC792 and 8200; the ICMPs issued are that of routers, not links. If the ingress is at the source host, these ICMPs would come from a device that is not a router.
ICMP PTB is very important to deliver to the traffic source.

I’m saying something very specific:
            - tunnels are links
            - links NEVER *genenerate* ICMPs
            - routers and hosts *generate* ICMPs
                        based on what happens inside them, e.g,, to their processes and links

So the question is “under what conditions does a link cause a router/host to generate an ICMP?”

There should be no unsolicited ICMPs, i.e., routers/hosts NEVER generate ICMPs unless in reaction to a packet being sent or received.

PTB means “I cannot send the packet over this link”. Not path - link. There is no PTB for a path; the assumption is that one link of a path that fails will send the ICMPs back to the source.

For a tunnel, when can it NOT send a packet?
            - only when that packet is larger than the tunnel EMTU_R (i.e., egress received max, reassembled if reassembly is supported)

A packet that can be fragmented and traverse a tunnel is not too big. It’s “bigger than you might like” or “bigger than desired”, but there is no ICMP to indicate that sort of ‘soft’ (non failure) error.

So what should happen:
            - tunnels ingress should know and update (if changing) the tunnel EMTU_R value
            - routers/hosts should use EMTU_R as the tunnel MTU
                        again, because the tunnel path MTU is a preference; the tunnel EMTU_R is the actual strict limit
            - routers/hosts sending packets over a tunnel generate ICMP PTBs as needed
                        again, the router/host generates the message, not the tunnel ingress
                        this happens when the router/host tries to send a packet over out that tunnel interface that is larger than the tunnel MTU

So this all works, as long as ICMPs are relayed.

Draft-tunnels does not deprecate this behavior. It describes it and explains why this is the correct behavior.

Tunnel ingresses that relay PTBs inside are broken; they fail in ways they do not need to. That is the true error.

Joe

v2.23.0 | Report a Bug | By Email