IETF Logo Mail Archive

Re: [Int-area] Some thoughts on draft-yong-intarea-inter-sites-over-tunnels

"Templin, Fred L" <Fred.L.Templin@boeing.com> Mon, 05 December 2016 22:29 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D2FC1295EE for <int-area@ietfa.amsl.com>; Mon, 5 Dec 2016 14:29:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RaxnOIbiUoj3 for <int-area@ietfa.amsl.com>; Mon, 5 Dec 2016 14:29:09 -0800 (PST)
Received: from phx-mbsout-02.mbs.boeing.net (phx-mbsout-02.mbs.boeing.net [130.76.184.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75AA1129D53 for <int-area@ietf.org>; Mon, 5 Dec 2016 14:29:08 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by phx-mbsout-02.mbs.boeing.net (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id uB5MT8gh021287; Mon, 5 Dec 2016 15:29:08 -0700
Received: from XCH15-06-10.nw.nos.boeing.com (xch15-06-10.nw.nos.boeing.com [137.136.239.219]) by phx-mbsout-02.mbs.boeing.net (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id uB5MT5J9021246 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=OK); Mon, 5 Dec 2016 15:29:05 -0700
Received: from XCH15-06-08.nw.nos.boeing.com (2002:8988:eede::8988:eede) by XCH15-06-10.nw.nos.boeing.com (2002:8988:efdb::8988:efdb) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 5 Dec 2016 14:29:04 -0800
Received: from XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) by XCH15-06-08.nw.nos.boeing.com ([137.136.238.222]) with mapi id 15.00.1178.000; Mon, 5 Dec 2016 14:29:04 -0800
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Joe Touch <touch@isi.edu>, Lucy yong <lucy.yong@huawei.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>, "int-area@ietf.org" <int-area@ietf.org>
Thread-Topic: [Int-area] Some thoughts on draft-yong-intarea-inter-sites-over-tunnels
Thread-Index: AQHSSfUTLZDjgwj4v06xdSRLJ7spf6DwdPtAgAFWbFCAAJuxAP//gxPAgACJCwD//3tEwIAAjWUA//+BhHAAFPoOgAAP0p/A//+omgD//4m84IABfSIAgACA9qD//51zgIAAhBJQ//+I0oAAEIbo0AAPI8IAAC4ZozAAgC5ygAAP6STg
Date: Mon, 05 Dec 2016 22:29:04 +0000
Message-ID: <25503919e279426eb5fd827acf14d9c4@XCH15-06-08.nw.nos.boeing.com>
References: <2a8ef418-91dc-b0c5-1384-203b4fde3830@gmail.com> <c282e277-3257-a8e0-6256-e143c6d35752@isi.edu> <b1b6f51369864c2da290fba88117cb5f@XCH15-06-08.nw.nos.boeing.com> <950cf5fb-3c71-f428-cea1-ab44849147bb@isi.edu> <daf5035c7fad45eaa577c4e7e08a81cc@XCH15-06-08.nw.nos.boeing.com> <d711f321-e8c9-8d69-33d6-4008789b4de9@isi.edu> <93f8d61c9b6343b9b70b887c43e3aaee@XCH15-06-08.nw.nos.boeing.com> <d4e08982-03f8-fe5e-0c67-aa5cd7f26275@isi.edu> <e4096f9729474e00915432aa5c3af300@XCH15-06-08.nw.nos.boeing.com> <b82247d0-5221-ad60-3c4f-6e3287ef1fa9@isi.edu> <f54cd95a4f974ca189e2b3fb24864b97@XCH15-06-08.nw.nos.boeing.com> <a3f0ade1-2145-ee28-31cf-d5a4878b507c@isi.edu> <1707aa63f4e4424e85a8933a79b43dfe@XCH15-06-08.nw.nos.boeing.com> <982c4212-34cb-21f1-c8a8-a23df18d5c30@isi.edu> <1ced07df7e8c453f8c0821363bc5604e@XCH15-06-08.nw.nos.boeing.com> <137debc3-eb11-5c13-884e-d8f6598e8ec9@isi.edu> <30ad1018463746b3b7ef5d864abc9ff3@XCH15-06-08.nw.nos.boeing.com> <e23fc6bd-c95d-9d38-74e1-c040bffe653f@isi.edu>
In-Reply-To: <e23fc6bd-c95d-9d38-74e1-c040bffe653f@isi.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [137.136.248.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/n7WkBOGOyhBfHxosSthMd-jXDds>
Subject: Re: [Int-area] Some thoughts on draft-yong-intarea-inter-sites-over-tunnels
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Dec 2016 22:29:11 -0000

Hi Joe,

> -----Original Message-----
> From: Joe Touch [mailto:touch@isi.edu]
> Sent: Monday, December 05, 2016 1:25 PM
> To: Templin, Fred L <Fred.L.Templin@boeing.com>; Lucy yong <lucy.yong@huawei.com>; Brian E Carpenter
> <brian.e.carpenter@gmail.com>; int-area@ietf.org
> Subject: Re: [Int-area] Some thoughts on draft-yong-intarea-inter-sites-over-tunnels
> 
> Hi, Fred,
> 
> 
> On 12/1/2016 12:52 PM, Templin, Fred L wrote:
> > Hi Joe,
> > ...
> > Can you say why you think redirecting an entire subnet is potentially more
> > problematic (noting that RFC6706 has been published since 2012 and so the
> > notion of subnet redirection is already well known)?
> 6706 is within the context of authenticated origin.

Yes, that is correct. And, RFC6706 applies to all link types that support
Redirection (i.e., and not just tunnel NBMA links).

> It's a problem in the more general case where that's not known - e.g.,
> where host redirect is already used.

I don't understand the point you are trying to make here, but it
might not even matter. 

> >> Yes, buried in 6706 are the issues that might be in such a rev, but we
> >> can't expect IPv6 ND implementers to dive into a large spec that has no
> >> clear relation to IPv6 and doesn't update 4861 to find it. If there is a
> >> way for this approach to be generally useful, it really needs to be in a
> >> 4861bis update.
> > Not an RFC4861bis, no, but possibly in a document that updates RFC4861.
> > Is that what you meant
> I was thinking of a single doc focused on the subnet redirect. That
> could be in a 4861bis or a single doc that updates 4861, but should not
> be a small part of a much larger doc that does many other things
> concurrently IMO.

RFC6706 specifies subnet redirect for any link type that can support
ordinary Redirect. RFC6706(bis) updates that spec.

> >>>> It acts exactly like one NMBA link on which your endpoint has multiple
> >>>> virtual interfaces.
> >>> This is from RFC4861:
> >>>
> >>>      Inbound load balancing - Nodes with replicated interfaces may want
> >>>            to load balance the reception of incoming packets across
> >>>            multiple network interfaces on the same link.  Such nodes
> >>>            have multiple link-layer addresses assigned to the same
> >>>            interface.  For example, a single network driver could
> >>>            represent multiple network interface cards as a single
> >>>            logical interface having multiple link-layer addresses.
> >>>
> >>> AERO is not talking about inbound load balancing, but it is talking about
> >>> a single logical interface having multiple link-layer addresses in exactly
> >>> the same spirit as implied by this text.
> >> Which is what I said - one link with multiple interfaces. The example
> >> given explains that this can be done through interface virtualization,
> >> which I also noted.
> > No, it agrees with what I said: "a single network driver could represent
> > multiple network interface cards as a single logical interface having multiple
> > link-layer addresses". One interface; multiple link-layer addresses; one link.
> The only difference is whether you can use vanilla IP forwarding (to
> pick the outgoing virtual interface) or need some sort of additional
> mechanism (that allows multiple IP forwarding entries to use the same
> interface and next-hop IP, but needs additional fields to differentiate
> the L2 source/dest). With virtual interfaces, you can use existing code.

To be completely clear, with AERO the tunnel interface itself (i.e., the
AERO interface) is the virtual interface. Within the AERO interface there
are one or more underlying interfaces (physical or virtual), with each
interface having one or more addresses. The underlying interface
addresses are seen as link-layer addresses of the AERO interface.

The AERO interface is the node's point of connection to the AERO link,
where the AERO link is the entire underlying network. The AERO
interface therefore has multiple link-layer addresses but it connects
to a single link. This is consistent with the link model for ISATAP which
was published as RFC4214/RFC5214.

With this model, the inner IP layer uses vanilla IP forwarding to pick
the (singular) AERO interface as the outgoing interface. Once inside
the AERO interface, the inner IP destination address is mapped to
the correct corresponding AERO interface neighbor cache entry,
then encapsulation is applied, and then the encapsulated packet
is shipped out the correct underlying interface.

> >> Whether you use them for input or output reasons is up to the forwarding
> >> plane; it shouldn't be buried inside the tunnel mechanism. That's a flaw
> >> of many other tunnel approaches.
> > I disagree with any implications of a flaw. There is one forwarding table entry,
> > but the neighbor cache entry has multiple link-layer addresses. So, IP forwarding
> > does its normal thing at the IP layer, but inside the interface the packet is
> > forwarded to the correct link-layer address of the neighbor among multiple
> > candidates at the sub-IP layer. I can demonstrate this in running code today.
> I agree this works, but you need your new code to accomplish this for
> the very reason you cite.

All tunnel drivers have code that operates at the sub-IP layer, i.e., and not
just OpenVPN. Look at the linux kernel sit.c, ipip.c, ip_gre.c, etc. drivers, and
look at any apps that use the TUN/TAP interface. This code is not flawed.

> If you treat these as different interfaces, then existing forwarding
> code would have sufficed.

Existing IP forwarding code does suffice with a single interface. It is the
same as on any multipoint interface (e.g., Ethernet).

> >> Tunnels should stop at the interface.
> > But they don't. Look at the way OpenVPN works.
> Not the poster child of how networking works, IMO.

It is not just OpenVPN, which was used as only one widely-deployed
example.

> >>>  But, by allowing multiple S/TLLAOs
> >>> on IPv6 ND messages, AERO nodes can tell their neighbors about their
> >>> multiple link-layer address and how they prefer to have those link-layer
> >>> addresses used for inbound traffic.
> >> In my terminology, they affect the forwarding table. Sure.
> > They do not affect the forwarding table at the IP layer.
> 
> They should. You're effectively using a different link source/dest.

I'm not sure if this statement is born from a misunderstanding of the
 AERO interface/link model or some kind of preconceived notions you
may have from some other context. But, it is one (virtual) interface
connected to one (virtual) link the same way as Ethernet has one
(physical) interface connected to one (physical) link.

> > The IP layer sees only
> > a single next-hop while the sub-IP layer gets to see the multiple link-layer
> > addresses in the neighbor cache entry.
> That's the flaw, IMO - it's not needed of you use VIFs (we demonstrated
> this in the X-Bone).

Not adhering to the X-Bone model does not necessarily constitute a flaw.
Otherwise, if X-Bone were the measuring stick pretty much all widely
deployed tunneling solutions would be considered flawed.

I would ask you to go through the AERO spec and tell me what you think
is broken. And, a dissimilarity with X-Bone does not necessarily mean
that something is broken.

Thanks - Fred
fred.l.templin@boeing.com

> Joe
> 
> 
> 
> >
> > Thanks - Fred
> > fred.l.templin@boeing.com
> >
> >>>>>> - I agree that IPv6 ND was done in an INTAREA WG; the same might be true
> >>>>>> for AERO, but the INTAREA WG should be a place where generic aspects of
> >>>>>> all Internet layer issues should be addressed, not domain-specific
> >>>>>> solutions (IMO).
> >>>>>>
> >>>>>> AERO might be one doc, but it is 60+ pages with over 70 revisions. I don't think it would be useful to bog down INTAREA with
> >>>>>> something that large.
> >>>>> The document size and number of revisions are irrelevant. By making it
> >>>>> an intarea doc, it would revert back to a -00.
> >>>> That helps only the number of revisions issue; the point is that the
> >>>> work associated with this doc involves substantial effort for review.
> >>> RFC6706 was 33pages long, but was reviewed and approved in a relatively
> >>> short time and without going through a working group formation. Is there
> >>> some kind of page count cutoff I am not aware of?
> >> It wasn't a WG doc either.
> >>
> >> Yes, individua submissionl is another option.
> >>
> >> Joe
> >>
> >
>

v2.23.0 | Report a Bug | By Email