Re: [Int-area] WG Adoption Call: IP over Intentionally Partitioned Links
"Pascal Thubert (pthubert)" <pthubert@cisco.com> Thu, 02 March 2017 12:29 UTC
Return-Path: <pthubert@cisco.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 076D1129984 for <int-area@ietfa.amsl.com>; Thu, 2 Mar 2017 04:29:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.512
X-Spam-Level:
X-Spam-Status: No, score=-14.512 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kNdtZ4UGGyCN for <int-area@ietfa.amsl.com>; Thu, 2 Mar 2017 04:29:42 -0800 (PST)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2A32129982 for <int-area@ietf.org>; Thu, 2 Mar 2017 04:29:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=58036; q=dns/txt; s=iport; t=1488457781; x=1489667381; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=T1ap4krZx8WBOKv/tsagiCy888k6n6U3QfWNi2Z2pWU=; b=HelIhVTduCJf+rNg/2RdF3rEROll7ezrAHGGACCy9/TKvGFH5BaouI7p Xu74qwkbAqKhu1VqDLFackDsQsI3bosEzKQyHz6OD5ljHf74s1iGwsSC+ dDHuj6IsUMOtkf814FDoMmaiOYHMMyOUc38XjGV30b63/IFU4Yn1ZbteF E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DbAQDoD7hY/5xdJa1eGQEBAQEBAQEBAQEBBwEBAQEBgm45KWGBCQeDVooKkWeVNYIKAx8BCoV4AhqCLD8YAQIBAQEBAQEBYiiEcAEBAQMBAQEYAwYKQRAHBAIBCBEEAQEhAQYDAgICJQsUCQgCBAESCAyJXggOsUqCJosXAQEBAQEBAQEBAQEBAQEBAQEBAQEBGAWGTIRvhDABCTEVCoJQgl8FnCkBkiiCBIUig1SGLpM2AR84gQFUFT6ETx2BYXWHQQEGH4EKgQ0BAQE
X-IronPort-AV: E=Sophos;i="5.35,231,1484006400"; d="scan'208,217";a="392490533"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 Mar 2017 12:29:38 +0000
Received: from XCH-ALN-005.cisco.com (xch-aln-005.cisco.com [173.36.7.15]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id v22CTcBo001776 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 2 Mar 2017 12:29:38 GMT
Received: from xch-rcd-001.cisco.com (173.37.102.11) by XCH-ALN-005.cisco.com (173.36.7.15) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 2 Mar 2017 06:29:37 -0600
Received: from xch-rcd-001.cisco.com ([173.37.102.11]) by XCH-RCD-001.cisco.com ([173.37.102.11]) with mapi id 15.00.1210.000; Thu, 2 Mar 2017 06:29:37 -0600
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Erik Nordmark <nordmark@acm.org>, Richard Li <renwei.li@huawei.com>, "int-area@ietf.org" <int-area@ietf.org>, Wassim Haddad <wassim.haddad@ericsson.com>, "Dorothy Stanley (DStanley@arubanetworks.com)" <DStanley@arubanetworks.com>
Thread-Topic: [Int-area] WG Adoption Call: IP over Intentionally Partitioned Links
Thread-Index: AQHScpxO+lEWKzah3E+5mqsDI9bBLaFKUEuAgAEwkQCAEd1yAIABTo8AgCMAPNA=
Date: Thu, 02 Mar 2017 12:29:12 +0000
Deferred-Delivery: Thu, 2 Mar 2017 12:28:35 +0000
Message-ID: <425de076ca264ac0bca2fc56aa4b60c6@XCH-RCD-001.cisco.com>
References: <FB580294-14F5-4ED7-B692-F5F3872247A9@ericsson.com> <F061CEB6876F904F8EA6D6B92877731C3AF2AC0E@SJCEML703-CHM.china.huawei.com> <923f7967-0e76-fa13-9cd3-fc5e153df784@acm.org> <a78107c31cb245c6bfbcdf0f61c111e1@XCH-RCD-001.cisco.com> <f9f55cfc-3b97-2300-a4dd-a469c4773868@acm.org>
In-Reply-To: <f9f55cfc-3b97-2300-a4dd-a469c4773868@acm.org>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.55.22.4]
Content-Type: multipart/alternative; boundary="_000_425de076ca264ac0bca2fc56aa4b60c6XCHRCD001ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/sNhzxPwdcCNqzwkqtAQnafbV4XE>
X-Mailman-Approved-At: Mon, 06 Mar 2017 13:12:44 -0800
Subject: Re: [Int-area] WG Adoption Call: IP over Intentionally Partitioned Links
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 12:29:45 -0000
Hello Erik :
Please see inline:
* Splitting a subnet in several L2 domains with L3 tunnels interconnection is a different beast, yet would fit in the generic term of IPPL. Is it the intention that those are covered?
Depends on the IP configuration associated with those tunnels. If IP at both ends agree that the tunnel is assigned the same prefix (i.e. both ends think it is 192.168.1.0/24) or both ends agree that the tunnel has no prefix but instead has a single local and remote IP addresses, then the tunnel is a link which is not partitioned.
However, if the router's IP configuration is 192.168.1.1/24 and a host has an IP configuration with no subnet but instead has a local address
192.168.1.17 and a remote IP of 192.168.1.1, then the tunnels are used to construct an intentionally partitioned link. In this case a host sending a packet to 129.168.1.99 requires that the router forward it back out the same interface. (And if you are doing this with IPv6 you'd end up assuming that the routers forward a a packet addressed to a link-local address out the interface on which it arrived.)
Do you know of any existing document/protocol which describes such intentionally partitioned tunnel setups?
If so there would be something we could reference, and there would be a reason to clarify the scope in this document.
[Pascal] I'm thinking of the cases described in IPv6 ND proxies, RFC 4389; the case above would be scenario 2, and the desire would be to avoid copying the L2 broadcasts over the possibly slow PPP link. ND proxy can indeed be useful in subnet configurations where people want to isolate portions of the layer 2 network, not necessarily for security reasons but also, say, to limit the broadcast domain and protect wireless clients. The configurations proposed in the RFC force going through L3 and appears to me as forms of IPPL. Would you agree?
As your draft does, RFC 4389 also insists on loopless configurations only. A
> * Finally there's the multilink subnet whereby the router interconnects the limited ports with the core at L3. In that case, the router has multiple ports on the subnet, as opposed to the PVLAN where it has only one, thus the risk of ARP loop. This case appears to be not covered, though it makes the proxy ARP operation much more natural. Is that correct?
For me to understand your case you have to separate out the L3 configuration and what it sees as L3 interfaces (whether those are L3 ports or SVIs); for IPPL it doesn't matter which mapping there is between L3 interfaces and L2 ports.
So are the ports you refer to L2 ports with IP seeing an SVI? Or something else?
[Pascal] No, I’m not talking about an SVI but about placing a router where the IPPL draft places a switch.
The router also has the effect of partitioning the L2 broadcast domain. I understand that IEEE Std 802.11 recommends the use of ND proxy to protect the wireless edge, which is yet another form of topology, not explicited by RFC 4389, but covered by draft-ietf-6lo-backbone-router for the context of constrained power. Ccing Dorothy to make sure I’m not mis-representing the IEEE position.
My question is really about the scope of the IPPL document, considering that the term IPPL seems a lot larger in scope than private vlans…
>
>
> Section 6:
> The draft expects that the routers serving the hosts are connected to the promiscuous ports whereas the hosts are connected to the limited ports. If all the ARP proxy routers are in a promiscuous core where multicast functions (even if emulated), then the proxy operation can be done having the proxies copy the ARP reqs from the edge to the core, and from the core to the edge. This is doable (and done) in a L3 switch that has a capability to know from which port a packet came in, and control which ports will get a copy.
I don't think that is how e.g. PVLAN implementations work today. I know that is not how DAD proxy works.
The router doesn't copy the received packet and send it out. Instead the router originates a new packet with its own MAC address as the source.
Why do you want the routers to send out the unmodified packets? That would make them into bridges hence they would potentially violate the partitioning that was created in the actual bridges.
What problem are you trying to solve by doing this?
[Pascal] I agree that the DAD that the Pvlan nodes see are issued by the router, and that’s how the end device are kept unaware of each other, and that’s part of the router being a proxy. My point was not about the information being transported with the same packet, but about the loop avoidance text in the proxy operation:
“
For the ARP proxy to be robust it MUST avoid loops where router1
attached to the link sends an ARP request which is received by
router2 (also attached to the link), resulting in an ARP request from
router2 to be received by router1.
“
Point is, the L3 switch makes a difference between what’s coming from an access port that’s private and what’s coming from a port connected to the primary vlan (the backbone) where the routers are sitting. In particular, DAD requests coming from the primary are not proxied back to the primary, so there is no loop. The proxy checks if it has a matching state on a private port in which case it replies, otherwise it drops the DAD packet.
>
> " At a minimum, the reception of an ARP request MUST NOT result in sending an ARP request, and..." The "and" seems to read like this is a rule and there is more. But this is not required to obtain the intented loop avoidance, for instance the suggestion that the routers do not forward ARPs coming from other routers known by MAC@ but forward the others, and it appears to kill the design above. I'd suggest to remove that quoted text, or say that this in one way of achieving the recommendation to avoid loops that is already there.
router != bridge as described in this document.
The fact that there are products which combine routing and bridging functions doesn't mean we can't and shouldn't describe the routing function as separate from the bridging function. That is basically what all the RFCs I've read done.
Thus I'm confused.
Are you talking about some unspecified device which, between the same set of interfaces, bridges some packets and forwards others?
Is there an RFC or IEEE 802 specification for such a device?
[Pascal] I thought this discussion is about proxying the ARP. And I’m saying that “the reception of an ARP request” may actually “ result in sending an ARP request” as long as the flooding domain is controlled and loops are avoided, as discussed just above. Probably le being confused in the scope of the text I was reading.
>
> Section 8
> "For that reason it is NOT RECOMMENDED to configure outbound multicast forwarding from private VLANs." Not all protocols would be impacted in a same manner. I think that the recommendation, which applies to ND more than to many others because of DAD, could be more specific, like that whatever is done to propagate a multicast beyond the limited scope allowed by the PVLAN should ensure that the multicast is either harmless to the protocol it is propagating, or not echoed back to the source device at all. Then again, the latter is something that can be done in a L3 switch and a ML subnet router.
ND packets are never forwarded in any useful way since forward (as described in RFCs) is a an IP operation which includes decrementing the ttl/hopcount and ND verifies that hopcount is 255 on receipt.
[Pascal] I was confused again. I though the forwarding term here was describing the switch behavior, and I read this text as a recommendation that the switch does not propagate the multicast..
The intent of the statement is about IP multicast packets which are forwarded in other networks, but have issues with duplication or loopback to the sender when the sender is on a community or isolated vlan.
[Pascal] Did I read too quickly or could that be clarified in the text?
Section 8 tries to explain that issue with
IP Multicast which spans across multiple IP links and that have
senders that are on community or isolated ports require additional
forwarding mechanisms in the routers that are attached to the
promiscuous ports, since the routers need to forward such packets out
to any allowed receivers in the private VLAN without resulting in
packet duplication. For multicast senders on isolated ports such
forwarding would result in the sender potentially receiving the
packet it transmitted. For multicast senders on community ports, any
receivers in the same community VLAN are subject to receiving
duplicate packets; one copy directly from layer 2 from the sender and
a second copy forwarded by the multicast router.
[Pascal] I must admit I do not fully understand what this text. Maybe a picture with the routers and the switches showing the packet duplication at work?
Take care,
Pascal
>
> Cheers,
>
> Pascal
> -----Original Message-----
> From: Int-area [mailto:int-area-bounces@ietf.org] On Behalf Of Erik
> Nordmark
> Sent: jeudi 26 janvier 2017 19:20
> To: Richard Li <renwei.li@huawei.com<mailto:renwei.li@huawei.com>>; int-area@ietf.org<mailto:int-area@ietf.org>; Wassim
> Haddad <wassim.haddad@ericsson.com<mailto:wassim.haddad@ericsson.com>>
> Subject: Re: [Int-area] WG Adoption Call: IP over Intentionally
> Partitioned Links
>
> On 1/25/17 4:09 PM, Richard Li wrote:
>> Authors:
>>
>> Do you intend to specify a standard or provide some information about
>> the implementation?
>>
> Richard,
>
> I'm not sure I understand your question.
>
> The draft specifies constraints on an implementation (with some MUST
> and
> SHOULD) for both the L2 partitioning layer and for IP running over this partitioned L2. That makes it a standard.
> Note that in general it is a bad idea to standardize specific behavior since we want to allow implementations to try different things.
> FWIW I've been bitten by this in the past with the IPv6 NUD standard being far to prescriptive with retransmission behaviors so we had to make an additional standards-track RFC relaxing the behavior.
>
>> Another question:Assuming your router supports L2VPN or its
>> equivalent, can L2VPN solve your problem?
>>
> If L2VPN is used to create a fully connected L2 network, then the
> L2VPN link would not be partitioned. Hence you wouldn't need the IPPL
> handling in that case. (But I imagine L2VPN could be used to create a
> partitially partitioned link as well.)
>
> But that doesn't mean that L2VPN would solve the problem people set up to solve when they created split horizon for DSL or PVLAN for Ethernets.
>
> We just need to make sure IPv4 and IPv6 can run reliably on such partitioned links.
>
> Does that answer your question?
>
> Thanks,
> Erik
>
>> Thanks,
>>
>> Richard
>>
>> *From:*Int-area [mailto:int-area-bounces@ietf.org] *On Behalf Of
>> *Wassim Haddad
>> *Sent:* Thursday, January 19, 2017 1:39 PM
>> *To:* int-area@ietf.org<mailto:int-area@ietf.org>
>> *Subject:* [Int-area] WG Adoption Call: IP over Intentionally
>> Partitioned Links
>>
>> Dear all,
>>
>> We would like to start a WG adoption call for
>> _draft-nordmark-intarea-ippl-05_ ("IP over Intentionally Partitioned
>> Links”).
>>
>> Please indicate your preferences on the mailling list. The deadline
>> is Februray 3rd.
>>
>> Regards,
>>
>> JC & Wassim
>>
>>
>>
>> _______________________________________________
>> Int-area mailing list
>> Int-area@ietf.org<mailto:Int-area@ietf.org>
>> https://www.ietf.org/mailman/listinfo/int-area
>
> _______________________________________________
> Int-area mailing list
> Int-area@ietf.org<mailto:Int-area@ietf.org>
> https://www.ietf.org/mailman/listinfo/int-area
>
- [Int-area] WG Adoption Call: IP over Intentionall… Wassim Haddad
- Re: [Int-area] WG Adoption Call: IP over Intentio… Pascal Thubert (pthubert)
- Re: [Int-area] WG Adoption Call: IP over Intentio… Erik Nordmark
- Re: [Int-area] WG Adoption Call: IP over Intentio… Richard Li
- Re: [Int-area] WG Adoption Call: IP over Intentio… Erik Nordmark
- Re: [Int-area] WG Adoption Call: IP over Intentio… Pascal Thubert (pthubert)
- Re: [Int-area] WG Adoption Call: IP over Intentio… Erik Nordmark
- Re: [Int-area] WG Adoption Call: IP over Intentio… Pascal Thubert (pthubert)
- [Int-area] Fwd: WG Adoption Call: IP over Intenti… Wassim Haddad
- Re: [Int-area] WG Adoption Call: IP over Intentio… Erik Nordmark
- Re: [Int-area] WG Adoption Call: IP over Intentio… Pascal Thubert (pthubert)