IETF Logo Mail Archive

Re: [Int-area] I-D Action: draft-ietf-intarea-tunnels-03.txt

Joe Touch <touch@isi.edu> Tue, 12 July 2016 15:17 UTC

Return-Path: <touch@isi.edu>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 281F012DC10 for <int-area@ietfa.amsl.com>; Tue, 12 Jul 2016 08:17:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level:
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gy1tnLnRkZYU for <int-area@ietfa.amsl.com>; Tue, 12 Jul 2016 08:17:01 -0700 (PDT)
Received: from nitro.isi.edu (nitro.isi.edu [128.9.208.207]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B00112DD27 for <int-area@ietf.org>; Tue, 12 Jul 2016 07:48:55 -0700 (PDT)
Received: from [172.20.6.185] ([12.222.78.10]) (authenticated bits=0) by nitro.isi.edu (8.13.8/8.13.8) with ESMTP id u6CEmMmG021075 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 12 Jul 2016 07:48:24 -0700 (PDT)
To: "Templin, Fred L" <Fred.L.Templin@boeing.com>, "int-area@ietf.org" <int-area@ietf.org>
References: <20160707062805.26768.34892.idtracker@ietfa.amsl.com> <577E7549.9020000@isi.edu> <77275dc8e3214bb6a0139818394437f9@XCH15-05-05.nw.nos.boeing.com> <57800BA9.5030208@isi.edu> <39db9bd3bd304883b4a56f452edb25d3@XCH15-05-05.nw.nos.boeing.com> <57840C05.3030605@isi.edu> <79cca622fbcb43eb9abed5066019964e@XCH15-05-05.nw.nos.boeing.com> <57841686.7070008@isi.edu> <d242edcae9634d6b832896d9fe883d2c@XCH15-05-05.nw.nos.boeing.com> <57842860.2070907@isi.edu> <7702d0e5928541af9fb8c8e3516d3f02@XCH15-05-05.nw.nos.boeing.com>
From: Joe Touch <touch@isi.edu>
Message-ID: <57850334.9090306@isi.edu>
Date: Tue, 12 Jul 2016 07:48:20 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <7702d0e5928541af9fb8c8e3516d3f02@XCH15-05-05.nw.nos.boeing.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-MailScanner-ID: u6CEmMmG021075
X-ISI-4-69-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/yqelLPF8QB-Oabdnm4j6opWfhM4>
Subject: Re: [Int-area] I-D Action: draft-ietf-intarea-tunnels-03.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2016 15:17:04 -0000


On 7/12/2016 7:37 AM, Templin, Fred L wrote:
> ...
>>>> There is no solution if the mutlpathing uses other packet info for context.
>>> My understanding of multipath is that it needs to ensure that all packets
>>> of the same flow follow the same path. Any multipath equipment in the
>>> network that does not honor that requirement is broken, at least to my
>>> understanding.
>> If that's the case, then PLPMTUD will work just fine with tunneled
>> traffic because the multipath and tunnel will both be operating only on
>> the flow information in the outermost IP header.
> Not necessarily. The tunnel ingress may need to encapsulate original
> packets with many different flow labels that are all destined to the
> same egress. Unless the ingress probes the path *for each distinct
> flow* multipath can still cause the probes to take different paths
> than the corresponding data packets.
A flow is defined by source, destination, and flow ID when the flow ID
is set.

(otherwise it's defined by whatever DPI is used, which typically
involves source, destination, protocol, source port, and dest port).

So different flow IDs between the same ingress/egress pairs are
different flows. I've already noted that PLPMUTD would need to run
independently for each flow between ingress and egress, *exactly as it
would for different flows between a given pair of endpoints that don't
use tunnels*.

> I am also told that some networking gear looks more deeply into
> the original packet than just the flow label, i.e., even after the
> original packet has been encapsulated. So, it is not necessarily
> just the flow label that multipath will operate on.

That could interfere with multipath between two endpoints as well, e.g.,
if it tries to differentiate between access to different app layer content.

All bets are off of multipoint ignores flow ID and its defining context
- for PLPMTUD for both tunnels and the rest of the Internet.

>
>>>>> This is different than for tunnels, because the tunnel ingress is not the source
>>>>> of the original packets - it is only the source of the encapsulated packets.
>>>> It is identical in that the ingress is responsible for fragmentation,
>>>> which the layer at which PLPMTUD is supposed to happen.
>>> This statement makes no sense afaict.
>> To clarify:
>>
>> PLPMTUD operating at the ingress would need to operate on the flows of
>> the IP packets emitted by the ingress into the tunnel. Those flows are
>> defined by the outer header. The fragmentation is defined by how the
>> ingress source fragments (either at the outer IP layer or any other
>> layer within the added encapsulation headers).
>>
>> That would make the ingress no different from any other traffic source.
>> It emits one or more flows, and as long as the flows it emits are
>> respected by multipath routing, PLPMTUD at the ingress on each flow will
>> work correctly.
> One alternative would be for the ingress to set the same flow label in
> the encapsulation headers of all packets regardless of the flow labels
> in the original packets (i.e., the "pipe" model). But this would either
> defeat multipath (undesirable) or still not solve the problem if
> multipath looks more deeply into the packet than just the outer
> flow label (unfixable).

The former may be desirable or not, and it's up to the ingress to decide
(or whomever configures it).

The latter is a problem in multipath that can affect everyone, not just
tunnels, as noted above.


>
>>>>> And,
>>>>> the ingress may need to encapsulate pacekts produced by many original
>>>>> sources which may take very different routes due to multipath within the tunnel.
>>>> Then the tunnel should do what it can to ensure that they do not take
>>>> different routes.
>>> The tunnel has no way of controlling which routes the network will select.
>> Agreed, but if the network uses routes that DPI beyond the encapsulation
>> headers, then *by your claim* that routing is violating multipath
>> routing and all bets are off anyway.
> My understanding is that the network may use information more deeply
> embedded in the packet than just flow label for multipath decisions.
Multipath can interfere with any PLPMTUD if this is the case.

> So, yes, it is DPI but if the ingress does it it needs to be very sure that
> all packets of the same flow get the same treatment. This does not
> negate my claim.

No, but it renders it a bit moot if it isn't specific to tunnels.

Joe

v2.23.0 | Report a Bug | By Email