IETF Logo Mail Archive

Re: [ippm] draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)

Tom Herbert <tom@herbertland.com> Fri, 05 April 2019 18:15 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 200E31205CE for <ippm@ietfa.amsl.com>; Fri, 5 Apr 2019 11:15:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NHXFaSBbiUAt for <ippm@ietfa.amsl.com>; Fri, 5 Apr 2019 11:15:46 -0700 (PDT)
Received: from mail-qt1-x841.google.com (mail-qt1-x841.google.com [IPv6:2607:f8b0:4864:20::841]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C3571205D2 for <ippm@ietf.org>; Fri, 5 Apr 2019 11:15:46 -0700 (PDT)
Received: by mail-qt1-x841.google.com with SMTP id s15so119966qtn.3 for <ippm@ietf.org>; Fri, 05 Apr 2019 11:15:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=BOt/fXSTLa9xc3S1E4FP/kUsKbUwMPTZ75o7h7fmcHY=; b=raBud9Zca9vEWUQBY29RIYUfWkclImmW9cs0sk+c9fz6FSoAG/iUJTUOq0T60YJGgr bL6Z0F+loSe83i13nILr4j1aoc/bsVLxYYjDd8iPnzyAbd4U2p/7D2BDL6c2uXu4Lhwd nwO1zfmbogvRzb1WJsvmV9thQWG0Mph37aNVZVPK6f7mXFU+TA29dCJkMGx3Hl++i7zW WIbINeK6ajWXEZoT0+jZOKSfDblUJW57BD0vJjsYbrYC0wmhhkA2lzo07rQ4G+v785JE EyHO3TYmfbeNrApCHMgAnotv0xSiwq4c6MxTmvYUKKVOMHOtAyjO85rdC2UmxlXuNqXs zg6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=BOt/fXSTLa9xc3S1E4FP/kUsKbUwMPTZ75o7h7fmcHY=; b=Uxk5InRncxAsRUWpGO390aOaTa+43CqQ/c5D8UPUw90aGOvieD05QIaF8+PfTdSuAa BMitF5Ui3ElVOxzXh6G8fK4bfAr0lm05wCM12Jklk9w9wb/1YjllKQ2KKMuRSvSvqKUB U0KYavYbqBfOwkgjHZyKzEp3Eqf8sunWEAOq6HoqClC3F+wS4ytop3+LLIzAelbUNFSJ y1EUUB7DJe4MV7I6akvy28NwmwCwJ87i/Qdty7T7KzXl2ZEeRxetISHtDtu2/vOQII7i 04YadCzyYeswi1FsffRTLP3e/1AFweSm2J8QzGSMq1CjVz6314mX/U9A4nGpy225gc6P ugdg==
X-Gm-Message-State: APjAAAXLystuUlG9vsp5+pHamgTkfohnoxPzlwRNRw5s8iHIE8FnfXXs S5EidBvAzoC1fvGkyijxtEgpJoohAusyihBZ6Eekqg==
X-Google-Smtp-Source: APXvYqxaD645jVXPtid1SOpTp2NrjMbt882VZAyuzD/0gxTFoFYwG6J0FOs6a20yfDgDvDujBguQA8RTBMnmMCtySj8=
X-Received: by 2002:ac8:3782:: with SMTP id d2mr12075878qtc.170.1554488144937; Fri, 05 Apr 2019 11:15:44 -0700 (PDT)
MIME-Version: 1.0
References: <CACL_3VGxyn-PYosFsKPVdd8C=P5AbE6HD1zrimHKuh2MPkhnuQ@mail.gmail.com> <505272eac2dd44fa891d4d36d14da9af@XCH-RCD-008.cisco.com> <CAO42Z2wGMzc_RT=eWTx9Ve-5reS0nCWiteGOuE16=MB4Fg8mkg@mail.gmail.com> <f50040ab52d04867b9a5cefa1c3131c3@XCH-RCD-008.cisco.com> <CAO42Z2zgguekybwVuCh8Az3mK8gHp292BYnWYhJq-8KEyfKzOA@mail.gmail.com> <7ea9049fe6f44a40aefe4801bd796322@XCH-RCD-008.cisco.com> <CAO42Z2y5TS1+8YxNsr=BKz5v8-ZPTiO-M7CU2k6FzNqVZoU4VA@mail.gmail.com> <CY4PR11MB1335960AD9BF9A4B990F7E10DA4A0@CY4PR11MB1335.namprd11.prod.outlook.com> <CAO42Z2xqq=uksNQPxvF_CRSxf1V_MADbFurzW4hqQW0v478cyw@mail.gmail.com> <DM6PR11MB36254EAC97ACF07F5BAD43CADA5F0@DM6PR11MB3625.namprd11.prod.outlook.com> <DM6PR11MB362528DB0EADA21493CC49A3DA590@DM6PR11MB3625.namprd11.prod.outlook.com> <alpine.DEB.2.20.1904011139550.3490@uplift.swm.pp.se> <BN8PR11MB36181C47785968D8FCA2DED9DA550@BN8PR11MB3618.namprd11.prod.outlook.com> <alpine.DEB.2.20.1904020744260.3490@uplift.swm.pp.se> <MN2PR11MB36299BC5A8F12770A6EABA01DA560@MN2PR11MB3629.namprd11.prod.outlook.com> <4278D47A901B3041A737953BAA078ADE1478D5E2@DGGEML532-MBX.china.huawei.com> <VI1PR05MB4125507A0428AA013BDC9B1BB9500@VI1PR05MB4125.eurprd05.prod.outlook.com> <4278D47A901B3041A737953BAA078ADE1478EC8B@DGGEML532-MBX.china.huawei.com> <CALx6S34K_ph8n8woCQ=OVUtYLadOkuBDHRwLj+rtMYRba1ELdA@mail.gmail.com> <14A3D5C9-1EED-4E11-9329-B62B819271A2@broadcom.com>
In-Reply-To: <14A3D5C9-1EED-4E11-9329-B62B819271A2@broadcom.com>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 05 Apr 2019 11:15:34 -0700
Message-ID: <CALx6S36wRZ_e8urjUxn_mxiPEEHNoddyCQddWhdCHuADeKMNNQ@mail.gmail.com>
To: Jai Kumar <jai.kumar@broadcom.com>
Cc: "Pengshuping (Peng Shuping)" <pengshuping@huawei.com>, 6man WG <ipv6@ietf.org>, ippm <ippm@ietf.org>, "C. M. Heard" <heard@pobox.com>, Mikael Abrahamsson <swmike@swm.pp.se>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/5_zmTqvb2k9JOTd--PMXeTx9w4U>
Subject: Re: [ippm] draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2019 18:15:50 -0000

On Fri, Apr 5, 2019 at 10:55 AM Jai Kumar <jai.kumar@broadcom.com> wrote:
>
> Even if we use flow label for ECMP, lack of accessibility of L4 information (for various services, most simple is ACL) makes the proposal pretty much unusable.
>
That is convoluting router and firewall functionality and
requirements. This a discussion about packet forwarding which does
_not_ require ACLs. In a limited domain, for which IOAM is intended,
it is unlikely that they'll ACLs would be used in internal nodes, but
we do need good ECMP routing at all intermediate nodes need to be
consistent rather or not that the IOAM option is present. As side
note, the ability to extract L4 information out of packets is
dwindling anyway thanks to encryption and other techniques trying to
undo protocol ossification. For instance, good luck getting L4
information out of an IPsec tunnel :-).

Tom

> NIC cards are not used pervasively for ACLs and other services, I believe iptables in kernel are good enough for host but that’s not acceptable in networking elements.
>
> -Jai
>
> On 4/5/19, 10:31 AM, "ippm on behalf of Tom Herbert" <ippm-bounces@ietf.org on behalf of tom@herbertland.com> wrote:
>
>     On Fri, Apr 5, 2019 at 9:16 AM Pengshuping (Peng Shuping)
>     <pengshuping@huawei.com> wrote:
>     >
>     > Hi Barak,
>     >
>     > We are certainly not designing for the lowest capable solutions but exploring optimal solutions which could help to keep the forwarding performance while inserting the iOAM data with variable length.
>
>     Shuping,
>
>     That's exactly the argument for using the flow label in ECMP.
>     Efficeint packet forwarding can be done solely by inspected the forty
>     byte fixed length header of the packet regardless of the contents of
>     the rest of the packet. That is an optimal solution. Anything else for
>     ECMP like doing DPI or hacking up IOAM to try do pull transport layers
>     into the parsing buffer (whatever size that may be) are nothing more
>     than hacks and unnecessarily perpetuate techniques used with IPv4 that
>     either don't work or are unnecessary in IPv6.
>
>     Tom
>
>
>     >
>     > In terms of the forwarding efficiency, we would all agree that a short and fixed header would be better than a variable header.
>     >
>     > Best regards
>     > Shuping
>     >
>     >
>     > 发件人: Barak Gafni<gbarak@mellanox.com>
>     > 收件人: Pengshuping (Peng Shuping)<pengshuping@huawei.com>;Frank Brockners (fbrockne)<fbrockne@cisco.com>;Mikael Abrahamsson<swmike@swm.pp.se>
>     > 抄送: C. M. Heard<heard@pobox.com>;6man WG<ipv6@ietf.org>;Mark Smith<markzzzsmith@gmail.com>;ippm<ippm@ietf.org>
>     > 主题: RE: draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)
>     > 时间: 2019-04-05 03:18:26
>     >
>     > Hi Shuping,
>     > I think that the question is whether we design for the lowest capable solutions. I assume someone can find solutions with even lower amount of parsing.. The low end solutions for these capabilities may need to either adopt with new designs or use solutions such as what is suggested in this thread by Tom Herbert.
>     > Personally, I don't think we should go this way, but to design appropriate solutions, with appropriate layers in the headers. For example, prevent dependencies between "remote" headers.
>     >
>     > Thanks,
>     > Barak
>     >
>     > -----Original Message-----
>     > From: ippm <ippm-bounces@ietf.org> On Behalf Of Pengshuping (Peng Shuping)
>     > Sent: Wednesday, April 3, 2019 6:47 AM
>     > To: Frank Brockners (fbrockne) <fbrockne@cisco.com>; Mikael Abrahamsson <swmike@swm.pp.se>
>     > Cc: C. M. Heard <heard@pobox.com>; 6man WG <ipv6@ietf.org>; Mark Smith <markzzzsmith@gmail.com>; ippm@ietf.org
>     > Subject: [ippm] 答复: draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)
>     >
>     > Hi,
>     >
>     > The parsing depth of the early chips is 96B/128B. For the new chips the parsing depth has been increased but still limited. So Mikael's concern makes sense especially in the tracing mode that the IOAM data fields are going to increase significantly along the path, which will even push the Routing Header out of the parsing depth of the chip. So it would make sense to split the IOAM data part from the IOAM header/instruction part, and place the IOAM data after the RH or even after the L4 header in order to be able to read the L4 information to enable ECMP, as stated in the draft https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-li-6man-ipv6-sfc-ifit-00&amp;data=02%7C01%7Cgbarak%40mellanox.com%7C612ba6dc117440e68c4608d6b83ae174%7Ca652971c7d2e4d9ba6a4d149256f461b%7C0%7C0%7C636898960379485833&amp;sdata=Dob4zN%2F1jSGxLTlqGma29JJNvqJDBt4VzqHsN4OpxM4%3D&amp;reserved=0.
>     >
>     > BR,
>     > Shuping
>     >
>     >
>     > -----邮件原件-----
>     > 发件人: ippm [mailto:ippm-bounces@ietf.org] 代表 Frank Brockners (fbrockne)
>     > 发送时间: 2019年4月2日 17:40
>     > 收件人: Mikael Abrahamsson <swmike@swm.pp.se>
>     > 抄送: C. M. Heard <heard@pobox.com>; 6man WG <ipv6@ietf.org>; Mark Smith <markzzzsmith@gmail.com>; ippm@ietf.org
>     > 主题: Re: [ippm] draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)
>     >
>     >
>     >
>     > -----Original Message-----
>     > From: Mikael Abrahamsson <swmike@swm.pp.se>
>     > Sent: Dienstag, 2. April 2019 08:06
>     > To: Frank Brockners (fbrockne) <fbrockne@cisco.com>
>     > Cc: Mark Smith <markzzzsmith@gmail.com>; C. M. Heard <heard@pobox.com>; 6man WG <ipv6@ietf.org>; ippm@ietf.org
>     > Subject: RE: draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)
>     >
>     > On Mon, 1 Apr 2019, Frank Brockners (fbrockne) wrote:
>     >
>     > > ...FB: There is obviously no easy answer. Couple of thoughts:
>     > > * IOAM is considered a "domain specific" feature (see
>     > > draft-ietf-ippm-ioam-data-05, section 3). Routers in the IOAM domain
>     > > should be IOAM capable.  And IMHO,  we should add a statement to
>     > > draft-ioametal-ippm-6man-ioam-ipv6-deployment that an implementation
>     > > of IOAM MUST ensure "C1".
>     > >
>     > > * That said, there can be situations, where C1 cannot be achieved, e.g..
>     > > consider a network which does ECMP scheduling based on packet length.
>     > >
>     > > * What one could consider - and which is one suggested deployment
>     > > model
>     > > - is that by default IOAM data fields are added to _all_ customer
>     > > packets. The decapsulating node would decide whether the IOAM
>     > > information contained in a packet would be used (and exported) or not.
>     > > That way one would not need to deal with the situation that some
>     > > traffic carries IOAM while other does not - and might thus be treated
>     > > differently.
>     >
>     > Yes, I think this is the only way. Is there a risk that intermediate routers would not be IOAM capable? I think the C1 requirement is really really hard to fulfil and I'm also afraid that adding the IOAM header will actually make ECMP stop working on some platforms (because they would not have the capability to look deep enough into the packet to find L4 information, so it'll go back to 2 tuple ECMP instead of 5 tuple.
>     >
>     > But this question can only be answered by people with deep NPU knowledge...
>     >
>     > .....FB2: Given that IOAM is a domain specific feature - I expect that folks initially start to use it in domains (like e.g. a DC) where all boxes are IOAM capable and can trace the packet appropriately - or per Tom's note, can be configured so that one would do ECMP based on addresses and flow-label.  There are chips with pretty deep parsing capability (up to a few hundred bytes).
>     >
>     > > ...FB: The comparison to MPLS is interesting. How often do MPLS
>     > > packets leak and cause harm? For IOAM,
>     > > draft-ioametal-ippm-6man-ioam-ipv6-options-02 proposes a deployment
>     > > model similar to what we do for MPLS: Unless an interface is
>     > > explicitly configured for IOAM, packets with IOAM data fields MUST be dropped.
>     > > Hence leakage would only occur, if we have a clearly misbehaving
>     > > router which violates this rule. Similar to you, I'd also greatly
>     > > appreciate any pointers to research on how common MPLS leaked packets are.
>     >
>     > When it comes to "cause harm" I imagine there are (at least) two ways to cause harm, one is privacy/secrecy/security loss and the other one is actual operational loss.
>     >
>     > I know of bugs where labeled packets went the wrong way and caused them to be lost, I've also seen bugs where bugs caused traffic to "hop" between VRFs in MPLS VPN (or to "global" VRF). I don't have numbers on this though.
>     >
>     > Depending on the deployment scenario, it might make sense to make IOAM packets not valid for non-IOAM aware devices (basically encap entire packet/payload), but that might be a problem for intermediate non-IOAM nodes then. This would affect the ECMP requirement. I can see cases where one would operationally turn on IOAM for some customers traffic and then see the problem go away because now ECMP changed.
>     >
>     > > ...FB: One idea that Shwetha came up with to identify the source AS of
>     > > a leaked packet, would be to add a new new IOAM E2E option - as
>     > > proposed in section 5.1.1 bullet 2 of
>     > > draft-ioametal-ippm-6man-ioam-ipv6-deployment-01.
>     >
>     > Yes, that'd solve that problem.
>     >
>     > How much has the silicon people been involved so far in the design of the headers? What is the current thinking of amount of data going into the IOAM header? Considering things like trace options etc it seems to me the header can grow quite large? To satisfy the ECMP requirement what about putting the IOAM information as a trailer behind the regular payload? Or is there a problem for the hw to manipulate information that far into the packet (I also imagine this will considerably lower the forwarding performance of IOAM packets on IOAM aware platforms).
>     >
>     > .....FB2: There are quite a few folks with hardware background that co-author the IOAM drafts. Parsing capability differs between chips, as does the ability to deal with new/flexible headers and the ability to modify data in the extension headers. So the unfortunate answer to that question is "it depends" (what information do you gather, how large is your domain, what are the capabilities of your hardware/software forwarder, etc.), but I do expect that for specific deployment domains (e.g. DC, Enterprise) - but also for overlay networks / VPNs - we'll see an increasing amount of chips that are well suited for processing large extension header.
>     >
>     > Cheers, Frank
>     >
>     > --
>     > Mikael Abrahamsson    email: swmike@swm.pp.se
>     >
>     > _______________________________________________
>     > ippm mailing list
>     > ippm@ietf.org
>     > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fippm&amp;data=02%7C01%7Cgbarak%40mellanox.com%7C612ba6dc117440e68c4608d6b83ae174%7Ca652971c7d2e4d9ba6a4d149256f461b%7C0%7C0%7C636898960379485833&amp;sdata=VjZ1PiwifYGCf159je0yef3BJFz6AQNNAtkgmAMDFKM%3D&amp;reserved=0
>     > _______________________________________________
>     > ippm mailing list
>     > ippm@ietf.org
>     > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fippm&amp;data=02%7C01%7Cgbarak%40mellanox.com%7C612ba6dc117440e68c4608d6b83ae174%7Ca652971c7d2e4d9ba6a4d149256f461b%7C0%7C0%7C636898960379485833&amp;sdata=VjZ1PiwifYGCf159je0yef3BJFz6AQNNAtkgmAMDFKM%3D&amp;reserved=0
>     > --------------------------------------------------------------------
>     > IETF IPv6 working group mailing list
>     > ipv6@ietf.org
>     > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>     > --------------------------------------------------------------------
>
>     _______________________________________________
>     ippm mailing list
>     ippm@ietf.org
>     https://www.ietf.org/mailman/listinfo/ippm
>
>
>

v2.23.0 | Report a Bug | By Email