IETF Logo Mail Archive

Re: [ippm] Comment on draft-ietf-ippm-ioam-ipv6-options-00

Tom Herbert <tom@quantonium.net> Tue, 19 November 2019 15:52 UTC

Return-Path: <tom@quantonium.net>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4436D120BF9 for <ippm@ietfa.amsl.com>; Tue, 19 Nov 2019 07:52:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=quantonium-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v5vNGbMNcGJh for <ippm@ietfa.amsl.com>; Tue, 19 Nov 2019 07:52:11 -0800 (PST)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F5AF120BEE for <ippm@ietf.org>; Tue, 19 Nov 2019 07:52:10 -0800 (PST)
Received: by mail-ed1-x52d.google.com with SMTP id a21so17439003edj.8 for <ippm@ietf.org>; Tue, 19 Nov 2019 07:52:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quantonium-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=BCi0Jit63ePzjeip5+WrwIJiu00sLyTbyi5QIkhOMX4=; b=TNAgC2Bo1w/veEFRZHQ4rh2aDR7HmpdEOrnbhDpk1uxpOs6S4qNQ88Orl1tEztMggb 3Lxw4qrcPxx/hCQwPgCY74kqN+IP987FmxvXPIOeC6pZMCz9ccO3jdY/S8dcMJlSNSoY NM1w87beJFzMvkG8bMNJDyRp1pwxtnHjJAeAR0NsWGWZ8sz22L5sGYkDnx3J73xPagB5 xBHaHCmYPODKQIL5iwWWLIKK/neir1CrwVuK0ZRyExEo431+NtuBdT9gP066CeC7rU54 MFutnvs6JZ6q3UkGoyY0fIFlcNcBpl8e4LVkneB1sEmciaQww+zH9zjswVOG0owwveYm WtoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=BCi0Jit63ePzjeip5+WrwIJiu00sLyTbyi5QIkhOMX4=; b=Ag3OF6Tl6uZ7Ikmtb+7sIj+0InvVmkmub/k+9RwTk57y9um2MYXM8MlHW92iRB/GFs OIqmaCrXx/jGvYqqELj4Iq/tKdj577E31oD9g4ne8GKWuYoLwMZ4j4xmAat5fk5GB+P6 DYkBdHLc4uvXw2PCcj9uiwlXNUprNxOYJ0qAYPKvYlz3B0Mcj7UVT7NKecW4ANB8KDSF VBDCSKv72ThIp5k1KvTWUlgHt2lYkcDuYBN8meT1FWgUdSLj1OB1v6ZecwvCcq6o+opQ D92uqO8Y066ySfpEZA9du1LB0oproHUbz+sq3dNOlF6q9EnEan7fHn/G/b3GmpeLjWY6 nqXg==
X-Gm-Message-State: APjAAAXthtk+hmRLCSoUGn3yczqF3Yp0WYGQO/mqs4mWbW6YmGjTCuTQ TJ8H6c2+OynyWM5CCA8bzEIyzxg753Z+DIlCloMwyt+ad0E=
X-Google-Smtp-Source: APXvYqxylWLtLWTNeHvhkIlK1r5IFshW87Zz8fWDbsJW29GsbQpPiiGXP4C3vccwEu+pGdmC7gjqe+vo/Jt8fLZmOZY=
X-Received: by 2002:a17:907:2070:: with SMTP id qp16mr36168279ejb.115.1574178729231; Tue, 19 Nov 2019 07:52:09 -0800 (PST)
MIME-Version: 1.0
References: <201911181318081812271@zte.com.cn> <BYAPR11MB2584C26544D5CC6DEE766FC7DA4C0@BYAPR11MB2584.namprd11.prod.outlook.com> <CAPDqMeqzB-PzHJM3MDH9oubpo3f23T7+ZGqv3daezxCq5c941A@mail.gmail.com> <BYAPR11MB258404FD5756841E455C13D4DA4C0@BYAPR11MB2584.namprd11.prod.outlook.com>
In-Reply-To: <BYAPR11MB258404FD5756841E455C13D4DA4C0@BYAPR11MB2584.namprd11.prod.outlook.com>
From: Tom Herbert <tom@quantonium.net>
Date: Tue, 19 Nov 2019 07:51:57 -0800
Message-ID: <CAPDqMerT80akH__AkCpvr_5A3Ww-1_NPX9qXGdP8ay87O6bDpA@mail.gmail.com>
To: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
Cc: "xiao.min2@zte.com.cn" <xiao.min2@zte.com.cn>, "ippm@ietf.org" <ippm@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/HxrWAGDXwhrwnN2q2qqV3IkfNqw>
Subject: Re: [ippm] Comment on draft-ietf-ippm-ioam-ipv6-options-00
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2019 15:52:15 -0000

On Mon, Nov 18, 2019 at 8:49 PM Frank Brockners (fbrockne)
<fbrockne@cisco.com> wrote:
>
> Tom,
>
>
> > -----Original Message-----
> > From: Tom Herbert <tom@quantonium.net>
> > Sent: Dienstag, 19. November 2019 12:24
> > To: Frank Brockners (fbrockne) <fbrockne@cisco.com>
> > Cc: xiao.min2@zte.com.cn; ippm@ietf.org
> > Subject: Re: [ippm] Comment on draft-ietf-ippm-ioam-ipv6-options-00
> >
> > On Mon, Nov 18, 2019 at 7:47 PM Frank Brockners (fbrockne)
> > <fbrockne@cisco.com> wrote:
> > >
> > > Hi Xiao,
> > >
> > >
> > >
> > > thanks for following up. Apparently the behavior described in
> > > draft-ietf-ippm-ioam-ipv6-options-00 isn’t a bug – as we speculated in
> > > the IPPM WG meeting yesterday, but the desired behavior that we
> > > arrived at after WG discussions in 6man and with several IPv6 experts.
> > > See
> > > https://github.com/inband-
> > oam/ietf/commit/48175cf89de6369a4d01017ec80c
> > > 07b34f57f17c#diff-803b63dbe26303f504708318e255d884 (“Don't forward an
> > > IOAM packet unless configured to do so.”)
> > >
> > > This behavior for IPv6 is to ensure that packets with IOAM do not accidentally
> > leak from a domain that employs IPv6.
> > >
> > > This also means for IPv6, things are more constrained than what is stated in
> > the more generic draft-ietf-ippm-ioam-data-08.
> > >
> > Frank,
> >
> > Per the draft-ietf-ippm-ioam-ipv6-options-00 the act bits are 00 which means
> > "skip over this option and continue processing the header". So if a router doesn't
> > support IOAM, I believe other act bits like maybe
> > 01 would be necessary to enforce the rule of “Don't forward an IOAM packet
> > unless configured to do so.” Of course, nodes may also ignore HBH options
> > completely per RFC8200 which means even such packets might be forwarded
> > out of the domain anyway.
>
> ...  the current text is a for a more specific case, i.e. you have a router that *does* understand IOAM and receives a packet with IOAM on an interface that is not configured for IOAM.

But the draft says "This ensures that IOAM data does not
unintentionally get forwarded outside the IOAM domain.", these
requirements don't do that.

I see another issue, the option may be in a Destination Options
header. So in order for a router to detect presence of the IOAM option
it would need to examine the Desintation Option while the packet is
inflight, but that prohibited by RFC8200: "Extension headers (except
for the Hop-by-Hop Options header) are not processed, inserted, or
deleted by any node along a packet's delivery path..."

> The conclusion from earlier discussions was to drop the packet - per the current text. This leaves default processing of unknown option types untouched - i.e. processing would happen per RFC 8200.

Yes, packet should be dropped at the domain edege, but that is a
firewall functionality not router functionality. If we start adding
requirements to routers to drop traffic on the basis of inspecting
content not normally required for routing, then this will create a
avalanche of router requirements for each type of limited domain.
Clearly packets with SRH need to be dropped at edge, as do packets
with private addresses, and there will no doubt be other cases. All of
these fall under the auspices of firewalls at the edge of the domain,
not routers within the domain. Segement rouitng handles this properly
as filtering packets with SRH at edge is required.

Tom


>
> Frank
>
>
> So trying to guarantee packets won't be forwarded
> > out of the domain at all edge routers may be a futile effort. An alternative would
> > be that the source SHOULD only use IOAM when it knows the destination is in
> > the domain, and a firewall MAY be applied at the domain edge to drop packets
> > with IOAM.
> >
> > Tom
> >
> > >
> > >
> > > Cheers, Frank
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > From: ippm <ippm-bounces@ietf.org> On Behalf Of xiao.min2@zte.com.cn
> > > Sent: Montag, 18. November 2019 13:18
> > > To: ippm@ietf.org
> > > Subject: [ippm] Comment on draft-ietf-ippm-ioam-ipv6-options-00
> > >
> > >
> > >
> > > Hi Frank,
> > >
> > >
> > >
> > > Repeat what I said on the mic this morning as below.
> > >
> > >
> > >
> > > In section 3 of draft-ietf-ippm-ioam-ipv6-options-00 it says:
> > >
> > > "Unless a particular interface is explicitly enabled (i.e. explicitly   configured)
> > for IOAM, a router MUST drop packets which contain extension headers carrying
> > IOAM data-fields."
> > >
> > > But in section 4.4 of draft-ietf-ippm-ioam-data-08 it says:
> > >
> > > "If not all nodes within a domain are IOAM capable, IOAM tracing information
> > (i.e., node data, see below) will only be collected on those nodes which are
> > IOAM capable.  Nodes which are not IOAM capable will forward the packet
> > without any changes to the IOAM-Data-Fields."
> > >
> > > It seems they're not in alignment.
> > >
> > >
> > >
> > > Best Regards,
> > >
> > > Xiao Min
> > >
> > > _______________________________________________
> > > ippm mailing list
> > > ippm@ietf.org
> > > https://www.ietf.org/mailman/listinfo/ippm

v2.23.0 | Report a Bug | By Email