IETF Logo Mail Archive

Re: [ippm] Comment on draft-ietf-ippm-ioam-ipv6-options-00

Tom Herbert <tom@quantonium.net> Wed, 20 November 2019 00:17 UTC

Return-Path: <tom@quantonium.net>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6ED0A120133 for <ippm@ietfa.amsl.com>; Tue, 19 Nov 2019 16:17:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=quantonium-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ysmVAeXrORE9 for <ippm@ietfa.amsl.com>; Tue, 19 Nov 2019 16:17:17 -0800 (PST)
Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [IPv6:2a00:1450:4864:20::536]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8A4B120115 for <ippm@ietf.org>; Tue, 19 Nov 2019 16:17:16 -0800 (PST)
Received: by mail-ed1-x536.google.com with SMTP id l25so18762304edt.6 for <ippm@ietf.org>; Tue, 19 Nov 2019 16:17:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quantonium-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=HNfVaZfU6O0/ohzl8QtcyaumbK4kZZiFk23fruKc7WA=; b=zr9zCxFkaKz1/D0rVQkpuggb7GBqH2ws7IzGQB01ocq4IL0w8Yczjbp8uKjoa1ycWQ 2YQgCmaQP6TkVoghq1Bt8Rf2slKnwgKpOORt7BNYY8z6vugcsHZyqGaM9ny5+cLoLzR9 cUNTJywI/htyQeG9RrbsJlTOuWuL2s50C15+07VZH6R+8YnFxk06rhnjCyQZJYm6XkuA oe87NU9GqtdqrObRQUV/a3FeDldtRaBV3r3GgWbcAwQZVT53rtkdJKVuNDt3d98esT/Z 4zidajlhNOnTtHHkkCI7gZ+YFPjBxHKDv2dr4P+PNXW06+ipJlLoytZzhKOS+82fOd3R A0AA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=HNfVaZfU6O0/ohzl8QtcyaumbK4kZZiFk23fruKc7WA=; b=BcEOJ8wJCcANPP+JrR3Y/t2cIsuKXVk03OrfumocSDwLLvZFweI12vWX3pWpE9LiiQ /ms6hzIqm/JbZ2WezT9sEJoxcrZ9FacPvaQ/jcT5/5QEYA+4p9flXi6bOLUFoZLI603s ZjKLgSdSLZsqgTGgsNooW6AlbtfEFmT5609ZJFNBdArirInyVYNHdXhiQGhqFVEt+fXj gVUvPIpH4JKkySmbOy6WU265apkTkwExDnpaY9riWB/RmiHXmTHezd2y21rjfH+e/Cke RQhZGRYANI/gpnGcUbLGtTiuzRS1CSz73m+SOHmoT5qyTQnQZVFAgHT3K+MPCwZEtJWK fIBw==
X-Gm-Message-State: APjAAAVLFeDXvTSnon+idRJdcpsT4NSmwPYgWD4iBe3fioI8Kqg7dtyt V2npnGmndImGnj+y9+TKdYv28QWvnwVVzp4Wtr/ebg==
X-Google-Smtp-Source: APXvYqzQQ9IM0RZ3xoFO6iuHCfw+GFmAOg1W34Vx3SFpoluGS9oXinMy4L8XR2igDWv6XD5vT7xWnZYH+65RvuHs6XI=
X-Received: by 2002:a17:906:5c06:: with SMTP id e6mr754922ejq.195.1574209035263; Tue, 19 Nov 2019 16:17:15 -0800 (PST)
MIME-Version: 1.0
References: <201911181318081812271@zte.com.cn> <BYAPR11MB2584C26544D5CC6DEE766FC7DA4C0@BYAPR11MB2584.namprd11.prod.outlook.com> <CAPDqMeqzB-PzHJM3MDH9oubpo3f23T7+ZGqv3daezxCq5c941A@mail.gmail.com> <BYAPR11MB258404FD5756841E455C13D4DA4C0@BYAPR11MB2584.namprd11.prod.outlook.com> <CAPDqMerT80akH__AkCpvr_5A3Ww-1_NPX9qXGdP8ay87O6bDpA@mail.gmail.com> <BYAPR11MB25843C29CD2476E4FBCE72DBDA4C0@BYAPR11MB2584.namprd11.prod.outlook.com>
In-Reply-To: <BYAPR11MB25843C29CD2476E4FBCE72DBDA4C0@BYAPR11MB2584.namprd11.prod.outlook.com>
From: Tom Herbert <tom@quantonium.net>
Date: Tue, 19 Nov 2019 16:17:04 -0800
Message-ID: <CAPDqMeqOqeqkOzgpw0YZMAufSfjDGzvvBVMVRDV2TNK3sjzUgA@mail.gmail.com>
To: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
Cc: "xiao.min2@zte.com.cn" <xiao.min2@zte.com.cn>, "ippm@ietf.org" <ippm@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/MjxCMNz5l8Yz6qIIly5Ta8D8-FM>
Subject: Re: [ippm] Comment on draft-ietf-ippm-ioam-ipv6-options-00
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2019 00:17:21 -0000

On Tue, Nov 19, 2019 at 3:51 PM Frank Brockners (fbrockne)
<fbrockne@cisco.com> wrote:
>
> Tom,
>
> > -----Original Message-----
> > From: Tom Herbert <tom@quantonium.net>
> > Sent: Dienstag, 19. November 2019 23:52
> > To: Frank Brockners (fbrockne) <fbrockne@cisco.com>
> > Cc: xiao.min2@zte.com.cn; ippm@ietf.org
> > Subject: Re: [ippm] Comment on draft-ietf-ippm-ioam-ipv6-options-00
> >
> > On Mon, Nov 18, 2019 at 8:49 PM Frank Brockners (fbrockne)
> > <fbrockne@cisco.com> wrote:
> > >
> > > Tom,
> > >
> > >
> > > > -----Original Message-----
> > > > From: Tom Herbert <tom@quantonium.net>
> > > > Sent: Dienstag, 19. November 2019 12:24
> > > > To: Frank Brockners (fbrockne) <fbrockne@cisco.com>
> > > > Cc: xiao.min2@zte.com.cn; ippm@ietf.org
> > > > Subject: Re: [ippm] Comment on draft-ietf-ippm-ioam-ipv6-options-00
> > > >
> > > > On Mon, Nov 18, 2019 at 7:47 PM Frank Brockners (fbrockne)
> > > > <fbrockne@cisco.com> wrote:
> > > > >
> > > > > Hi Xiao,
> > > > >
> > > > >
> > > > >
> > > > > thanks for following up. Apparently the behavior described in
> > > > > draft-ietf-ippm-ioam-ipv6-options-00 isn’t a bug – as we
> > > > > speculated in the IPPM WG meeting yesterday, but the desired
> > > > > behavior that we arrived at after WG discussions in 6man and with several
> > IPv6 experts.
> > > > > See
> > > > > https://github.com/inband-
> > > > oam/ietf/commit/48175cf89de6369a4d01017ec80c
> > > > > 07b34f57f17c#diff-803b63dbe26303f504708318e255d884 (“Don't forward
> > > > > an IOAM packet unless configured to do so.”)
> > > > >
> > > > > This behavior for IPv6 is to ensure that packets with IOAM do not
> > > > > accidentally
> > > > leak from a domain that employs IPv6.
> > > > >
> > > > > This also means for IPv6, things are more constrained than what is
> > > > > stated in
> > > > the more generic draft-ietf-ippm-ioam-data-08.
> > > > >
> > > > Frank,
> > > >
> > > > Per the draft-ietf-ippm-ioam-ipv6-options-00 the act bits are 00
> > > > which means "skip over this option and continue processing the
> > > > header". So if a router doesn't support IOAM, I believe other act
> > > > bits like maybe
> > > > 01 would be necessary to enforce the rule of “Don't forward an IOAM
> > > > packet unless configured to do so.” Of course, nodes may also ignore
> > > > HBH options completely per RFC8200 which means even such packets
> > > > might be forwarded out of the domain anyway.
> > >
> > > ...  the current text is a for a more specific case, i.e. you have a router that
> > *does* understand IOAM and receives a packet with IOAM on an interface that
> > is not configured for IOAM.
> >
> > But the draft says "This ensures that IOAM data does not unintentionally get
> > forwarded outside the IOAM domain.", these requirements don't do that.
>
> ... FB: If everything is properly setup, packets with IOAM data fields should never leave the IOAM domain.

Frank,

If everything were set up correctly one would expect that the source
would only set IOAM in the packet if it knows that the destination is
in the domain. From that POV the purpose of an egress firewall is to
protect against misconfiguration or bugs.

> Having a default of "drop" with the need to explicitly configure an "allow" reduces the potential of errors.
> Which means we should soften the statement, given that it does not "ensure" that bad things don't happen - but it does try to help avoid bad things happening.

An explicit firewall at the edge could just as easily and more
completely enforce the isolation. Per the current draft requirements,
even non-edge routers need to act as firewalls for IOAM.

>
> >
> > I see another issue, the option may be in a Destination Options header. So in
> > order for a router to detect presence of the IOAM option it would need to
> > examine the Desintation Option while the packet is inflight, but that prohibited
> > by RFC8200: "Extension headers (except for the Hop-by-Hop Options header) are
> > not processed, inserted, or deleted by any node along a packet's delivery
> > path..."
>
> ...FB: Hmmm - I'm not following. Why would a router (i.e. transit node) look at DO? The text does not say that anywhere.

Per the draft: "IOAM data fields are encapsulated in "option data"
fields of two types of extension headers in IPv6 packets - either
Hop-by-Hop Options header or Destination options header."

-and-

"Unless a particular interface is explicitly enabled (i.e. explicitly
configured) for IOAM, a router MUST drop packets which contain
extension headers carrying IOAM data-fields."

Putting these two statements together means that a router MUST drop
packets with a Destination Options header that carried IOAM
data-fields regardless of whether the packet is addressed to the
router. If the intent is that the router only drops for HBH then the
requirement should read "...a router MUST drop packets which contain a
Hop-by-Hop extension header carrying IOAM data-fields."

Tom

> If you are an IOAM encap/decap node (host or tunnel endpoint), you'd deal with DO and HbyH - and the text means: Ignore those on interfaces which aren't enabled for IOAM.
> If you are an IOAM transit node, you'd deal with HbyH - and the text again means: Ignore those on interfaces which aren't enabled for IOAM.
>
> >
> > > The conclusion from earlier discussions was to drop the packet - per the
> > current text. This leaves default processing of unknown option types untouched
> > - i.e. processing would happen per RFC 8200.
> >
> > Yes, packet should be dropped at the domain edege, but that is a firewall
> > functionality not router functionality. If we start adding requirements to routers
> > to drop traffic on the basis of inspecting content not normally required for
> > routing, then this will create a avalanche of router requirements for each type of
> > limited domain.
>
> ...FB: Per what I said above, we don't ask the router to inspect anything that the router would look at in any case.
> If you believe that the behavior of "explicitly enable an interface for IOAM" - i.e. ask for explicit config - does not add any benefits, and others feel the same way, we can drop that requirement from the spec again. It adds to configuration complexity - so unless we feel it adds a benefit, we should get rid of it. The earlier conversation we had on the topic concluded that it would add a benefit - which is why the text is there.
>
> Cheers, Frank
>
> > Clearly packets with SRH need to be dropped at edge, as do packets with private
> > addresses, and there will no doubt be other cases. All of these fall under the
> > auspices of firewalls at the edge of the domain, not routers within the domain.
> > Segement rouitng handles this properly as filtering packets with SRH at edge is
> > required.
> >
> > Tom
> >
> >
> > >
> > > Frank
> > >
> > >
> > > So trying to guarantee packets won't be forwarded
> > > > out of the domain at all edge routers may be a futile effort. An
> > > > alternative would be that the source SHOULD only use IOAM when it
> > > > knows the destination is in the domain, and a firewall MAY be
> > > > applied at the domain edge to drop packets with IOAM.
> > > >
> > > > Tom
> > > >
> > > > >
> > > > >
> > > > > Cheers, Frank
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > From: ippm <ippm-bounces@ietf.org> On Behalf Of
> > > > > xiao.min2@zte.com.cn
> > > > > Sent: Montag, 18. November 2019 13:18
> > > > > To: ippm@ietf.org
> > > > > Subject: [ippm] Comment on draft-ietf-ippm-ioam-ipv6-options-00
> > > > >
> > > > >
> > > > >
> > > > > Hi Frank,
> > > > >
> > > > >
> > > > >
> > > > > Repeat what I said on the mic this morning as below.
> > > > >
> > > > >
> > > > >
> > > > > In section 3 of draft-ietf-ippm-ioam-ipv6-options-00 it says:
> > > > >
> > > > > "Unless a particular interface is explicitly enabled (i.e. explicitly
> > configured)
> > > > for IOAM, a router MUST drop packets which contain extension headers
> > > > carrying IOAM data-fields."
> > > > >
> > > > > But in section 4.4 of draft-ietf-ippm-ioam-data-08 it says:
> > > > >
> > > > > "If not all nodes within a domain are IOAM capable, IOAM tracing
> > > > > information
> > > > (i.e., node data, see below) will only be collected on those nodes
> > > > which are IOAM capable.  Nodes which are not IOAM capable will
> > > > forward the packet without any changes to the IOAM-Data-Fields."
> > > > >
> > > > > It seems they're not in alignment.
> > > > >
> > > > >
> > > > >
> > > > > Best Regards,
> > > > >
> > > > > Xiao Min
> > > > >
> > > > > _______________________________________________
> > > > > ippm mailing list
> > > > > ippm@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/ippm

v2.23.0 | Report a Bug | By Email