IETF Logo Mail Archive

Re: [ippm] draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)

"Frank Brockners (fbrockne)" <fbrockne@cisco.com> Tue, 26 March 2019 07:19 UTC

Return-Path: <fbrockne@cisco.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E34611202BC; Tue, 26 Mar 2019 00:19:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level:
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Iam7IYm0; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=YM5pIpwn
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tt7CU3_QwLQ5; Tue, 26 Mar 2019 00:19:10 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D74C21202A0; Tue, 26 Mar 2019 00:19:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9960; q=dns/txt; s=iport; t=1553584750; x=1554794350; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=ZTjOJskeW9F1FlvXqGqy/jFgv9MNiSRETrmNZOxK1B4=; b=Iam7IYm0EETED66Vc66wtPbRIP2t8FmK0BosUEJQfOjkqIOP3kUoAsnU OCfjbuIyV/rTduMAwwCbkTvsPICKvrS2qHFTBxON2KzOS+SnM+9r7Ulx1 6TwUPGwVPc7qTT9SYE3UYJQtRTfkY3AX6CcHzjWopaHgJTTwvFa0J7WZY Y=;
IronPort-PHdr: 9a23:xXGkQxMq2kom4/miRQYl6mtXPHoupqn0MwgJ65Eul7NJdOG58o//OFDEu6w/l0fHCIPc7f8My/HbtaztQyQh2d6AqzhDFf4ETBoZkYMTlg0kDtSCDBj1JuTtZC88EexJVURu+DewNk0GUMs=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AEAAAL0Zlc/5BdJa1aChoBAQEBAQIBAQEBBwIBAQEBgVEFAQEBAQsBgT0kLAOBXAQLJ4QOg0cDhFKKWoJXiTiNVYEuFIEQA1QNAQEshEACF4UCIjQJDQEBAwEBCQEDAm0cDIVKAQEBBCMRDAEBNwELBAIBCBEEAQEBAgIfBwICAh8RFQgIAgQOBQgThGUDFQECojwCihRxgS+CeAEBBYUKDQuCDAiBCyQBizEXgUA/gRFGgkw+ghqBdwEHCwEhgwgxgiaKG4JYl3M2CQKPeoNYlAKSXYtwAgQCBAUCDgEBBYFNOGVxcBU7gmyCCgwXE4M4ilNygSiMYoI+AQE
X-IronPort-AV: E=Sophos;i="5.60,271,1549929600"; d="scan'208";a="537733843"
Received: from rcdn-core-8.cisco.com ([173.37.93.144]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 26 Mar 2019 07:19:08 +0000
Received: from XCH-RCD-014.cisco.com (xch-rcd-014.cisco.com [173.37.102.24]) by rcdn-core-8.cisco.com (8.15.2/8.15.2) with ESMTPS id x2Q7J8If025660 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 26 Mar 2019 07:19:08 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by XCH-RCD-014.cisco.com (173.37.102.24) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 26 Mar 2019 02:19:07 -0500
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 26 Mar 2019 03:19:06 -0400
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 26 Mar 2019 03:19:06 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector1-cisco-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZTjOJskeW9F1FlvXqGqy/jFgv9MNiSRETrmNZOxK1B4=; b=YM5pIpwnBD3pjWXy5iPbuDQfrcn58MuwIJfZxfX0ipToDoGk/oBZ78iG7K2m9mlOVWXur5eSPokLIX7fdW/e/ZUL3K2S0H3fv8LJgd8nEZ1a5JbMr7UT7V3z+64+cYj+mBG12gmFqZ+tXDIi+6DjaCsdD/0d+8oa+nBSXdfYin4=
Received: from DM6PR11MB3625.namprd11.prod.outlook.com (20.178.230.149) by DM6PR11MB2699.namprd11.prod.outlook.com (20.176.99.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1730.18; Tue, 26 Mar 2019 07:19:04 +0000
Received: from DM6PR11MB3625.namprd11.prod.outlook.com ([fe80::d145:a1f4:ed34:e31b]) by DM6PR11MB3625.namprd11.prod.outlook.com ([fe80::d145:a1f4:ed34:e31b%3]) with mapi id 15.20.1730.019; Tue, 26 Mar 2019 07:19:04 +0000
From: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
To: Mark Smith <markzzzsmith@gmail.com>
CC: "C. M. Heard" <heard@pobox.com>, 6man WG <ipv6@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>
Thread-Topic: draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)
Thread-Index: AQHU4eVk77oZnWiBmUa6JfuK7viq2qYclmiQ
Date: Tue, 26 Mar 2019 07:19:04 +0000
Message-ID: <DM6PR11MB36254EAC97ACF07F5BAD43CADA5F0@DM6PR11MB3625.namprd11.prod.outlook.com>
References: <CACL_3VGxyn-PYosFsKPVdd8C=P5AbE6HD1zrimHKuh2MPkhnuQ@mail.gmail.com> <505272eac2dd44fa891d4d36d14da9af@XCH-RCD-008.cisco.com> <CAO42Z2wGMzc_RT=eWTx9Ve-5reS0nCWiteGOuE16=MB4Fg8mkg@mail.gmail.com> <f50040ab52d04867b9a5cefa1c3131c3@XCH-RCD-008.cisco.com> <CAO42Z2zgguekybwVuCh8Az3mK8gHp292BYnWYhJq-8KEyfKzOA@mail.gmail.com> <7ea9049fe6f44a40aefe4801bd796322@XCH-RCD-008.cisco.com> <CAO42Z2y5TS1+8YxNsr=BKz5v8-ZPTiO-M7CU2k6FzNqVZoU4VA@mail.gmail.com> <CY4PR11MB1335960AD9BF9A4B990F7E10DA4A0@CY4PR11MB1335.namprd11.prod.outlook.com> <CAO42Z2xqq=uksNQPxvF_CRSxf1V_MADbFurzW4hqQW0v478cyw@mail.gmail.com>
In-Reply-To: <CAO42Z2xqq=uksNQPxvF_CRSxf1V_MADbFurzW4hqQW0v478cyw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=fbrockne@cisco.com;
x-originating-ip: [2001:420:c0c0:1007::15e]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: aa4b284c-c9ef-4b78-130b-08d6b1bb5407
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600127)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:DM6PR11MB2699;
x-ms-traffictypediagnostic: DM6PR11MB2699:
x-microsoft-antispam-prvs: <DM6PR11MB26993878B5F6F8F8245D2EE4DA5F0@DM6PR11MB2699.namprd11.prod.outlook.com>
x-forefront-prvs: 09888BC01D
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(39860400002)(136003)(346002)(376002)(396003)(51444003)(189003)(199004)(13464003)(71200400001)(2906002)(7696005)(6116002)(476003)(52536014)(5660300002)(53936002)(66574012)(478600001)(11346002)(81156014)(74316002)(186003)(81166006)(71190400001)(8936002)(68736007)(102836004)(4326008)(99286004)(106356001)(25786009)(46003)(6916009)(7736002)(305945005)(316002)(54906003)(1411001)(6246003)(97736004)(76176011)(9686003)(8676002)(14444005)(6506007)(446003)(6436002)(86362001)(229853002)(486006)(55016002)(14454004)(33656002)(5024004)(105586002)(93886005)(256004)(53546011); DIR:OUT; SFP:1101; SCL:1; SRVR:DM6PR11MB2699; H:DM6PR11MB3625.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: ZK4pLYFa0HrMpYJ3ljrr9Llsan4O9Mu28kwRVVimnJkPtUEjzFmiUEseT2y6QfpvXNjj3qhmZPYVpaMVYEnSK1Tsj+OZ2tHg3Wcb4ZwML43E5zvHqaQq+XoqIulcyYTh0eNh3FVmifgoTm2nrcHC4jc/B13NL5YqxAoEM5n9mV+nQWWNLMtrpuikU+R6ez762OYApw+/OafiKfx0usECHuKPiyX3AFmkEOm9zX/a0s0vBPKed1/q9j6F/Gcyns6mhuk8NTicavY0jvPnUHbJ6cjRiG9zrHmgq4nDUd6lv5THKYO3+/OOJ6kP7yg2OwvXR+6Cm06h95AKdNGAEMD2AamWKPSmKYRFioC9uj0xRzwaYrOQ6JHhlSTc21S9D6r6khc3axhYgnGh1NMkPRO/JMG1bGBv+XHBdqWuWwF/jDE=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: aa4b284c-c9ef-4b78-130b-08d6b1bb5407
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Mar 2019 07:19:04.5113 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB2699
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.24, xch-rcd-014.cisco.com
X-Outbound-Node: rcdn-core-8.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/_2Kqcz2uTnRtVtxfLP4Eqf8jxfE>
Subject: Re: [ippm] draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 07:19:20 -0000

Hi Mark,

Thanks much and now it is me to say sorry for the delay in responding. We'll add the additional paragraphs you suggest to the next revision.
Based on the outcome of the WG discussion on Friday we can decide whether folks are interested in broadening the scope of the doc to become more generic.

Thanks again, Frank

-----Original Message-----
From: Mark Smith <markzzzsmith@gmail.com> 
Sent: Sonntag, 24. März 2019 03:00
To: Frank Brockners (fbrockne) <fbrockne@cisco.com>
Cc: C. M. Heard <heard@pobox.com>; 6man WG <ipv6@ietf.org>; ippm@ietf.org
Subject: draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)

Hi Frank,

Apologies not to get back to you sooner, I missed this email (and now have a filter to highlight emails directly sent to me). Also apologies for sending feedback so close to IETF104.

On Thu, 14 Mar 2019 at 03:23, Frank Brockners (fbrockne) <fbrockne@cisco.com> wrote:
>
> With the upcoming meeting in Prague, I wanted to come back to this discussion:
>
> We've just recently posted a new draft (draft-ioametal-ippm-6man-ioam-ipv6-deployment-00) - which summarizes a set of deployment considerations for IOAM with IPv6, i.e. complementing 6man draft-ioametal-ippm-6man-ioam-ipv6-options-01. draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 also includes the deployment scenario that Mark detailed below.
>
> Appreciate your thoughts - especially from 6man to provide for proper guidance to IPPM.
>

<snip>

Thanks very much to you and the other authors for writing up that this Internet Draft.

Regarding

"3.  Considerations for IOAM deployment in IPv6 networks"

that's an excellent list and set of descriptions of what I think are the requirements for when information is added to an existing IPv6 packet as it transits a network domain that wishes to add and then remove local domain supplementary information.

I think those requirements also apply to the addition of Segment Routing information to existing packets as they transit an SR domain, so one thought could be to extract them out and publish them as a more general Internet Draft, titled something like "Considerations For Adding Supplemental Information to IPv6 Packets Transiting a Network Sub-Domain". (Actually, reading more, I think most of the ID is not really that specific to IOAM, so most of the ID could probably be published as a more generic document on considerations for adding supplemental information to transit IP packets).


Regarding,

"5.1.1.  IPv6-in-IPv6 encapsulation"

where the outer encapsulation header destination IPv6 address is set to the same as the inner, original IPv6 destination address, for packets transiting the IOAM domain, I think that method would be quite vulnerable to C3:

"C3 Packets with IOAM data or associated ICMP errors, should not
      arrive at destinations which have no knowledge of IOAM.  Consider
      using IOAM in transit devices; misleading ICMP errors due to
      addition and/or presence of OAM data in the packet can confuse a
      source of the packet that did not insert the OAM information."


As the outer header IPv6 address is exterior to the IOAM domain as it is also the inner packet's DA, it means that standard and default IPv6 destination address based forwarding would forward the packet as is (i.e. encapsulated with IOAM information) external to the domain, without removing the outer IPv6 encapsulation and the IOAM information. In other words, IOAM information would leak if standard
IPv6 forwarding was used, which of course is enabled by default for
IPv6 routers.

To prevent that, the egress IOAM device would have to use non-standard, non-default IPv6 forwarding, which means deeper inspection of each and every egress packet regardless of its destination address, to see if it is an encapsulated IOAM packet, and to then remove the outer IPv6 header and IOAM information if it exists, before then standard IPv6 forwarding the original inner packet.

The advantage of using a separate and IOAM domain local and interior address space as in "5.1.2.  IP-in-IPv6 encapsulation with ULA", is that the outer packet ULA destination address is distinguishing which packets need IOAM encapsulation processing from those that don't (and of course, as the ULA address space is local to and unique to the IOAM domain, if they do leak externally, they have no valid destination to reach).

As those encapsulated IOAM packets are distinguished using the (outer) Destination Address, the selector for standard IPv6 forwarding, there is now no need for any special, new and more complex packet handling by the IOAM domain egress device. Using standard IPv6 forwarding avoids the complexity and implementation that would then be imposed on every router implementation that could be used as an egress IOAM domain device.

"2. To simplify debugging in case of leaked IOAM data fields in

       packets, consider a new IOAM E2E destination option to identify
       the Source IOAM domain (AS, v6 prefix).  Insert this option into
       the IOAM destination options EH attached to the outer IPv6
       header.  This additional information would allow for easy
       identification of an AS operator that is the source of packets
       with leaked IOAM information."

is suggesting a solution to the leaked IOAM issue. However I think it is always better to avoid a problem using an alternative method if possible, rather than to continue to let it the problem exist and then mitigate or eliminate its effects with even further mechanisms. It's more complexity to mitigate or eliminate, and that's more things that can break.


Regarding,

"5.1.2.  IP-in-IPv6 encapsulation with ULA"

Some suggested text -

"Addressing and routing in the ION are to be configured so
   that the IP-in-IPv6 encapsulated packets follow the same path as the
   original, non-encapsulated packet would have taken."

add something like

"This would create an internal IPv6 forwarding topology using the IOAM domain's interior ULA address space that is parallel with the forwarding topology that exists with the non-IOAM address space (the topology and address space that would be followed by packets that do not have supplemental IOAM information) . Establishment and maintenance of the parallel IOAM ULA forwarding topology could be automated in the future, similar to how LDP [RFC5036] is used in MPLS to establish and maintain an LSP forwarding topology that is parallel to the network's IGP forwarding topology."


"Assuming that the operational guidelines specified in Section 4 of
   [RFC4193] are properly followed, the probability of leaks in this
   approach will be almost close to zero."

add something like

"If the packets do leak through IOAM egress device misconfiguration or partial IOAM egress device failure, the packets' ULA destination address is invalid outside of the IOAM domain. There is no exterior destination to be reached, and the packets will be dropped when they encounter either a router external to the IOAM domain that has a packet filter that drops packets with ULA destinations, or a router that does not have a default route."


Regards,
Mark.

v2.23.0 | Report a Bug | By Email