IETF Logo Mail Archive

Re: [ippm] draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)

"Frank Brockners (fbrockne)" <fbrockne@cisco.com> Thu, 28 March 2019 19:50 UTC

Return-Path: <fbrockne@cisco.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD3C61204CC; Thu, 28 Mar 2019 12:50:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=EohFZM3T; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=LnKt6AqI
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SGAqJhFKw80s; Thu, 28 Mar 2019 12:50:34 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B6DA12039E; Thu, 28 Mar 2019 12:50:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11052; q=dns/txt; s=iport; t=1553802634; x=1555012234; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=z6HxVgJFOgdmtQL3JgGiVYAc4aGNlzfXoBqInxmw++4=; b=EohFZM3TZJOvSZkh0QwY2MxOuRzupSxBP1mBxea5AAYbhbLNJL/GCboT z/5XTrNf4+hkYzmfCDHxoB9dhh/47dFaiPkRjVAY4omWv7Zp46/KGYQ6n jbKUn0v3XeO7P0Oj3ogVMWEzRiS4mFK+AM9uB14msFMcqoTo5KrCxRbn3 E=;
IronPort-PHdr: 9a23:83GFRBZSY3XpqdjJZq6m41H/LSx94ef9IxIV55w7irlHbqWk+dH4MVfC4el20gabRp3VvvRDjeee87vtX2AN+96giDgDa9QNMn1NksAKh0olCc+BB1f8KavkZTY9F8dEWXdu/mqwNg5eH8OtL1A=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AEAADwJJ1c/51dJa1bChoBAQEBAQIBAQEBBwIBAQEBgVEFAQEBAQsBgT0kLANodAQLJ4QOg0cDhFKKXIJXiTiNVoEuFIEQA1QNAQEYDQeEQAIXhR0iNAkNAQEDAQEJAQMCbRwMhUoBAQEEAQEhEQwBASwLAQsEAgEIEQQBAQECAh8HAgICHwYLFQgIAgQOBQgTgwiBXQMVAQIMn1ACihRxgS+CeAEBBYE1AoNRDQuCDAMFgQskAYsxF4FAP4ERRoJMPoIaRwEBA4ErAQcLASGDCDGCJoojJII1l3w2CQKHaogcg1mUDJE1gTyLdQIEAgQFAg4BAQWBTThlcXAVO4JsggoMFxODOIUUhT9ygSiMD4I+AQE
X-IronPort-AV: E=Sophos;i="5.60,281,1549929600"; d="scan'208";a="251840186"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 28 Mar 2019 19:50:33 +0000
Received: from XCH-RCD-008.cisco.com (xch-rcd-008.cisco.com [173.37.102.18]) by rcdn-core-6.cisco.com (8.15.2/8.15.2) with ESMTPS id x2SJoWEq032016 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 28 Mar 2019 19:50:33 GMT
Received: from xhs-aln-003.cisco.com (173.37.135.120) by XCH-RCD-008.cisco.com (173.37.102.18) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 28 Mar 2019 14:50:32 -0500
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 28 Mar 2019 14:50:31 -0500
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Thu, 28 Mar 2019 15:50:31 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector1-cisco-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=z6HxVgJFOgdmtQL3JgGiVYAc4aGNlzfXoBqInxmw++4=; b=LnKt6AqINGtihAn8g921bxepLw6PQ+8cX5oNVgnV9UHqVC02qUPNGOaNNQwWN08XZGX1PD9mPTupAqFoNKGQeqY2Um5qzrq03Z0DBjwOKWkAuD2uxIcGUbXWXB9mkV7bZ4VRE49DDaQdK/z+opkDvUOBcVae6kaqVCI9hTEsUso=
Received: from DM6PR11MB3625.namprd11.prod.outlook.com (20.178.230.149) by DM6PR11MB4092.namprd11.prod.outlook.com (20.176.126.33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1750.15; Thu, 28 Mar 2019 19:50:30 +0000
Received: from DM6PR11MB3625.namprd11.prod.outlook.com ([fe80::d145:a1f4:ed34:e31b]) by DM6PR11MB3625.namprd11.prod.outlook.com ([fe80::d145:a1f4:ed34:e31b%3]) with mapi id 15.20.1750.014; Thu, 28 Mar 2019 19:50:30 +0000
From: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
To: Mark Smith <markzzzsmith@gmail.com>
CC: "C. M. Heard" <heard@pobox.com>, 6man WG <ipv6@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>
Thread-Topic: draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)
Thread-Index: AQHU4eVk77oZnWiBmUa6JfuK7viq2qYclmiQgATixqA=
Date: Thu, 28 Mar 2019 19:50:30 +0000
Message-ID: <DM6PR11MB362528DB0EADA21493CC49A3DA590@DM6PR11MB3625.namprd11.prod.outlook.com>
References: <CACL_3VGxyn-PYosFsKPVdd8C=P5AbE6HD1zrimHKuh2MPkhnuQ@mail.gmail.com> <505272eac2dd44fa891d4d36d14da9af@XCH-RCD-008.cisco.com> <CAO42Z2wGMzc_RT=eWTx9Ve-5reS0nCWiteGOuE16=MB4Fg8mkg@mail.gmail.com> <f50040ab52d04867b9a5cefa1c3131c3@XCH-RCD-008.cisco.com> <CAO42Z2zgguekybwVuCh8Az3mK8gHp292BYnWYhJq-8KEyfKzOA@mail.gmail.com> <7ea9049fe6f44a40aefe4801bd796322@XCH-RCD-008.cisco.com> <CAO42Z2y5TS1+8YxNsr=BKz5v8-ZPTiO-M7CU2k6FzNqVZoU4VA@mail.gmail.com> <CY4PR11MB1335960AD9BF9A4B990F7E10DA4A0@CY4PR11MB1335.namprd11.prod.outlook.com> <CAO42Z2xqq=uksNQPxvF_CRSxf1V_MADbFurzW4hqQW0v478cyw@mail.gmail.com> <DM6PR11MB36254EAC97ACF07F5BAD43CADA5F0@DM6PR11MB3625.namprd11.prod.outlook.com>
In-Reply-To: <DM6PR11MB36254EAC97ACF07F5BAD43CADA5F0@DM6PR11MB3625.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=fbrockne@cisco.com;
x-originating-ip: [2001:420:c0c0:1001::2af]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: bc5510c6-b597-4be1-35f5-08d6b3b6a1f7
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:DM6PR11MB4092;
x-ms-traffictypediagnostic: DM6PR11MB4092:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <DM6PR11MB4092B4FCD451658596B6999FDA590@DM6PR11MB4092.namprd11.prod.outlook.com>
x-forefront-prvs: 0990C54589
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(39860400002)(136003)(346002)(396003)(366004)(51444003)(189003)(199004)(13464003)(76176011)(97736004)(9686003)(6306002)(11346002)(446003)(55016002)(1411001)(476003)(486006)(186003)(305945005)(93886005)(6116002)(74316002)(99286004)(4326008)(105586002)(229853002)(966005)(25786009)(68736007)(106356001)(5660300002)(54906003)(86362001)(33656002)(81166006)(6436002)(8936002)(81156014)(8676002)(102836004)(316002)(2906002)(478600001)(14454004)(6506007)(6916009)(256004)(7736002)(6246003)(46003)(66574012)(71190400001)(71200400001)(7696005)(14444005)(5024004)(52536014)(53546011)(53936002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM6PR11MB4092; H:DM6PR11MB3625.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: hUN7dt9xoiL0c8pDEf0gL66zOAT0QazA4K+36vdE5huwkJnSn5H6ORrlAkLVr5nD7ftJdlha2AHoViipXa3/R2/okrJhJwBDKiag6VZqdWFzCfVVaQb0/L852euX1e03s2DbgVb6ud5me56Zj0PuS8iEu625gUBmzqxKDh7N0m8rmTGeOviM1eSKG2RHi9QtZ7bPtHqhumuICaNWqsbhSnENZRgRpe4YqXm2Ihg9vgoRt7tHFdqr5wHayuPE9gMy4cadtOaTvQV8nQPo09Nmeziiag4lJ92TpKGgBNjqK4nR0JY7a5/+qjfj8WXx9swxN6COjYN1jH1PbGOhDiFqgDNf76BkXNRm+aiovDr0k5rxUuZXjVOgDDlVCnbCSVjxDPgj056iDJzr6rWqht1/Q3u9bCR6E0kfYygLgRvVHBU=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: bc5510c6-b597-4be1-35f5-08d6b3b6a1f7
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Mar 2019 19:50:30.1025 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB4092
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.18, xch-rcd-008.cisco.com
X-Outbound-Node: rcdn-core-6.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/c8o0yYxdtajTsoScd_Ai8J1WyDE>
Subject: Re: [ippm] draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2019 19:50:49 -0000

FYI - A new draft including Mark's comments below just got posted:
https://tools.ietf.org/html/draft-ioametal-ippm-6man-ioam-ipv6-deployment-01 

Frank

-----Original Message-----
From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Frank Brockners (fbrockne)
Sent: Dienstag, 26. März 2019 08:19
To: Mark Smith <markzzzsmith@gmail.com>
Cc: C. M. Heard <heard@pobox.com>; 6man WG <ipv6@ietf.org>; ippm@ietf.org
Subject: RE: draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)

Hi Mark,

Thanks much and now it is me to say sorry for the delay in responding. We'll add the additional paragraphs you suggest to the next revision.
Based on the outcome of the WG discussion on Friday we can decide whether folks are interested in broadening the scope of the doc to become more generic.

Thanks again, Frank

-----Original Message-----
From: Mark Smith <markzzzsmith@gmail.com> 
Sent: Sonntag, 24. März 2019 03:00
To: Frank Brockners (fbrockne) <fbrockne@cisco.com>
Cc: C. M. Heard <heard@pobox.com>; 6man WG <ipv6@ietf.org>; ippm@ietf.org
Subject: draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)

Hi Frank,

Apologies not to get back to you sooner, I missed this email (and now have a filter to highlight emails directly sent to me). Also apologies for sending feedback so close to IETF104.

On Thu, 14 Mar 2019 at 03:23, Frank Brockners (fbrockne) <fbrockne@cisco.com> wrote:
>
> With the upcoming meeting in Prague, I wanted to come back to this discussion:
>
> We've just recently posted a new draft (draft-ioametal-ippm-6man-ioam-ipv6-deployment-00) - which summarizes a set of deployment considerations for IOAM with IPv6, i.e. complementing 6man draft-ioametal-ippm-6man-ioam-ipv6-options-01. draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 also includes the deployment scenario that Mark detailed below.
>
> Appreciate your thoughts - especially from 6man to provide for proper guidance to IPPM.
>

<snip>

Thanks very much to you and the other authors for writing up that this Internet Draft.

Regarding

"3.  Considerations for IOAM deployment in IPv6 networks"

that's an excellent list and set of descriptions of what I think are the requirements for when information is added to an existing IPv6 packet as it transits a network domain that wishes to add and then remove local domain supplementary information.

I think those requirements also apply to the addition of Segment Routing information to existing packets as they transit an SR domain, so one thought could be to extract them out and publish them as a more general Internet Draft, titled something like "Considerations For Adding Supplemental Information to IPv6 Packets Transiting a Network Sub-Domain". (Actually, reading more, I think most of the ID is not really that specific to IOAM, so most of the ID could probably be published as a more generic document on considerations for adding supplemental information to transit IP packets).


Regarding,

"5.1.1.  IPv6-in-IPv6 encapsulation"

where the outer encapsulation header destination IPv6 address is set to the same as the inner, original IPv6 destination address, for packets transiting the IOAM domain, I think that method would be quite vulnerable to C3:

"C3 Packets with IOAM data or associated ICMP errors, should not
      arrive at destinations which have no knowledge of IOAM.  Consider
      using IOAM in transit devices; misleading ICMP errors due to
      addition and/or presence of OAM data in the packet can confuse a
      source of the packet that did not insert the OAM information."


As the outer header IPv6 address is exterior to the IOAM domain as it is also the inner packet's DA, it means that standard and default IPv6 destination address based forwarding would forward the packet as is (i.e. encapsulated with IOAM information) external to the domain, without removing the outer IPv6 encapsulation and the IOAM information. In other words, IOAM information would leak if standard
IPv6 forwarding was used, which of course is enabled by default for
IPv6 routers.

To prevent that, the egress IOAM device would have to use non-standard, non-default IPv6 forwarding, which means deeper inspection of each and every egress packet regardless of its destination address, to see if it is an encapsulated IOAM packet, and to then remove the outer IPv6 header and IOAM information if it exists, before then standard IPv6 forwarding the original inner packet.

The advantage of using a separate and IOAM domain local and interior address space as in "5.1.2.  IP-in-IPv6 encapsulation with ULA", is that the outer packet ULA destination address is distinguishing which packets need IOAM encapsulation processing from those that don't (and of course, as the ULA address space is local to and unique to the IOAM domain, if they do leak externally, they have no valid destination to reach).

As those encapsulated IOAM packets are distinguished using the (outer) Destination Address, the selector for standard IPv6 forwarding, there is now no need for any special, new and more complex packet handling by the IOAM domain egress device. Using standard IPv6 forwarding avoids the complexity and implementation that would then be imposed on every router implementation that could be used as an egress IOAM domain device.

"2. To simplify debugging in case of leaked IOAM data fields in

       packets, consider a new IOAM E2E destination option to identify
       the Source IOAM domain (AS, v6 prefix).  Insert this option into
       the IOAM destination options EH attached to the outer IPv6
       header.  This additional information would allow for easy
       identification of an AS operator that is the source of packets
       with leaked IOAM information."

is suggesting a solution to the leaked IOAM issue. However I think it is always better to avoid a problem using an alternative method if possible, rather than to continue to let it the problem exist and then mitigate or eliminate its effects with even further mechanisms. It's more complexity to mitigate or eliminate, and that's more things that can break.


Regarding,

"5.1.2.  IP-in-IPv6 encapsulation with ULA"

Some suggested text -

"Addressing and routing in the ION are to be configured so
   that the IP-in-IPv6 encapsulated packets follow the same path as the
   original, non-encapsulated packet would have taken."

add something like

"This would create an internal IPv6 forwarding topology using the IOAM domain's interior ULA address space that is parallel with the forwarding topology that exists with the non-IOAM address space (the topology and address space that would be followed by packets that do not have supplemental IOAM information) . Establishment and maintenance of the parallel IOAM ULA forwarding topology could be automated in the future, similar to how LDP [RFC5036] is used in MPLS to establish and maintain an LSP forwarding topology that is parallel to the network's IGP forwarding topology."


"Assuming that the operational guidelines specified in Section 4 of
   [RFC4193] are properly followed, the probability of leaks in this
   approach will be almost close to zero."

add something like

"If the packets do leak through IOAM egress device misconfiguration or partial IOAM egress device failure, the packets' ULA destination address is invalid outside of the IOAM domain. There is no exterior destination to be reached, and the packets will be dropped when they encounter either a router external to the IOAM domain that has a packet filter that drops packets with ULA destinations, or a router that does not have a default route."


Regards,
Mark.
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email