IETF Logo Mail Archive

Re: [ippm] Comment on draft-ietf-ippm-ioam-ipv6-options-00

"Frank Brockners (fbrockne)" <fbrockne@cisco.com> Tue, 19 November 2019 23:51 UTC

Return-Path: <fbrockne@cisco.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B55E12008C for <ippm@ietfa.amsl.com>; Tue, 19 Nov 2019 15:51:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=RMFrPdFu; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=t1QGSNYn
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 55vdte_Ld8cS for <ippm@ietfa.amsl.com>; Tue, 19 Nov 2019 15:51:53 -0800 (PST)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E498B12008F for <ippm@ietf.org>; Tue, 19 Nov 2019 15:51:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9920; q=dns/txt; s=iport; t=1574207512; x=1575417112; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=I2kB4TOaBQ/IhBeDqgEiXM+x/hgiSXRRuTb2tWwR5rI=; b=RMFrPdFuffq52BAKOTskysiAU6jxgP2fwzkRZ97nlMC/XwN7Cimm+KO7 G8xUnzEqqfqN7sHTTsk6LQ5mSkVr3up7p/rMxO0gYgYiheYIyJ/eOPN9X Prfpjwppvf9KIAq0KSo6m3xRmoAwZrPamtKomMqwnT31ugpjnTkxVTGBt o=;
IronPort-PHdr: 9a23:/7DMxR1+B8n/CArhsmDT+zVfbzU7u7jyIg8e44YmjLQLaKm44pD+JxKGt+51ggrPWoPWo7JfhuzavrqoeFRI4I3J8RVgOIdJSwdDjMwXmwI6B8vQB0fhK/XpaSESF8VZX1gj9Ha+YgBY
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CwAAB1f9Rd/4gNJK1lGgEBAQEBAQEBAQMBAQEBEQEBAQICAQEBAYF+gUtQBWxYIAQLKoQqg0YDinOBdmiYAIJSA1QJAQEBDAEBGAsKAgEBhEACF4IOJDgTAgMNAQEEAQEBAgEFBG2FNwyFUQEBAQECAQEBEBERDAEBKQMLAQQHBAIBCBEEAQEBAgImAgICJQsVCAgCBA4FCBqDAYJGAw4gAQIMpwQCgTiIYHWBMoJ+AQEFhQ0YghcDBoEOKIwVGIFAP4ERRoJMPoJiAQGBOimDDjKCLI0Egw+eGgqCK4cahSaJKpVVhDyWBnqRUAIEAgQFAg4BAQWBaSKBWHAVO4JsUBEUkRoMF4NQhRSFP3SBKItRgWJeAQE
X-IronPort-AV: E=Sophos;i="5.69,219,1571702400"; d="scan'208";a="668715887"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 19 Nov 2019 23:51:51 +0000
Received: from XCH-ALN-003.cisco.com (xch-aln-003.cisco.com [173.36.7.13]) by alln-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id xAJNpph0032066 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 19 Nov 2019 23:51:51 GMT
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by XCH-ALN-003.cisco.com (173.36.7.13) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 19 Nov 2019 17:51:50 -0600
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 19 Nov 2019 18:51:49 -0500
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 19 Nov 2019 17:51:49 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=caCyd5zyqukC2UZu7BarxB6cl3yeOmm/7qyXJj1fgpxW/amGgbRiBnnR2kSrOLWLqddhpYcu+3VG9qxsOtjymJG8IBQ+oKT1W+LNSXm53mqmIHEOKIaO3IV5atQL9xnm9sqwIsttE7TF5E2ZnWYYlAm53rej1BTb6QSJly1pXKX94TbXIovjI/0J1t+gxecf9b1ZDGtm9OgtaZUpoW0JaFU+OFZZL4Vhi5tWLJcmcQ5aJCFcBHsPl9jNoX94Qxg10nyT/KMsY4B++ahqbm8ZT7ZMbMoOg4Gmlrjzyxn74+gMcWePCkcKMB+kuGXeZF5xGqLRzeSsgdHZybwcNERGkg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=I2kB4TOaBQ/IhBeDqgEiXM+x/hgiSXRRuTb2tWwR5rI=; b=Yd4abZSUlc1NaW5ajUN98Est3WPwjQmUkiCGykfpWxsPGqUgYiM9JJN+kf0aIP2x22uWEMeTe9Jo7dEWtU3UsJ7FoPczAjAEU+r1QCDSgp6SNa4XCnex7NiW+rL2T9bCOXz/PJXi0HWzyXo3ayrCET3PFAGHeyWYA/cAxS8cFGxJZ2Hb9uQV6eIwWXxQNeYS9NDArNvzxuwqOCbSmFJlAANaWIJuXhcCByBWY99pOhypAFleJL0wY6Fo0Uhuz593qaAjiATh01F1kUd5z62MkOaE6Xz3+Yz+r+zYbb7mSB0fJ11KVFIBxxENZ0e3JR1nUTkI7SqP4OCXFTtHXp2s4g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=I2kB4TOaBQ/IhBeDqgEiXM+x/hgiSXRRuTb2tWwR5rI=; b=t1QGSNYnAFQaMW0Tm0likkvBKNoDquOg/7dZbSKlwW1suMJV51T4ElwvI8Idxzze4enhIhkUK7XZ3YJeGqchaEEi5bwFpQ/PVp1y75jt1e47hEJQ4Q03xEnrdJb8S4NSla9P93aAypA20L9HWCkF94zZa0AL6uqMN/3/2OFGDvQ=
Received: from BYAPR11MB2584.namprd11.prod.outlook.com (52.135.228.31) by BYAPR11MB3718.namprd11.prod.outlook.com (20.178.238.214) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2451.29; Tue, 19 Nov 2019 23:51:48 +0000
Received: from BYAPR11MB2584.namprd11.prod.outlook.com ([fe80::854c:63ec:ff6f:7e8a]) by BYAPR11MB2584.namprd11.prod.outlook.com ([fe80::854c:63ec:ff6f:7e8a%6]) with mapi id 15.20.2451.031; Tue, 19 Nov 2019 23:51:48 +0000
From: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
To: Tom Herbert <tom@quantonium.net>
CC: "xiao.min2@zte.com.cn" <xiao.min2@zte.com.cn>, "ippm@ietf.org" <ippm@ietf.org>
Thread-Topic: [ippm] Comment on draft-ietf-ippm-ioam-ipv6-options-00
Thread-Index: AQHVnc+mkUUodDJUYkqiPluxlzl7UaeR2DNAgAAOdYCAAAZMkIAAufeAgACBNTA=
Date: Tue, 19 Nov 2019 23:51:48 +0000
Message-ID: <BYAPR11MB25843C29CD2476E4FBCE72DBDA4C0@BYAPR11MB2584.namprd11.prod.outlook.com>
References: <201911181318081812271@zte.com.cn> <BYAPR11MB2584C26544D5CC6DEE766FC7DA4C0@BYAPR11MB2584.namprd11.prod.outlook.com> <CAPDqMeqzB-PzHJM3MDH9oubpo3f23T7+ZGqv3daezxCq5c941A@mail.gmail.com> <BYAPR11MB258404FD5756841E455C13D4DA4C0@BYAPR11MB2584.namprd11.prod.outlook.com> <CAPDqMerT80akH__AkCpvr_5A3Ww-1_NPX9qXGdP8ay87O6bDpA@mail.gmail.com>
In-Reply-To: <CAPDqMerT80akH__AkCpvr_5A3Ww-1_NPX9qXGdP8ay87O6bDpA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=fbrockne@cisco.com;
x-originating-ip: [2001:420:c0c0:1005::5a]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d02a1f8e-f4be-44b4-cf0a-08d76d4b7101
x-ms-traffictypediagnostic: BYAPR11MB3718:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <BYAPR11MB371861A4DA8E32312579F1BDDA4C0@BYAPR11MB3718.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 022649CC2C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(346002)(396003)(376002)(136003)(39860400002)(199004)(189003)(13464003)(4326008)(9686003)(52536014)(66476007)(6306002)(46003)(55016002)(33656002)(476003)(71200400001)(71190400001)(446003)(11346002)(305945005)(76176011)(7736002)(7696005)(102836004)(316002)(53546011)(6506007)(256004)(966005)(14444005)(6436002)(8676002)(81166006)(25786009)(81156014)(5660300002)(186003)(229853002)(74316002)(478600001)(14454004)(8936002)(6246003)(486006)(6116002)(66946007)(76116006)(86362001)(66574012)(6916009)(66446008)(64756008)(66556008)(54906003)(2906002)(99286004); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR11MB3718; H:BYAPR11MB2584.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: lJ8FHyqAQBMagUmJ1UfIoQIB2qIzSyuge8wT1f0oyiGg3P2EdxFux+O7zh2vcvintpZyZMbeR3o+Tu1hwJdSHCyH0HZw1I9c0s5v4LagS33twlr5m0fLt94Ir7JoOdJeOXTCjUzV83CCOdCwMTNk7IqfrN0tu8NetMIdkrV6Hl7cP91N0X3U1adPaNxpXiCtJEnYPvFhji3d9UxGvEpLQuc3ww/zZdiypHvUluX9gG5+1wwne4XqcB2x/d/laRrrwTjTfsowxCYviBj9WuybxRb/wwjZ96Vod/3bC5IuxIJreQuF9PJgZFIuBQjdBbnV9XkO6HIVRs0lOs5V3LLEogEKfaizETMBcDAJaQih8abb07iNYKWCEXhFe8jRbUPP0AgA6NXHcP7GrFHA/KSJKABgCY/FQwoNlz9OQLy6r1YKtbut1XQgrKzaPwzGWI58sMP0NsbRuhfNQH1Fmp71aiQEABACSZo95SdAsqHokt0=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d02a1f8e-f4be-44b4-cf0a-08d76d4b7101
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Nov 2019 23:51:48.0454 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: V1S3zHAmYDG59I9is4Xk0WAE8H3GDrMhsNffreZyfiBgjU+tImyXWIoo78kpPNjsgyiq/OecRQA0oovHczGpYA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR11MB3718
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.13, xch-aln-003.cisco.com
X-Outbound-Node: alln-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/f3xd0-4qPcLuWpUhZochgKVpRhA>
Subject: Re: [ippm] Comment on draft-ietf-ippm-ioam-ipv6-options-00
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2019 23:51:57 -0000

Tom,

> -----Original Message-----
> From: Tom Herbert <tom@quantonium.net>
> Sent: Dienstag, 19. November 2019 23:52
> To: Frank Brockners (fbrockne) <fbrockne@cisco.com>
> Cc: xiao.min2@zte.com.cn; ippm@ietf.org
> Subject: Re: [ippm] Comment on draft-ietf-ippm-ioam-ipv6-options-00
> 
> On Mon, Nov 18, 2019 at 8:49 PM Frank Brockners (fbrockne)
> <fbrockne@cisco.com> wrote:
> >
> > Tom,
> >
> >
> > > -----Original Message-----
> > > From: Tom Herbert <tom@quantonium.net>
> > > Sent: Dienstag, 19. November 2019 12:24
> > > To: Frank Brockners (fbrockne) <fbrockne@cisco.com>
> > > Cc: xiao.min2@zte.com.cn; ippm@ietf.org
> > > Subject: Re: [ippm] Comment on draft-ietf-ippm-ioam-ipv6-options-00
> > >
> > > On Mon, Nov 18, 2019 at 7:47 PM Frank Brockners (fbrockne)
> > > <fbrockne@cisco.com> wrote:
> > > >
> > > > Hi Xiao,
> > > >
> > > >
> > > >
> > > > thanks for following up. Apparently the behavior described in
> > > > draft-ietf-ippm-ioam-ipv6-options-00 isn’t a bug – as we
> > > > speculated in the IPPM WG meeting yesterday, but the desired
> > > > behavior that we arrived at after WG discussions in 6man and with several
> IPv6 experts.
> > > > See
> > > > https://github.com/inband-
> > > oam/ietf/commit/48175cf89de6369a4d01017ec80c
> > > > 07b34f57f17c#diff-803b63dbe26303f504708318e255d884 (“Don't forward
> > > > an IOAM packet unless configured to do so.”)
> > > >
> > > > This behavior for IPv6 is to ensure that packets with IOAM do not
> > > > accidentally
> > > leak from a domain that employs IPv6.
> > > >
> > > > This also means for IPv6, things are more constrained than what is
> > > > stated in
> > > the more generic draft-ietf-ippm-ioam-data-08.
> > > >
> > > Frank,
> > >
> > > Per the draft-ietf-ippm-ioam-ipv6-options-00 the act bits are 00
> > > which means "skip over this option and continue processing the
> > > header". So if a router doesn't support IOAM, I believe other act
> > > bits like maybe
> > > 01 would be necessary to enforce the rule of “Don't forward an IOAM
> > > packet unless configured to do so.” Of course, nodes may also ignore
> > > HBH options completely per RFC8200 which means even such packets
> > > might be forwarded out of the domain anyway.
> >
> > ...  the current text is a for a more specific case, i.e. you have a router that
> *does* understand IOAM and receives a packet with IOAM on an interface that
> is not configured for IOAM.
> 
> But the draft says "This ensures that IOAM data does not unintentionally get
> forwarded outside the IOAM domain.", these requirements don't do that.

... FB: If everything is properly setup, packets with IOAM data fields should never leave the IOAM domain. 
Having a default of "drop" with the need to explicitly configure an "allow" reduces the potential of errors.
Which means we should soften the statement, given that it does not "ensure" that bad things don't happen - but it does try to help avoid bad things happening.

> 
> I see another issue, the option may be in a Destination Options header. So in
> order for a router to detect presence of the IOAM option it would need to
> examine the Desintation Option while the packet is inflight, but that prohibited
> by RFC8200: "Extension headers (except for the Hop-by-Hop Options header) are
> not processed, inserted, or deleted by any node along a packet's delivery
> path..."

...FB: Hmmm - I'm not following. Why would a router (i.e. transit node) look at DO? The text does not say that anywhere. 
If you are an IOAM encap/decap node (host or tunnel endpoint), you'd deal with DO and HbyH - and the text means: Ignore those on interfaces which aren't enabled for IOAM.
If you are an IOAM transit node, you'd deal with HbyH - and the text again means: Ignore those on interfaces which aren't enabled for IOAM.

> 
> > The conclusion from earlier discussions was to drop the packet - per the
> current text. This leaves default processing of unknown option types untouched
> - i.e. processing would happen per RFC 8200.
> 
> Yes, packet should be dropped at the domain edege, but that is a firewall
> functionality not router functionality. If we start adding requirements to routers
> to drop traffic on the basis of inspecting content not normally required for
> routing, then this will create a avalanche of router requirements for each type of
> limited domain.

...FB: Per what I said above, we don't ask the router to inspect anything that the router would look at in any case.
If you believe that the behavior of "explicitly enable an interface for IOAM" - i.e. ask for explicit config - does not add any benefits, and others feel the same way, we can drop that requirement from the spec again. It adds to configuration complexity - so unless we feel it adds a benefit, we should get rid of it. The earlier conversation we had on the topic concluded that it would add a benefit - which is why the text is there.

Cheers, Frank

> Clearly packets with SRH need to be dropped at edge, as do packets with private
> addresses, and there will no doubt be other cases. All of these fall under the
> auspices of firewalls at the edge of the domain, not routers within the domain.
> Segement rouitng handles this properly as filtering packets with SRH at edge is
> required.
> 
> Tom
> 
> 
> >
> > Frank
> >
> >
> > So trying to guarantee packets won't be forwarded
> > > out of the domain at all edge routers may be a futile effort. An
> > > alternative would be that the source SHOULD only use IOAM when it
> > > knows the destination is in the domain, and a firewall MAY be
> > > applied at the domain edge to drop packets with IOAM.
> > >
> > > Tom
> > >
> > > >
> > > >
> > > > Cheers, Frank
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > From: ippm <ippm-bounces@ietf.org> On Behalf Of
> > > > xiao.min2@zte.com.cn
> > > > Sent: Montag, 18. November 2019 13:18
> > > > To: ippm@ietf.org
> > > > Subject: [ippm] Comment on draft-ietf-ippm-ioam-ipv6-options-00
> > > >
> > > >
> > > >
> > > > Hi Frank,
> > > >
> > > >
> > > >
> > > > Repeat what I said on the mic this morning as below.
> > > >
> > > >
> > > >
> > > > In section 3 of draft-ietf-ippm-ioam-ipv6-options-00 it says:
> > > >
> > > > "Unless a particular interface is explicitly enabled (i.e. explicitly
> configured)
> > > for IOAM, a router MUST drop packets which contain extension headers
> > > carrying IOAM data-fields."
> > > >
> > > > But in section 4.4 of draft-ietf-ippm-ioam-data-08 it says:
> > > >
> > > > "If not all nodes within a domain are IOAM capable, IOAM tracing
> > > > information
> > > (i.e., node data, see below) will only be collected on those nodes
> > > which are IOAM capable.  Nodes which are not IOAM capable will
> > > forward the packet without any changes to the IOAM-Data-Fields."
> > > >
> > > > It seems they're not in alignment.
> > > >
> > > >
> > > >
> > > > Best Regards,
> > > >
> > > > Xiao Min
> > > >
> > > > _______________________________________________
> > > > ippm mailing list
> > > > ippm@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/ippm

v2.23.0 | Report a Bug | By Email