IETF Logo Mail Archive

Re: [ippm] draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)

Tom Herbert <tom@herbertland.com> Tue, 02 April 2019 06:26 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4313A1200F5 for <ippm@ietfa.amsl.com>; Mon, 1 Apr 2019 23:26:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4GV6MhdWA3Kz for <ippm@ietfa.amsl.com>; Mon, 1 Apr 2019 23:26:33 -0700 (PDT)
Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A841212001E for <ippm@ietf.org>; Mon, 1 Apr 2019 23:26:33 -0700 (PDT)
Received: by mail-qk1-x72b.google.com with SMTP id o129so7219605qke.8 for <ippm@ietf.org>; Mon, 01 Apr 2019 23:26:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ZoA4+xHHv8S1/xwu8JJSabbA90pRUaXSBxJfroNWlwM=; b=CExVKXGbQOwh1ZE3htAZvUq+SkfYQ6jKyKY9CrcrWAfl4GgDE4n6GbAkYaNLp6u5EO +PRdGHe4UfWQwybJJ+JT/OsjO9LA36FQtKEC68jIFl9c6tBgIUb2DpjFmG7X5XcctAIH P/seDGUVUo0KzjKhPwnNzJiVSb/TLwd7yYbsPQtqn3Z6Q9bfNkYCyWZmIwkyoHS0BMT1 Qr358zuJbpCuymOXvaEwuyRD3jCfB7qI9K0g9OhmdpJ4ZS5UoeKe6FLSib1cwbKz+wBk K/jy65sBcyIuquhr3Eh/Mb4cmj4YW+SY/kkjxoz8SC7lvCFhxgcTZCFW9216ZDIwYaOX Eq6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ZoA4+xHHv8S1/xwu8JJSabbA90pRUaXSBxJfroNWlwM=; b=oIvl8WaI00Ok9YYa38l6S9zh6RDsak+XqH3HhnzvDCPryzvCFHIaj6pXDU+X3nXPWD 0OMJTn3onA4XkvzOC31C+qW4qvSAW2W3+74VVPe9ZrHMGsYNehpAu7rGO/OPDKmequlo egT18mmY4NJaxJ/tQbfJD7lMGIf5Ba4Mtq5Cl7QRqwCvTY1YWrT64TF5pZ/z9nLIgXjS t+B1peo0WgPlig2wpcrY5mZtzlHkBijWidA0Ik+o9bqgRopIbstARqA0sSEezbheryCN SrvV0hTmuFR6aif5NMzsvooafkJdvBkHVSxTqhHc2GeI/Z7+fh9rAVkeuETrKk03H41V AnGA==
X-Gm-Message-State: APjAAAXNOJvo2GxgbG7LeZKqU3ZiUzveIttgamB0JamvQLOzfqycCm+b 2DH5h0uELDJotetehs4vFy8ty1rs7hgVZ3cITIjvFA==
X-Google-Smtp-Source: APXvYqzLYF+W/2pMDrIV36piZSPUHZcBnFiyTVCVbAPN3g0cI1cJtNZVnTX9j11aoW6nx0U2LCuxtdBp7q6QhzbNq9I=
X-Received: by 2002:a37:4d53:: with SMTP id a80mr56170387qkb.247.1554186392500; Mon, 01 Apr 2019 23:26:32 -0700 (PDT)
MIME-Version: 1.0
References: <CACL_3VGxyn-PYosFsKPVdd8C=P5AbE6HD1zrimHKuh2MPkhnuQ@mail.gmail.com> <505272eac2dd44fa891d4d36d14da9af@XCH-RCD-008.cisco.com> <CAO42Z2wGMzc_RT=eWTx9Ve-5reS0nCWiteGOuE16=MB4Fg8mkg@mail.gmail.com> <f50040ab52d04867b9a5cefa1c3131c3@XCH-RCD-008.cisco.com> <CAO42Z2zgguekybwVuCh8Az3mK8gHp292BYnWYhJq-8KEyfKzOA@mail.gmail.com> <7ea9049fe6f44a40aefe4801bd796322@XCH-RCD-008.cisco.com> <CAO42Z2y5TS1+8YxNsr=BKz5v8-ZPTiO-M7CU2k6FzNqVZoU4VA@mail.gmail.com> <CY4PR11MB1335960AD9BF9A4B990F7E10DA4A0@CY4PR11MB1335.namprd11.prod.outlook.com> <CAO42Z2xqq=uksNQPxvF_CRSxf1V_MADbFurzW4hqQW0v478cyw@mail.gmail.com> <DM6PR11MB36254EAC97ACF07F5BAD43CADA5F0@DM6PR11MB3625.namprd11.prod.outlook.com> <DM6PR11MB362528DB0EADA21493CC49A3DA590@DM6PR11MB3625.namprd11.prod.outlook.com> <alpine.DEB.2.20.1904011139550.3490@uplift.swm.pp.se> <BN8PR11MB36181C47785968D8FCA2DED9DA550@BN8PR11MB3618.namprd11.prod.outlook.com> <alpine.DEB.2.20.1904020744260.3490@uplift.swm.pp.se>
In-Reply-To: <alpine.DEB.2.20.1904020744260.3490@uplift.swm.pp.se>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 02 Apr 2019 08:26:21 +0200
Message-ID: <CALx6S364AzeZL0+AiPWUj5q_mu+9JAa2taGebos83X6X9Xtz5w@mail.gmail.com>
To: Mikael Abrahamsson <swmike@swm.pp.se>
Cc: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>, "C. M. Heard" <heard@pobox.com>, 6man WG <ipv6@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/fOyztZG3YQKB4FppztcDuMfU_8g>
Subject: Re: [ippm] draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2019 06:26:36 -0000

On Tue, Apr 2, 2019 at 8:06 AM Mikael Abrahamsson <swmike@swm.pp.se> wrote:
>
> On Mon, 1 Apr 2019, Frank Brockners (fbrockne) wrote:
>
> > ...FB: There is obviously no easy answer. Couple of thoughts:
> > * IOAM is considered a "domain specific" feature (see
> > draft-ietf-ippm-ioam-data-05, section 3). Routers in the IOAM domain
> > should be IOAM capable.  And IMHO,  we should add a statement to
> > draft-ioametal-ippm-6man-ioam-ipv6-deployment that an implementation of
> > IOAM MUST ensure "C1".
> >
> > * That said, there can be situations, where C1 cannot be achieved, e.g.
> > consider a network which does ECMP scheduling based on packet length.
> >
> > * What one could consider - and which is one suggested deployment model
> > - is that by default IOAM data fields are added to _all_ customer
> > packets. The decapsulating node would decide whether the IOAM
> > information contained in a packet would be used (and exported) or not.
> > That way one would not need to deal with the situation that some traffic
> > carries IOAM while other does not - and might thus be treated
> > differently.
>
> Yes, I think this is the only way. Is there a risk that intermediate
> routers would not be IOAM capable? I think the C1 requirement is really
> really hard to fulfil and I'm also afraid that adding the IOAM header will
> actually make ECMP stop working on some platforms (because they would not
> have the capability to look deep enough into the packet to find L4
> information, so it'll go back to 2 tuple ECMP instead of 5 tuple.
>
> But this question can only be answered by people with deep NPU
> knowledge...
>
Mikael,

This is solved with proper use of the IPv6 flow label for ECMP instead
of devices continuing to try to find 5 tuples buried deep within
packets. DPI is only going to become harder as more headers and
functionality are added (e.g. segment routing header will be another
problem, deep headers will exceed parsing buffers, and it's impossible
to find the 5 tuple for a fragment and still be stateless). Since IOAM
is used in a limited domain, the requirement should be that all
routers in the domain support ECMP routing using flow label (note that
is a less stringent requirement than all routers having to support
IOAM).

Tom

> > ...FB: The comparison to MPLS is interesting. How often do MPLS packets
> > leak and cause harm? For IOAM,
> > draft-ioametal-ippm-6man-ioam-ipv6-options-02 proposes a deployment
> > model similar to what we do for MPLS: Unless an interface is explicitly
> > configured for IOAM, packets with IOAM data fields MUST be dropped.
> > Hence leakage would only occur, if we have a clearly misbehaving router
> > which violates this rule. Similar to you, I'd also greatly appreciate
> > any pointers to research on how common MPLS leaked packets are.
>
> When it comes to "cause harm" I imagine there are (at least) two ways to
> cause harm, one is privacy/secrecy/security loss and the other one is
> actual operational loss.
>
> I know of bugs where labeled packets went the wrong way and caused them to
> be lost, I've also seen bugs where bugs caused traffic to "hop" between
> VRFs in MPLS VPN (or to "global" VRF). I don't have numbers on this
> though.
>
> Depending on the deployment scenario, it might make sense to make IOAM
> packets not valid for non-IOAM aware devices (basically encap entire
> packet/payload), but that might be a problem for intermediate non-IOAM
> nodes then. This would affect the ECMP requirement. I can see cases where
> one would operationally turn on IOAM for some customers traffic and then
> see the problem go away because now ECMP changed.
>
> > ...FB: One idea that Shwetha came up with to identify the source AS of a
> > leaked packet, would be to add a new new IOAM E2E option - as proposed
> > in section 5.1.1 bullet 2 of
> > draft-ioametal-ippm-6man-ioam-ipv6-deployment-01.
>
> Yes, that'd solve that problem.
>
> How much has the silicon people been involved so far in the design of the
> headers? What is the current thinking of amount of data going into the
> IOAM header? Considering things like trace options etc it seems to me the
> header can grow quite large? To satisfy the ECMP requirement what about
> putting the IOAM information as a trailer behind the regular payload? Or
> is there a problem for the hw to manipulate information that far into the
> packet (I also imagine this will considerably lower the forwarding
> performance of IOAM packets on IOAM aware platforms).
>
> --
> Mikael Abrahamsson    email: swmike@swm.pp.se
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email