Re: [ippm] draft-ioametal-ippm-6man-ioam-ipv6-deployment-00 feedback (Re: v6 option types for IOAM data fields)

[Tom Herbert <tom@herbertland.com>]

On Tue, Apr 2, 2019 at 9:33 AM Mikael Abrahamsson <swmike@swm.pp.se> wrote:
>
> On Tue, 2 Apr 2019, Tom Herbert wrote:
>
> > This is solved with proper use of the IPv6 flow label for ECMP instead
> > of devices continuing to try to find 5 tuples buried deep within
> > packets. DPI is only going to become harder as more headers and
> > functionality are added (e.g. segment routing header will be another
> > problem, deep headers will exceed parsing buffers, and it's impossible
> > to find the 5 tuple for a fragment and still be stateless). Since IOAM
> > is used in a limited domain, the requirement should be that all routers
> > in the domain support ECMP routing using flow label (note that is a less
> > stringent requirement than all routers having to support IOAM).
>
> From what I have seen so far, most devices if they support flow label for
> ECMP, can/will use the flow label in *addition* to 5-tuple.
>
Mikael,

They can do that if they want, but it's less reliable then just using
the flow label and three tuple. There is no gaurantee that the five
tuple can be consistently determined for all packets of a flow for a
number of reasons. Even with the just the IOAM in an EH, there are
going to be devices that don't have the logic to skip over an EH to
find the transport layer, so that motivates that the idea that every
packet needs to have the IOAM attached whether it's needed or not
(hence it is an overhead tax).

> For the requirement of IOAM to not have separate ECMP characteristics then
> the entire IOAM domain will have to be configured to use 2-tuple + flow
> label?
>
It is a SHOULD. IMO, it's a less invasive requirement than requiring
all routers in the domain to support IOAM or that IOAM must be set in
every packet.

> Do we have data on how much end systems use flow labels nowadays? If this
> is low, do we have data from OS vendors that they're considering
> increasing the use of flow labels?

All major OSes (Windows, iOS, FreeBSD, Linux) now set the label by
default per RFC6437 and the flow label is usable for ECMP as described
in RFC6438. Linux has been automatically setting flow labels since
2014. So they are definitely being set on packets in the Internet. I'm
not sure if anyone has yet done measurements on how pervasive they
are, but it would be easy enough for a major application or service
provider to count them.

I should also point out that even if the flow label is not set, ECMP
still works and gives consistent results where a "flow" is all packets
sent from one IP address to another. The granularity of doing ECMP per
transport flow is really only needed when there are a lot of flows
over some IP address pair like in a tunnel for instance. There is a
lot of incentive to use flow labels with tunnels to get ECMP. For a
tunnel packet, the flow label is set as a hash for flow of an
encapsulated packet and ECMP is effective just by using the three
tuple of fields in the IP header. For a device trying to extract the
5-tuple they would need to parse over encapsulation shim layers to
find the transport layer. Again, finding the 5-tuple is considerable
work and there's no guarantee that parsing a particular encapsulation
protocol (there are a lot of them) is supported by all devices or that
inner five tuple is even observable (e.g. the tunnel could be
encrypted).

Tom

>
> --
> Mikael Abrahamsson    email: swmike@swm.pp.se