IETF Logo Mail Archive

Re: Re: I-D Action: draft-smith-6man-in-flight-eh-insertion-harmful-00.txt

li zhenqiang <li_zhenqiang@hotmail.com> Mon, 14 October 2019 10:06 UTC

Return-Path: <li_zhenqiang@hotmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B05EC12016E for <ipv6@ietfa.amsl.com>; Mon, 14 Oct 2019 03:06:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.124
X-Spam-Level:
X-Spam-Status: No, score=-1.124 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UtE68XtY8iq2 for <ipv6@ietfa.amsl.com>; Mon, 14 Oct 2019 03:06:52 -0700 (PDT)
Received: from APC01-SG2-obe.outbound.protection.outlook.com (mail-oln040092253018.outbound.protection.outlook.com [40.92.253.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30D84120143 for <ipv6@ietf.org>; Mon, 14 Oct 2019 03:06:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SsVtUEiq1tWzWP+t7Bur0ZP8mcdmxVrWEj80idxN9YMTEWuaEoRKoYqJHneK8vSpKLY6DGHxyUcj9pCmKbM/xxBJThQyOvnKy4Bk648MrOk1WAcBmwT8GYmWuiCP3GIAJXEex4LHfS0MldNKIfRlISMHdNzpai0IMWET1OLF4RGUrKqvTCSAKSqLiXkmcow7ihpReZ9xEpWuKwuT6OqjoAW42c51c7pIjl2A4GGK834xG28r4Pw7PeaJeVbyJ+UfVdlPXyGuYxicFfPy1io6gm7kXZFTBW9QbKXW6lx1hHWFSJ1OWbyLjt8udRoBHod5v6cFm/aU/OM8FfIuADWvBA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=P9iVuAnwNRtiN3wGz1kqKsgCy2mu2//kZlLp0PHOfp0=; b=VIB14Z2OinB+rb2YpeLP/n6zmxe9uJZetAdkr/JrVBQtrA759bPuPaAL+N2qxzR2RAaoxOxZJhAodjY8pRHHrqPBc2xK9zBaqx4t8xiXvK43658MUVaIu8FHeS3KgjMKt04qUgxCR2QYNwoVxVba8E3RB1h9/kGh7XR0PJIZRIrCvoIWK3g0AUfP2vfd0ZjQEhuWPjURG9MG+btx4HmXqpYNT+Gj1l2ephXvT7EvgzHY9fSg3bAr6MW/UXjkX9Z5n1texE+fRdVS5Vc9hPsz6FU2Fkptn3FTES0aR7TJ3OJlM3TtcAjNnNbtSLsW20RQB67febWK/Fg1Vf9LengcTQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=P9iVuAnwNRtiN3wGz1kqKsgCy2mu2//kZlLp0PHOfp0=; b=j5vJwk6u3kvI5ul3QHuUe6WVouu1HxtqXuw7Engyg3wwbLo+RAumkMrzYNYwp0ZLpO7KmPvZIkGYwU2objvbfUNtzgAVT6JPqyZyvGFzxNffRYvMo8KMQ/FWiGZ/OwaQtXTrKnCE39BRFmEL0snDeMZx2qdMBUpSvhWhPmRoZ2gfVDpQJOBspBOehxLYiKkNjW4ppj4vPYG2+gkgb5FDq/Bj2OEznqNku3VuaE+2zU0D8Xfzk+xuiwKXPoSZFJmImT8YMEkAZA8gzWuT/u5CP7CT6W2NoFuKX8hi0HcERwEmLWq8bD4qg7EkRZp+et53hGShK5dgU3kkKFQP6LGGxA==
Received: from HK2APC01FT021.eop-APC01.prod.protection.outlook.com (10.152.248.53) by HK2APC01HT244.eop-APC01.prod.protection.outlook.com (10.152.249.91) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2347.16; Mon, 14 Oct 2019 10:06:48 +0000
Received: from HK0PR03MB4066.apcprd03.prod.outlook.com (10.152.248.56) by HK2APC01FT021.mail.protection.outlook.com (10.152.248.181) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2347.16 via Frontend Transport; Mon, 14 Oct 2019 10:06:48 +0000
Received: from HK0PR03MB4066.apcprd03.prod.outlook.com ([fe80::7dba:f7ea:56a0:2b70]) by HK0PR03MB4066.apcprd03.prod.outlook.com ([fe80::7dba:f7ea:56a0:2b70%3]) with mapi id 15.20.2347.021; Mon, 14 Oct 2019 10:06:48 +0000
From: li zhenqiang <li_zhenqiang@hotmail.com>
To: Mark Smith <markzzzsmith@gmail.com>
CC: Gyan Mishra <hayabusagsm@gmail.com>, "ipv6@ietf.org" <ipv6@ietf.org>
Subject: Re: Re: I-D Action: draft-smith-6man-in-flight-eh-insertion-harmful-00.txt
Thread-Topic: Re: I-D Action: draft-smith-6man-in-flight-eh-insertion-harmful-00.txt
Thread-Index: AQHVgd/mgbdnbAyZdUytdj9YO9ECUg==
Date: Mon, 14 Oct 2019 10:06:48 +0000
Message-ID: <HK0PR03MB4066CE26C5E9CF8025488D06FC900@HK0PR03MB4066.apcprd03.prod.outlook.com>
References: <79F13DA9-2B14-4885-B0E4-272EFB0E25FC@gmail.com>, <HK0PR03MB4066B72F338821CD93E6ADD7FC900@HK0PR03MB4066.apcprd03.prod.outlook.com>, <CAO42Z2xFk7cJOP2-AuFhZWN7LY6nphnqarv5s26ae-oM=_e5xA@mail.gmail.com>, <CAO42Z2xCPjhVNHa0sf_pceQSRCMJF4-_BmuWHRwPshBP1vuE9w@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: HK0PR01CA0037.apcprd01.prod.exchangelabs.com (2603:1096:203:3e::25) To HK0PR03MB4066.apcprd03.prod.outlook.com (2603:1096:203:9d::21)
x-incomingtopheadermarker: OriginalChecksum:F4C6149F36BFAA0B6509A6FBC1DBE7243EC545AC45D1A75307977A5F7906CECC; UpperCasedChecksum:AAA7E6CE0FBDAC8E313291D5883CC3B36FFC638BE03B01D205AE4B262D83934B; SizeAsReceived:7849; Count:52
x-ms-exchange-messagesentrepresentingtype: 1
x-has-attach: no
x-mailer: Foxmail 7.2.9.156[cn]
x-tmn: [s+P8G97i0Nf/c/xlimWqWtP9c8DhzkN7H6NGHP3TTn8=]
x-microsoft-original-message-id: <2019101418064874803042@hotmail.com>
x-ms-publictraffictype: Email
x-incomingheadercount: 52
x-eopattributedmessage: 0
x-ms-traffictypediagnostic: HK2APC01HT244:
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: r3MJVhnoAv9d1Cp6fmRnnLWDSp81aKwjmSUqzwTgw66adGDAXVL6MWivj6cOO3arOoDCgxtmqyng+/rBPX8K+2z6YNx0gLDsg/cLA1/Mkxp1odVZnczaTqt17K+JjgPTNvqden+UwjroapWlnUboDVkXCUGg8wbEd/2IbchFX426/4fY7stm+wcLXeUlqTkc
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_HK0PR03MB4066CE26C5E9CF8025488D06FC900HK0PR03MB4066apcp_"
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: e705bd10-61a8-46e3-1043-08d7508e38ff
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Oct 2019 10:06:48.7861 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HK2APC01HT244
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/0wRLPxHS1rh4zwdrvj4uipIf1Yg>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Oct 2019 10:06:55 -0000

Agree. SRv6 is totally different from MPLS.
Since Gyan puts them together to do comparison, what I want to say is that encapsulating one more IPv6 outer header when needed if something like pushing one more MPLS label at the very top of the label stack in mechanism. However SRH insertion is definitely different from MPLS label stack push and SRH insertion doesn't comply with RFC8200.

One more concern in Gyan's example is PSP for SRv6. As mentioned in my previous mail , the benifits of PSP and USP are unclear, the behaviors of PSP and USP defined in srv6-network-programming draft may have problems.  In my understanding, only encapsulation and decapsulation of an outer IPv6 header are allowed. PSP and USP should be discussed further.

Best Regards,
Zhenqiang Li
________________________________
li_zhenqiang@hotmail.com

From: Mark Smith<mailto:markzzzsmith@gmail.com>
Date: 2019-10-14 15:13
To: li zhenqiang<mailto:li_zhenqiang@hotmail.com>
CC: Gyan Mishra<mailto:hayabusagsm@gmail.com>; 6man WG<mailto:ipv6@ietf.org>
Subject: Re: Re: I-D Action: draft-smith-6man-in-flight-eh-insertion-harmful-00.txt
On Mon, 14 Oct 2019 at 17:18, Mark Smith <markzzzsmith@gmail.com> wrote:
>
>
>
> On Mon, 14 Oct 2019, 13:05 li zhenqiang, <li_zhenqiang@hotmail.com> wrote:
>>
>> Hi Gyan,
>>
>> In my understanding, MPLS Label insertion is more like encapsulation, because the outer header is handled, one more label is added at the top. For SRv6 SRH insertion, the outer IPv6 header is still used, only destination address is updated when SRH is inserted.
>
>
>
> So the SA of this packet is now a lie.
>
>>
>> In your exmaple, if P2 performs SRv6 Ti-LFA by adding one more outer IPv6 header, this is similar to MPLS label insertion.
>
>
> There is no such thing as label insertion in MPLS.
>

To be more specific, when does this happen in MPLS to "insert" Label 2
(LB2): (LLF = Link Layer Frame)


[LLF SA:X, DA:Y] [MPLS LB1] [Payload]

<MPLS LSR processing>

[LLF SA:X, DA:Y] [MPLS LB2, LB1] [Payload]


Specifically note that the SA:X, DA:Y haven't changed.

This doesn't happen in MPLS. At each LSR, a new Link Layer Frame is
created and used upon egress. The SA and DA of that new LLF will be
different from the LSR ingress SA and DA. The SA of the new LLF will
be that of the current LSR, and the DA will be of the next LSR.

MPLS labels are not inserted into an existing LLF with the SA and DA
being left unchanged or the link-layer frame being entirely replaced,
even if if the ingress and egress interfaces are the same link-layer
type.

If that was the way MPLS worked, then it wouldn't be possible to have
an MPLS LSR with both an Ethernet interface and a Frame Relay
interface, because Ethernet frames can't travel across a Frame Relay
link or vice versa.

MPLS labels may be inserted into an existing set of labels within the
LSR, but they're never inserted into an existing Link-Layer frame that
is both received and then sent by that LSR.

Insertion of EHs into IPv6 packets is unprecedented in any protocol at
the network layer. It is not copying what has been done in before in
MPLS, so there is no similarity.


>>
>> Best Regards,
>> Zhenqiang Li
>> ________________________________
>> li_zhenqiang@hotmail.com
>>
>>
>> From: Gyan Mishra
>> Date: 2019-10-14 00:03
>> To: Gyan Mishra
>> CC: 6man
>> Subject: Re: I-D Action: draft-smith-6man-in-flight-eh-insertion-harmful-00.txt
>>
>> Mark
>>
>> In tried to add this comment in-line but does not look like it came through.
>>
>> See below
>>
>> Comparing MPLS in flight label insertion to SRv6 in flight EH insertion below:
>>
>> We will use the Service Provider scenario for SRv6 to compare apples to apples use case since SRv6 has a much wider scope as it pertains to IPv6 data plane traffic engineering capabilities.
>>
>> Typical SP mpls core / SRv6 core with L3 VPN services CEs attached.
>>
>> So for both scenarios the the packet originates from the customer network.
>>
>> CE - customer edge originating packet
>> PE1 - ingress PE device performing label imposition or EH insertion for SRH header
>> P2 - LDP Remote LFA PLR node/path protection
>> Performs LDP tunneling to PQ node by inserting MPLS label for FRR link and node protection. For SRv6 Ti-LFA PLR node performs EH SRH header insertion for the “LFA” backup protected path during a link or node failure
>> P3 - PQ node tunnel for R-LFA
>> P4 - egress P performing MPLS PHP pop implicit null value 3 or SRv6 PSP SRH segment pop and removal of SRH EH header type 4
>> PE2 - egress PE label disposition of bottom of stack L3 VPN  labels for MPLS use case
>>
>> CE - PE1 - P1 - P2 - P3 - P4 - PE2 - CE
>>
>> So in both cases the MPLS LDP or SRv6 domain the MPLS PE does in flight label imposition similar to SRv6 on the same ingress PE SRv6 does in flight SRv6 EH SRH Routing header type 4 insertion.
>>
>> So in both cases the MPLS LDP or SRv6 domain the MPLS P2 “IP FRR PLR node”  does in flight label imposition similar to SRv6 on the same  P2 node SRv6 does in flight SRv6 EH SRH Routing header type 4 insertion as well for Ti-LFA 50ms FRR link and node protection.
>>
>> So basically both MPLS and SRv6 perform in flight insertion of a header mpls 4 byte shim for mpls scenario and SRv6 EH SRH Routing header type 4 influencing the packet.
>>
>> The major difference with mpls and why that in flight label insertion has never been an issue is that MPLS is considered “Layer 2 1/2” due to the label stack being placed between the L2 link layer header and the L3 header.  So impact to routing related to mpls shim not being removed or security implications don’t exist since in the mpls core you are not IP routing you are “label switching” so forwarding plane is at that “layer 2 1/2” swapping the local label with remote label along the LSP path to FEC destination.
>>
>> With SRv6 since the EH headers are all inserted after the IPv6 header and before the transport header their are MAJOR security implications with EH headers not being removed as the EH headers are part of the L3 routing functionality.
>>
>> One other major impact to EH insertion in flight with IPv6 is that SRv6 can be used ubiquitously in almost any scenario where traffic engineering is required.
>>
>> With mpls the downside but from a security perspective upside as why mpls label imposition insertion in flight is not impacting is that with mpls state has to be maintained hop by hop for mpls data plane forwarding plane with either LDP or TE topmost label so mpls forwarding plane due to this “mpls state” LFIB dependency cannot exist outside of the mpls domain the egress P must to a PHP or if Default implicit null mpls label value type 3 is used or explicit null where the label is preserved on the egress P and popped on the egress PE along with the entire label stack is popped “label disposition” so the egress PE on the PE-CE link can forward as native IP packet..
>>
>>
>> RFC R-LFA used with MPLS LDP IP FRR
>>
>> https://datatracker.ietf.org/doc/rfc7490/
>>
>> What I think needs to change and we need to discuss with Spring folks is on the PLR node doing the 2nd EH insertion for Ti-LFA  to achieve link and node protection 50ms failover they need to do another IPV6 header encapsulation.
>>
>> So the ingress PE in SRv6 domain would add the 1st outer layer IPv6 header but then on the Ti-LFA node now we would require from a 6MAN RFC 8200 a 2nd IPv6 encapsulation and the FRR steering would be done through the PQ node via the 2nd encapsulation and and the PQ node would remove the 2nd encapsulation which would contain the SRH Ti-LFA SID list for the traffic engineered path.
>>
>> In the Voyer draft addressing EH insertion we should also have them make a bore that Ti-LFA would not exist in every scenario using SRV6 due to the ubiquitous use cases of SRv6 so that 2nd encapsulation would only be required wherever the 2nd or I guess even 3rd or every time an EH SRH type 4 routing header is added for that matter a IPv6 encapsulation is required to satisfy IPv6.
>>
>> Regards
>>
>> Gyan
>>
>>
>> Sent from my iPhone
>>
>> On Oct 13, 2019, at 11:59 AM, Gyan Mishra <hayabusagsm@gmail.com> wrote:
>>
>> Mark
>>
>> Few comments on the draft in-line and also comparison of MPLS label insertio=
>> n to SRV6 EH insertion.
>>
>> Sent from my iPhone
>>
>> On Oct 13, 2019, at 6:25 AM, Nick Hilliard <nick@foobar.org> wrote:
>>
>> =20
>>
>> Brian E Carpenter wrote on 13/10/2019 01:36:
>>
>> The packet is too dumb to know anything ;-). My question is how each
>>
>> node it traverses knows. Indeed, Mark's draft
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email