IETF Logo Mail Archive

Re: 6man w.g. last call for <draft-ietf-6man-segment-routing-header-11.txt>

Tom Herbert <tom@herbertland.com> Fri, 30 March 2018 15:59 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DB2D126FDC for <ipv6@ietfa.amsl.com>; Fri, 30 Mar 2018 08:59:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tt4WEc42sg_u for <ipv6@ietfa.amsl.com>; Fri, 30 Mar 2018 08:59:46 -0700 (PDT)
Received: from mail-qt0-x22c.google.com (mail-qt0-x22c.google.com [IPv6:2607:f8b0:400d:c0d::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 446FF120454 for <ipv6@ietf.org>; Fri, 30 Mar 2018 08:59:46 -0700 (PDT)
Received: by mail-qt0-x22c.google.com with SMTP id s48so9764029qtb.10 for <ipv6@ietf.org>; Fri, 30 Mar 2018 08:59:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3IU9F6kEQv9X0lCWdOMc/8AcUddh07sZR+dHiifd8a8=; b=ThYPG7DJdM8rdYmxoOYKA2cTXjiQi/3xj9RTLfKS5WL6qyOmNTQkzzksHWJff8uV7s ZAKQu8X5ZG0VV6qi4IOEGFbCNC50HGfe38RTSmnJzXfLutVmF3dQTjwnqfAInLAR6Hal Mfy/CPAIHmS78AJqdKwNURPKCZRrTvjfLjxAxtxFVm2dbJXjFgq5A56e+LlSUowiKA5R psKSlcE6LPLSXEk1Wp+zvhyrQTrk9Bv28Vfrm3tJdcPicTIwp68FEpKllFxhcMOHu+Zn FfSoD9PSc/N8ocKd32Pss5Tngz70oirOvlE0b9NsntFouMT+CZMJZncUabwaQrhNLVL3 ypcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3IU9F6kEQv9X0lCWdOMc/8AcUddh07sZR+dHiifd8a8=; b=Trkt7dVdIWZZcBTv1efm9Oml6RaJuOakGl93MKFX7J6GGlLkXna3EkR1vmtNNf+Lxk T4STMUceB7SLwH7euiHojOQPW4DXZc/m+LELECaHSWdTZNrvdw8PqGrHaWBTcgTvpSNd me9iTpXxUvtdWZ3SfAxmIhmKAqEW0Ws1xdh7Aro9K54SDrIRCAH08K3i7dGGXUgGLVNa AXX4SBOcBIyVQz+5pKVJp1g4e+JNopeQNrAltPVoWGeTdfNNdsR5zqlReD3Izw5uC19v nCNQ3asVSfS0aqxWu1sLWzxQodGxGPMZiJ35T21syw5K8/an5sltRpXnnQR50OIr97Gb Bx6Q==
X-Gm-Message-State: AElRT7GTuGaB/knGbWB8ZkcnUcIcD2V8C7tOXBgij4O1sAn+AhrBgrXx Em45p6q0YSYcNnMcg3TcAUhlpStUh8YX3G2nFpr/clN4
X-Google-Smtp-Source: AIpwx49GIqZY/q/b3rTG6ahIOVw0t9wivSOwxtDwYmu2WQqFI3mCWpI4QL3iZUUHmLIy8Ck5/XnL7KcTwDX+auEDyok=
X-Received: by 10.237.37.50 with SMTP id v47mr18323970qtc.66.1522425585024; Fri, 30 Mar 2018 08:59:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.200.26.135 with HTTP; Fri, 30 Mar 2018 08:59:44 -0700 (PDT)
In-Reply-To: <523d27a3-285e-6bcf-2b07-2cd8d31b0915@joelhalpern.com>
References: <20160428004904.25189.43047.idtracker@ietfa.amsl.com> <FB1C6E49-81F7-49DD-8E8B-2C0C4735071B@gmail.com> <523d27a3-285e-6bcf-2b07-2cd8d31b0915@joelhalpern.com>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 30 Mar 2018 08:59:44 -0700
Message-ID: <CALx6S34s-XjgwYaiqFJVvPwmmUYD4qPaCv-Ku+h6q1A9aLz9hA@mail.gmail.com>
Subject: Re: 6man w.g. last call for <draft-ietf-6man-segment-routing-header-11.txt>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
Cc: IPv6 List <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/1nHeNNfUPNdqoJ8iCkDQEp1XntQ>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Mar 2018 15:59:48 -0000

On Fri, Mar 30, 2018 at 7:51 AM, Joel M. Halpern <jmh@joelhalpern.com> wrote:
> I do not think this document is ready to be sent to the IETF and IESG for
> final approval.
> There are several kinds of problems.
>
> ECMP1: The document asserts that entropy information is put into the flow
> label.   I wish this worked.  I helped bring this idea forward years ago,
> independent of SRH.  Unfortunately, there are two related problems.  First,
> adoption appears to be low.  Second, and more important, there are reports
> from the field that doing thi actually breaks other things and cause packet
> re-ordering under some circumstances.  As a result, vendors are suggesting
> that people turn it off even when it is available.

Joel,

I assume you're referring to:

"If an array of layer-3 adjacencies is bound to the End.X SID, then
one entry of the array is selected based on a hash of the packet's
header (at least SA, DA, Flow Label)."

The problem with flow label isn't that it can cause OOO packets, it's
interaction with stateful techniques in intermediate nodes like
firewalls and load balancer that require all packets for a flow to
consistently hit the same stateful device. When the flow label changes
in mid flow, packets might be routed to a different device that
doesn't have the flow state and hence are dropped.

I imagine that one could argue that SRH is intended to be used in
closed domains so the operator could ensure there are no stateful
nodes present that would have an issue, but that makes correct
operation of the protocol conditional.

IMO the fix for the flow label/ECMP problem needs to include an update
to RFC6437 specifying 1) the flow label can only be set by the source,
nodes in the path MUST NOT set it, 2) if the flow label is set, it
MUST be an entropy identifier of the encapsulated transport flow so
that (SA, DA, flow label) is a good tuple representation of the flow,
3) the flow label MUST be the same for all packets sent on a flow
including fragments.

Tom

> ECMP2: If, with suitable analysis, we decide that this is actually safe to
> do, then the document needs to include both that analysis and clearly
> spelled out requirements that operators MUST verify that all their routers
> support this behavior and that they have enabled this behavior before
> turning on SRv6 usage.
>
> Structure: The text in section 2.3 says "It is assumed in this document that
> the SRH is added to the packet by its source".  This is at best
> disingenuous.  It is very clear that the value of this behavior lies
> primarily in use by the network, not by the packet sources.  Claiming
> otherwise results in a document with minimal utility.  Even this document
> itself disagrees with this assertion.  Tucked into the very next section is
> text saying that "outer header with an SRH applied to the incoming packet".
> If this behavior were a clearly spelled out requirement, rather than a
> "typically" and if the text in 2.3 were replaced with something realistic,
> then the document would at least be itnernally consistent and match the
> expected usages.
>
> Edge filtering: The text on edge filtering does not actually state that
> prevention of packets with SRH and a current DA of an internal node is
> mandatory.  Unless it is clearly stated, the security considerations text as
> currently written is significantly weakened.  If it is mandatory, then again
> the deployment section needs to note that an operator needs to verify that
> all of his edge devices support such filtering and have it properly enabled
> in order to use SRv6.
>
> Edge Filtering and hybrids: Other documents have talked about allowing
> external packets with SRv6 entries pointing to internal nodes (which means
> the DA upon arrival at the operator edge will be an internal node as I
> understand it).  It the intention is to permit that with appropriate
> security, then the edge filtering requirements need to be clear about the
> requirements for cryptographic validation at the edge.
>
> Yours,
> Joel
>
>
> On 3/29/18 4:30 PM, Bob Hinden wrote:
>>
>>
>> This message starts a two week 6MAN Working Group Last Call on advancing:
>>
>>         Title           : IPv6 Segment Routing Header (SRH)
>>         Authors         : Stefano Previdi
>>                           Clarence Filsfils
>>                           John Leddy
>>                           Satoru Matsushima
>>                           Daniel Voyer
>>         Filename       : draft-ietf-6man-segment-routing-header-11.txt
>>         Pages          : 34
>>         Date           : 2018-03-28
>>
>>       https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header
>>
>> as a Proposed Standard.  Substantive comments and statements of support
>> for publishing this document should be directed to the mailing list.
>> Editorial suggestions can be sent to the author.  This last call will
>> end on 12 April 2018.
>>
>> An issue tracker will be setup to track issues raised on this document.
>>
>> Thanks,
>> Bob & Ole
>>
>>
>>
>>
>>
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email