IETF Logo Mail Archive

Re: What is necessity for SRH, and other EH, insertion/removal?

Mark Smith <markzzzsmith@gmail.com> Fri, 20 December 2019 03:12 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D09ED1200FA for <ipv6@ietfa.amsl.com>; Thu, 19 Dec 2019 19:12:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.498
X-Spam-Level:
X-Spam-Status: No, score=-0.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RHoNtS6j0NZ8 for <ipv6@ietfa.amsl.com>; Thu, 19 Dec 2019 19:12:15 -0800 (PST)
Received: from mail-ot1-x32c.google.com (mail-ot1-x32c.google.com [IPv6:2607:f8b0:4864:20::32c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97C461200EC for <ipv6@ietf.org>; Thu, 19 Dec 2019 19:12:15 -0800 (PST)
Received: by mail-ot1-x32c.google.com with SMTP id c22so9930513otj.13 for <ipv6@ietf.org>; Thu, 19 Dec 2019 19:12:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9dVzPwCZDN056K4ZzEttANELUcN0WIcqnsMvHELD+iQ=; b=RgNAb0wmwZy7jYNEgwyBdwhmDEoCd9uOjEHMrfWDieO6KzA+6Pruzatk1jDaIGzpAG 2jcZKCRVcwdEvX8lT/maCBoZEjuGy581VzphD+RclDk65lXfV5pfnUJ+ljfbIkpuzsxz cS51DgkLnVv7eBtbX3hEdXsTJ91ZdSKGl9Zx1ng3UimtjLUhhi1a2jAvuIg/PPvZ7o/h sayDY8HQo1hRwPcDvCEd6ULnqLkN0r+9BmbLLy/RoqiK38GTDvLNf0lDtTeS+33jB77q Yafb7hzTFhQIpWEoEyommoouwOpQwvNi9jxYDuJq/NkzNGVRtGBb/pKIi3zDK2k7VjkT psiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9dVzPwCZDN056K4ZzEttANELUcN0WIcqnsMvHELD+iQ=; b=rnSm/ZYWMKThelKv9sQAKtp3LWvsVNsret22bbtllFNCeP/tRXP94iHNALhrMdz+5i BtO40axuOIyAB0u1NHuugXKT8zX9RzK2i20nCWyQcLu4hEDTqsdXGWFOWinJ3ovfI4bX GqPuHV0Gj4c2OUQA2gm3QT3w8bOR8buRqeco6RsmxP/z8IT9vpyG5DaEy5BqH6Iw5OJl uOlljBeOi8czcZCduc3GmQCmwjGQ/uiNLipIn7b6PMfOgtDpUino8Shoo6+Ufw7w+7WB KjO/GtXXmO0YZTMpLyeyxHSsC4RBmSJO22zoyiUpM708Zv07e2XJyceTuXPV2SC1BlaJ 0MzA==
X-Gm-Message-State: APjAAAUgRBjBfZkalPb8iYivZkMxKoyCX/GLDR7JYtrDQDWszYP1mHms 36toWgAoO9ks8erZzG3hMRNPGW2vTv5vwqW879k=
X-Google-Smtp-Source: APXvYqw110AFYxyO456ToHNxEnsLDSvcM5ZE4NeqqGPTN1Z0Kwz0u+aj2ZrqEy7RPcjBuy2YC3g5s8xbjlnuCwk/Bxw=
X-Received: by 2002:a05:6830:9:: with SMTP id c9mr12723580otp.94.1576811534790; Thu, 19 Dec 2019 19:12:14 -0800 (PST)
MIME-Version: 1.0
References: <CALx6S34vG=L_5nw_FzxHBUy+7tbWH4dhOh8xodOfKf2oOdrarg@mail.gmail.com> <CALx6S36g6gDJNp=unQJaGoGoMxnRpbqGni=JHvPFJ3ovmuzO4A@mail.gmail.com>
In-Reply-To: <CALx6S36g6gDJNp=unQJaGoGoMxnRpbqGni=JHvPFJ3ovmuzO4A@mail.gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Fri, 20 Dec 2019 14:11:48 +1100
Message-ID: <CAO42Z2ywKVkQU0NWkPE1kS9o=Tw3dCMCivo3xBw96UKtHKdEsg@mail.gmail.com>
Subject: Re: What is necessity for SRH, and other EH, insertion/removal?
To: Tom Herbert <tom@herbertland.com>
Cc: 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/5mTI4OhXN62GH4KHm8pZq0-wy2E>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Dec 2019 03:12:17 -0000

On Thu, 19 Dec 2019 at 09:08, Tom Herbert <tom@herbertland.com> wrote:
>
> On Sat, Dec 7, 2019 at 9:17 AM Tom Herbert <tom@herbertland.com> wrote:
> >
> > Pulling this out into a separate thread. Pertinent questions are:
> >
> > Why is extension header insertion and removal at necessary?
> >
> > Why isn't the proposed alternative of IPIP encapsulation sufficient?
> > (where the encapsulating headers contain the extension headers that
> > would otherwise be inserted)
> >
> I believe that inband network telemetry (INT and IOAM ) might provide
> the best motivation for extension header insertion. One of the goals
> is to allow network operators to perform telemetry on packets as they
> traverse their network. A telemetry header, INT or IOAM, is put into
> packets on ingress to the domain and removed at egress, and
> intermediate nodes modify the packet with measurement data.
>

So I assume that within an IOAM domain, the design would be that all
IP routers the packet passes through, from domain ingress to domain
egress, are IOAM capable.

Therefore, IOAM could be implemented as a layer 2 shim between the
link-layer header and the IPv6 original packet. The additional
overhead would only be the IOAM shim itself.

This is of course how MPLS works to add the label stack to existing IP packets.

Similar to MPLS, a FEC at ingress could be used to select which
packets have IOAM added or not.


> Key requirements are that not all packets for a flow need to be
> measured, and measured packets need to follow the same path as those
> not measured  in order for the measurements to reflect what is
> happening for the flow. IPIP encapsulation would change the hash that
> ECMP uses so encapsulated packets might traverse a different path--
> therefore it's not sufficient in this case. Extension header insertion
> would maintain the routing in ECMP (although the fact that extension
> headers aren't supported in IPv4 creates another problem).
>
> Some of the inband telemetry implementations are already addressing
> this by inserting the inband telemetry headers directly into the UDP
> or TCP payload of existing packets and removing the inserted payload
> bytes at the egress point. Since only transport payload is being
> modified, the packets will be routed the same way as other modified
> packets for a flow. The obvious problem with this approach is that
> payload is being changed by intermediate nodes such that if the end
> host were to ever receive the modified packet this could result in
> silent data corruption of users' data. So this protocol mechanism is
> fundamentally not robust and probably dangerous. I think this actually
> makes extension header insertion, where the worst case scenario is
> probably unexplained packet loss, look palatable!
>

The reason I have such strong opinions on this is that I first thought
about insertion verses encapsulation starting about 20 years ago.

I deployed Cisco's pre-standard version of "VLAN tagging",
Inter-Switch Link (ISL)*, which used Ethernet-in-Ethernet
encapsulation to add information to existing PDUs, back in the late
1990s. Then came along the IEEE 802.1Q spec in 1998, which specified
VLAN tagging using insertion into the frame, after the Ethernet header
and before the payload.

Thinking about the pros-and-cons at the time, I realised the Cisco
method was better, despite the E-in-E overhead, because the original
frame was preserved without modification. Although probably not by
design, the protection of the inner frame frame is strengthened while
being "VLAN trunked", because there is now the outer Eth FCS covering
the whole of the inner frame as well as the inner frame's own FCS
protecting its payload.

VLAN tagging via insertion corrupts the purpose and integrity of the
tagged frame's checksum / FCS, because it is recalculated and replaced
each time the VLAN tag is inserted and removed. It is now not a
reliable check that the frame received by the SA is the same frame
that was sent by the DA. VLAN tagging reduces the strength and purpose
of the FCS.

The only thing the checksum/FCS validates, in the presence of VLAN tag
insertion, is the last hop between the last switch/brige that removed
the VLAN tag and the device with the DA. The checksum/FCS is not
end-to-end anymore, and is failing to achieve its original purpose.
Frame corruption can occur within any of the VLAN tagging devices and
it won't be possible to detect, because the FCS is being recalculated
on the way out of the device after the VLAN tag has been added.

People might say this corruption hasn't ever happened because they
haven't heard of it happening. The trouble is that absence of evidence
is not evidence of absence.

So why insertion was used for VLAN tagging?

Radia Perlman explained it in her "Interconnections" book (2nd
edition). It was to accommodate existing Ethernet hardware at the time
that couldn't support frames large enough to use encapsulation. It's a
work around, not an ideal. Cisco could use Eth-in-Eth tunnelling
because they knew all of their hardware could support frames big
enough for that.

Regards,
Mark.


* "Inter-Switch Link and IEEE 802.1Q Frame Format",
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021q/17056-741-4.html

> Tom
>
> > Please note, I'm asking for the technical justification of the
> > protocol design, saying that it's necessary because it's already being
> > deployed isn't useful in this regard.
> >
> > Tom
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email