Re: END SID Without SRH

"Darren Dukes (ddukes)" <ddukes@cisco.com> Thu, 13 June 2019 07:25 UTC

From: "Darren Dukes (ddukes)" <ddukes@cisco.com>
To: Mark Smith <markzzzsmith@gmail.com>
CC: 6man WG <ipv6@ietf.org>, Ole Troan <otroan@employees.org>, Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>
Subject: Re: END SID Without SRH
Date: Thu, 13 Jun 2019 07:25:31 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/Couc0I_KlNv-hPy8XuJ1nrHgokI>

Mark.

You remember your SIDs in your SR domain come from a SID block you created, S/s (see section 5.1) and this destination address falls within that space.

You notice the destination sending an ICMP parameter problem error with a code that says “SR Upper-layer Header Error”.

This is how you tell the source is trying to talk to a destination address that doesn’t speak TCP.

Darren

On Jun 13, 2019, at 6:28 AM, Mark Smith <markzzzsmith@gmail.com> wrote:



On Thu., 13 Jun. 2019, 07:52 Darren Dukes (ddukes), <ddukes@cisco.com> wrote:
Hello everyone.

This document defines an SRH and a SID, and how that SID is processed.

I expect anyone "surprised" by this fact should have read this draft at some point:
a - within the past 2 years; since this document has defined a SID and its processing.
b - within the past 13 months; since section 4.3.1 specifically described discarding the packet based on upper layer header being processed.
c - within the past 8 months; since the current version of 4.3.1.2 was updated with the new ICMP error code, published, and the WG was notified via email.

And recall section 3.1 defines a Source SR node as
   "any node that originates an IPv6 packet with a
   segment (i.e.  SRv6 SID) in the destination address of the IPv6
   header.  The packet leaving the source SR Node may or may not contain
   an SRH."

In other words, there is no surprise.

So one of the contexts I consider is sitting in front of a packet capture tool like Wireshark, and trying to troubleshoot a fault by looking at the packet.

For the packet Ron described, with no SRH header, there is nothing to distinguish it from a normal IPv6 packet. The fault would be that the packet contains a TCP header, yet TCP processing is not occurring.

The DA address in the packet might actually be a SID, but if it is coming from within the existing IPv6 unicast or multicast spaces, there is no indication of that.

This SR processing is failing the principle of least surprise. That failure can cause longer-than-necessary troubleshooting and longer impacts on customers' services. A network's MTTR is negatively impacted.

Mandating that all packets to be SR processed have an SRH would prevent this problem. It would also be compliant with RFC 8200, because the processing to occur on the packet when it arrives at the device with the DA is explicitly encoded in the packet.

Without a formal SID address space, encoding functions to perform on a packet in addresses is ambiguous, implicit and, when troubleshooting, non-obvious.

Regards,
Mark.


Darren.
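
The troubleshooting check discussed in this thread, as an added example that is not part of the original messages: given a captured ICMPv6 message, decide whether it is the "SR Upper-layer Header Error" and whether the invoking packet's destination lies inside the operator's SID block. The SID block, addresses and sample packet are constructed; the code value 4 is an assumption taken from the later RFC 8754 registration, not from the thread.

```python
import ipaddress
import struct

# Assumptions, not from the thread: the SID block and addresses are constructed
# (documentation prefix); code 4 is the value RFC 8754 later registered for
# "SR Upper-layer Header Error" under ICMPv6 Parameter Problem (type 4).
SID_BLOCK = ipaddress.ip_network("2001:db8:5e6::/48")
PARAM_PROBLEM, SR_UPPER_LAYER_ERR = 4, 4
NAMES = {6: "TCP", 17: "UDP", 58: "ICMPv6"}

def upper_layer(inner):
    """Walk extension headers; return (saw_routing_header, last next-header)."""
    nh, off, saw_rh = inner[6], 40, False
    while nh in (0, 43, 60) and off + 2 <= len(inner):
        saw_rh = saw_rh or nh == 43
        nh, off = inner[off], off + 8 * (inner[off + 1] + 1)
    return saw_rh or nh == 43, nh

def diagnose(icmp6):
    """Explain an ICMPv6 message (bytes from its type field), else None."""
    if len(icmp6) < 48:                      # 8-byte ICMPv6 + 40-byte IPv6
        return None
    mtype, code, _cksum, pointer = struct.unpack("!BBHI", icmp6[:8])
    inner = icmp6[8:]                        # invoking packet, possibly truncated
    if (mtype, code) != (PARAM_PROBLEM, SR_UPPER_LAYER_ERR) or inner[0] >> 4 != 6:
        return None
    dst = ipaddress.ip_address(inner[24:40])
    saw_rh, proto = upper_layer(inner)
    return {"dst": str(dst), "dst_in_sid_block": dst in SID_BLOCK,
            "has_routing_header": saw_rh, "pointer": pointer,
            "rejected_upper_layer": NAMES.get(proto, str(proto))}

def sample_error(dst="2001:db8:5e6:1::"):
    """Constructed error: TCP SYN sent straight to a SID, no SRH (checksums 0)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip6 = (struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64)
           + ipaddress.ip_address("2001:db8:a::1").packed
           + ipaddress.ip_address(dst).packed)
    return struct.pack("!BBHI", PARAM_PROBLEM, SR_UPPER_LAYER_ERR, 0, 40) + ip6 + tcp

if __name__ == "__main__":
    print(diagnose(sample_error()))
```

A result with `dst_in_sid_block` true, `has_routing_header` false and `rejected_upper_layer` "TCP" corresponds to the case in the thread: a packet with no SRH addressed to a SID that does not accept TCP.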