IETF Logo Mail Archive

Re: What is necessity for SRH, and other EH, insertion/removal?

Tom Herbert <tom@herbertland.com> Fri, 20 December 2019 04:24 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AB26120219 for <ipv6@ietfa.amsl.com>; Thu, 19 Dec 2019 20:24:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q_wLgpuuLAzV for <ipv6@ietfa.amsl.com>; Thu, 19 Dec 2019 20:24:07 -0800 (PST)
Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [IPv6:2a00:1450:4864:20::536]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F157120116 for <ipv6@ietf.org>; Thu, 19 Dec 2019 20:24:07 -0800 (PST)
Received: by mail-ed1-x536.google.com with SMTP id cy15so7008170edb.4 for <ipv6@ietf.org>; Thu, 19 Dec 2019 20:24:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mpMNMn0cn359JP6iVPLoKYZpVvyXShOBPAVtidwG0Ec=; b=MJM05siO8Gx/fDW1fmlPIvgWlRATYe4DLJSz24B0niZc9ANf+l2a3lPEfdbrhGdygf mHt8ZDmz3q6rT84F+nk65JoByNOamYWs9zr2HLgvX4SgabnWpnf2en6y4lpj4PTQ3Y9w IZsLLlrQ7FzldDqKhuqb2p8ChW1Zh0+GKZYNi6S9f268pQJefGxxz9LgZj75Bf1QEvpX 9emHHmsxrsk7JqkwZ70FHvvKl59wgdL8t0Iw56Pa5YYdlp0iSInk0te04fsDdjbvJajp J8D1AmGIe1g/iKyy+kQsyDzR6PCz8L/4vUQC7miIdj6uUicMLwaVlO1U40hxdx+Bq5WN 73qA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mpMNMn0cn359JP6iVPLoKYZpVvyXShOBPAVtidwG0Ec=; b=BiTN5RNorHmvnEwsS613GcRzRbqfxQ0jY3Vygd9cwc8vZ4Iw84J97nWewL0r+HzHP2 yXvajMtHgNyJiRw9+ofOGl1apO6X7lDH6dnniDrfiirSq2KL2tZ+FBoLR0ZRvy6jTcqr 3BKYwDBM2QG9B0wh0I0aMU0kBr9k5/tR23s/5d1p0NNjamw3AaeXKP5IYZ7pPKlm1S6o rHnPwrgSHp/gaqwuW2SA9d4J8rrpIvt3yyLVdyV0VvmYDcBbFz5BlzRfbc0RGIIdw24o /xSvNtFryyTg5hHVzUm+Ho1pbKg+bxHjLdWLyHk+B1VYLabkxZmuHVfhLI6aO7KDjW+9 700Q==
X-Gm-Message-State: APjAAAUMm1TnAYSd18oTvgfs+0N4uE/7biWIQGWroiRrhuRIXki/BJwi QOW6F3Q49aGmMcpThH9T+CNEqw/7Oj9ryQR6c5Ov3xD7
X-Google-Smtp-Source: APXvYqyrDXpXhDePLk2U1lRdNrWWAskT7iyDKeIip8WjtDhcK/pnuRhD0LDr7ePejFkzLp45VANxp6QCSEcTtIU6mic=
X-Received: by 2002:a50:fb13:: with SMTP id d19mr13515074edq.87.1576815845653; Thu, 19 Dec 2019 20:24:05 -0800 (PST)
MIME-Version: 1.0
References: <CALx6S34vG=L_5nw_FzxHBUy+7tbWH4dhOh8xodOfKf2oOdrarg@mail.gmail.com> <CALx6S36g6gDJNp=unQJaGoGoMxnRpbqGni=JHvPFJ3ovmuzO4A@mail.gmail.com> <CAO42Z2ywKVkQU0NWkPE1kS9o=Tw3dCMCivo3xBw96UKtHKdEsg@mail.gmail.com>
In-Reply-To: <CAO42Z2ywKVkQU0NWkPE1kS9o=Tw3dCMCivo3xBw96UKtHKdEsg@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 19 Dec 2019 20:23:56 -0800
Message-ID: <CALx6S35EkOZ_mfpCyoiSNheirkUcnWw9Q22EDHBb-b8OLZZZkw@mail.gmail.com>
Subject: Re: What is necessity for SRH, and other EH, insertion/removal?
To: Mark Smith <markzzzsmith@gmail.com>
Cc: 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/MPuSc_8y267GaOUe_ixYTk5wegs>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Dec 2019 04:24:09 -0000

On Thu, Dec 19, 2019 at 7:12 PM Mark Smith <markzzzsmith@gmail.com> wrote:
>
> On Thu, 19 Dec 2019 at 09:08, Tom Herbert <tom@herbertland.com> wrote:
> >
> > On Sat, Dec 7, 2019 at 9:17 AM Tom Herbert <tom@herbertland.com> wrote:
> > >
> > > Pulling this out into a separate thread. Pertinent questions are:
> > >
> > > Why is extension header insertion and removal at necessary?
> > >
> > > Why isn't the proposed alternative of IPIP encapsulation sufficient?
> > > (where the encapsulating headers contain the extension headers that
> > > would otherwise be inserted)
> > >
> > I believe that inband network telemetry (INT and IOAM ) might provide
> > the best motivation for extension header insertion. One of the goals
> > is to allow network operators to perform telemetry on packets as they
> > traverse their network. A telemetry header, INT or IOAM, is put into
> > packets on ingress to the domain and removed at egress, and
> > intermediate nodes modify the packet with measurement data.
> >
>
> So I assume that within an IOAM domain, the design would be that all
> IP routers the packet passes through, from domain ingress to domain
> egress, are IOAM capable.
>

Mark,

That's an awfully big assumption/requirement to make. I'm doubtful
that would be feasible for deployment in a large network. Note that
RFC2460 also required all nodes in the path to support HBH options and
look what happened!

> Therefore, IOAM could be implemented as a layer 2 shim between the
> link-layer header and the IPv6 original packet. The additional
> overhead would only be the IOAM shim itself.
>
> This is of course how MPLS works to add the label stack to existing IP packets.
>
> Similar to MPLS, a FEC at ingress could be used to select which
> packets have IOAM added or not.
>
>
> > Key requirements are that not all packets for a flow need to be
> > measured, and measured packets need to follow the same path as those
> > not measured  in order for the measurements to reflect what is
> > happening for the flow. IPIP encapsulation would change the hash that
> > ECMP uses so encapsulated packets might traverse a different path--
> > therefore it's not sufficient in this case. Extension header insertion
> > would maintain the routing in ECMP (although the fact that extension
> > headers aren't supported in IPv4 creates another problem).
> >
> > Some of the inband telemetry implementations are already addressing
> > this by inserting the inband telemetry headers directly into the UDP
> > or TCP payload of existing packets and removing the inserted payload
> > bytes at the egress point. Since only transport payload is being
> > modified, the packets will be routed the same way as other modified
> > packets for a flow. The obvious problem with this approach is that
> > payload is being changed by intermediate nodes such that if the end
> > host were to ever receive the modified packet this could result in
> > silent data corruption of users' data. So this protocol mechanism is
> > fundamentally not robust and probably dangerous. I think this actually
> > makes extension header insertion, where the worst case scenario is
> > probably unexplained packet loss, look palatable!
> >
>
> The reason I have such strong opinions on this is that I first thought
> about insertion verses encapsulation starting about 20 years ago.
>
> I deployed Cisco's pre-standard version of "VLAN tagging",
> Inter-Switch Link (ISL)*, which used Ethernet-in-Ethernet
> encapsulation to add information to existing PDUs, back in the late
> 1990s. Then came along the IEEE 802.1Q spec in 1998, which specified
> VLAN tagging using insertion into the frame, after the Ethernet header
> and before the payload.
>
> Thinking about the pros-and-cons at the time, I realised the Cisco
> method was better, despite the E-in-E overhead, because the original
> frame was preserved without modification. Although probably not by
> design, the protection of the inner frame frame is strengthened while
> being "VLAN trunked", because there is now the outer Eth FCS covering
> the whole of the inner frame as well as the inner frame's own FCS
> protecting its payload.
>
> VLAN tagging via insertion corrupts the purpose and integrity of the
> tagged frame's checksum / FCS, because it is recalculated and replaced
> each time the VLAN tag is inserted and removed. It is now not a
> reliable check that the frame received by the SA is the same frame
> that was sent by the DA. VLAN tagging reduces the strength and purpose
> of the FCS.
>
> The only thing the checksum/FCS validates, in the presence of VLAN tag
> insertion, is the last hop between the last switch/brige that removed
> the VLAN tag and the device with the DA. The checksum/FCS is not
> end-to-end anymore, and is failing to achieve its original purpose.
> Frame corruption can occur within any of the VLAN tagging devices and
> it won't be possible to detect, because the FCS is being recalculated
> on the way out of the device after the VLAN tag has been added.
>
> People might say this corruption hasn't ever happened because they
> haven't heard of it happening. The trouble is that absence of evidence
> is not evidence of absence.
>
> So why insertion was used for VLAN tagging?
>
> Radia Perlman explained it in her "Interconnections" book (2nd
> edition). It was to accommodate existing Ethernet hardware at the time
> that couldn't support frames large enough to use encapsulation. It's a
> work around, not an ideal. Cisco could use Eth-in-Eth tunnelling
> because they knew all of their hardware could support frames big
> enough for that.
>
All good points, but I'm not sure that punting problems because their
hard to L2 is the answer. I could just as easily ask if MPLS was so
good, then why was segment routing even invented? Clearly there's
incentive to standardize on IP protocols for carrying end-to-end
information. Besides that, things are pretty far down the path for
sending IOAM over IPv6 and in fact there might even be consensus that
HBH options are the correct way to do that as opposed to a lot of
other hacks that have been suggested.

Tom

> Regards,
> Mark.
>
>
> * "Inter-Switch Link and IEEE 802.1Q Frame Format",
> https://www.cisco.com/c/en/us/support/docs/lan-switching/8021q/17056-741-4.html
>
> > Tom
> >
> > > Please note, I'm asking for the technical justification of the
> > > protocol design, saying that it's necessary because it's already being
> > > deployed isn't useful in this regard.
> > >
> > > Tom
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email