IETF Logo Mail Archive

Re: What is necessity for SRH, and other EH, insertion/removal?

Tom Herbert <tom@herbertland.com> Fri, 20 December 2019 16:08 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8632212012C for <ipv6@ietfa.amsl.com>; Fri, 20 Dec 2019 08:08:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eKoMKORp5QXw for <ipv6@ietfa.amsl.com>; Fri, 20 Dec 2019 08:08:43 -0800 (PST)
Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [IPv6:2a00:1450:4864:20::536]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37E2D120128 for <ipv6@ietf.org>; Fri, 20 Dec 2019 08:08:43 -0800 (PST)
Received: by mail-ed1-x536.google.com with SMTP id f8so8746745edv.2 for <ipv6@ietf.org>; Fri, 20 Dec 2019 08:08:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Y9x352cLn2KmDIYYSlPTb7vfDb6lLlE3RS2tiSgVHFk=; b=DX4oRTYLvPq0X9YcI/I4P2CwLIBIBdu5HizdoHAFAvDeXpMaMimGjOIqArigcUYsE+ dtOn4egXB7BvTcSOgyFdo+xdWAVtjlSrZn0w16ONY6BlrVSDFUFHqk45etUVfuUNE53S rdqlQ8epJOoa9doxwS6fXa/AU8AxxBCSD3cuPJSONLTbIKRQNuS+BPeJglN0YU9n3t/2 xfKjuTJljxgV5iO0CpuK6YAvkNb5shA1QSUKetAP/Cv1iFVjjTg7vqa4h/SSYYllatW5 Rhfk1uL+qnVolgJYCLbNQUF9hFTaeZMHj6ZHr+t5R4IlRSyGaPSpS14j5igtJ1DOtg7e J0PQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Y9x352cLn2KmDIYYSlPTb7vfDb6lLlE3RS2tiSgVHFk=; b=RxUX8OJJXUY+xOIOVc0CT1Pr/Jai6nQUL+wbGDIf8cpPxkYlVgOBX+95NQSTSNcJgl CGmT2albcpF4bKQlpmeBLJ2XsQzdAY8XH/4ufmVyLu87R1v5yH3Z7BtJ9C2He5x8aTdb 6pFEZKT7Fg00wrf8jq9EdiFO80wFQIPS/v0w77aECxznkTWTdTIteI+zXd1Ea1W8f0lD x3mFsKXENRQR4M4WyrA8reaJVVXJcrM7m2rzaLaNS8EsWbazUKRDmyg/I+B9k+aGOOZy tXIUrjfAd/i0VzXDscTm2Hr44RH0NxCTaV+sGEMW3LBiroc35FnL75Sr6BeFA2tjNPbB VVNA==
X-Gm-Message-State: APjAAAUy4dZtcRl29Cu37vIFvRPwy1NDDVyYuiqc4+P4NBF21N+Of+ix c00lL8WftuD7hajD60pkrDLrXeEgRZGvDk9+ypm3S6Gmots=
X-Google-Smtp-Source: APXvYqxqBu1zgh313tdS4c85LIkfojYM33iw+eQI6Jfy3gGqclLcX2ZSRXFY/uYasRyVTcyHZie+PMpPG9K3r9njB4Q=
X-Received: by 2002:aa7:db04:: with SMTP id t4mr16633782eds.122.1576858121508; Fri, 20 Dec 2019 08:08:41 -0800 (PST)
MIME-Version: 1.0
References: <CALx6S34vG=L_5nw_FzxHBUy+7tbWH4dhOh8xodOfKf2oOdrarg@mail.gmail.com> <CALx6S36g6gDJNp=unQJaGoGoMxnRpbqGni=JHvPFJ3ovmuzO4A@mail.gmail.com> <077155a7-cd14-6b9e-eab9-0da00c234406@gmail.com> <CALx6S34P+5xcsw-prqk9L8Co9aqtbfcmD_PXG1EM9hY1q02J4Q@mail.gmail.com> <1e6debe8-ded1-18fb-6dcf-73a6d4818d85@gmail.com>
In-Reply-To: <1e6debe8-ded1-18fb-6dcf-73a6d4818d85@gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 20 Dec 2019 08:08:28 -0800
Message-ID: <CALx6S34x009qwipQncGC9wt=_9F0CN7kSE-z9cd8zAmF_R1c4A@mail.gmail.com>
Subject: Re: What is necessity for SRH, and other EH, insertion/removal?
To: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Cc: 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/N37_2Mji46-BJNA2hqkIrLcoLDE>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Dec 2019 16:08:45 -0000

On Fri, Dec 20, 2019 at 7:00 AM Alexandre Petrescu
<alexandre.petrescu@gmail.com> wrote:
>
>
>
> Le 19/12/2019 à 19:55, Tom Herbert a écrit :
> > On Thu, Dec 19, 2019 at 5:05 AM Alexandre Petrescu
> > <alexandre.petrescu@gmail.com> wrote:
> >>
> >>
> >>
> >> Le 18/12/2019 à 23:07, Tom Herbert a écrit :
> >>> On Sat, Dec 7, 2019 at 9:17 AM Tom Herbert <tom@herbertland.com>
> >>> wrote:
> >>>>
> >>>> Pulling this out into a separate thread. Pertinent questions are:
> >>>>
> >>>> Why is extension header insertion and removal at necessary?
> >>>>
> >>>> Why isn't the proposed alternative of IPIP encapsulation
> >>>> sufficient? (where the encapsulating headers contain the extension
> >>>> headers that would otherwise be inserted)
> >>>>
> >>> I believe that inband network telemetry (INT and IOAM ) might
> >>> provide the best motivation for extension header insertion. One of
> >>> the goals is to allow network operators to perform telemetry on
> >>> packets as they traverse their network. A telemetry header, INT or
> >>> IOAM, is put into packets on ingress to the domain and removed at
> >>> egress, and intermediate nodes modify the packet with measurement
> >>> data.
> >>>
> >>> Key requirements are that not all packets for a flow need to be
> >>> measured, and measured packets need to follow the same path as those
> >>> not measured  in order for the measurements to reflect what is
> >>> happening for the flow. IPIP encapsulation would change the hash
> >>> that ECMP uses so encapsulated packets might traverse a different
> >>> path-- therefore it's not sufficient in this case.
> >>
> >> Why would ECMP (Equal-cost multi-path routing) be influenced by an
> >> addition of an IP header (IPIP encapsulation) but not influenced by the
> >> insertion of an extension header?
> >>
> > Alexandre,
> >
> > When IP encapsulation is performed, unless the outer destination
> > happens to be the same as the inner destination, the destination
> > address will be different and hence packet can be routed over a
> > different path even with just simple destination based routing. The
> > outer source address will also presumably be different, so even if the
> > destination address were the same, the ECMP hash computed as routers
> > would still be different so packets could take a different path.
> >
> > With extension header insertion, the IP addresses are not changed.
> > Neither is the flow label, nor any transport ports. So the network
> > still routes to the same destination address, and if ECMP is in use
> > the same hash is always produced since the inputs to the hash remain
> > the same after the header insertion.
>
> But in that case (dont change src and dst addresses, just insert
> headers) then the packet would not pass through other enforced
> intermediary destinations before reaching the final destination.
>
> In such a case, there could be headers inserted but the contents in
> these headers would not be IP addresses of intermediaries, but some
> other applicatioin-layer data.
>
> If so, why would not be these data added as a payload, and not as an IP
> extension header?  I.e... encapsulate?
>
> >>> Extension header insertion would maintain the routing in ECMP
> >>> (although the fact that extension headers aren't supported in IPv4
> >>> creates another problem).
> >>
> >> ECMP distinguishes between IP headers being extension headers vs base
> >> headers?  IF yes, it should be modified to work with base headers
> >> addition as well (encapsulation IPIP).
> >
> > Some implementations might do that, but not all. In IPv6 this is
> > unnecessary since the flow label contains per flow information so
> > routers don't need to parse beyond the IPv6 header to do EMCP. Also,
> > packets must be routed based on (outer) destination address, ECMP is
> > only used to pick amongst possible paths to a destination. Even if the
> > EMCP hash computation is the same, the packets might still follow
> > different paths when destination address is different.
> >
> >>
> >>> Some of the inband telemetry implementations are already addressing
> >>> this by inserting the inband telemetry headers directly into the UDP
> >>> or TCP payload of existing packets and removing the inserted payload
> >>> bytes at the egress point. Since only transport payload is being
> >>> modified, the packets will be routed the same way as other modified
> >>> packets for a flow. The obvious problem with this approach is that
> >>> payload is being changed by intermediate nodes such that if the end
> >>> host were to ever receive the modified packet this could result in
> >>> silent data corruption of users' data. So this protocol mechanism is
> >>> fundamentally not robust and probably dangerous. I think this
> >>> actually makes extension header insertion, where the worst case
> >>> scenario is probably unexplained packet loss, look palatable!
> >>
> >> Inserting data in the packets and then measuring them - isn't it an
> >> interference with the phenomenon to be measured?
> >>
> > Yes, there certainly is some uncertainty principle effects, however I
> > imagine  not measuring the "actual" path for a flow would probably be
> > considered as invalid results.
>
> I agree.  It depends what is measured, and how the routing is realized.
>
> Some routing might put bigger packets on a different path, just because
> of their size.  This mechanism would be fooled by someone inserting
> headers because it created bigger packets.
>
> Other routing might work hand-in-hand with the header insertion
> mechanism (in same computer the process deciding a path be same process
> inserting headers).
>
> To my mind it comes down again to the concept of a limited domain: if in
> a limited domain the routing and header inserters are bound closely, and
> ends of the comm are both there, then it migh work.
>
> It might be that measurement mechanisms you mentioned, and ECMP
> (multi-path routing), and header insertion, might be appropriate in a
> limited domain.

Alexandre,

I think there's two questions that need to be answered: Is extension
header insertion needed? If it is needed, how can we make work as
robustly as possible?

For the first question, so far it seems like there's three
possibilities why header insertion is better than encapsulation:
1) The alternate routing path problem (talking about here)
2) The right address of the domain egress to set as the destination
address of encapsulation might not be known to the ingress node (i.e.,
not all networks are going to be doing source routing)
3) Header insertion might be less overhead

For segment routing I don't believe #1 or #2 apply, and the overhead
savings of #3 don't seem like a big win relative to overhead of SRH
itself which can be substantial; also the potential overhead savings
for SRH insertion is probably more like twenty-four bytes or less
since encapsulation destination address should save one address one
address routing list. Nevertheless, it's plausible there are use cases
that show a valid need for header insertion (IOAM as one example).

For the second question, IMO, if extension header insertion is needed
then it's essential that the attribution problem is addressed. It must
be clearly indicated in a packet which extension headers have been
inserted and by whom. draft-herbert-6man-eh-attrib-00 proposes an the
Attribution Option for this purpose. Please take a look.

Tom

>
> Alex
>
> >
> > Tom
> >
> >> Alex
> >>
> >>>
> >>> Tom
> >>>
> >>>> Please note, I'm asking for the technical justification of the
> >>>> protocol design, saying that it's necessary because it's already
> >>>> being deployed isn't useful in this regard.
> >>>>
> >>>> Tom
> >>>
> >>> --------------------------------------------------------------------
> >>> IETF IPv6 working group mailing list ipv6@ietf.org Administrative
> >>> Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >>> --------------------------------------------------------------------
> >>>
> >>
> >> --------------------------------------------------------------------
> >> IETF IPv6 working group mailing list
> >> ipv6@ietf.org
> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email