Re: I-D Action: draft-voyer-6man-extension-header-insertion-07.txt
Gyan Mishra <hayabusagsm@gmail.com> Mon, 14 October 2019 23:32 UTC
Return-Path: <hayabusagsm@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F749120894 for <ipv6@ietfa.amsl.com>; Mon, 14 Oct 2019 16:32:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pj5xKdABiLjU for <ipv6@ietfa.amsl.com>; Mon, 14 Oct 2019 16:31:57 -0700 (PDT)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C0481200EB for <ipv6@ietf.org>; Mon, 14 Oct 2019 16:31:57 -0700 (PDT)
Received: by mail-io1-xd36.google.com with SMTP id b19so41749349iob.4 for <ipv6@ietf.org>; Mon, 14 Oct 2019 16:31:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2cXR3CdiwX0HJISp+4P6+s+ziCLGNOMjRV4C2MOxSZ8=; b=Ma9AgFf9NrFVBEtxM6Tb2PAzhsBE1RvqRFdrVfKN0lEhM8JJuoV3LA2UTDgX+g2G2p 4LPBvxXC/wIlTNCxsfNwxjd7up5EhDK6e/BtYzQumBuhX6Ay2YfdXor14JZOZG821BhW sBCNnTORZz0f+kRnKFFCUdpmkl1KdU6DHLRJlDwj97Scz+V2AlL4KPSU9ssSmtYigDuu HnJYz1s18TMEqvKBSJWmFRzu0nRS8Oh1m93noabIgrR4dEXkzMGVoXtvV/DWSMqY+7Dr 0y6GeE0I6vWUM7Eg3TIzGxbvqZcoIwlx/EuuYGWO0YQvbLOk7tSsiAwr353TvpksjOiZ A2kA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2cXR3CdiwX0HJISp+4P6+s+ziCLGNOMjRV4C2MOxSZ8=; b=dNFTdURP0Zl8bqJ9ZWNvwZvBcAD/02iI1xHkqHMML8l1Bc58xsDN3BxrizIbhd/n7d +VmHLgPJlN5/3nPIiWAt8O0cPotXwvFn/VXOTDG7+WbwqMKhtLO+5suQFaLc+WAL2RId kUaunuklZyhZZ0V2u8Be1QlXySGfX7tMkVjLc8hYFIJu1F+7veNTAJzkGjwKBocxkBCP RWmUCVvEZgMPwljVMQ/6Yi1k4Npj9cTa2m8Q7X0fCSvlM/fpSYcF7NntMsiqVSjkKTVW BPv6H1/0KOvLMo2bLdSdHb5QVQpjbiPyOGolMSms2/SkoAsy+oHggHz6hzIi5oQpsP0C o8rA==
X-Gm-Message-State: APjAAAWQ4oovDRug0m8pqlTVxG7gBR7OnH2yqP7pPoaTFF6y4eiD72+h SAAC25BEzFw7GgRUFjui+CXArFV0QmEI/eUwjwY=
X-Google-Smtp-Source: APXvYqyXCqrKOF7/7kgxrgB6oD7CxggvOhvi3v8PCqJT1tcriPmsqW332kG6SAF3FVxEd360VK4+U4FpwfaeujfcSKc=
X-Received: by 2002:a92:d652:: with SMTP id x18mr3062481ilp.58.1571095916203; Mon, 14 Oct 2019 16:31:56 -0700 (PDT)
MIME-Version: 1.0
References: <156903961333.5092.16807379687598480151@ietfa.amsl.com> <c9702ec2-61d9-66e4-1d2c-d462eaf00f21@gmail.com> <CALx6S37TrL_SsJ3o1FqzskZ4xqyDo8AeHDhXiKpPTd2e8vP_sw@mail.gmail.com> <CAO42Z2w+ZS55QzbSJ=vEcbWpyWKx2wS+O2QSSwHEOVLz1WQR6g@mail.gmail.com> <CALx6S37gwTuW1yF=Z_EchozBJMQ+29XZYGE3WT5FJg+ko9dDdw@mail.gmail.com> <CAO42Z2zOie5c+zvq4iR5wu9G92XoE39uQo_UeQJyKK_rP=fHPg@mail.gmail.com>
In-Reply-To: <CAO42Z2zOie5c+zvq4iR5wu9G92XoE39uQo_UeQJyKK_rP=fHPg@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Mon, 14 Oct 2019 19:31:43 -0400
Message-ID: <CABNhwV2GYdf7jQW2JjhzfbZ9Deekw7KUngCmx+8DK3roEne2iQ@mail.gmail.com>
Subject: Re: I-D Action: draft-voyer-6man-extension-header-insertion-07.txt
To: Mark Smith <markzzzsmith@gmail.com>
Cc: 6man WG <ipv6@ietf.org>, Tom Herbert <tom@herbertland.com>
Content-Type: multipart/alternative; boundary="000000000000fe54510594e74567"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/PDd_M2dXMdxAjX7p8eNlVo7NGOI>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Oct 2019 23:32:02 -0000
On Mon, Oct 14, 2019 at 6:56 PM Mark Smith <markzzzsmith@gmail.com> wrote: > Hi Tom, > > On Tue, 15 Oct 2019 at 08:53, Tom Herbert <tom@herbertland.com> wrote: > > > > On Mon, Oct 14, 2019 at 2:15 PM Mark Smith <markzzzsmith@gmail.com> > wrote: > > > > > > Now that tunnelling has been accepted, and that a distinct IP tunnel > could be created for each segment, 1:1, with tunnel/segment heads or tails > being the place where the SRH can be created or transferred, with or > without modification, or over from the previous segment/tunnel, which does > comply with RFC8200 (as tunnel endpoints are IPv6 hosts), there is no > functional need for mid-tunnel anonymous insertion. > > > > > Mark, > > > > I would tend to agree. It seems that the only purported benefit of SR > > insertion over tunneling is that it saves packet overhead. But I don't > > think that really pans out. In insertion without attribution, the > > difference is twenty-four bytes overhead, but if attribution is done > > (like node modifying the packet puts it address in it somewhere), then > > the overhead is as little as eight bytes (possibly even less if there > > is only one entry in the SID list). Relative to the potential large > > size of the SRH itself, I don't seethe potential savings in overhead > > to be very impressive especially relative to the complexities of > > defining a robust and secure protocol for EH insertion. > > > > Once an IPv6 tunnel is considered a link-layer (because it is and is > being used that way), then there are opportunities to perform forms of > compression on the inner payload packet to reduce overhead between the > tunnel end-points, as link-layers don't process payloads (nothing new > here, no lower layers are supposed to process their upper layer > payloads at any layer). > > I don't know much about it, however it looks like Robust Header > Compression (RoHC) could be used (RFC5795) to compress the inner > packet headers while the packet is in flight across the current IPv6 > tunnel/SR segment/virtual link. A quick Internet search finds a few > implementations, including a couple of open source ones. > > RoHC might be too stateful or not able to be performed fast enough on > high speed links. The following method is stateless, takes advantage > of IPv6 networks having many /64s, using them to identify tunnel > endpoints (rather than /128s), and leverages the common fields and > field semantics between the inner and outer header, using the outer > header fields as proxies for the inner header fields while the packets > are in flight. > > "Skinny IPv6 in IPv6 Tunnelling" > https://tools.ietf.org/html/draft-smith-skinny-ipv6-in-ipv6-tunnelling-00 > > As long as it provides attribution (the source /64 in its case), and > is fully reverseable, excepting the mutable Traffic Class and Flow > Label fields, I think it too could be an option to reduce inner packet > overhead if 128 bit SIDs are used. > > Regards, > Mark. > > [Gyan] unfortunately we would have multiple EH insertions so that GRE > tunnel won’t work. In that stick diagram I had sent the 1st EH insertion is on the ingress PE of the SRv6 domain and then for Ti-LFA at the PLR (point of local repair) for IP fast reroute backup path a 2nd EH insertion which would be at mid point somewhere along the path to the 1st outer tunnel endpoint so you would have at a minimum 2 encapsulations in following RFC 8200. So 6in6 tunnel won’t work unfortunately. > I think the only viable option is the using a virtual interface like a loopback for the /64 SID to be in compliance with RFC 8200. Gyan > > > > > > > Tom > > > > > > > So what is the reason to persist with it? It doesn't make sense to me > that people are clinging to an idea that has so many flaws and > contradictions to standard behaviour, when there is a method that works > without these flaws and contradictions. > > > > > > Determining whether or not to perform deeper packet processing (SRH > processing in this case) on a packet, using the packets' DA, is > conventional, traditional, and implemented in billions of deployed devices, > both hosts and routers. > > > > > > Contrast that with a device having to purposely ignore literally every > packets' DA that it looks at, to search all of those packets for an SRH to > then determine if it should perform SR processing on it. Unconventional, > non-traditional, and a capability I'd guess is likely to be deployed in way > less than 10 000 devices, and likely less than 1000. > > > > > > Not updating SAs after packet modification, and having to purposely > ignoring packets' DAs, is down a rat hole that NAT also lives in. > > > > > > Regards, > > > Mark. > > > > > > On Tue, 15 Oct 2019, 02:54 Tom Herbert, <tom@herbertland.com> wrote: > > >> > > >> On Sat, Oct 12, 2019 at 2:58 PM Brian E Carpenter > > >> <brian.e.carpenter@gmail.com> wrote: > > >> > > > >> > Hi, > > >> > > > >> > I'd like to comment on this version. It is in fact a complete > rewrite compared to > > >> > its predecessors and I thank the authors for that. The tone is now > purely technical, > > >> > and that's a great improvement. > > >> > > > >> > It's also, IMHO, accurate in its statements about the relationship > with RFC 8200. > > >> > In particular: > > >> > > > >> > > Action 2 inserts an SRH in a packet within the SR domain at a > node > > >> > > not in the destination address, and inserts more than one SRH > in a > > >> > > packet. This does not appear to be permitted by the statements > > >> > > quoted above from RFC8200. However, the restrictions above > are not > > >> > > applicable within the SR domain. Every source node > participating in > > >> > > the SR domain expects SRH insertion, relies on it for services > > >> > > provided by the SR domain, correctly processes ICMP errors, and > > >> > > according to RFC8200 must process multiple SRH in the same > packet. > > >> > > > >> > That statement "the restrictions above are not applicable within > the SR domain" > > >> > is (it seems to me) a normative statement. It might be even clearer > to state it > > >> > as such: > > >> > ...the restrictions above SHOULD NOT be applied within the SR > domain. > > >> > > > >> Brian, > > >> > > >> Dissecting this a bit: > > >> > > >> "Every source node participating in the SR domain expects SRH > insertion" > > >> > > >> That is awfully inclusive and seems to be retroactively creating a > > >> fundamental property of SR domains. Also, no opt out form source? I > > >> would expect that in most use cases, probably all in deployment today, > > >> the SR EH is set at the ingress node into the SR domain and describes > > >> the path to egress. The fact that some intermediate node might insert > > >> an EH could conceivably be a security issue in such deployments more > > >> than anything. IMO, if EH is allowed then source nodes should be able > > >> to opt out, or even better EH insertion should always be opt in from > > >> the source. If a source node wishes to enforce that no EHs are > > >> inserted it can do that with AH (assuming that AH were properly > > >> specified to interact with SRH).. > > >> > > >> The draft also states that the source and destination are required to > > >> be in the same SR domain for EH insertion. This needs to be specified > > >> as a MUST. The obvious question this raises is: how does an > > >> intermediate node know that a source and destination are in the SR > > >> domain? I would infer that the authors are probably assuming that this > > >> can be done by specifying a prefix for the SR domain or maybe a > > >> whitelist of addresses? This is easy enough to propose, but on a > > >> network of even moderate scale I'm not convinced it's manageable. I > > >> suggest an alternative is for the source node to mark packets for > > >> which EH insertion is permissible (i.e. the opt in model). This could > > >> be done for instance by the source setting a null SR header (no SIDs) > > >> with a flag that indicates EH insert is permitted. > > >> > > >> "correctly processes ICMP errors" > > >> > > >> That presumes that correct processing of ICMP errors is well defined. > > >> Consider this scenario: > > >> > > >> An intermediate node inserts an SRH with HMAC, a subsequent downstream > > >> node attempts to verify the HMAC and fails to verify. The downstream > > >> node sends an ICMP packet back to the source. What is source supposed > > >> to do with this ICMP error? (note this is just one scenario, the > > >> general case is how to deal with ICMP errors sent because of error in > > >> the inserted EH). There is nothing that source host can do within the > > >> protocol to avoid further occurrences of the error. At best they'll > > >> log it, but since there's no attribution so now somebody someone needs > > >> to track down who is inserting the EH-- in a complex network that may > > >> be non-trivial. > > >> > > >> Attribution is critical. One obvious way to address this would be for > > >> the node inserting the EH to put its address into the SRH, but then > > >> that reduces the overhead savings of SR EH insertion compared to > > >> encapsulation to be just eight bytes (destination address in > > >> encapsulation is same as last address in insert SID list). IMO, it > > >> would be better to just do encapsulation instead. > > >> > > >> Another hole is correct ICMP processing is reflected in: > > >> > > >> "The SR domain ingress edge processing the ICMP error SHOULD log the > > >> error and decrement the ingress edge MTU for traffic traversing the SR > > >> domain (if it's greater than the IPv6 minimum MTU of 1280 bytes)" > > >> > > >> Okay, but what if the source _is_ already at minimum MTU for PMTU? > > >> Note that SRH can be hundreds of byte and now with insertion there can > > >> be multiple SRHs of these is a packet, I don't think this is something > > >> that can be easily dismissed with the typical assumption that all > > >> networks can just set MTUs large enough. > > >> > > >> "However, the restrictions above are not applicable within the SR > domain" > > >> > > >> I think the wording here is wrong for the intent of the draft. All the > > >> normative "MUSTs" in RFC8200 and other appropriate standards are > > >> applicable to _all_ use cases of the protocol. I see no provision in > > >> RFC8200 that its requirements, like prohibition of EH insertion, are > > >> conditional based on the environment in which the protocol is > > >> deployed. So RFC8200 is applicable in SR domains, limited domains, and > > >> the Internet. IMO, this draft is trying to justify an exception to the > > >> requirements and should be written as such. Presumably, the exception > > >> might be palatable if it maintains robustness, interoperability, and > > >> spirit of requirements of RFC8200. > > >> > > >> Tom > > >> > > >> > > the SR domain expects SRH insertion > > >> > Clearly it's a WG question whether on not we want to put this on > the standards > > >> > track. I hope we can discuss it as a technical question. My > subsidiary > > >> > question is: does the description of an SR domain (here and in > RFC8402) > > >> > provide enough security and operational assurance that this SHOULD > NOT is > > >> > safe? > > >> > > > >> Hi Brain, > > >> > > >> > > >> > > >> > Regards > > >> > Brian Carpenter > > >> >j > > >> > On 21-Sep-19 16:20, internet-drafts@ietf.org wrote: > > >> > > > > >> > > A New Internet-Draft is available from the on-line > Internet-Drafts directories. > > >> > > > > >> > > > > >> > > Title : Insertion of IPv6 Segment Routing > Headers in a Controlled Domain > > >> > > Authors : Daniel Voyer > > >> > > Clarence Filsfils > > >> > > Darren Dukes > > >> > > Satoru Matsushima > > >> > > John Leddy > > >> > > Filename : > draft-voyer-6man-extension-header-insertion-07.txt > > >> > > Pages : 13 > > >> > > Date : 2019-09-20 > > >> > > > > >> > > Abstract: > > >> > > Traffic traversing an SR domain is encapsulated in an outer > IPv6 > > >> > > header for its journey through the SR domain. > > >> > > > > >> > > To implement transport services strictly within the SR domain, > the SR > > >> > > domain may require insertion or removal of an SRH after the > outer > > >> > > IPv6 header of the SR domain. Any segment within the SRH is > strictly > > >> > > contained within the SR domain. > > >> > > > > >> > > The SR domain always preserves the end-to-end integrity of > traffic > > >> > > traversing it. No extension header is manipulated, inserted or > > >> > > removed from an inner transported packet. The packet leaving > the SR > > >> > > domain is exactly the same (except for the hop-limit update) > as the > > >> > > packet entering the SR domain. > > >> > > > > >> > > The SR domain is designed with link MTU sufficiently greater > than the > > >> > > MTU at the ingress edge of the SR domain. > > >> > > > > >> > > > > >> > > > > >> > > The IETF datatracker status page for this draft is: > > >> > > > https://datatracker.ietf.org/doc/draft-voyer-6man-extension-header-insertion/ > > >> > > > > >> > > There are also htmlized versions available at: > > >> > > > https://tools.ietf.org/html/draft-voyer-6man-extension-header-insertion-07 > > >> > > > https://datatracker.ietf.org/doc/html/draft-voyer-6man-extension-header-insertion-07 > > >> > > > > >> > > A diff from the previous version is available at: > > >> > > > https://www.ietf.org/rfcdiff?url2=draft-voyer-6man-extension-header-insertion-07 > > >> > > > > >> > > > > >> > > Please note that it may take a couple of minutes from the time of > submission > > >> > > until the htmlized version and diff are available at > tools.ietf.org. > > >> > > > > >> > > Internet-Drafts are also available by anonymous FTP at: > > >> > > ftp://ftp.ietf.org/internet-drafts/ > > >> > > > > >> > > _______________________________________________ > > >> > > I-D-Announce mailing list > > >> > > I-D-Announce@ietf.org > > >> > > https://www.ietf.org/mailman/listinfo/i-d-announce > > >> > > Internet-Draft directories: http://www.ietf.org/shadow.html > > >> > > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > >> > > > > >> > > > >> > -------------------------------------------------------------------- > > >> > IETF IPv6 working group mailing list > > >> > ipv6@ietf.org > > >> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > > >> > -------------------------------------------------------------------- > > >> > > >> -------------------------------------------------------------------- > > >> IETF IPv6 working group mailing list > > >> ipv6@ietf.org > > >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > > >> -------------------------------------------------------------------- > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- > -- Gyan S. Mishra IT Network Engineering & Technology Verizon Communications Inc. (VZ) 13101 Columbia Pike FDC1 3rd Floor Silver Spring, MD 20904 United States Phone: 301 502-1347 Email: gyan.s.mishra@verizon.com www.linkedin.com/in/networking-technologies-consultant
- Re: I-D Action: draft-voyer-6man-extension-header… Brian E Carpenter
- Re: I-D Action: draft-voyer-6man-extension-header… Tom Herbert
- Re: I-D Action: draft-voyer-6man-extension-header… Brian E Carpenter
- Re: I-D Action: draft-voyer-6man-extension-header… Mark Smith
- Re: I-D Action: draft-voyer-6man-extension-header… Tom Herbert
- Re: I-D Action: draft-voyer-6man-extension-header… Fernando Gont
- Re: I-D Action: draft-voyer-6man-extension-header… Fernando Gont
- Re: I-D Action: draft-voyer-6man-extension-header… Fernando Gont
- Re: I-D Action: draft-voyer-6man-extension-header… Mark Smith
- Re: I-D Action: draft-voyer-6man-extension-header… Gyan Mishra
- Re: I-D Action: draft-voyer-6man-extension-header… Mark Smith
- Re: I-D Action: draft-voyer-6man-extension-header… Alexandre Petrescu
- Re: I-D Action: draft-voyer-6man-extension-header… Tom Herbert
- Re: I-D Action: draft-voyer-6man-extension-header… Gyan Mishra
- Re: I-D Action: draft-voyer-6man-extension-header… Gyan Mishra
- Re: I-D Action: draft-voyer-6man-extension-header… Mark Smith
- Re: I-D Action: draft-voyer-6man-extension-header… Alexandre Petrescu
- Re: I-D Action: draft-voyer-6man-extension-header… Tom Herbert
- Re: I-D Action: draft-voyer-6man-extension-header… Alexandre Petrescu
- Re: I-D Action: draft-voyer-6man-extension-header… Tom Herbert
- Re: I-D Action: draft-voyer-6man-extension-header… Gyan Mishra