IETF Logo Mail Archive

Re: 6MAN WG Last Call: <draft-ietf-6man-flow-3697bis-02.txt>

Bob Hinden <bob.hinden@gmail.com> Tue, 12 April 2011 22:46 UTC

Return-Path: <bob.hinden@gmail.com>
X-Original-To: ipv6@ietfc.amsl.com
Delivered-To: ipv6@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 844E2E0859 for <ipv6@ietfc.amsl.com>; Tue, 12 Apr 2011 15:46:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.099
X-Spam-Level:
X-Spam-Status: No, score=-103.099 tagged_above=-999 required=5 tests=[AWL=0.500, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W9x4SH8bjGRo for <ipv6@ietfc.amsl.com>; Tue, 12 Apr 2011 15:46:46 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by ietfc.amsl.com (Postfix) with ESMTP id 36270E07F4 for <ipv6@ietf.org>; Tue, 12 Apr 2011 15:46:46 -0700 (PDT)
Received: by iwn39 with SMTP id 39so55075iwn.31 for <ipv6@ietf.org>; Tue, 12 Apr 2011 15:46:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:subject:mime-version:content-type:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to:x-mailer; bh=fbIZUT8+/Cvhef52oe2CiW598hGCmBF3D3flIgyG170=; b=h08Bv/sOk+IbDYGdu/i/xVpFu4HMKeZvEKpqMuMF5NbIxlLjBDGHfWhUHwG1VV1VKb dFpKkRGMrtuUcgQZ2LJHcrFvRUg38Z1woSK8KduXHh+lsK1xA8Swn2KVxkPxA+46+ysT xYSty78BGTW5y/OJkKkajVXcjtx1KagJZ4quE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; b=fU3BLaznbyvScEZnjqR/+RKk5ujaMOTVs0vEOzXW2yvEg3M+hR95Siuct4Jh5Dna58 83Jgyta8Moe/z5X88SCWttRp+qXtOq+QP1qjZoPXyUU2oWTT7hdKICPld2ASiBRsg+Yf YJ3VsiLTfnHpJMMd16QxpIB8pFWKAvF0oCQ68=
Received: by 10.42.154.131 with SMTP id q3mr694576icw.465.1302648404054; Tue, 12 Apr 2011 15:46:44 -0700 (PDT)
Received: from [172.16.224.217] ([209.97.127.34]) by mx.google.com with ESMTPS id d9sm5217329ibb.19.2011.04.12.15.46.42 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 12 Apr 2011 15:46:43 -0700 (PDT)
Subject: Re: 6MAN WG Last Call: <draft-ietf-6man-flow-3697bis-02.txt>
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Bob Hinden <bob.hinden@gmail.com>
In-Reply-To: <201104051740.p35HeoU9018197@cichlid.raleigh.ibm.com>
Date: Tue, 12 Apr 2011 15:46:41 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <46218705-942F-4483-8C2D-3E5AA1D97B25@gmail.com>
References: <E6B0E090-0FC1-482F-A7D3-E47A747539A8@gmail.com> <201104051740.p35HeoU9018197@cichlid.raleigh.ibm.com>
To: Thomas Narten <narten@us.ibm.com>
X-Mailer: Apple Mail (2.1082)
Cc: 6man Mailing List <ipv6@ietf.org>, Brian Haberman <brian@innovationslab.net>, Bob Hinden <bob.hinden@gmail.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2011 22:46:47 -0000

Thomas,

Finally catching up on email after IETF.

On Apr 5, 2011, at 10:40 AM, Thomas Narten wrote:

> Here are my detailed comments on the document. I did chat with Brian
> directly in Prague about these points as well. Overall, I support this
> document. But I think the wording in places needs another round of
> revision.
> 
>   A flow is a sequence of packets sent from a particular source to a
>   particular unicast, anycast, or multicast destination that a node
>   desires to label as a flow.  A flow could consist of all packets in a
> 
> This is a circular definition. I think it would be useful to give two
> definitions, something like the following:

Like Scott, I don't have any difficulty with the current text, nor find it circular.    My preference is to leave it as is.

I agree with the rest of your proposed changes.  Thanks for taking a another close look.

Bob


> 
>    A Flow is a sequence of packets originating from a particular
>    application that should be treated "the same" by the network as
>    they are forwarded along to their ultimate destination. Packets
>    within a flow should not be reordered, should not be given
>    dissimilar QOS treatment, etc. What constitutes a Flow can only be
>    defined by the application itself.
> 
>    At the network level, routers need to be able to identify packets
>    belonging to the same Flow in order to process them
>    consistently. At the same time, it may be beneficial to process
>    packets between the same src/destination pairs (but from different
>    application flows) differently, e.g., to support ECMP or other
>    types of load splitting.
> 
> Then:    
> 
>    Traditionally, flow classifiers have been based on the 5-tuple of the
>    source and destination addresses, ports, and the transport
>    protocol
> 
> add "flow classifiers at the network layer"
> 
>   The 20-bit Flow Label field in the IPv6 header [RFC2460] is used by a
>   node to label packets of a flow.  A Flow Label of zero is used to
>   indicate packets not part of any flow.  Packet classifiers can use
> 
> reword to say "that have not been labeled" (Packets will almost always
> be part of some Flow).
> 
>   specification.  However, any node that sets flow label values
>   according to a stateful scheme MUST ensure that packets conform to
>   Section 3 of the present specification if they are sent outside the
>   network domain using the stateful scheme.
> 
> The above wording regarding "sent outside the network domain" is
> problematic. It hints that maybe you can do things with the Flow Label
> within a domain so long as you don't send such packets outside the
> domain. We shouldn't even hint that that is acceptable. I'd suggest
> removing all references to the "stateful" flow label scheme to one
> section. And that section could be very short.
> 
>   1.  Implementers are advised that forwarding nodes, especially those
>       acting as domain border devices, might nevertheless be configured
>       to change the flow label value in packets.  This is undetectable,
>       unless some future version of IPsec authentication [RFC4302]
>       protects the flow label value.
> 
> Remove this. Again, the Flow Label is  not allowed to be modified
> accept when zero. That is all that needs to be said.
> 
>       if the packet will leave their domain.  If it is known to a
>       border router that flow labels originated within the domain are
>       not uniformly distributed, it will need to set outgoing flow
>       labels in the same manner as described for forwarding nodes in
>       Section 3.
> 
> Remove this. It agains suggests border routers will be resetting Flow
> Label values.
> 
>   o  Implementers should be aware that the flow label is an unprotected
>      field that could have been accidentally or intentionally changed
>      en route.  Implementations MUST take appropriate steps to protect
>      themselves from being vulnerable to denial of service and other
>      types of attack that could result (see Section 6.1).
> 
> Can we just move this advice to the Security Considerations section?
> IMO, we are giving it too much weight by having it in the main text.
> 
>   o  Forwarding nodes such as routers and load balancers MUST NOT
>      depend only on Flow Label values being uniformly distributed.  In
>      any usage such as a hash key for load distribution, the Flow Label
>      bits MUST be combined at least with bits from other sources within
>      the packet, so as to produce a constant hash value for each flow
>      and a suitable distribution of hash values across flows.
> 
> 
> Can't we just come out and say that routers should:
> 
> 1) use the src/dest/flow/port numbers? this is the most prefered.
> 
> 2) if you can't use the port numbers, hash on the 3 tuple.
> 
> 3) you could also say hash on teh src/dest alone as a last resort, but
> why the Flow Label RFC would suggest that isn't immediately obvious to
> me. :-)
> 
>   The use of the Flow Label field does not necessarily signal any
>   requirement on packet reordering.  Especially, the zero label does
>   not imply that significant reordering is acceptable.
> 
> The first sentence above isn't right. One SHOULD NOT reorder packets
> from the same flow. Period. 
> 
>   An IPv6 node that does not set the flow label to a non-zero value, or
>   make use of it in any way, MUST ignore it when receiving or
>   forwarding a packet.
> 
> I don't understand why this wording is in here. For the stateless
> case, nodes should simply ignore the received Flow Label value. We
> should probably just say that.
> 
>   It is desirable that flow label values should be uniformly
>   distributed to assist load distribution.  It is therefore RECOMMENDED
>   that source hosts support the flow label by setting the flow label
>   field for all packets of a given flow to the same uniformly
>   distributed pseudo-random value.  Both stateful and stateless methods
>   of assigning a pseudo-random value could be used, but it is outside
>   the scope of this specification to mandate an algorithm.  In a
>   stateless mechanism, the algorithm SHOULD ensure that the resulting
>   flow label values are unique with high probability.
> 
> I think we need to specify some recommended algorithms. They can be
> SHOULDs (rather than MUST), but saying nothing leaves things too
> unclear. In particular, if we think just doing a simple hash based on
> the port numbers (or something) is good enough, we should recommend
> that.
> 
> Also, this document should not be requiring (or  even use SHOULD) to
> say pseudo randomness is necessary. This document has not made the
> case for that.
> 
>   An OPTIONAL algorithm for generating such a pseudo-random value is
>   described in [I-D.gont-6man-flowlabel-security].
> 
>   [[ NOTE TO RFC EDITOR: The preceding sentence should be deleted, and
>   the reference should be changed to Informative, if the cited draft is
>   not on the standards track at the time of publication. ]]
> 
> I'd prefer that this document provide a suggested algorithm.
> 
>   A source node which does not otherwise set the flow label MUST set
>   its value to zero.
> 
> Better: just say that the default value should be zero, unless set
> explicitely.
> 
>   A node that forwards a flow whose flow label value in arriving
>   packets is zero MAY set the flow label value.  In that case, it is
> 
> s/MAY set/MAY change/
> 
>   A node that sets the flow label MAY also take part in a flow state
>   establishment method that results in assigning specific treatments to
>   specific flows, possibly including signaling.  Any such method MUST
>   NOT disturb nodes taking part in the stateless model just described.
>   Further details are not discussed in this document.
> 
> I don't understand what does this is really intended to mean. IMO,
> just say the first sentence, and then say the details of stateful are
> out of scope for this document.
> 
>   would cause a stateful mechanism to behave incorrectly.  For this
>   reason, stateless mechanisms should not use the flow label alone to
>   control load distribution, and stateful mechanisms should include
> 
> s/stateless mechanisms/stateless classifiers/
> 
> Thomas

v2.23.0 | Report a Bug | By Email