Re: 6MAN WG Last Call: <draft-ietf-6man-flow-3697bis-02.txt>
Bob Hinden <bob.hinden@gmail.com> Tue, 12 April 2011 22:46 UTC
Return-Path: <bob.hinden@gmail.com>
X-Original-To: ipv6@ietfc.amsl.com
Delivered-To: ipv6@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 844E2E0859 for <ipv6@ietfc.amsl.com>; Tue, 12 Apr 2011 15:46:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.099
X-Spam-Level:
X-Spam-Status: No, score=-103.099 tagged_above=-999 required=5 tests=[AWL=0.500, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W9x4SH8bjGRo for <ipv6@ietfc.amsl.com>; Tue, 12 Apr 2011 15:46:46 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by ietfc.amsl.com (Postfix) with ESMTP id 36270E07F4 for <ipv6@ietf.org>; Tue, 12 Apr 2011 15:46:46 -0700 (PDT)
Received: by iwn39 with SMTP id 39so55075iwn.31 for <ipv6@ietf.org>; Tue, 12 Apr 2011 15:46:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:subject:mime-version:content-type:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to:x-mailer; bh=fbIZUT8+/Cvhef52oe2CiW598hGCmBF3D3flIgyG170=; b=h08Bv/sOk+IbDYGdu/i/xVpFu4HMKeZvEKpqMuMF5NbIxlLjBDGHfWhUHwG1VV1VKb dFpKkRGMrtuUcgQZ2LJHcrFvRUg38Z1woSK8KduXHh+lsK1xA8Swn2KVxkPxA+46+ysT xYSty78BGTW5y/OJkKkajVXcjtx1KagJZ4quE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; b=fU3BLaznbyvScEZnjqR/+RKk5ujaMOTVs0vEOzXW2yvEg3M+hR95Siuct4Jh5Dna58 83Jgyta8Moe/z5X88SCWttRp+qXtOq+QP1qjZoPXyUU2oWTT7hdKICPld2ASiBRsg+Yf YJ3VsiLTfnHpJMMd16QxpIB8pFWKAvF0oCQ68=
Received: by 10.42.154.131 with SMTP id q3mr694576icw.465.1302648404054; Tue, 12 Apr 2011 15:46:44 -0700 (PDT)
Received: from [172.16.224.217] ([209.97.127.34]) by mx.google.com with ESMTPS id d9sm5217329ibb.19.2011.04.12.15.46.42 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 12 Apr 2011 15:46:43 -0700 (PDT)
Subject: Re: 6MAN WG Last Call: <draft-ietf-6man-flow-3697bis-02.txt>
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Bob Hinden <bob.hinden@gmail.com>
In-Reply-To: <201104051740.p35HeoU9018197@cichlid.raleigh.ibm.com>
Date: Tue, 12 Apr 2011 15:46:41 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <46218705-942F-4483-8C2D-3E5AA1D97B25@gmail.com>
References: <E6B0E090-0FC1-482F-A7D3-E47A747539A8@gmail.com> <201104051740.p35HeoU9018197@cichlid.raleigh.ibm.com>
To: Thomas Narten <narten@us.ibm.com>
X-Mailer: Apple Mail (2.1082)
Cc: 6man Mailing List <ipv6@ietf.org>, Brian Haberman <brian@innovationslab.net>, Bob Hinden <bob.hinden@gmail.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2011 22:46:47 -0000
Thomas, Finally catching up on email after IETF. On Apr 5, 2011, at 10:40 AM, Thomas Narten wrote: > Here are my detailed comments on the document. I did chat with Brian > directly in Prague about these points as well. Overall, I support this > document. But I think the wording in places needs another round of > revision. > > A flow is a sequence of packets sent from a particular source to a > particular unicast, anycast, or multicast destination that a node > desires to label as a flow. A flow could consist of all packets in a > > This is a circular definition. I think it would be useful to give two > definitions, something like the following: Like Scott, I don't have any difficulty with the current text, nor find it circular. My preference is to leave it as is. I agree with the rest of your proposed changes. Thanks for taking a another close look. Bob > > A Flow is a sequence of packets originating from a particular > application that should be treated "the same" by the network as > they are forwarded along to their ultimate destination. Packets > within a flow should not be reordered, should not be given > dissimilar QOS treatment, etc. What constitutes a Flow can only be > defined by the application itself. > > At the network level, routers need to be able to identify packets > belonging to the same Flow in order to process them > consistently. At the same time, it may be beneficial to process > packets between the same src/destination pairs (but from different > application flows) differently, e.g., to support ECMP or other > types of load splitting. > > Then: > > Traditionally, flow classifiers have been based on the 5-tuple of the > source and destination addresses, ports, and the transport > protocol > > add "flow classifiers at the network layer" > > The 20-bit Flow Label field in the IPv6 header [RFC2460] is used by a > node to label packets of a flow. A Flow Label of zero is used to > indicate packets not part of any flow. Packet classifiers can use > > reword to say "that have not been labeled" (Packets will almost always > be part of some Flow). > > specification. However, any node that sets flow label values > according to a stateful scheme MUST ensure that packets conform to > Section 3 of the present specification if they are sent outside the > network domain using the stateful scheme. > > The above wording regarding "sent outside the network domain" is > problematic. It hints that maybe you can do things with the Flow Label > within a domain so long as you don't send such packets outside the > domain. We shouldn't even hint that that is acceptable. I'd suggest > removing all references to the "stateful" flow label scheme to one > section. And that section could be very short. > > 1. Implementers are advised that forwarding nodes, especially those > acting as domain border devices, might nevertheless be configured > to change the flow label value in packets. This is undetectable, > unless some future version of IPsec authentication [RFC4302] > protects the flow label value. > > Remove this. Again, the Flow Label is not allowed to be modified > accept when zero. That is all that needs to be said. > > if the packet will leave their domain. If it is known to a > border router that flow labels originated within the domain are > not uniformly distributed, it will need to set outgoing flow > labels in the same manner as described for forwarding nodes in > Section 3. > > Remove this. It agains suggests border routers will be resetting Flow > Label values. > > o Implementers should be aware that the flow label is an unprotected > field that could have been accidentally or intentionally changed > en route. Implementations MUST take appropriate steps to protect > themselves from being vulnerable to denial of service and other > types of attack that could result (see Section 6.1). > > Can we just move this advice to the Security Considerations section? > IMO, we are giving it too much weight by having it in the main text. > > o Forwarding nodes such as routers and load balancers MUST NOT > depend only on Flow Label values being uniformly distributed. In > any usage such as a hash key for load distribution, the Flow Label > bits MUST be combined at least with bits from other sources within > the packet, so as to produce a constant hash value for each flow > and a suitable distribution of hash values across flows. > > > Can't we just come out and say that routers should: > > 1) use the src/dest/flow/port numbers? this is the most prefered. > > 2) if you can't use the port numbers, hash on the 3 tuple. > > 3) you could also say hash on teh src/dest alone as a last resort, but > why the Flow Label RFC would suggest that isn't immediately obvious to > me. :-) > > The use of the Flow Label field does not necessarily signal any > requirement on packet reordering. Especially, the zero label does > not imply that significant reordering is acceptable. > > The first sentence above isn't right. One SHOULD NOT reorder packets > from the same flow. Period. > > An IPv6 node that does not set the flow label to a non-zero value, or > make use of it in any way, MUST ignore it when receiving or > forwarding a packet. > > I don't understand why this wording is in here. For the stateless > case, nodes should simply ignore the received Flow Label value. We > should probably just say that. > > It is desirable that flow label values should be uniformly > distributed to assist load distribution. It is therefore RECOMMENDED > that source hosts support the flow label by setting the flow label > field for all packets of a given flow to the same uniformly > distributed pseudo-random value. Both stateful and stateless methods > of assigning a pseudo-random value could be used, but it is outside > the scope of this specification to mandate an algorithm. In a > stateless mechanism, the algorithm SHOULD ensure that the resulting > flow label values are unique with high probability. > > I think we need to specify some recommended algorithms. They can be > SHOULDs (rather than MUST), but saying nothing leaves things too > unclear. In particular, if we think just doing a simple hash based on > the port numbers (or something) is good enough, we should recommend > that. > > Also, this document should not be requiring (or even use SHOULD) to > say pseudo randomness is necessary. This document has not made the > case for that. > > An OPTIONAL algorithm for generating such a pseudo-random value is > described in [I-D.gont-6man-flowlabel-security]. > > [[ NOTE TO RFC EDITOR: The preceding sentence should be deleted, and > the reference should be changed to Informative, if the cited draft is > not on the standards track at the time of publication. ]] > > I'd prefer that this document provide a suggested algorithm. > > A source node which does not otherwise set the flow label MUST set > its value to zero. > > Better: just say that the default value should be zero, unless set > explicitely. > > A node that forwards a flow whose flow label value in arriving > packets is zero MAY set the flow label value. In that case, it is > > s/MAY set/MAY change/ > > A node that sets the flow label MAY also take part in a flow state > establishment method that results in assigning specific treatments to > specific flows, possibly including signaling. Any such method MUST > NOT disturb nodes taking part in the stateless model just described. > Further details are not discussed in this document. > > I don't understand what does this is really intended to mean. IMO, > just say the first sentence, and then say the details of stateful are > out of scope for this document. > > would cause a stateful mechanism to behave incorrectly. For this > reason, stateless mechanisms should not use the flow label alone to > control load distribution, and stateful mechanisms should include > > s/stateless mechanisms/stateless classifiers/ > > Thomas
- 6MAN WG Last Call: <draft-ietf-6man-flow-3697bis-… Bob Hinden
- Re: 6MAN WG Last Call: <draft-ietf-6man-flow-3697… Thomas Narten
- Re: 6MAN WG Last Call: <draft-ietf-6man-flow-3697… Brian E Carpenter
- Re: 6MAN WG Last Call: <draft-ietf-6man-flow-3697… Scott Brim
- Re: 6MAN WG Last Call: <draft-ietf-6man-flow-3697… Thomas Narten
- Re: 6MAN WG Last Call: <draft-ietf-6man-flow-3697… Scott Brim
- Re: 6MAN WG Last Call: <draft-ietf-6man-flow-3697… Brian E Carpenter
- Re: 6MAN WG Last Call: <draft-ietf-6man-flow-3697… Bob Hinden
- Re: 6MAN WG Last Call: <draft-ietf-6man-flow-3697… Brian E Carpenter
- Re: 6MAN WG Last Call: <draft-ietf-6man-flow-3697… Thomas Narten