IETF Logo Mail Archive

Re: Re: I-D Action: draft-smith-6man-in-flight-eh-insertion-harmful-00.txt

Mark Smith <markzzzsmith@gmail.com> Mon, 14 October 2019 06:19 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20BE1120099 for <ipv6@ietfa.amsl.com>; Sun, 13 Oct 2019 23:19:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.503
X-Spam-Level:
X-Spam-Status: No, score=0.503 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wqto4lbcnu_3 for <ipv6@ietfa.amsl.com>; Sun, 13 Oct 2019 23:18:59 -0700 (PDT)
Received: from mail-ot1-x332.google.com (mail-ot1-x332.google.com [IPv6:2607:f8b0:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17F51120041 for <ipv6@ietf.org>; Sun, 13 Oct 2019 23:18:59 -0700 (PDT)
Received: by mail-ot1-x332.google.com with SMTP id o44so12837914ota.10 for <ipv6@ietf.org>; Sun, 13 Oct 2019 23:18:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vEzMFV9p5jYtMAswIP3vTZ3tR8i9Zmxg/ckyA0eMPE0=; b=lxYX4Y+wOEflwLRPaB/5opKGfee5J9fK6tnxzm+IGuOd4Ye/j0Sg+rXvJll7zQi+n6 MsgJto0FFK8KN6250u0qrFLYFlmnSh/Gyk+7ZRpdLQwzx1NYeFavoY1dVt0NXfU/8nQa v/FfwIafoLUefZs1NM8BDEe6vHLvtVzR9BAxnxYyntFi5CjBFWqT/apek7ysT8iY3qQl 58HbutzB4ZFMLZtv/+o41bSN0L98U8BKFQ1/FfNYgeKqosHCZS5ImeeFMwKzRwvKPA0J UX//squLve+eDLSFdlU+Ajp9XAWOmr9W/1b/BsdWmSpTeMNgG+qOh1KofDEC9DC5cKgE bFfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vEzMFV9p5jYtMAswIP3vTZ3tR8i9Zmxg/ckyA0eMPE0=; b=sdSndktm7A1QgVHumNTP5Ey4VHDiuzye2KvbFtzhYIY9jjbvRqwPmfhOqUo32nGIUm t9Y1wcn4G2m5HX/1Yf+xb5WQWPGllYeeZGRYmZYN1REG6JxuYLPXMJFSnex5M72vvOxc KX+Dh6DM1djNZ1O1Ji+8RHRrbvRs83DcIhVjTZ9/MlBH8KHP4ulQhg9mheJ9F6osaxXR LrkO39US+4xpZmlfyJdK4vlXvcX8p2iq8s62b4/7dK8bNxFtDtSYHl5urwRN3xzluoka ko19EWteo9joUKf3Nlv7GQMigS4+zqs4ob9BkMjBkKH8AyNNE02TjJMGFcoaz8SMtzdf luTw==
X-Gm-Message-State: APjAAAVvmehC7Pimp+Hl12j2Y9hxfv3juFS2U6A3E4UHoLP0VWLoQSMB /LFq9p02s2ijKA0KgPwdE9Sf68MnI11gDdwE5fU=
X-Google-Smtp-Source: APXvYqwB9sOPDtEs9ZQtSaXqu1+0wISpk+8h/wfCV8NMaUmMYDUY2fESVclZfGhxa5rE4pKgcDtM0MaIPBXiQd2UepM=
X-Received: by 2002:a9d:5544:: with SMTP id h4mr10266147oti.94.1571033938399; Sun, 13 Oct 2019 23:18:58 -0700 (PDT)
MIME-Version: 1.0
References: <79F13DA9-2B14-4885-B0E4-272EFB0E25FC@gmail.com> <HK0PR03MB4066B72F338821CD93E6ADD7FC900@HK0PR03MB4066.apcprd03.prod.outlook.com>
In-Reply-To: <HK0PR03MB4066B72F338821CD93E6ADD7FC900@HK0PR03MB4066.apcprd03.prod.outlook.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Mon, 14 Oct 2019 17:18:46 +1100
Message-ID: <CAO42Z2xFk7cJOP2-AuFhZWN7LY6nphnqarv5s26ae-oM=_e5xA@mail.gmail.com>
Subject: Re: Re: I-D Action: draft-smith-6man-in-flight-eh-insertion-harmful-00.txt
To: li zhenqiang <li_zhenqiang@hotmail.com>
Cc: Gyan Mishra <hayabusagsm@gmail.com>, 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d414090594d8d703"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/RVgra4Rza4o6-Wa7ByVfK1vX-70>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Oct 2019 06:19:01 -0000

On Mon, 14 Oct 2019, 13:05 li zhenqiang, <li_zhenqiang@hotmail.com> wrote:

> Hi Gyan,
>
> In my understanding, MPLS Label insertion is more like encapsulation,
> because the outer header is handled, one more label is added at the top.
> For SRv6 SRH insertion, the outer IPv6 header is still used, only
> destination address is updated when SRH is inserted.
>


So the SA of this packet is now a lie.


> In your exmaple, if P2 performs SRv6 Ti-LFA by adding one more outer IPv6
> header, this is similar to MPLS label insertion.
>

There is no such thing as label insertion in MPLS.


> Best Regards,
> Zhenqiang Li
> ------------------------------
> li_zhenqiang@hotmail.com
>
>
> *From:* Gyan Mishra <hayabusagsm@gmail.com>
> *Date:* 2019-10-14 00:03
> *To:* Gyan Mishra <hayabusagsm@gmail.com>
> *CC:* 6man <ipv6@ietf.org>
> *Subject:* Re: I-D Action:
> draft-smith-6man-in-flight-eh-insertion-harmful-00.txt
>
> Mark
>
> In tried to add this comment in-line but does not look like it came
> through.
>
> See below
>
> Comparing MPLS in flight label insertion to SRv6 in flight EH insertion
> below:
>
> We will use the Service Provider scenario for SRv6 to compare apples to
> apples use case since SRv6 has a much wider scope as it pertains to IPv6
> data plane traffic engineering capabilities.
>
> Typical SP mpls core / SRv6 core with L3 VPN services CEs attached.
>
> So for both scenarios the the packet originates from the customer network.
>
> CE - customer edge originating packet
> PE1 - ingress PE device performing label imposition or EH insertion for
> SRH header
> P2 - LDP Remote LFA PLR node/path protection
> Performs LDP tunneling to PQ node by inserting MPLS label for FRR link and
> node protection. For SRv6 Ti-LFA PLR node performs EH SRH header insertion
> for the “LFA” backup protected path during a link or node failure
> P3 - PQ node tunnel for R-LFA
> P4 - egress P performing MPLS PHP pop implicit null value 3 or SRv6 PSP
> SRH segment pop and removal of SRH EH header type 4
> PE2 - egress PE label disposition of bottom of stack L3 VPN  labels for
> MPLS use case
>
> CE - PE1 - P1 - P2 - P3 - P4 - PE2 - CE
>
> So in both cases the MPLS LDP or SRv6 domain the MPLS PE does in flight
> label imposition similar to SRv6 on the same ingress PE SRv6 does in flight
> SRv6 EH SRH Routing header type 4 insertion.
>
> So in both cases the MPLS LDP or SRv6 domain the MPLS P2 “IP FRR PLR node”
>  does in flight label imposition similar to SRv6 on the same  P2 node SRv6
> does in flight SRv6 EH SRH Routing header type 4 insertion as well for
> Ti-LFA 50ms FRR link and node protection.
>
> So basically both MPLS and SRv6 perform in flight insertion of a header
> mpls 4 byte shim for mpls scenario and SRv6 EH SRH Routing header type 4
> influencing the packet.
>
> The major difference with mpls and why that in flight label insertion has
> never been an issue is that MPLS is considered “Layer 2 1/2” due to the
> label stack being placed between the L2 link layer header and the L3
> header.  So impact to routing related to mpls shim not being removed or
> security implications don’t exist since in the mpls core you are not IP
> routing you are “label switching” so forwarding plane is at that “layer 2
> 1/2” swapping the local label with remote label along the LSP path to FEC
> destination.
>
> With SRv6 since the EH headers are all inserted after the IPv6 header and
> before the transport header their are MAJOR security implications with EH
> headers not being removed as the EH headers are part of the L3 routing
> functionality.
>
> One other major impact to EH insertion in flight with IPv6 is that SRv6
> can be used ubiquitously in almost any scenario where traffic engineering
> is required.
>
> With mpls the downside but from a security perspective upside as why mpls
> label imposition insertion in flight is not impacting is that with mpls
> state has to be maintained hop by hop for mpls data plane forwarding plane
> with either LDP or TE topmost label so mpls forwarding plane due to this
> “mpls state” LFIB dependency cannot exist outside of the mpls domain the
> egress P must to a PHP or if Default implicit null mpls label value type 3
> is used or explicit null where the label is preserved on the egress P and
> popped on the egress PE along with the entire label stack is popped “label
> disposition” so the egress PE on the PE-CE link can forward as native IP
> packet..
>
>
> RFC R-LFA used with MPLS LDP IP FRR
>
> https://datatracker.ietf.org/doc/rfc7490/
>
> What I think needs to change and we need to discuss with Spring folks is
> on the PLR node doing the 2nd EH insertion for Ti-LFA  to achieve link and
> node protection 50ms failover they need to do another IPV6 header
> encapsulation.
>
> So the ingress PE in SRv6 domain would add the 1st outer layer IPv6 header
> but then on the Ti-LFA node now we would require from a 6MAN RFC 8200 a 2nd
> IPv6 encapsulation and the FRR steering would be done through the PQ node
> via the 2nd encapsulation and and the PQ node would remove the 2nd
> encapsulation which would contain the SRH Ti-LFA SID list for the traffic
> engineered path.
>
> In the Voyer draft addressing EH insertion we should also have them make a
> bore that Ti-LFA would not exist in every scenario using SRV6 due to the
> ubiquitous use cases of SRv6 so that 2nd encapsulation would only be
> required wherever the 2nd or I guess even 3rd or every time an EH SRH type
> 4 routing header is added for that matter a IPv6 encapsulation is required
> to satisfy IPv6.
>
> Regards
>
> Gyan
>
>
> Sent from my iPhone
>
> On Oct 13, 2019, at 11:59 AM, Gyan Mishra <hayabusagsm@gmail.com> wrote:
>
> Mark
>
> Few comments on the draft in-line and also comparison of MPLS label
> insertio=
> n to SRV6 EH insertion.
>
> Sent from my iPhone
>
> On Oct 13, 2019, at 6:25 AM, Nick Hilliard <nick@foobar.org> wrote:
>
> =20
>
> Brian E Carpenter wrote on 13/10/2019 01:36:
>
> The packet is too dumb to know anything ;-). My question is how each
>
> node it traverses knows. Indeed, Mark's draft
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email