RE: Questions/comments about draft-dunbar-6man-5g-edge-compute-sticky-service

["Jeffrey (Zhaohui) Zhang" <zzhang@juniper.net>]

Since it is for "sticky service", you don't want to get a new server address every time you move - unless the previous one is no longer appropriate. That means it is best for a controller to determine which one to use both initially and later when situation changes (when a UE relocates or server load situation changes), and that does not necessarily mean it is always through DNS.

Jeffrey

-----Original Message-----
From: Linda Dunbar <linda.dunbar@futurewei.com>
Sent: Monday, March 29, 2021 1:15 PM
To: Jeffrey (Zhaohui) Zhang <zzhang@juniper.net>; Vasilenko Eduard <vasilenko.eduard@huawei.com>; Kaippallimalil John <john.kaippallimalil@futurewei.com>; 'IPv6 List' <ipv6@ietf.org>
Subject: RE: Questions/comments about draft-dunbar-6man-5g-edge-compute-sticky-service

[External Email. Be cautious of content]


Jeffrey,

The Devices are moving consistently, it is not reasonable to require them to consistently query DNS for the "correct" non-ANYcast address .

Linda

-----Original Message-----
From: Jeffrey (Zhaohui) Zhang <zzhang@juniper.net>
Sent: Monday, March 29, 2021 12:04 PM
To: Linda Dunbar <linda.dunbar@futurewei.com>; Vasilenko Eduard <vasilenko.eduard@huawei.com>; Kaippallimalil John <john.kaippallimalil@futurewei.com>; 'IPv6 List' <ipv6@ietf.org>
Subject: RE: Questions/comments about draft-dunbar-6man-5g-edge-compute-sticky-service

Even if you could get over the security/trust hurdle, using a controller to let the UEs know which unicast non-anycast address to use is a much simpler/better solution.

Jeffrey

-----Original Message-----
From: Linda Dunbar <linda.dunbar@futurewei.com>
Sent: Monday, March 29, 2021 12:50 PM
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>; Jeffrey (Zhaohui) Zhang <zzhang@juniper.net>; Kaippallimalil John <john.kaippallimalil@futurewei.com>; 'IPv6 List' <ipv6@ietf.org>
Subject: RE: Questions/comments about draft-dunbar-6man-5g-edge-compute-sticky-service

[External Email. Be cautious of content]


Ed,

Yes, they are in one domain. Here is one example:

5G Connected devices, such as drones for fighting fires or natural disasters or robots in Industry 4.0  environments,  need ultra-low latency  responses from their analytic servers hosted in the Edge data centers. To reach ultra-low latency, there are multiple servers hosting the analytic functions in the Edge DCs.
All the functions (including networking and analytics) and devices are administrated by one operator.  Those functions might be provided by different vendors, therefore needing interoperable solutions.

Linda

-----Original Message-----
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
Sent: Monday, March 29, 2021 11:41 AM
To: Linda Dunbar <linda.dunbar@futurewei.com>; Jeffrey (Zhaohui) Zhang <zzhang@juniper.net>; Kaippallimalil John <john.kaippallimalil@futurewei.com>; 'IPv6 List' <ipv6@ietf.org>
Subject: RE: Questions/comments about draft-dunbar-6man-5g-edge-compute-sticky-service

It could be the problem.
Because all SR RFCs and drafts clearly say: only inside the domain.
Else could be a huge security risk. UE could not be trusted.
Cross-domain security is the principal question that should be discussed in SPRING first.
Current SR architecture does not try to resolve it yet.


Segment Routing in general and SRv6 in particular are claimed to be designed for Trusted environments only:
- Segment routing architecture (RFC 8402) section 8
- SRH - Segment Routing Header (RFC 8754) section 5
- SRv6 Network Programming (draft-ietf-spring-srv6-network-programming-25) section 9 SRH RFC is especially verbal how to filter-out any SR-related information on the border of "SR domain".
Ed/
-----Original Message-----
From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Linda Dunbar
Sent: Monday, March 29, 2021 7:09 PM
To: Jeffrey (Zhaohui) Zhang <zzhang@juniper.net>; Kaippallimalil John <john.kaippallimalil@futurewei.com>; 'IPv6 List' <ipv6@ietf.org>
Subject: RE: Questions/comments about draft-dunbar-6man-5g-edge-compute-sticky-service

Jeffrey,

We can definitely add the option of UE inserting SRH. I am just not sure how many UEs or end devices will do those actions. If very few UEs can do this action, the solution itself is not useful. However, it doesn't hurt for IETF to specify such a solution so that future IoT or 5G devices can have a reference to do the actions.

Another point, the number of Sticky Service is not large. The Ingress routers are configured with the policies ( ACLs) to filter those flows.

Linda

-----Original Message-----
From: Jeffrey (Zhaohui) Zhang <zzhang@juniper.net>
Sent: Monday, March 29, 2021 9:18 AM
To: Linda Dunbar <linda.dunbar@futurewei.com>; Kaippallimalil John <john.kaippallimalil@futurewei.com>; 'IPv6 List' <ipv6@ietf.org>
Subject: RE: Questions/comments about draft-dunbar-6man-5g-edge-compute-sticky-service

Hi Linda,

You proposed two ways of providing "sticky services" - when a UE moves to a new location, the ingress router at that new location will still route the packets of the same flow to the previous egress router. That flow cannot be identified by the destination address alone, since it is an anycast address that are shared by servers behind different egress routers.

Essentially, you're trying to turn the ingress router into a load balancer, especially with your option #2 (section 5, "tunnel based" solution). I don't think we want the routers to do that - while routers can make use of 5-tuple for ECMP hashing, we don't want to make routers more complicated and do forwarding based on a sticky-service-table with (Sticky Service ID, Flow Label. Sticky Egress address, Timer) entries. It's not only complicated but also does not scale (we can discuss the scaling aspect wrt the flow labels separately).

The variation of option #1 that I suggested would be better, if the following were true:

1. The UE can insert an SRH
2. The ingress router can trust the SRH from the UEs

In that case, it would be better for the UE to learn the egress router via 5G/MEC control plane, instead of relying on the egress router to put that into the DOH of every server->UE packets for sticky services and for the UE to retrieve that information from each incoming sticky service packets. One thing I learned is that the entire 5G system is very much heavy with control/management plane and I would think it is a much better option to provide that information to the UEs.

On the other hand, once you go that way, the control plane can simply provide the regular, non-anycast addresses of the servers instead of the egress router address. Then, all the problems disappear and corresponding proposals are no longer needed, including the ones in draft-dunbar-idr-5g-edge-compute-app-meta-data, and we only need existing simple routing functions.

Thanks.

Jeffrey

-----Original Message-----
From: Linda Dunbar <linda.dunbar@futurewei.com>
Sent: Saturday, March 27, 2021 10:45 PM
To: Jeffrey (Zhaohui) Zhang <zzhang@juniper.net>; Kaippallimalil John <john.kaippallimalil@futurewei.com>; 'IPv6 List' <ipv6@ietf.org>
Subject: RE: Questions/comments about draft-dunbar-6man-5g-edge-compute-sticky-service

[External Email. Be cautious of content]


Jeffrey,

Thank you very much for the constructive comments.
Replies are inserted below:

-----Original Message-----
From: Jeffrey (Zhaohui) Zhang <zzhang@juniper.net>
Sent: Friday, March 26, 2021 3:59 PM
To: Linda Dunbar <linda.dunbar@futurewei.com>; Kaippallimalil John <john.kaippallimalil@futurewei.com>; 'IPv6 List' <ipv6@ietf.org>
Subject: Questions/comments about draft-dunbar-6man-5g-edge-compute-sticky-service

Hi Linda, John,

   When a UE (User Equipment) initiates application packets using the
   destination address from a DNS reply or from its own cache, the
   packets from the UE are carried in a PDU session through 5G Core
   [5GC] to the 5G UPF-PSA (User Plan Function - PDU Session Anchor).
   The UPF-PSA decapsulate the 5G GTP outer header and forwards the
   packets from the UEs to the Ingress router of the Edge Computing (EC)
   Local Data Network (LDN). The LDN for 5G EC, which is the IP Networks
   from 5GC perspective, is responsible for forwarding the packets to
   the intended destinations.

A nit comment about "5G Core" above. When I first started learning 4G/5G It took me a while to realize the 3GPP "core network" concept in vastly different from what IETF people are used to. It's not about topology and now the "core network" functions are being more and more distributed into edges. Therefore, in this context it may be better to simply strike the "through 5G Core [5GC]" wording to reduce the confusion to some readers.

[Linda] That is very true. Removed the term per your suggestion. 5G Core refers to all the functions from Radio to UPF.

  1.3. Problem #1: ANYCAST in 5G EC Environment

   Increasingly, ANYCAST is used extensively by various application
   providers and CDNs because it is possible to dynamically load balance
   across multiple locations of the same address based on network
   conditions. BGP is an integral part in the way IP anycast usually
   functions. Within BGP routing there are multiple routes for the same
   IP address which are pointing to different locations.

Not only BGP - but all IP routing protocols should work well with anycast. My understanding is that BGP being integral part here is really that the data network here is likely realized by VPNs over the same transport network. Is that a correct understanding?

[Linda] ANYCAST has traditionally been used for servers or loader balancers that are placed in geographically diverse locations, so that BGP alone is enough for the traffic in one region to be forwarded to one server.  But for the 5G Edge Computing where multiple Servers/load Balancers with the same ANYCAST addresses are placed close proximity, IGP is needed.

Of course, BGP does have flexibility in providing better/more control of route selection than IGP does in the context of the companion draft-dunbar-idr-5g-edge-compute-app-meta-data.
[Linda] Correct.

   But, having multiple locations for the same ANYCAST address in 5G
   Edge Computing environment can be problematic because all those edge
   computing Data Centers can be close in proximity.  There might not be
   any difference in the routing cost to reach the Application Servers
   in different Edge DCs.   Same routing cost to multiple ANYCAST
   locations can cause packets from one flow to be forwarded to
   different locations, which can cause service glitches.

As pointed out later in this same document, modern routers support "Flow Affinity" and should not cause packets of a flow on a specific router to be forwarded to different locations. The real problem is when a UE moves to a different location, the new router at that location may send it to a different egress router. However, that is the "sticky service" problem described in 1.4.
[Linda] Correct.

>From draft-dunbar-idr-5g-edge-compute-app-meta-data, I understand that on a specific router it needs to choose a location that can best serve an application based on some non-routing factors. If 1.3 is really for that purpose, it should be reworded accordingly. As I mentioned in an earlier email, the two documents should better align on the problem descriptions.

   Here is the overview of the End-Node based Sticky Service solution:
     - Each ANYCAST Edge Computing server either learns or is informed
        of the unicast Sticky Egress address (Section 3). The goal of
        the network is to deliver packets belonging to one flow to the
        same Sticky Egress address for the ANYCAST address. Section 4.1
        describes how Edge Computing Servers discover their
        corresponding Sticky Egress unicast addresses.
     - When an Edge Computing server sends data packets to a UE (or
        client), it inserts the Sticky-Dst-SubTLV (described in Section
        4.2) into the packets' Destination Option Header.
     - UE (or client) needs to copy the Destination Option Header from
        the received packet to the next packet's Destination Header if
        the next packet belongs to the same flow as the previous packet.

I was really confused by "next packet". I finally realized you may be referring to response packets from the UE to the server, and the "same flow" should be "same service". Better wording is needed here.

     - If the following conditions are true, the ingress router
        encapsulates the packet from the UE in a tunnel whose outer
        destination address is set to the Sticky Egress Address
        extracted from the packet's Sticky-Dst-SubTLV:
          o The destination of the packet from the UE side matches
             with one of the Sticky Service ACLs configured on the
             ingress router of the LDN,
          o the packet header has the Destination Option present with
             Sticky-Dst-SubTLV.

Wouldn't it be better for the UE to put in an SRH with one SID for the server address and set the DA to be the egress router address? That way you don't need the ACL or the DOH (the Sticky-Dst-SubTLV  information in the DOH is not for consumption by the server anyway), and you don't even need tunneling or BGP (unless VPN is used - but that's orthogonal to this). Existing SRv6 function takes care of it.

[Linda] 3GPP has rejected using SRH in the 5G Core. We can think about using them in the N6 interface.

Also, the Sticky-Dst-SubTLV in DOH of the server->UE traffic would be better renamed as "return waypoint" for more generic purpose.
[Linda]  that is interesting suggestion.

4.1. Sticky Egress Address Discovery

   To an App server with ANYCAST address, the Sticky Egress address is
   same as its default Gateway address.

   To prevent malicious UEs (or clients) sending DDOS attacks to routers
   within 5G EC LDN, e.g. the Sticky Egress address that is encoded in
   the Destination option header in the packets sent back to the UEs (or
   clients), a proxy Sticky Egress address can be encoded in the
   Destination option header. The proxy Sticky Egress address is only
   recognizable by the 5G EC LDN ingress nodes, i.e. the Ra and Rb in
   the Figure 1, but not routable in other networks. The LDN ingress
   routers can translate the proxy Sticky Egress to a routable address
   for the Sticky Egress node after the source addresses of the packets
   are authenticated.

Why is the 4.1 title called "... discovery"? Does not seem to be about "discovery".
[Linda] it is about remembering which Egress router was used for the flow. Should it be "Sticky Egress Memory"?

 4.3. Expected behavior at the UE
   ...
   Section 4 describes the network layer processing if UEs do not
   perform the steps described here.

Should be "Section 5".

[Linda] Thank you.

5. Tunnel based Sticky Service Solutions 5.1. Ingress and Egress Routers Processing Behavior

   The solution assumes that both ingress routers and egress routers
   support at least one type of tunnel and are configured with ACLs to
   filter out packets whose destination or source addresses match with
   the Sticky Service Identifier. The solution also assumes there are
   only limited number of Sticky Services to be supported.
   An ingress router needs to build a Sticky-Service-Table, with the
   minimum following attributes. The Sticky-Service-Table is initialized
   to be empty.
     - Sticky Service ID
     - Flow Label
     - Sticky Egress address
     - Timer

   Editor's Note:
     When a UE moves from one 5G Site to another, the same UE will have
     a new IP address. "Flow Label + Sticky Service ID" stays the same
     when a UE is anchored to a new PSA. Therefore, this solution use
     "Flow Label + Sticky Service ID" to identify a sticky flow. Since
     the chance of different UEs sending packets to the same ANYCAST
     address using the same Flow Label is very low, it is with high
     probability that "Flow Label + Sticky Service ID" can uniquely
     identify a flow. When multiple UEs using the same Flow Label
     sending packets to the same ANYCAST address, the solution described
     in this section will stick the flows to the same ANYCAST server
     attached to the Sticky Egress router. This behavior doesn't cause
     any harm.

It seems that the same flow label is used for traffic of the same service in both directions. So who will assign the flow label?
[Linda] The "flow label" from the IPv6 header should be managed by the hosts & servers.

If two UEs of the same service happen to use the same flow label, then sticky service is not guaranteed. For example, initially they're anchored at different UPFs, and UE1 traffic is sent to egress router 1 while UE2 traffic is sent to egress router 2. When UE 1 relocates to the same UPF as UE 2's, its traffic will be sent to egress node 2 because the same flow label is used.

Therefore, there should be a central controller to assign flow labels based on UE id, and the UE id is not based on IP address (since it could change).
[Linda] Since the "Flow Label" is randomly generated (by Host OS), the chance of two UEs reaching the same service having the same Flow Label is very small.  We can explore the option of getting the Control Plane involved.

   Note: since there are only small number of Sticky services, the
   Sticky-Service-Table is not very large.

With the above understanding, the table could get large?
[Linda]?

   When an ingress router receives a packet from a UE matching with one
   of the Sticky Service ACLs and there is no entry in the Sticky-
   Service-Table matching the Flow Label and the Sticky Service ID, the
   ingress router considers the packet to be the first packet of the
   flow. There is no need to sticking the packet to any location. The
   ingress router uses its own algorithm to select the optimal egress
   node as the Sticky Egress address for the ANYCAST address,
   encapsulates the packet with a tunnel that is supported by the egress
   node. The tunnel's destination address is set to the egress node
   address.

If a UE was using egress router 1 and it relocates to a new UPF, the new ingress router will likely have no corresponding entry for it? What if the new ingress router pick egress router 2?
It seems that the ingress routers need to pre-exchange entries in the table?
I see it's discussed later that the routers do exchange the information. It should be mentioned up front when the table is introduced.
[Linda] Would Adding a reference be enough?

   When an ingress router receives a packet in a tunnel from any egress
   router and the packet's source address matches with a Sticky Service
   ID, the egress router address is set as the Sticky Egress address for
   the Sticky Service ID. The ingress router adds the entry of "Sticky-
   Service-ID + Flow Label + the associated Sticky Egress address +
   Timer" to the Sticky-Service-Table if the entry doesn't exist yet in
   the table. If the entry exists, the ingress router refreshes the
   Timer of the entry in the table.

   When the ingress router receives the subsequent packets of a flow
   from the 5G side matching with an Sticky Service ID and the Sticky-
   Service ID exists in the Sticky-Service-Table, the ingress router
   uses the Sticky Egress address found in the Sticky-Service-Table to
   encapsulate the packet and refresh the Timer of the entry. If the
   Sticky-Service ID doesn't exist in the table, the ingress router
   considers the packet as the first packet of a flow.

The above is what leads me to believe that the flow label is the same in both directions.
[Linda] they don't have to be the same, do they?

 5.3. Scenario 2: With communication with 5G system
   ...
   The ingress and egress router processing are the same as described in
   Section 5.1 except a flow is now uniquely identified by the "Sticky
   Service ID" + "UE address" instead of "Sticky Service ID" + "Flow
   Label".

This confirms my earlier understanding for scenario 1 that "there should be a central controller to assign flow labels based on UE id, and the UE id is not based on IP address (since it could change)" and that the table could get large.

Of course now for scenario 2, you're not using the flow label any more. While the table only contains entries that this ingress router actually need, the following are still true:
- The table could still get large (if the number of attached UEs for the sticky services is large)
- On demand fetching of the table entry may not be fast enough

Additionally, instead of "scenario", "option" or "solution" would be a better wording.
[Linda] Good suggestion!

More importantly, this stateful flow steering based on the additional table is just too heavy and complicated. Why not simply have the UEs support SRH so that traffic will be routed via the desired egress router using standard SRv6 mechanism?
[Linda] It is not realistic for UEs (your smart phone) to support SRH.

Jeffrey


-----Original Message-----
From: Jeffrey (Zhaohui) Zhang
Sent: Thursday, March 25, 2021 3:46 PM
To: Linda Dunbar <linda.dunbar@futurewei.com>; Kaippallimalil John <john.kaippallimalil@FUTUREWEI.COM>; IPv6 List <ipv6@ietf.org>; idr@ietf. org <idr@ietf.org>
Subject: questions about draft-dunbar-idr-5g-edge-compute-app-meta-data and draft-dunbar-6man-5g-edge-compute-sticky-service

Hi Linda, John,

I have the following questions.

The two related drafts listed the following three problems respectively:

      1.3. Problem#1: ANYCAST in 5G EC Environment.............. 6
      1.4. Problem #2: Unbalanced Anycast Distribution due to UE Mobility.................................................. 7
      1.5. Problem 3: Application Server Relocation............. 7

      1.2. Problem #1: ANYCAST in 5G EC Environment.............. 4
      1.3. Problem #2: sticking to original App Server........... 5
      1.4. Problem #3: Application Server Relocation............. 5

Why is problem #2 different in the two drafts? Is it true that none of the two drafts address problem #3?
The idr draft talk about "soft anchoring" problem and solution - how is that different from the "sticky service"?

Thanks.
Jeffrey

Juniper Business Use Only

Juniper Business Use Only

Juniper Business Use Only
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://urldefense.com/v3/__https://nam11.safelinks.protection.outlook.com/?url=https*3A*2F*2Furldefense.com*2Fv3*2F__https*3A*2F*2Fnam11.safelinks.protection.outlook.com*2F*3Furl*3Dhttps*3A*2F*2Fwww.ietf.org*2Fmailman*2Flistinfo*2Fipv6*26amp*3Bdata*3D04*7C01*7Clinda.dunbar*40futurewei.com*7C4209e8a9acae47b96d1808d8f2d16b8d*7C0fee8ff2a3b240189c753a1d5591fedc*7C1*7C0*7C637526328578769822*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C1000*26amp*3Bsdata*3DA39pqHVUBFsssO3DLSqrTUtPpcXAr*2F8pi*2Bmw*2BtIJNME*3D*26amp*3Breserved*3D0__*3BJSUlJSUlJSUlJSUlJSUlJSUlJSUlJQ!!NEt6yMaO-gk!QWI34EOzIdgzRLkkdD3rdv_fn4CLHXnnMvDpOOeQB4ELlElbfawu6WXv0nbjgi-z*24&amp;data=04*7C01*7Clinda.dunbar*40futurewei.com*7C2b126cc5be8541bd43cc08d8f2d4a7ab*7C0fee8ff2a3b240189c753a1d5591fedc*7C1*7C0*7C637526342463012256*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C1000&amp;sdata=aOw1DkDcQu0*2FmMi6RfWlUyRcLB2jRcsbBAhcpoaX5yE*3D&amp;reserved=0__;JSUlJSUlJSUlJSUqKioqKiolJSUqKioqKioqKioqKiolJSUqKioqJSUlJSUlJSUlJSUlJSUlJSUlJQ!!NEt6yMaO-gk!Q-hLtDzPuot4CQsvyUhfrEcNgHIIBEdRDT4RgyHgVCE1f5Vt6DlvzYC-o7693kZ1$
--------------------------------------------------------------------

Juniper Business Use Only

Juniper Business Use Only

Juniper Business Use Only