IETF Logo Mail Archive

Re: [IPv6] Comparing hbh-processing and eh-limits drafts with comments

Tom Herbert <tom@herbertland.com> Thu, 27 October 2022 20:48 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2E96C1524B4 for <ipv6@ietfa.amsl.com>; Thu, 27 Oct 2022 13:48:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_PERMERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gpsRIR6lFakV for <ipv6@ietfa.amsl.com>; Thu, 27 Oct 2022 13:48:24 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6563C1524A3 for <ipv6@ietf.org>; Thu, 27 Oct 2022 13:48:24 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id p8so4668456lfu.11 for <ipv6@ietf.org>; Thu, 27 Oct 2022 13:48:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=kxpa+UXqb2PwA4qRzLpupGXaLeH/ZYDOEbUibrixhg8=; b=UbuRCZmndqfm63CieLSKHDWfqSS+ijIUTe4dt9Bs8PUgewwbiFn/Iya67Yzh8LR2QX aFMR6j4WjmAF6JryYkmoOccUtHDa3YCHBQ0Yer1+YZM9PvW2OTW5ZV6Eyr6JNq3vOfsg VmMNjWuQjE9zg+EoflxnAM6Ui3MQdL4jOUj4U9sX3GEGoq75wBuUvR49Q02cEA2RBO+R WGf9kDVwScPEwCu5joJpWp/eK95YjOda1FDdy8DWjnakhfcMcag+reKf3+RAssIxTnQp lTu2J4SaBjbOWSz8WAmx9CxoA8oS4JX12JhowNHSUkvOj1kvLGHaQukH9ryJapO+MgA7 hDIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=kxpa+UXqb2PwA4qRzLpupGXaLeH/ZYDOEbUibrixhg8=; b=WLBx1Dxt44QY9ZR7FiNrXRrcbswGRdnAV8PqsviOc6xmueoXcQjEi8GHdcJse2Ey5U aQVtILfYzpxtjGpqcQEAMvfggUpGbrEvxAsRWHDhLdCK6UqwqGKRwPIJcG4jX8OfTuM3 Enz78CHj022zf5/FwvISO67LSvyoObpdCfZhg0Y8ByJjYcd8AAdkKEMKR+vbESu71Tz2 hA0hQL63JNW4j4NCZpYIynbLRg8OAUdZxwAWiHz0S5eTk8Yja685VahdPlPifhCYLOqr 2GOBAKx0z7ZWZfm5SRF3NoIGPQfkf74iUuYGSa8nnd8Ks6dERluGGqEBU/pZHEyn69nK 13dw==
X-Gm-Message-State: ACrzQf3iCyCE7j4kqIgtv7lSd5KG+8k/Vqgw4CsNuTfGneEB7/OMT900 7Eibj/diHs9fnTRFJSONKi5erjoq8GQ5ld9lFJxM9Q==
X-Google-Smtp-Source: AMsMyM6HrV/5HsVCso+HJL/dkFS2pmk31CDAbnjcibAXB1KBC99TVv1w+vvgPdzZt/fBQMF58Jue4l/DoGXJyprDpTk=
X-Received: by 2002:a05:6512:2350:b0:4a2:2447:9c42 with SMTP id p16-20020a056512235000b004a224479c42mr17111468lfu.260.1666903701785; Thu, 27 Oct 2022 13:48:21 -0700 (PDT)
MIME-Version: 1.0
References: <CALx6S34nuac_0KgJOosOz1QBBGSd0tZ2ZEdk_iQLXAHn2HGAgg@mail.gmail.com> <CALx6S35uYtWmRwfVhEYVDkc=O8_HxcZ_Ysmc9KexXXf48j6nWg@mail.gmail.com> <CALx6S36gjqoDqa7oSrNZbta3gjcRzOkSeoZM8fwFQcZXqMOFJQ@mail.gmail.com> <489a06d3-ae30-c50f-98d3-50dae5448d8c@gmail.com>
In-Reply-To: <489a06d3-ae30-c50f-98d3-50dae5448d8c@gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 27 Oct 2022 13:48:10 -0700
Message-ID: <CALx6S35ufqDjwLnW4Uw5eCer8SBoi3Cek1J-hJ=6GeM=PEpUHQ@mail.gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/iSoI4F0UmpFnhE5eW0fEPbLn3RA>
Subject: Re: [IPv6] Comparing hbh-processing and eh-limits drafts with comments
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2022 20:48:26 -0000

On Thu, Oct 27, 2022 at 1:03 PM Brian E Carpenter
<brian.e.carpenter@gmail.com> wrote:
>
> Tom, thanks for doing this! 6man would look silly if we advanced
> two documents simultaneously that were mutually inconsistent. A
> few comments below.
>
> On 28-Oct-22 06:57, Tom Herbert wrote:
> > Comparing draft-ietf-6man-hbh-processing-04 and draft-ietf-6man-eh-limits-01
> >
> >>From hbh-processing: "This document updates [RFC8200] to specify that
> > a node MUST process the first Option in the Hop-by-Hop Header at full
> > forwarding rate (e.g. on the router's Fast Path) and MAY process
> > additional Hop-by-Hop Options if configured to do so."
> >
> >>From eh-limits: "An intermediate node MAY limit the number of
> > non-padding Hop-by-Hop options that it processes.  If a limit is
> > exceeded, that is a packet contains more non-padding options than are
> > configured to process, the intermediate node SHOULD stop processing
> > the Hop-by-Hop Option and ignore any options in the chain beyond the
> > limit."
> >
> > Both drafts seem to allow an intermediate node to process some subset
> > of HBH options, but IMO eh-limits gives more guidance on how to handle
> > the case where there are more options in the packet then the node is
> > willing to process.
> >
> > hbh-processing requires that intermediate nodes process the first HBH
> > option in a packet. IMO, that proverbial ship has sailed. The data
> > show that there are a lot of deployed devices that don't process even
> > one HBH option, this is why the HBH options processing requirements
> > were relaxed in RFC8200.
>
> Yes, I think the requirement in hbh-processing is unrealistic. I can't
> imagine a world in which the highest speed routers in the backbone
> waste a nanosecond that way. Definitely a SHOULD, not a MUST. With a
> proviso such as "a node SHOULD process the first Option in the Hop-by-Hop
> Header at full forwarding rate *unless it inspects only the destination
> address*" or something like that.
>
> > Also, I believe it's unnecessary. Given that
> > HBH options aren't universally supported in the path, there's no
> > motivation to define HBH options where every node on the path needs to
> > process. Host stacks already assume that HBH options may or may not be
> > processed by any or all nodes. The trend seems to be to define HBH
> > options that are defined for limited domains or that are meant to be
> > processed by specific nodes such as the egress router in the local
> > network.
> >
> > In order for HBH options to work at all regardless of how many options
> > are present, intermediate nodes MUST NOT summarily drop packets just
> > because they contain the HBH extension header. Both drafts describe
> > this hard requirement although it's a bit more explicit in eh-limits.
>
> Right. The authors could perhaps figure out how to avoid any semblance
> of difference on this point.
>
> >
> > hbh-processing makes some nice, long changes needed for processing of
> > the two high order bits. However, considering that both the drafts
> > allow some or all HBH options to be ignored, effectively, any HBH
> > option can be treated like it has 00 in the two high order bits.
> > Perhaps it should be recommended that all new HBH options are defined
> > with 00 in the top bits (this could be a requirement in section 6).
> >
> >>From hbh-processing: "The size of an option SHOULD NOT extend beyond
> > what can be reasonably expected to be executed at full forwarding rate
> > (e.g., forwarded on a router's fast path).
> >
> >>From eh-limits: "An intermediate node MUST be able to correctly
> > forward packets that contain an IPv6 header chain of 104 or fewer
> > bytes" and "An intermediate node MAY set a limit on the maximum length
> > of Hop-by-Hop Options extension headers"
> >
> > Both drafts allude to the problem that intermediate nodes may not be
> > able to process variable length headers that are too long. IMO
> > eh-limits is more specific on the requirements around this.
> >
> > hbh-processing has some nice definitions for Fast Path and Slow Path,
> > but it's not clear to me that these are sufficient to be used in
> > normative requirements. Similarly, there are references to "full
> > forwarding rate", which I believe needs a definition in the
> > Terminology section, but also doesn't seem sufficiently understood to
> > be in normative requirements such as "Nodes MUST process all
> > Hop-by-Hop options at full forwarding rates." The fast/slow path split
> > is implementation dependent; what's considered to be a fast path in
> > one implementation
> > might be a slow path on another. Also, note that the adverse effect of
> > the slow/fast path split isn't necessarily the additional per packet
> > latency, it's that taking the slow path can cause OOO packets and high
> > variances in RTT which in turn wreaks havoc on congestion control and
> > retransmission algorithms in transport protocols. I suggest that
> > alternative might be to say that hop-by-hop options processing MUST
> > NOT cause packets to be processed or received out of order (in
> > practice that would mean that everything needs to be processed in the
> > "fast path")
>
> How would that look in an ECMP scenario?
>
Brian,

There's a general assumption in implementations that in order
processing and delivery needs to be maintained only for packets within
a flow, not necessarily maintaining order between packets in different
flows. ECMP does this by computing a hash over the flow identifying
information in a packet, e.g. the TCP five-tuple, and then using the
low order bits of the hash to select the outbound port. The algorithm
works well except that it requires intermediate devices to parse into
the transport layer to extract the port numbers for computing the flow
hash.

BTW, ECMP is one rationale why intermediate devices set an implicit
requirement that they must be able to parse into the transport layer,
and hence one of the motivations in eh-limits to require that
intermediate nodes doing DPI can correctly process packets with up to
sixty-four bytes of extension headers. The IPv6 flow label was
supposed to eliminate the need for DPI to do things like ECMP, but
unfortunately there still seems to be some lingering concerns that it
might not be sufficiently stable during the lifetime of a flow.

Tom

>      Brian
>
> >
> > Tom
> >
> > On Thu, Oct 27, 2022 at 10:40 AM Tom Herbert <tom@herbertland.com> wrote:
> >>
> >> Oops, I just noticed I was looking at an older draft of hbh-options. Will resend
> >>
> >> Tom
> >>
> >> On Thu, Oct 27, 2022 at 10:32 AM Tom Herbert <tom@herbertland.com> wrote:
> >>>
> >>> Hi,
> >>>
> >>> Per Brian's feedback on draft-ietf-6man-eh-limits-01, I'm looking at
> >>> draft-hinden-6man-hbh-processing-01 (hbh-processing) and
> >>> draft-ietf-6man-eh-limits-01 (eh-limits) to compare and hopefully
> >>> rectify them to be consistent. Comparing the drafts and comments are
> >>> below.
> >>>
> >>>  From hbh-processing: "This document updates [RFC8200] that a node MUST
> >>> process the first Option in the Hop-by-Hop Header in the Fast Path and
> >>> MAY process additional Hop-by-Hop Options if configured to do so... If
> >>> there are more than one Hop-by-Hop options in the Hop-by-Hop Options
> >>> header, the node MAY skip the rest of the options"
> >>>
> >>>  From eh-limits: "An intermediate node MAY limit the number of
> >>> non-padding Hop-by-Hop options that it processes.  If a limit is
> >>> exceeded, that is a packet contains more non-padding options than are
> >>> configured to process, the intermediate node SHOULD stop processing
> >>> the Hop-by-Hop Option and ignore any options in the chain beyond the
> >>> limit."
> >>>
> >>> Both drafts seem to allow an intermediate node to process some subset
> >>> of HBH options, but IMO eh-limits gives more guidance on how to handle
> >>> the case where there are more options in the packet then the node is
> >>> willing to process.
> >>>
> >>> hbh-processing requires that intermediate nodes process the first HBH
> >>> option in a packet. IMO, that proverbial ship has sailed. The data
> >>> show that there are a lot of deployed devices that don't process even
> >>> one HBH option, this is why the HBH options processing requirements
> >>> were relaxed in RFC8200. Also, I believe it's unnecessary. Given that
> >>> HBH options aren't universally supported in the path, there's no
> >>> motivation to define HBH options where every node on the path needs to
> >>> process. Host stacks already assume that HBH options may or may not be
> >>> processed by any or all nodes. The trend seems to be to define HBH
> >>> options that are defined for limited domains or that are meant to be
> >>> processed by specific nodes such as the egress router in the local
> >>> network.
> >>>
> >>> In order for HBH options to work at all regardless of how many options
> >>> are present, intermediate nodes MUST NOT summarily drop packets just
> >>> because they contain the HBH extension header. Both drafts describe
> >>> this hard requirement although it's a bit more explicit in eh-limits.
> >>>
> >>> hbh-processing makes some nice, long changes needed for processing of
> >>> the two high order bits. However, considering that both the drafts
> >>> allow some or all HBH options to be ignored, effectively, any HBH
> >>> option can be treated like it has 00 in the two high order bits.
> >>> Perhaps it should be recommended that all new HBH options are defined
> >>> with 00 in the top bits (this could be a requirement in section 6).
> >>>
> >>>  From hbh-processing: "Fixed size in 8-octet units.  Specifically, any
> >>> new Hop-by-Hop options should not be variable size that could extend
> >>> beyond what  can be executed in the Fast Path."
> >>>
> >>>  From eh-limits: "An intermediate node MUST be able to correctly
> >>> forward packets that contain an IPv6 header chain of 104 or fewer
> >>> bytes" and "An intermediate node MAY set a limit on the maximum length
> >>> of Hop-by-Hop Options extension headers"
> >>>
> >>> Both drafts allude to the problem that intermediate nodes may not be
> >>> able to process variable length headers that are too long. IMO
> >>> eh-limits is more specific on the requirements around this.
> >>>
> >>> hbh-processing has some nice definitions for Fast Path and Slow Path,
> >>> but it's not clear to me that these are sufficient to be used in
> >>> normative requirements. For instance, hbh-processing states "Nodes
> >>> that implement a differentiation between a Fast Path and a Slow Path
> >>> MUST process all (with one exception noted below) Hop-by-Hop options
> >>> in the Fast Path." The fast/slow path split is implementation
> >>> dependent; what's considered to be a fast path in one implementation
> >>> might be a slow path on another. Also, note that the adverse effect of
> >>> the slow/fast path split isn't necessarily the additional per packet
> >>> latency, it's that taking the slow path can cause OOO packets and high
> >>> variances in RTT which in turn wreaks havoc on congestion control and
> >>> retransmission algorithms in transport protocols. I suggest that
> >>> alternative might be to say that hop-by-hop options processing MUST
> >>> NOT cause packets to be processed or received out of order (in
> >>> practice that would mean that everything needs to be processed in the
> >>> "fast path")
> >>>
> >>> Tom
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email