IETF Logo Mail Archive

[IPv6]Re: Gorry Fairhurst's Discuss on draft-ietf-6man-vpn-dest-opt-03: (with DISCUSS and COMMENT)

Adrian Farrel <adrian@olddog.co.uk> Tue, 25 March 2025 12:34 UTC

Return-Path: <adrian@olddog.co.uk>
X-Original-To: ipv6@mail2.ietf.org
Delivered-To: ipv6@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id E9563120F4CC; Tue, 25 Mar 2025 05:34:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.695
X-Spam-Level:
X-Spam-Status: No, score=-2.695 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=olddog.co.uk
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ma8_KKNuvkIn; Tue, 25 Mar 2025 05:34:05 -0700 (PDT)
Received: from mta6.iomartmail.com (mta6.iomartmail.com [62.128.193.156]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 08017120EC09; Tue, 25 Mar 2025 05:33:27 -0700 (PDT)
Received: from vs4.iomartmail.com (vs4.iomartmail.com [10.12.10.122]) by mta6.iomartmail.com (8.14.7/8.14.7) with ESMTP id 52PCXOGt019670; Tue, 25 Mar 2025 12:33:24 GMT
Received: from vs4.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E4F5346043; Tue, 25 Mar 2025 12:33:23 +0000 (GMT)
Received: from vs4.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id CDDCB4604A; Tue, 25 Mar 2025 12:33:23 +0000 (GMT)
Received: from asmtp3.iomartmail.com (unknown [10.12.10.224]) by vs4.iomartmail.com (Postfix) with ESMTPS; Tue, 25 Mar 2025 12:33:23 +0000 (GMT)
Received: from ioxnode3.iomartmail.com (ioxnode3.iomartmail.com [10.12.10.70]) (authenticated bits=0) by asmtp3.iomartmail.com (8.14.7/8.14.7) with ESMTP id 52PCXNSg023844 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 25 Mar 2025 12:33:23 GMT
Date: Tue, 25 Mar 2025 12:33:23 +0000
From: Adrian Farrel <adrian@olddog.co.uk>
To: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, The IESG <iesg@ietf.org>
Message-ID: <39381948.103858.1742906003339@www.getmymail.co.uk>
In-Reply-To: <a957883e-29b8-4bf2-a9bb-9691b6fe034f@erg.abdn.ac.uk>
References: <174284676433.1592246.10595784810414822659@dt-datatracker-5b9b68c5b6-zxk6z> <0d8001db9d7a$0882c380$19884a80$@olddog.co.uk> <a957883e-29b8-4bf2-a9bb-9691b6fe034f@erg.abdn.ac.uk>
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.6-Rev70
X-Originating-IP: 146.90.132.154
X-Originating-Client: open-xchange-appsuite
X-Thinkmail-Auth: adrian@olddog.co.uk
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=olddog.co.uk; h=date :from:to:cc:message-id:in-reply-to:references:subject :mime-version:content-type:content-transfer-encoding; s= 20221128; bh=DiIr3JvHE1zOO9mOXXcGzwC1jKfHb4sFm7VDVmP7FDA=; b=IMk qloHfHIp6TX0zSLITaANjACi7Fdq3sfo52jBjW4asp+vUaAw5YC1jXWivfO311+Q j0X64iloi2tVg6u/Aqndj9RygQ72c/i3OZgx1FwJELLYUosMZW3wW/ZMHjdxp00n HMJMeHrn1icM/NrLeH1ofCPoW5emacpiBDHIrQx33C5hFo+ockRErA2ALRuu6rej uR1IftL59lT4acsahEF1vOz59PKBk2ov2ugKMFy9948cGZpZjW1e5JzZlt4HVX7G Uce+X28PrertgogFnqybbFgmLtapl+2LlAy+071/dPjBVd3AL5xZ5737+EaMAJ89 DU5vp0CfWzI1NX0v6dg==
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSVA-9.1.0.2090-9.0.0.1002-28352.003
X-TM-AS-Result: No--24.956-10.0-31-10
X-imss-scan-details: No--24.956-10.0-31-10
X-TMASE-Version: IMSVA-9.1.0.2090-9.0.1002-28352.003
X-TMASE-Result: 10--24.955900-10.000000
X-TMASE-MatchedRID: IeZYkn8zfFqnvGCyBToTI8G0UNgaZpYqnSd2cRY8xQNWcVQdwdqmz45h luopTaWkbSL9AN4UjltdGdXpDccA9EtHpMdfrXMK0oNxPV/0KMQ0YL9SJPufX0zp7CT88mw47ae CMtVJVxN+J/o+y9+xUmIeoogfffdBJ9dgBhH1liWdOp1TjDrlaQXOZ4foH6PYPCZpicYzmkEwoj Gi/Ev7ldmSN6aiFHldge5spQTladHuIpq23EU8xW2+CcjCvpMwB8N4SAwGIo5YC5LPd7BvbWiXc D8fWgFvUZBL966rYcCRlo1QWxTtF0mGR3lkoV1JL7p//vLv4bNRMEg8Dnr1Ic3/nbjAiSxMXb3Y 2+SMHW4EJ+6FDAUwZ4Eq7HkkaFaPRumyXgqnKtbcgUVP3Cp+vaVjgXyvS9c/bsHtQ0J95tTCKyc hs7yHQ7pq6HClvKK8pP2evCJOn8X5S+IvXI7mDeT02pOa52nUqf/efKFN1nBFms6YEs23D/8GgE mTXUs2xJFKQWMN61g9RdYTB5ilOLZR/qrhAi/ayKTEsCRIdyU0000sN/tt6bkiJ/BgvX6r96F3F /r/ihynceLJy5PCoJCGJjJSFQRixbnXMPdnLtcSEYfcJF0pRWmQExgOfwV4X30pMm+iz0i6uund Bb+HlMhlbHJ9vRnNvWYdMHmaR5ro4oSmK0Wehmgws6g0ewz2jkDrBOJwwnQbFxo211+Z/bEOoit FQVcIxyyDzu/8MJtiHqKIH333QbketMx0T38URZfQN+FVqbAU/rbDiDYao/SUvBPfrsd9KYU5gk ls+qkB3DtEcQBnNu2m4eeglpGz80agMA16DhXog9l0AIlL/n0tCKdnhB58jGzxQPJa3rWDs3J5K aPHTKdAX3+ptoGrp8Odl1VwpCSUTGVAhB5EbQ==
X-TMASE-SNAP-Result: 1.821001.0001-0-1-22:0,33:0,34:0-0
Message-ID-Hash: R6JR37YJEUQMZIDFFBZ3G6BVWLJ3XO4G
X-Message-ID-Hash: R6JR37YJEUQMZIDFFBZ3G6BVWLJ3XO4G
X-MailFrom: adrian@olddog.co.uk
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ipv6.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-ietf-6man-vpn-dest-opt@ietf.org, 6man-chairs@ietf.org, ipv6@ietf.org, bob.hinden@gmail.com
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [IPv6]Re: Gorry Fairhurst's Discuss on draft-ietf-6man-vpn-dest-opt-03: (with DISCUSS and COMMENT)
List-Id: "IPv6 Maintenance Working Group (6man)" <ipv6.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/iw7JmrZAScf2VdrZ0pyp-WId0nM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Owner: <mailto:ipv6-owner@ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Subscribe: <mailto:ipv6-join@ietf.org>
List-Unsubscribe: <mailto:ipv6-leave@ietf.org>

I confirm agreement.
Ron has the pen, so I'll wait for him to ack that he has this in the buffer.
A
On 25/03/2025 12:00 GMT Gorry Fairhurst <gorry@erg.abdn.ac.uk> wrote:
 
 
On 25/03/2025 11:35, Adrian Farrel wrote: 
Hi Gorry,

Welcome to the joy of reviewing documents for AD evaluation, and thanks for this review.
Thanks Adrian for getting back, and for being gentle and quick in answering my first AD evaluation that resulting in questions! 
 
1.: The document says:

  It MUST NOT appear in any other extension header.
  If VPN Service option appears in another extension
  header, the receiver MUST discard the packet.

This adds a requirement to drop a packet if the new option appears in a HBH EH,
whereas the processing defined in RFC 9673 would skip this option if present in
a HBH EH, and therefore would require explicit configuration to drop this
packet. Can the rule for the HBH EH be to ignore this option?

Hmmm, there is a conflict of order of processing going on here, I think.
If a router is configured to ignore whole EHs then, I guess, it never looks inside to find the option that would cause it to drop the packet.
Indeed. 
I think the point is that the high order bits are set to 01 meaning that if the processing router doesn't understand the option it must discard the packet. Then, if the option appears in another EH it cannot be understood so the packet will be discarded. 
Perhaps we can...
OLD
   The VPN Service Option MAY appear in a Destination Options header
   that precedes an upper-layer header.  It MUST NOT appear in any other
   extension header.  If VPN Service option appears in another extension
   header, the receiver MUST discard the packet.
NEW
   The VPN Service Option MAY appear in a Destination Options header
   that precedes an upper-layer header.  It MUST NOT appear in any other
   extension header.  If a receiver finds the VPN Service option in another
   extension header that it is processing, the option will be unrecognized,
   and according to the setting of the two highest order bits of the Option
   Type (see below), the receiver MUST discard the packet.
END

For me, this text is better, beause it explains this does not require a configured ACL. I have one niggle, that the HBH EH was changed by 6man, in RFC 9673, so that these "action bits" for the HBH do not need to result in drop. Would something like this be acceptable?

NEW
   The VPN Service Option MAY appear in a Destination Options header
   that precedes an upper-layer header.  It MUST NOT appear in any other
   extension header.  If a receiver finds the VPN Service option in another
   extension header that it is processing, the option will be unrecognized,
   and the packet MUST be processed according to the setting of the two highest 
   order bits of the Option Type (see below). 
END


2. I understand the intent is to specify a new DO for use by a router at the PE
edge. However, I cannot tell from the text whether this experiment is also
scoped to require filtering of destination options that are processed by the
final destination of the packet (host) (see Section 4.1., Note 2) of RFC 8200.
This does not seem to be quite what was intended.

Hmm. Not sure. I think a DO is a DO. That is, it applies to the node identified by the destination address.
In our cases, there is IP-in-IP encapsulation. That is, the outer header has a DA that identifies the PE and carries the new DO. The inner header has a DA that identifies the "final destination" (host).
I think the host would not recognise the new DO if it showed up (and so would drop the packet), but there is no reason why it would show up.

I think no change needed here, but happy to hear suggestions.
OK (1) above improves this, and now I don't think this implies hosts have to do any special processing. 
3. Section 7 assumes that the only processing of this option is by an egress PE
device. It says “It cannot be deployed where one or both of the PEs does not
support MPLS.”  Would scoping the receiver processing rules only to egress PE
devices reduce the deployment challenges in using an experimental number?

First, the quote you picked is describing pre-existing MPLS VPN solutions. So not really applicable to this solution.
But it is true that the intention (i.e., the whole point of VPNs?) is that the target of the DO is the remote PE. This is a PE-to-PE communication of the VPN ID.
I don't see any substantial benefits to scoping this down to PE deployments. Practically, it is true that support only needs to be implemented on PEs. But we need to specify for what would happen if another node accidentally found the DO (errors do happen!).
The issue of nodes that are not part of the experiment is easy: the high order bits take care of it because such nodes will not recognise the Option Type.
The risk is what happens if there are two experiments going on at the same time - they need to use different experimental Option Types. But we expect a network to know which experiments are running.

I don't believe any change is needed here, but happy to hear suggestions.
Again, the text in (1) addresses this mostly, and I'm OK to clear the discuss if we have removed any implication that special processing needs to be configured in non-participating nodes. 
COMMENT:

1. Section 9 does not explain how to clean-up after the experiment. Section 1.1
of RFC 3692 includes text that I thought was helpful, and I’m surprised that
this text (preferably quoted as-is) did not appear in this document’s
deployment section.

  When protocols that use experimental numbers are included in
  products, the shipping versions of the products must disable
  recognition of protocol experimental numbers by default -- that is,
  the end user of the product must explicitly "turn on" the
  experimental protocol functionality.

We can certainly include something like that.
Thanks. 
 
2. The text in section 8 only seems to assume “care” about potentially
overlapping use. I recognise that the experimental numbers are not guaranteed
to be unique in any environment, however could this format include a prefix
that could help distinguish this experiment from other uses. For example, I’m
curious why the option does not include an identifier to associate it with the
closed domain in which it is intended to operate? That might reduce the
potential for accidental misinterpretation if a packet was forwarded to another
closed domain. Even a short randomly chosen identifier could help reduce any
confusion if this same code point was to be used by another experimental option
(or perhaps more significantly were to remain deployed at the end of the
experiment).

IP VPNs are widely deployed "across the Internet" and section 8 notes this as a target for deployment. In that context, I don't know what a "closed domain" is in this context. 

Perhaps, to set a context, imagine a TCP experiment. You would happily run this across the Internet and not need to limit the IP addresses to which you run it (I think).

Now, another way to think about this is how VPNs are configured in any case. Not all PEs participate in every VPN, they need to be configured for participation. So this is really pretty much the same thing.
I struggled a little to understand what would happen if multiple entities used the same experimental numbers, but if the WG was fine with this, then so am I for an experimental spec. 
4. Please could you fix the following NiTs:
/OAM mechanism/OAM mechanisms/
/If VPN Service option/If the VPN Service option/
/Was there a need to synchronize configurations at each node or could nodes be
configured independently/ please add a question mark.

Ack to all those.

Many thanks.
Do come back with discussion as you feel.

Adrian

Please confirm if we're in agreement,

Gorry

v2.31.3 | Report a Bug | By Email | System Status