Re: Limited Domains:

[Brian E Carpenter <brian.e.carpenter@gmail.com>]

On 14-Apr-21 04:46, Tom Herbert wrote:
> On Tue, Apr 13, 2021 at 9:18 AM Ahmed Abdelsalam (ahabdels)
> <ahabdels@cisco.com> wrote:
>>
>> Hi Nick,
>> Please find my answers inline [AA]
>>
>> -----Original Message-----
>> From: Nick Hilliard <nick@foobar.org>
>> Date: Tuesday, 13 April 2021 at 11:58
>> To: ahabdels <ahabdels@cisco.com>
>> Cc: Tom Herbert <tom@herbertland.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>, "draft-filsfils-6man-structured-flow-label@ietf.org" <draft-filsfils-6man-structured-flow-label@ietf.org>, "6man@ietf.org" <6man@ietf.org>
>> Subject: Re: Limited Domains:
>>
>>     Ahmed Abdelsalam (ahabdels) wrote on 13/04/2021 09:59:
>>     > [AA] I don't think we need a new codepoint.
>>     > The operator explicitly configures the routers under his
>>     > administrative domain to support Structured Flow Label.
>>
>>     a codepoint is a marker to cause something to be interpreted in a
>>     specific and different way.  Moving this flag to the configuration
>>     domain is essentially admitting that the semantics of a codepoint are
>>     necessary, except that it removes the possibility of having these
>>     semantics interpreted automatically on a per-packet basis, and turns it
>>     into a per-router or possibly per-interface flag.  This is an unusual
>>     type of regression in terms of a protocol where so much work has been
>>     put into auto-configuration, and where the syntactic mechanism has been
>>     created for protocol extensions.
>> [AA] This is a domain wide config applied to all nodes of the domain. So either you decide to do on all routers or not. It doesn’t on per packet treatment.

But what happens if a packet sourced inside the domain has a destination
outside the domain, where flow labels are 20 bits? What happens when a
packet from outside the domain with a 20 bit flow label arrives inside
the domain?

The only model I can imagine is that every router in the domain (not just
the border routers) would need to check every packet and, if either
the source or the destination prefix is outside the domain, then apply
the rules of RFC6437. That's mathematically possible, I suppose, but
it absolutely requires a per-packet treatment.

If you're going to steal codepoints for local use, steal them from the
DSCP. That is potentially rewritten at the domain boundary, and what's
more it's IP-version independent and belongs to another WG.

(Fair warning: this would be contentious too.)

Regards
     Brian

>>
> Ahmed,
> 
> So this is all or nothing then, replete with a so-called "flag day".
> What is the protocol that guarantees that every router in the domain
> is properly configured, that no one ever inadvertently brings up a
> router without proper configuration? And if configuration fails, which
> even in a moderately sized domain will inevitably happen at some
> point, how will the user detect the issue and debug it?
> 
> Tom
> 
>>
>>     As a separate issue, if a regular ip packet from the outside
>>     accidentally enters into this administrative domain, how does a router
>>     on the inside of the domain know not to attempt to interpret the flow
>>     label as a SFL, as it could end up effectively parsing random junk?
>>
>> [AA] All packet coming from external interfaces will be encapsulated in outer IPv6 header as explained the in section 3. The outer IPv6 is what matters for forwarding inside the domain. If a packet from outside accidentally enters into this administrative domain, then that is a bigger problem than SFL.
>>
>>     Nick
>>
> .
>