IETF Logo Mail Archive

Re: END SID Without SRH

Mark Smith <markzzzsmith@gmail.com> Thu, 13 June 2019 23:36 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0D84120189 for <ipv6@ietfa.amsl.com>; Thu, 13 Jun 2019 16:36:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.498
X-Spam-Level:
X-Spam-Status: No, score=-0.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BzB6ZSUN5xlv for <ipv6@ietfa.amsl.com>; Thu, 13 Jun 2019 16:36:30 -0700 (PDT)
Received: from mail-ot1-x332.google.com (mail-ot1-x332.google.com [IPv6:2607:f8b0:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A35B51200F8 for <ipv6@ietf.org>; Thu, 13 Jun 2019 16:36:29 -0700 (PDT)
Received: by mail-ot1-x332.google.com with SMTP id p4so953050oti.0 for <ipv6@ietf.org>; Thu, 13 Jun 2019 16:36:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=s9m6ObZ7poybjkbts3scZo3BFAbOLmKwlPmTofl6lcY=; b=mlZoRB5VVzkIthC7O42UoyfHY6AqtJVuBkDibYtoapzyWbdaDpHq/XKLcqEGGYje/Y D9nkDgaAkzNqkZwGrErvFkYnIuTTaFKzupxp3q2gOqnqkZIN3BOJIByuHjpCCsQatbRi O2/p0+KKOPG6Rrl+Rbe10DhMPfQwc7J4G4rf+Lh5xVrtkiZZtq/6L+Iem/+xJI2T6cnC SXrfZIZWfgQ653S1lU8pPMXMuWqxIKpn3hER/jpo2T7feAn+KhulhwikUHwu6rknA9BK Jf++WDYR7OytM51/d3vgW36H9/9oIJR5vulY7CfkYk/hP/mxI39+1eWMo7Y3VwTox0A2 I5Kw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=s9m6ObZ7poybjkbts3scZo3BFAbOLmKwlPmTofl6lcY=; b=J1m6NYUfhl1ErClgNB9955xAxSmpYbAUkAWfGPg6mlF09tukuFgw731kRJt9ANyk+L HMrnVm+WcJKk7IpnMVxfuonHn22qx0pQo205O4VSdk/JNtPjx1kCa7IAdl0cjpxrDIuS DEdc/jgjr+XPC3VwtKMUiNVWkISMd1mlEnykJ0OIqi5xIUU8J1qf7SQ/ssGK8s7d3hYi zPzRUVT6jcdIamEDpqhk6/Io+MlbwRmG5k23TpzdoZ9H1dBOTU/5HVXWMM+jPtrUhbJm sb37Yl6feztN+wEQRZaKlxvc9rOsokWLs/QbbbzHJ3ViPMsxZUjYk83b5gktWkcVMqNR LelA==
X-Gm-Message-State: APjAAAUguiuyMb1ZgiANGeefYSIqdCxRnNycJfzT1bVvlQAkfZ3JPHaA tnhHP4orBTeccGHtuIp05mjLCFGYKlnAgczf3Oo=
X-Google-Smtp-Source: APXvYqzhMpECd69MNabbORK/xkS50Q93JX6V6vtcTXQimhFsWm+QD4E3mfwzvty+ItcH39XYqokjiX8iVciPtNK1Tjw=
X-Received: by 2002:a05:6830:1192:: with SMTP id u18mr40760882otq.74.1560468988965; Thu, 13 Jun 2019 16:36:28 -0700 (PDT)
MIME-Version: 1.0
References: <BYAPR05MB42456C75487CF9283A0ED1D0AE100@BYAPR05MB4245.namprd05.prod.outlook.com> <CAO42Z2y_D-xe+tX9n-KQYjnk5bkYXibO0Zs3E=JfAWWMZnJcSA@mail.gmail.com> <3030A68F-6CE1-4179-930C-D60BEB73063A@employees.org> <CAO42Z2yLkCRNXKp8KKnqh8VRRo6p1dx4h0-gyLBFZ=Jq0xQj2w@mail.gmail.com> <0C40BEFF-B050-40A1-BCB7-F76ADF18E3E0@employees.org> <BYAPR05MB42457C37AE7DC3F4CACC8FD7AEEC0@BYAPR05MB4245.namprd05.prod.outlook.com> <B254E985-A848-4FC4-868D-E2F04CF7E0DB@cisco.com> <CAO42Z2wXRe9XyMMVetzPMTY4Og=B=wQLz3LUVB0DFzRLL-BPQQ@mail.gmail.com> <07B7D3ED-55AC-4698-900A-E6828A1AAC20@cisco.com>
In-Reply-To: <07B7D3ED-55AC-4698-900A-E6828A1AAC20@cisco.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Fri, 14 Jun 2019 09:36:02 +1000
Message-ID: <CAO42Z2xvaW3gAKymaYDT=DPoBJFkjiBi0C=Rnkda-usZnHA12g@mail.gmail.com>
Subject: Re: END SID Without SRH
To: "Darren Dukes (ddukes)" <ddukes@cisco.com>
Cc: 6man WG <ipv6@ietf.org>, Ole Troan <otroan@employees.org>, Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/oCERTiO__xgeTbtPp75fIu9-mJY>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jun 2019 23:36:32 -0000

On Thu, 13 Jun 2019 at 17:25, Darren Dukes (ddukes) <ddukes@cisco.com> wrote:
>
> Mark.
>
> You remember your SIDs in your SR domain come from a SID block you created, S/s (see section 5.1) and this destination address falls within that space.
>

Humans really aren't all that good at remembering numbers. We even
make errors when

If IPv6 addresses are going to have special meaning and unconventional
RFC 8200 processing, they should come from a special purpose address
space - not one that is from within any of the the existing unicast
address spaces.

That would make it possible for if tools like Wireshark could have
know of a well known SID prefix so that they can identify and mark SR
packets. It reduces the operator's mental load while troubleshooting.
(Having

There are a lot of defined reserved IPv6 and IPv4 prefixes, for uses
that are more obscure than I'd think SR is intended to be e.g.
198.18.0.0/15 for Benchmarking, or 2001::/32 TEREDO.


I still think mandating the SRH in all to be SR processed packets is
better, even with a common well-known IANA assigned SID specific IPv6
prefix. It is explicit, rather than implicit in the packet's IPv6
addresses, and leverages existing mechanisms to deal with received
packet errors (i.e., ICMPv6 Parameter Problem,


> You notice the destination sending an ICMP parameter problem error with a code that says “SR Upper-layer Header Error”.
>

What if the device receiving the packet isn't SR capable or aware? It
will try to pass the packet to up to the TCP stack and process it. If
it generates a TCP RESET, it'll send the TCP RESET back to the SR
aware node than sent the packet in the first place.

Would that receiving SR node know what to do with a TCP RESET (or a
UDP triggered ICMPv6 Destination Unreachable Port Unreachable?) from
what is supposed to be an SR node?

I don't see any advice to only use ULA address space for SIDs
(assuming an IANA reserved prefix isn't chose), so with SIDs that fall
from within the GUA unicast address space, the likelihood of packets
leaking to non-SR aware nodes increases.

Regards,
Mark.



> This is how you tell the source is trying to talk to a destination address that doesn’t speak TCP.
>
> Darren
>
> On Jun 13, 2019, at 6:28 AM, Mark Smith <markzzzsmith@gmail.com> wrote:
>
>
>
> On Thu., 13 Jun. 2019, 07:52 Darren Dukes (ddukes), <ddukes@cisco.com> wrote:
>>
>> Hello everyone.
>>
>> This document defines an SRH and a SID, and how that SID is processed.
>>
>> I expect anyone "surprised" by this fact should have read this draft at some point:
>> a - within the past 2 years; since this document has defined a SID and its processing.
>> b - within the past 13 months; since section 4.3.1 specifically described discarding the packet based on upper layer header being processed.
>> c - within the past 8 months; since the current version of 4.3.1.2 was updated with the new ICMP error code, published, and the WG was notified via email.
>>
>> And recall section 3.1 defines a Source SR node as
>>    "any node that originates an IPv6 packet with a
>>    segment (i.e.  SRv6 SID) in the destination address of the IPv6
>>    header.  The packet leaving the source SR Node may or may not contain
>>    an SRH."
>>
>> In other words, there is no surprise.
>
>
> So one of the contexts I consider is sitting in front of a packet capture tool like Wireshark, and trying to troubleshoot a fault by looking at the packet.
>
> For the packet Ron described, with no SRH header, there is nothing to distinguish it from a normal IPv6 packet. The fault would be that the packet contains a TCP header, yet TCP processing is not occurring.
>
> The DA address in the packet might actually be a SID, but if it is coming from within the existing IPv6 unicast or multicast spaces, there is no indication of that.
>
> This SR processing is failing the principle of least surprise. That failure can cause longer than necessary troubleshooting and longer customers' services impacts. A network's MTTR is negatively impacted.
>
> Mandating that all packets to be SR processed have an SRH would prevent this problem. It would also be compliant with RFC 8200, because the processing to occur on the packet when it arrives at the device with the DA is explicitly encoded in the packet.
>
> Without a formal SID address space, encoding functions to perform on a packet in addresses is ambiguous, implicit and when troubleshooting, non-obvious.
>
> Regards,
> Mark.
>
>>
>> Darren.
>>
>>

v2.23.0 | Report a Bug | By Email