IETF Logo Mail Archive

[IPv6]Re: New draft: draft-varhal-6man-icmp-srv6-vpn-00.txt

xiao.min2@zte.com.cn Sat, 28 February 2026 01:25 UTC

Return-Path: <xiao.min2@zte.com.cn>
X-Original-To: ipv6@mail2.ietf.org
Delivered-To: ipv6@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 0B466C019968 for <ipv6@mail2.ietf.org>; Fri, 27 Feb 2026 17:25:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y1Dk696zgK4D for <ipv6@mail2.ietf.org>; Fri, 27 Feb 2026 17:25:48 -0800 (PST)
Received: from mxhk.zte.com.cn (mxhk.zte.com.cn [160.30.148.34]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BA023C01994C for <ipv6@ietf.org>; Fri, 27 Feb 2026 17:25:47 -0800 (PST)
Received: from mse-fl2.zte.com.cn (unknown [10.5.228.133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mxhk.zte.com.cn (FangMail) with ESMTPS id 4fN6vl6zS2z5BNRf; Sat, 28 Feb 2026 09:25:39 +0800 (CST)
Received: from njy2app03.zte.com.cn ([10.40.13.14]) by mse-fl2.zte.com.cn with SMTP id 61S1PV8F072008; Sat, 28 Feb 2026 09:25:31 +0800 (+08) (envelope-from xiao.min2@zte.com.cn)
Received: from mapi (njb2app05[null]) by mapi (Zmail) with MAPI id mid201; Sat, 28 Feb 2026 09:25:32 +0800 (CST)
X-Zmail-TransId: 2afd69a2440c5b1-afa1b
X-Mailer: Zmail v1.0
Message-ID: <20260228092532649f5cH9V9S7_7FlULrMwbpW@zte.com.cn>
In-Reply-To: <AM0PR07MB5938BF25643F94846EF2F23AAC73A@AM0PR07MB5938.eurprd07.prod.outlook.com>
References: 177200324431.2487508.7953118699974385272@dt-datatracker-6ff7c68975-7k42g,20260227110947926eEGtyVt5w7-XUNAn4h3M2@zte.com.cn,AM0PR07MB5938BF25643F94846EF2F23AAC73A@AM0PR07MB5938.eurprd07.prod.outlook.com
Date: Sat, 28 Feb 2026 09:25:32 +0800
Mime-Version: 1.0
From: xiao.min2@zte.com.cn
To: balazs.a.varga@ericsson.com
Content-Type: multipart/mixed; boundary="=====_001_next====="
X-MAIL: mse-fl2.zte.com.cn 61S1PV8F072008
X-TLS: YES
X-SPF-DOMAIN: zte.com.cn
X-ENVELOPE-SENDER: xiao.min2@zte.com.cn
X-SPF: None
X-SOURCE-IP: 10.5.228.133 unknown Sat, 28 Feb 2026 09:25:39 +0800
X-Fangmail-Anti-Spam-Filtered: true
X-Fangmail-MID-QID: 69A24413.000/4fN6vl6zS2z5BNRf
Message-ID-Hash: UPQUM3AAHPB3CNKOII7BLH7FDKTALX5Z
X-Message-ID-Hash: UPQUM3AAHPB3CNKOII7BLH7FDKTALX5Z
X-MailFrom: xiao.min2@zte.com.cn
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ipv6.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: ipv6@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [IPv6]Re: New draft: draft-varhal-6man-icmp-srv6-vpn-00.txt
List-Id: "IPv6 Maintenance Working Group (6man)" <ipv6.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/prP1YYAHXe3fSnTr4u0wefr8tOQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Owner: <mailto:ipv6-owner@ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Subscribe: <mailto:ipv6-join@ietf.org>
List-Unsubscribe: <mailto:ipv6-leave@ietf.org>

Hi Bala'zs,

Thank you for the productive discussion and considering my comments.
On the "VPN SID flooding", you're correct. There is no need to flood the whole VPN SID, and only the locator part of VPN SID needs to be flooded, if that's already there, adding a reference to this draft would help.
Cheers,
Xiao Min


Original



From: BalázsVargaA <balazs.a.varga@ericsson.com>
  
To: 肖敏10093570;
  
Cc: ipv6@ietf.org <ipv6@ietf.org>;
Date: 2026年02月27日 18:14
  
Subject: RE: [IPv6]New draft: draft-varhal-6man-icmp-srv6-vpn-00.txt
  




Hi Xiao Min,
 
Ok, note taken regarding item 2. That part will be described with more 
detail in the next version. Thanks for pointing it out.
 
Just a clarification on the “VPN SID flooding” in the underlay network:
The underlay network must be aware only the locator part of the VPN SID.
E.g., B:N::/64 (like the example in RFC8986 Section 3.2) 
 
Thanks & cheers
Bala’zs
 

From: xiao.min2@zte.com.cn <xiao.min2@zte.com.cn> Sent: Friday, February 27, 2026 4:10 AM To: Balázs Varga A <balazs.a.varga@ericsson.com> Cc: ipv6@ietf.org Subject: Re: [IPv6]New draft: draft-varhal-6man-icmp-srv6-vpn-00.txt


 


Hi Bala'zs,



Thank you for the prompt responses.



Please see inline.



Original




From: BalázsVargaA <balazs.a.varga@ericsson.com>   



To: 肖敏10093570;   



Cc: ipv6@ietf.org <ipv6@ietf.org>;



Date: 2026年02月26日  18:57  



Subject: RE: [IPv6]New draft: draft-varhal-6man-icmp-srv6-vpn-00.txt  




Hi Xiao Min,
 
Many thanks for your comments. My answers below regarding your good and
essential questions:
 
1, The VPN-associated-SID is locally allocated by the PE. Its processing already
defines the upper-layer header steps (see rfc8986, section 4.1.1). In our case the
upper-layer = ICMPv6, therefore no need for extra parsing rules.  
Anyway, You are right, PE could parse the payload of ICMP Error Message and find
the VPN ID, however it is somewhat more complicated as the VPN specific SID in
the dstIP was allocated by the (remote) egress PE. So, following the already existing
upper-layer processing steps for a locally allocated SID is more simple.

[XM]>>> Make sense to me.



 


2, Yes, this is also a relevant part of the solution. There is no need for extra node SID
per VPN. You can use the same SID per VPN, what was allocated for the VPN service.
Being more specific: for a VPN service one can allocate SID(s) per-prefix (e.g., End.DX6)
or per-vrf (e.g., End.DT6). In the draft we propose to use a per-vrf SID (e.g., End.DT6) in
the srcIP on the PE. SID selection by the remote PE is not affected by the solution.

[XM]>>> I think this part is not clear in the current draft, so you may consider to elaborate it. As far as I know, the VPN SIDs won't be flooded within the SRv6 underlay networks,  however your solution requires the transit nodes between the ICMP Error Message sending node (P node) and the receiving node (ingress PE node) to forward the ICMP Error Message based on VPN SID (as the dstIP), so the VPN SIDs need to be flooded. IMHO that's  a big change and must be documented clearly.



 



Cheers,



Xiao Min



 


Thanks & Cheers
Bala’zs
 

From: xiao.min2@zte.com.cn <xiao.min2@zte.com.cn> Sent: Thursday, February 26, 2026 8:49 AM To: Balázs Varga A <balazs.a.varga@ericsson.com> Cc: ipv6@ietf.org Subject: Re: [IPv6]New draft: draft-varhal-6man-icmp-srv6-vpn-00.txt


 


Hi Bala'zs,



 



I like to see an alternative proposal for resolving the SRv6 VPN traceroute problem.



Actually I've also noticed the shortcomings of the MPLS based solution stated in section 3.3 of your draft.



After a quick reading I believe your proposed solution works, while I still have two questions as below.



1, Now that some complexity on PE is required by this solution, what's the advantage by using a VPN-associated-SID as the srcIP over applying a local policy to PE? Applying a local policy to PE, I mean mandating PE to parse the payload   of ICMP Error Message and find the VPN ID.



2, If I understand it correctly, this solution requires the PE to advertise multiple node SIDs (one node SID per VPN), then which one SID will be used as the dstIP by the remote PE while doing SRv6 encapsulation? 



 



Cheers,



Xiao Min



Original




From: BalázsVargaA <balazs.a.varga=40ericsson.com@dmarc.ietf.org>    



To: IPv6 List <ipv6@ietf.org>;   



Date: 2026年02月25日   16:18  



Subject: [IPv6]New draft: draft-varhal-6man-icmp-srv6-vpn-00.txt  




Hi, We have uploaded a new draft on "ICMP Error Handling for VPNs in SRv6 Networks". The draft proposes a solution that provides a native IPv6 method what does NOT have the drawbacks inherited by methods based on the MPLS based VPN ping or traceroute concept. It solves the problem that P nodes are not VPN aware without sending the ICMP error message to the egress PE router for a VPN lookup. It makes P nodes service agnostic and allows building IPv6-only core networks. Comments and suggestions are welcome. Thanks & Cheers Bala'zs -----Original Message----- From: internet-drafts@ietf.org <internet-drafts@ietf.org> Sent: Wednesday, February 25, 2026 8:07 AM To: Balázs Varga A <balazs.a.varga@ericsson.com>; Joel Halpern <joel.halpern@ericsson.com> Subject: New Version Notification for draft-varhal-6man-icmp-srv6-vpn-00.txt A new version of Internet-Draft draft-varhal-6man-icmp-srv6-vpn-00.txt has been successfully submitted by Balazs Varga and posted to the IETF repository. Name:     draft-varhal-6man-icmp-srv6-vpn Revision: 00 Title:    ICMP Error Handling for VPNs in SRv6 Networks Date:     2026-02-24 Group:    Individual Submission Pages:    7 URL:      https://www.ietf.org/archive/id/draft-varhal-6man-icmp-srv6-vpn-00.txt Status:   https://datatracker.ietf.org/doc/draft-varhal-6man-icmp-srv6-vpn/ HTMLized: https://datatracker.ietf.org/doc/html/draft-varhal-6man-icmp-srv6-vpn Abstract:    This document specifies ICMP error handling in SRv6-based Virtual    Private Networks. The IETF Secretariat -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org List Info: https://mailman3.ietf.org/mailman3/lists/ipv6@ietf.org/ --------------------------------------------------------------------

v2.43.4 | Report a Bug | By Email | System Status