Re: [spring] Typo correction Re: Question from SPRING regarding draft-filsfilscheng-spring-srv6-srh-compression

Erik Kline <ek.ietf@gmail.com> Mon, 25 October 2021 19:41 UTC

Return-Path: <ek.ietf@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C8A33A086C; Mon, 25 Oct 2021 12:41:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5As-tpBKj31L; Mon, 25 Oct 2021 12:41:06 -0700 (PDT)
Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9670E3A0EFC; Mon, 25 Oct 2021 12:39:22 -0700 (PDT)
Received: by mail-ot1-x32b.google.com with SMTP id l16-20020a9d6a90000000b0054e7ab56f27so16378088otq.12; Mon, 25 Oct 2021 12:39:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zl1sjgnyKlfEpNqaJfDXZSTUu3BuWYGd4GxPDw6gXcw=; b=AkcP0bnpoOyxlxLCeIXx8q8txFJnFzwi2kIAJMvzKq+XHOAbjhOWnsy+VaJa0aE48Q 8dskquzug+nx5a0z8mUYceTT/ufkfB7RBV63i61VbqUmrZyMrpY6RwHIPnqtKJOE649A b0MS7+2xw7jp/ExkBex3+sC0M3VzPuV+VlPWMZKkiDNPJtwpcGDPRnlH/wFbeiG8p8F1 FTmvEgARhK+DwJGOZUujCaiVhM479HUeCaFEld8l4Z0tPZ8eb4Is8UuBZYm0T3j9pYwS 633QZxWtZaRzSI/mRXdEfZR/mgM0FPNkFta6HcPeuYpWyPAlGwZgjZBX25wGH8TRvgkK 8z7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zl1sjgnyKlfEpNqaJfDXZSTUu3BuWYGd4GxPDw6gXcw=; b=nt+GZjMykjTjMRW6LM6oIz8K+9PKek1FIU/sDZBQzxXw5Y96UwIIuFolST/1I2JKIy 7iyRVcZAArfUUYVi84V7nHDR+XcVwyD1pT8DOBEYOJE7BTyv9NPOLs8BaQWMMYaGnInA tzMTb371UwR21vrYQZciaUR17k/3JMAlDgCWgY1TB/U3DwxfE6baWTTq+zLVKsrQp7jX upKjJoOHPUqPZrMdzb3vAQOhtqvr0HeSxAwGrY6BJXHxDgHb4YcFRD84WxsVBHJX9wd3 n4V63ZMNwyp3OYbrVCbt3xjN356luNhA5fQ5dNCZDhF412pdkOEVcVOlg/J4mXZ18Xw/ XzvQ==
X-Gm-Message-State: AOAM530N5nGTC5biV+Ozty85+EHF5EAejWcWrxt5xmoDtqAHcdxZepif Psy8C/saVR4npzCSuS1hMfxJiaJxFzVH/qgSkHs=
X-Google-Smtp-Source: ABdhPJwCHXXPl+f+Km11VMt6R5/yFWjb0c2nhfc07FKoSgfIiKsK/7h9BYko5CqKRT84C1rMucgb3pv+QBgS8+h3VbQ=
X-Received: by 2002:a05:6830:86:: with SMTP id a6mr15470026oto.380.1635190761796; Mon, 25 Oct 2021 12:39:21 -0700 (PDT)
MIME-Version: 1.0
References: <85fddbe9-4eb8-7d90-d246-a888fe8bdcd3@joelhalpern.com> <139d72fd-98de-f46a-767f-6a493c4facc9@joelhalpern.com>
In-Reply-To: <139d72fd-98de-f46a-767f-6a493c4facc9@joelhalpern.com>
From: Erik Kline <ek.ietf@gmail.com>
Date: Mon, 25 Oct 2021 12:39:12 -0700
Message-ID: <CAMGpriWGFWmCj+_osEoYcPU7fr4C0vgxq9W1-4mhZcL2F9Tu6Q@mail.gmail.com>
Subject: Re: [spring] Typo correction Re: Question from SPRING regarding draft-filsfilscheng-spring-srv6-srh-compression
To: "Joel M. Halpern" <jmh@joelhalpern.com>
Cc: "ipv6@ietf.org" <ipv6@ietf.org>, "John G. Scudder" <jgs@juniper.net>, "spring@ietf.org" <spring@ietf.org>, Martin Vigoureux <martin.vigoureux@nokia.com>, Alvaro Retana <aretana.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000007f3b8405cf328498"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/rGgpWZyPaKonLaeuT37D7qZ1Vcw>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Oct 2021 19:41:11 -0000

[replying on this thread as is has more folks cc'd]

Joel,

First: thank you to everyone who has commented, clarified, sat for
meetings, and reviewed and edited text, often repeatedly.  It is very much
appreciated.

This reply is on behalf of the 6MAN chairs and INT ADs.

-- Erik, Éric, Bob, Ole

[1] Does the placement of a list of SIDs in the IPv6 DA field change the
IPv6 architectural description of that field?

It is understood that from the perspective of an IPv6 transit node the DA
field remains a valid DA, and from the perspective of an SR-aware node the
DA remains a SID of the LOC:FUNC:ARG form of RFC 8986.  On the surface,
then, these would not appear to represent any change to the IPv6 data plane
from currently published specifications.  However, this new category of
address seems as though it can in fact go against current specifications in
certain circumstances.

SIDs of the RFC 8754 and RFC 8986 form can reasonably be expected to obey
general unicast semantics: RFC 8986 section 4.1.1 permits Endpoint handling
of any inner payload type that is “allowed by local configuration” and even
explicitly gives the example of “an operator might permit pinging of SIDs.”
 In the case of ICMPv6 Echo Replies specifically RFC 4443 section 4.2
places requirements on the source address of the reply: it MUST be a
unicast address and MUST be the same as the DA if the DA was unicast
otherwise another unicast SA is chosen if the DA was an anycast or
multicast address.

In the SR C-SID topology A--B--C--D, sending a ping from A to D, could in
theory be done two ways: (1) ping D via SR policy B,C or (2) ping
LOC:FUNC:B:C:D (the SID of B with a set of CSIDs as the argument). In the
first case the ping is sent to the final destination D, via an SR path. In
the second case, the ping is sent to the final destination LOC:FUNC:B:C:D.
The IPv6 destination address as observed on the wire between A and B
(LOC:FUNC:B:C:D) and on reception at D (D::) will be the same in both
cases.  In the first case, the ICMP checksum based on address D is valid
and an ICMP reply will be sent from D to A.  In the second case though, the
ICMP echo request packet will have an invalid ICMP checksum and will be
dropped.

Can an IPv6 destination address when it's a C-SID (an “End with Next SID
arguments”) behave like a normal IPv6 end-point? Based on this, we may have
some new category of addresses and we feel the characteristics of SRv6
C-SID addresses should be more clearly defined.  We think that any
architectural issues can be resolved with such a document as outlined in
[A] below.

[2] Does the operation of shifting information around in the IPv6
destination address field represent a modification or extension of the IPv6
data plane?

The use of a SID with an ARG with a series of C-SIDs to generate the next
SID (a.k.a. “shifting”) form of compression (NEXT-C-SID) has an additional
deviation from the expected behavior of unicast addresses in the IPv6 data
plane, primarily by introducing a mechanism that achieves the objectives of
an SRH without requiring the presence of an SRH (section 4.1 of RFC 8754)
or without requiring the existence of Segment List in an attached SRH
(reduced SRH per section 4.1.1 of RFC 8754).

With existing SIDs, with REPLACE-C-SID behavior, and with NEXT-C-SID
behavior with a complete SRH, an ICMP error packet generated in response
to, for example, a traceroute packet with an attached SR policy can
trivially be correlated by the error receiver if the invoking packet
payload contains a sufficient portion of the SRH (section 5.4 of RFC 8754).

In the case of C-SIDs, the original sender can correlate the ICMP error by
doing a lookup in the segment prefix list of the SRH or in the DA and
finding the last SID representing the final destination as the final
destination is guaranteed to always be present even in the absence of SRH.
The behavior required of the original sender needs to be described in the
C-SID draft.

Beyond the concerns and questions raised in this response so far, within an
SR domain or set of cooperating SR domains, where restrictions on behavior
can be clearly defined and documented, these changes are limited to the
SRv6 data plane.

To summarize: we do not object to C-SID behavior work continuing in SPRING,
we simply need a clarifying document described in [A].

---

Next steps for consideration:

[A] A separate 6MAN document to clarify and categorize SRv6 SIDs is
needed.  We are happy to work to find authors for this document.

The document should explain SIDs’ deviation from RFC 4291 (probably
likening them to other addresses within prefixes handled by some virtual
network function, like NAT64 prefixes, and clarify that they are not
assigned to an interface) and capture many of the observations like those
in Brian Carpenter’s recent email [BC].  We think the document should also
clarify when a SID can appear in the Source Address field vs. when it can
only appear in the Destination Address field, and whether such a
distinction should exist. It should describe the behaviour of IPv6
addresses in the case of C-SIDs (SIDs “End with Next SID args”). The
document should also make it clear which parts are documenting existing
behavior of RFC 8754 and RFC 8986 SIDs -- therefore not really up for
extended debate -- and hopefully lay the framework for understanding any
future categories of SIDs (like whatever is coming at us next after C-SIDs)
that are in development.

This proposed “SRv6 SID Addressing Clarifications” 6MAN document should be
a normative reference for final C-SID publication.

[B] We think there are also operational considerations that warrant
attention prior to standardization.  Primarily we are concerned that there
is no analog to the SRH. SegmentsLeft field, i.e., no “compressed segments
left” field. The definition of the SRH.SegmentsLeft field points to the
definition from RFC 8200 section 4.4, which says it’s the “number of
explicitly listed intermediate nodes still to be visited before reaching
the final destination.”  Previously, there was a 1:1 mapping between this
text and the list of IPv6 addresses in the SegmentList array.  This
definition should be reviewed and updated for the compressed information
case.

Relatedly, the semantic intent might be restored by adding some indication
in the SRH of the size and number of the compressed SIDs.  We suspect this
would aid the usefulness of analysis of a packet capture: a captured packet
in tcpdump/wireshark could be dissected to show helpful information without
additional control plane knowledge.  Otherwise some means of injecting
control plane information into network diagnostics would be needed.

[C] We also suggest that, as SID/C-SID behaviors could be confused with
existing unicast/anycast address behaviour, it might be worth considering
isolating SIDs to a dedicated prefix.  RFC 4291 and other documents (e.g.,
RFCs 6052, 7343, ...) put addresses with different properties into defined
prefixes, and SIDs/C-SIDs could be similarly compartmentalized into a
well-defined prefix (e.g., a /16 to be requested of the IANA).  If no
dedicated prefix is used then the rationale should be documented (probably
in the same document mentioned in [A]).

[BC] https://mailarchive.ietf.org/arch/msg/ipv6/37bH3Ag7jaNgKwnZY_mKIxWRwdM/