IETF Logo Mail Archive

Re: [IPv6] Subject: Mandating SRH when using C-SIDs (draft-ietf-spring-srv6-srh-compression)

Robert Raszuk <robert@raszuk.net> Thu, 04 April 2024 21:00 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5B24C169430 for <ipv6@ietfa.amsl.com>; Thu, 4 Apr 2024 14:00:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4DziX2Rbb0Sa for <ipv6@ietfa.amsl.com>; Thu, 4 Apr 2024 14:00:08 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F101C180B62 for <ipv6@ietf.org>; Thu, 4 Apr 2024 13:59:54 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id 4fb4d7f45d1cf-56e0c29ad5dso1821889a12.1 for <ipv6@ietf.org>; Thu, 04 Apr 2024 13:59:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; t=1712264392; x=1712869192; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=sMN/qRraXdv7q17I6m/spfq8AXdPYn3Y/dudEmF/fiw=; b=ZUyNy3fkTG11u1mt7oZOjN2K5Wpgew0yDXBp+EEWW/JO5nEL+547o/0xS59sIzaQ/b /tL0t1YKCdY0C34jaxVI+3ZlG5NhYe900AnR/l/kKlO3N29hdJUVeRixf52Ndlk1z2lL b5xbIEFwwMc3wnH8e35XwOng7c3U330e8sN8LLNEqnOhpjZEXBnMDSyczbhqNjs+JF9U HK9dulHHJnmv+D9SA3ty/k2mDsCDP2HeBk4W8Qs+77Z33tA7Iz32eg5u0r+mcKf8XObg rTSbQ9beOnNuiemeQc/p2nZMJsu2d3k6J90WCtpIAZtfw0ckwVsnIPvMUo0w8W2ktDy5 Btag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712264392; x=1712869192; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=sMN/qRraXdv7q17I6m/spfq8AXdPYn3Y/dudEmF/fiw=; b=qADb9bKmcEh4uzMK4hPF2VFauAH1gah0+lL9G0HfCAsYyUufBlTzWC1/ycW4mLBs4I zmPH+itQzSbm/waZJl5RdA5GD1B1XmnphHBZLcCOkQ53MAC4y35Qp45k+UcVuwefS6M3 qN5+Fsl5TLZU+H+2ZnygHXgi1vTq99pxqclM1HMzH7iTHMgTaeBfhD+7+suIPWXMnPDc /BR4UKBmqbpOn3Bv2S7R8EBQrNDcI+C7fc+SdGZtjkVTtYUs5Vc2kEv6WMMOdsG024sp 4T3iBCaSIG0UQX/+AyWP+jtXpPbjwo440Wuk0md1FF3yqgepmfloKEwWg63h1B5vhHRC uV5w==
X-Forwarded-Encrypted: i=1; AJvYcCUs+8D9R/CDLPZEPb2vfFEoXqY2fdZHtxq5dhdrk2j/XHKoBbM5GFOPBGJvFvpxQO2LyeGok98PPDuNikYo
X-Gm-Message-State: AOJu0Yz9V9Yqwb47BIegwlUKzfdmov7kFmgKlUQwjDcRxun2+MHGfeYo XM+DBn+k82pN7vNVS500FZwDYL6Uu3U22Iess8enRG+YZ84OTITkT1M1T5IWclnxZHXGxXQvbYP 5cuTrixD3JmdQa14N4HdOtY5JO60PUdr0Gp4Ppg==
X-Google-Smtp-Source: AGHT+IEnoJ1eu/bZQIN6Eca8t43QFEW/V+QKxTx+3LwJq/69xYm8355yKTQZ1ibe0q6/QSTc3+9QoGHfy5MGXE12oCs=
X-Received: by 2002:a50:9998:0:b0:56b:d15b:6dc1 with SMTP id m24-20020a509998000000b0056bd15b6dc1mr2291160edb.23.1712264392095; Thu, 04 Apr 2024 13:59:52 -0700 (PDT)
MIME-Version: 1.0
References: <CALx6S34WAJxqZzcOVFUw4-L36kBJOx7rowcKbvzJLGUykTmzTg@mail.gmail.com> <3D87E6A7-2487-4E18-9553-008AE4DB37C1@employees.org> <CALx6S35C3BARfQPn42yHb8a-MZF5hoei39z4ezOLDYAuN=o=fA@mail.gmail.com> <CAOj+MMHNOW1Yao8qTukNx3ykEALeco_4A=L78=O+VLH=Dgx7rg@mail.gmail.com> <CALx6S35oyyXpUwEMw0v0ToujhXHfKzg39TAkmpUjiG9rJQqfvQ@mail.gmail.com>
In-Reply-To: <CALx6S35oyyXpUwEMw0v0ToujhXHfKzg39TAkmpUjiG9rJQqfvQ@mail.gmail.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Thu, 04 Apr 2024 22:59:40 +0200
Message-ID: <CAOj+MMG8VhGOMBeN=COiFbnQvmQS0nesY_rY9_TKGWrxV_2gfA@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
Cc: Ole Trøan <otroan=40employees.org@dmarc.ietf.org>, spring-chairs@ietf.org, SPRING WG List <spring@ietf.org>, 6man <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000da55be06154b9e34"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/ssFfPTbOhOn41r_MumoL5LbkyKA>
Subject: Re: [IPv6] Subject: Mandating SRH when using C-SIDs (draft-ietf-spring-srv6-srh-compression)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 21:00:12 -0000

Well software could know that but not NICs nor ASICs ...

On Thu, Apr 4, 2024 at 10:57 PM Tom Herbert <tom@herbertland.com> wrote:

>
>
> On Thu, Apr 4, 2024, 4:00 PM Robert Raszuk <robert@raszuk.net> wrote:
>
>> Tom,
>>
>> I have full sympathy for your points.
>>
>> But I can not understand how suddenly SR uSID is the issue and normal
>> IPv6 vanilla Routing Headers are ok as defined checksum wise in RFC8200.
>>
>> Maybe someone could elaborate a bit on that ?
>>
>
> Robert,
>
> Because, when a routing header is present we know that the final address
> in the list is the one to used as the destination address in the pseudo
> header. If the last address is uncompressed or can be decompressed without
> additional state then we can calculate the checksum based on that (also,
> that allows us to track flows in the network which is another useful thing
> in a data center).
>
> Tom
>
>
>> Thx,
>> R.
>>
>> PS. And of course in spite of all effort from Alvaro to sort the topics
>> the threads again got completely mangled and everyone is describing their
>> perceived issue in random thread. My gently hint for the chairs would be to
>> log issues in github and have more structured processing them there.
>>
>>
>>
>> On Thu, Apr 4, 2024 at 9:50 PM Tom Herbert <tom@herbertland.com> wrote:
>>
>>>
>>>
>>> On Thu, Apr 4, 2024, 3:37 PM Ole Trøan <otroan=
>>> 40employees.org@dmarc.ietf.org> wrote:
>>>
>>>> Tom,
>>>>
>>>> Can you point to any IETF specification requiring that middle boxes
>>>> should be able to validate a l4 checksum? IPsec be damn.  It just seems
>>>> like a path we should not go down.
>>>>
>>>
>>> Ole,
>>>
>>> No, but neither can I point to an RFC that says firewalls have to parse
>>> deep into packets. The point is that we know people can and do such things
>>> (packet traces and checksum offload are deployed use cases for this).
>>>
>>> The transport checksum has been maintained to be correct on the wire in
>>> plain UDP,TCP/IPv6 for thirty years even in NAT. Breaking that convention
>>> without considering the ramifications could very well lead to some
>>> unhappiness. And my concern is that problems would not just be confined to
>>> SR packets, but could affect non-SR (like how we debug checksum problems in
>>> non-SR traffic).
>>>
>>> Tom
>>>
>>>
>>>> O.
>>>>
>>>>
>>>>
>>>> On 4 Apr 2024, at 21:22, Tom Herbert <tom=
>>>> 40herbertland.com@dmarc.ietf.org> wrote:
>>>>
>>>> 
>>>>
>>>>
>>>> On Thu, Apr 4, 2024, 3:12 PM Robert Raszuk <robert@raszuk.net> wrote:
>>>>
>>>>> Tom,
>>>>>
>>>>> >  SR aware routers to update L4 checksum
>>>>>
>>>>> That is completely unrealistic.
>>>>>
>>>>> Show me the box which can forward all interfaces at 800 Gb/s and read
>>>>> entire each packet and compute upper layer checksum on it.
>>>>>
>>>>
>>>> Robert,
>>>>
>>>> It's not necessary to calculate the whole checksum, only the L4
>>>> checksum needs to be updated by adding in the delta checksum. With IPv6 we
>>>> can also do a checksum neutral mapping. Basically, this uses the low order
>>>> 16 bits in the DA address as the checksum adjustment value. For instance,
>>>> if we can use the low order bits in a SID block then that would be simplest
>>>> to implement.
>>>>
>>>> Tom
>>>>
>>>>
>>>>> If anything just do encap and move on.
>>>>>
>>>>> Thx,
>>>>> R.
>>>>>
>>>>>
>>>>> On Thu, Apr 4, 2024 at 7:06 PM Tom Herbert <tom@herbertland.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, Apr 4, 2024, 12:30 PM Robert Raszuk <robert@raszuk.net>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Tom,
>>>>>>>
>>>>>>> Yes I am with you here.
>>>>>>>
>>>>>>> However let's observe that this is pretty common best practice to
>>>>>>> disable any hardware offload on the box when running tcpdump or wireshark.
>>>>>>>
>>>>>>> In fact some implementations (F5) do it for you automagically :)
>>>>>>>
>>>>>>> And as it has been said based on the fact that hardware offload does
>>>>>>> not understand any Routing Headers it really does not matter if it is there
>>>>>>> or not :)
>>>>>>>
>>>>>>
>>>>>> Robert,
>>>>>>
>>>>>> tcpdump is independent of hardware offload. If the checksum is
>>>>>> incorrect per the packet contents we'll see bad checksums reported if we
>>>>>> snoop packets, but like I said, we can't differentiate the bad from the
>>>>>> good.
>>>>>>
>>>>>> Offload becomes an issue for NICs that do protocol specific checksum
>>>>>> offload. We lose the capability on RX which is an inconvenience, on TX we'd
>>>>>> need to change the implementation to ensure the checksum is not computed by
>>>>>> HW.
>>>>>>
>>>>>> If SR without SRH is needed, then I believe the best answer is for SR
>>>>>> aware routers to update L4 checksum when they change DA per NAT
>>>>>> requirements. This solves tcpdump as well as offloads.
>>>>>>
>>>>>> Tom
>>>>>>
>>>>>>
>>>>>>> Cheers,
>>>>>>> R.
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Apr 4, 2024 at 6:11 PM Tom Herbert <tom=
>>>>>>> 40herbertland.com@dmarc.ietf.org> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Apr 4, 2024, 11:48 AM Francois Clad <fclad.ietf@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi Tom,
>>>>>>>>>
>>>>>>>>> Tcpdump can determine that this packet is steered onto an SRv6
>>>>>>>>> path by checking if the DA matches the SRv6 SID block.
>>>>>>>>>
>>>>>>>>
>>>>>>>> Francois,
>>>>>>>>
>>>>>>>> That would require introducing external state to tcpdump for
>>>>>>>> correct operation. This would be a major divergence in both implementation
>>>>>>>> and ops compared to how things work today.
>>>>>>>>
>>>>>>>> Tom
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Francois
>>>>>>>>>
>>>>>>>>> On 4 Apr 2024 at 16:59:59, Tom Herbert <tom@herbertland.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Thu, Apr 4, 2024, 9:39 AM Francois Clad <fclad.ietf@gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Mark,
>>>>>>>>>>>
>>>>>>>>>>> Tcpdump/wireshark decodes the IPv6 header just fine. I do not
>>>>>>>>>>> see any issue here.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Francois,
>>>>>>>>>>
>>>>>>>>>> The problem is that tcpdump can't tell that a packet is an SR
>>>>>>>>>> packet if there's no SRH. For instance, if the checksum is not maintained
>>>>>>>>>> to be correct in the wire then tcpdump will show that the packet has a bad
>>>>>>>>>> L4 checksum, but there's no way to tell if that is an SR packet or if the
>>>>>>>>>> checksum is actually bad. This will make debugging checksum failures in the
>>>>>>>>>> network much more difficult, and this affects our ability to debug all
>>>>>>>>>> traffic not just SR packets.
>>>>>>>>>>
>>>>>>>>>> Tom
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Francois
>>>>>>>>>>>
>>>>>>>>>>> On 4 Apr 2024 at 14:09:43, Mark Smith <markzzzsmith@gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, 4 Apr 2024, 22:50 Francois Clad, <fclad.ietf@gmail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Alvaro, all,
>>>>>>>>>>>>>
>>>>>>>>>>>>> RFC 8754 allows the SR source node to omit the SRH when it
>>>>>>>>>>>>> contains redundant information with what is already carried in the base
>>>>>>>>>>>>> IPv6 header. Mandating its presence for C-SID does not resolve any problem
>>>>>>>>>>>>> because it will not provide any extra information to the nodes along the
>>>>>>>>>>>>> packet path.
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> How are troubleshooting tools like 'tcpdump' going to know how
>>>>>>>>>>>> to automatically decode these packets as SRv6 packets if there is no SRH?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> Specifically for the case of middleboxes attempting to verify
>>>>>>>>>>>>> the upper-layer checksum,
>>>>>>>>>>>>>
>>>>>>>>>>>>>    - An SRv6-unaware middlebox will not be able to verify the
>>>>>>>>>>>>>    upper-layer checksum of SRv6 packets in flight, regardless of whether an
>>>>>>>>>>>>>    SRH is present or not.
>>>>>>>>>>>>>    - An SRv6 and C-SID aware middlebox will be able to find
>>>>>>>>>>>>>    the ultimate DA and verify the upper-layer checksum in flight, regardless
>>>>>>>>>>>>>    of whether an SRH is present or not.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Furthermore, transit nodes (e.g., middleboxes) should not
>>>>>>>>>>>>> attempt to identify SRv6 traffic based on the presence of the SRH, because
>>>>>>>>>>>>> they will miss a significant portion of it: all the best-effort or
>>>>>>>>>>>>> Flex-Algo traffic steered with a single segment may not include an SRH,
>>>>>>>>>>>>> even without C-SID. Instead, RFC 8402, 8754, and 8986 define identification
>>>>>>>>>>>>> rules based on the SRv6 SID block.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Francois
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 2 Apr 2024 at 19:44:51, Alvaro Retana <
>>>>>>>>>>>>> aretana.ietf@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Moving this conversation up on your mailbox. :-) ]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Thanks, Robert and Tom for your input!]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We want to hear from more of you, including the authors. Even
>>>>>>>>>>>>>> if you already expressed your opinion in a different thread, please chime
>>>>>>>>>>>>>> in here.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We will collect feedback until the end of this week.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Alvaro.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On March 28, 2024 at 8:06:18 AM, Alvaro Retana (
>>>>>>>>>>>>>> aretana.ietf@gmail.com) wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Focusing on the C-SID draft, some have suggested requiring
>>>>>>>>>>>>>> the presence of the SRH whenever C-SIDs are used. Please discuss whether
>>>>>>>>>>>>>> that is the desired behavior (or not) -- please be specific when debating
>>>>>>>>>>>>>> the benefits or consequences of either behavior.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please keep the related (but independent) discussion of
>>>>>>>>>>>>>> requiring the SRH whenever SRv6 is used separate. This larger topic may
>>>>>>>>>>>>>> impact several documents and is better handled in a different thread (with
>>>>>>>>>>>>>> 6man and spring included).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Alvaro
>>>>>>>>>>>>>> -- for spring-chairs
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>>>>>>> ipv6@ietf.org
>>>>>>>>>>>>>> Administrative Requests:
>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>>>>>> ipv6@ietf.org
>>>>>>>>>>>>> Administrative Requests:
>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>>>>>>
>>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>>>> ipv6@ietf.org
>>>>>>>>>>> Administrative Requests:
>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>>>>
>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>> --------------------------------------------------------------------
>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>> ipv6@ietf.org
>>>>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>> --------------------------------------------------------------------
>>>>>>>>
>>>>>>> --------------------------------------------------------------------
>>>> IETF IPv6 working group mailing list
>>>> ipv6@ietf.org
>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>> --------------------------------------------------------------------
>>>>
>>>>

v2.23.0 | Report a Bug | By Email