IETF Logo Mail Archive

Re: [IPv6] Requiring Tunneling - subject change

Robert Raszuk <robert@raszuk.net> Thu, 28 March 2024 16:37 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66D91C14F710 for <ipv6@ietfa.amsl.com>; Thu, 28 Mar 2024 09:37:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DBNOF51l2nIm for <ipv6@ietfa.amsl.com>; Thu, 28 Mar 2024 09:37:27 -0700 (PDT)
Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AD2CC15108C for <ipv6@ietf.org>; Thu, 28 Mar 2024 09:37:26 -0700 (PDT)
Received: by mail-ed1-x531.google.com with SMTP id 4fb4d7f45d1cf-56c583f5381so766307a12.1 for <ipv6@ietf.org>; Thu, 28 Mar 2024 09:37:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; t=1711643845; x=1712248645; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=tMWgPq5O6MV0WRzJH0+mzyt5QNenR7JyN/CnPyqiSRg=; b=Idq6jPF58eUlgMBujpuINSZ/rpKNYCRUvbYLe4XyAjbSXRuRMVtDS6PeQksfMNiz+4 dBUdomfLqfRSZKBoa1kIji71ESTbSQCW59m2hxpEfVA7dZiNwcVwRVSS6dr0wo/tIvKY mmtwEPe8zhuZ3oJuYG0BQcwI8BvPOCzoG8EHoGn/TMTETb13AozBYqQtLCvIgIpBrg+0 yQV/1UItwTOMK9mEi+F/nW4s6f4SnZXvfBM74hVbijYGsEf1AXqr4AEnKzFJeNLhQCbY K4K6En0PGvJrD5/hIsIzwIZqUtP8mK5Y6ctjfqt0Ybw/Ni6GFxpxCJTieZVckSdOZRdK deWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711643845; x=1712248645; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=tMWgPq5O6MV0WRzJH0+mzyt5QNenR7JyN/CnPyqiSRg=; b=Q7/BcBW1E3sbcaq5P96BzLJrNVIxDxhhjAst5Ubj9nAJ6QjzaClzv8ZlxezKUZi/71 Cbzo/9qLkWm73/K5K3Nwxv8jVHEhSfTCZsNSPIS/JeziRn+A5ahkoBqU9tOie4auRd8E DjeFTET6OL8Pm1UkvxIamwxF2ovqCD4vxRokEvIgnmtPXQqM8zjJ7CNOkOgTpnUDRCy5 qMxrtV37I0yvAuZEli5pfOYX4bmfm3yokxcapWi2hnjzlS+WKRsydu8H3LlUYx9B8T8y esf3bDErSwYc9d2j/5MVxWM/HlzCkcFZ2TT3a459KVw+/GmnWcS4TxzI+6eO8YNW1fhr ZH7w==
X-Forwarded-Encrypted: i=1; AJvYcCVHTCZkk6G7jshLLME6rovZinWZlXpDc7pry22nndhtXI7jLDJ871Th8TKmeTf4y40zfiVjWPwxZBY18i0K
X-Gm-Message-State: AOJu0YyBJmp4R91u0C0f7YiJDRVFAOqgiximO5ostdPl4ymKguFp3DSL llrGYVY3lT4xy0RAoPRZbTyAx9yu25CeXFpaxCQU+pEJPgYaIqSDSIUEsOZ13qhdWnodd4ry2Xv tjSeDwVnRuWiPEdybEJmPmsGFXQoWBwFU2FG1H9eyEYQAy5mz
X-Google-Smtp-Source: AGHT+IGj2vacfWhmAjxU63EBSaeOIUgiqFDVTWTSQo67Cmyl7O/n8JVddcNu4EMS/d01+z4kfi3JRxeIPL0r+KwOc20=
X-Received: by 2002:a50:8d13:0:b0:56c:195d:b162 with SMTP id s19-20020a508d13000000b0056c195db162mr2138142eds.6.1711643844843; Thu, 28 Mar 2024 09:37:24 -0700 (PDT)
MIME-Version: 1.0
References: <CAMMESszUUdDw-xnDtZKqz75g6SXZ+7mXtZujBKwN+hxypC-Kuw@mail.gmail.com> <CAOj+MMFTpKdNtE2SGubsBKkwbgdX2G5qBxBCViCu-EFmUXjfHw@mail.gmail.com> <CALx6S37CK69EU+59r_M8caO4MNRQFC8fgo4+VyTSgSE0aNTVTQ@mail.gmail.com> <CAOj+MMFHC6vdUK3MQ8xU44=ESf-_mq=PCT=8W_jr5WiTp50hyQ@mail.gmail.com> <CALx6S35Dn03qt9ziMv3=xtYKpdgR88SU0HDYirXr1tm4-Nz-ng@mail.gmail.com> <CAOj+MMF6D+fsDY-8tt7R9MJRAf3x+bk13MXadSPT2ozOpq7zrg@mail.gmail.com> <53e9e432-db61-4129-b766-b4c675b13012@joelhalpern.com>
In-Reply-To: <53e9e432-db61-4129-b766-b4c675b13012@joelhalpern.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Thu, 28 Mar 2024 17:37:13 +0100
Message-ID: <CAOj+MMGTRH9tFoKnjTQraeY2+wrJXaWFq18Xq_Jhe3JH_pn2uw@mail.gmail.com>
To: Joel Halpern <jmh@joelhalpern.com>
Cc: Tom Herbert <tom@herbertland.com>, Francois Clad <fclad.ietf@gmail.com>, "Pablo Camarillo (pcamaril)" <pcamaril@cisco.com>, SPRING WG List <spring@ietf.org>, 6man <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005abed80614bb237b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/t5ArYyItBYTryKaM3gaV0GeqdBg>
Subject: Re: [IPv6] Requiring Tunneling - subject change
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2024 16:37:31 -0000

Hi Joel,

Let me very clear here.

I am not really proposing any changes. What is already standardized is
sufficient to address all issues raised.

All I was doing in those threads is to clarify what problem are we talking
about and how could it be fixed reasonably.

And yes I did read RFC6936 and it does seems to very well fit the subject
of concern few people are expressing.

To restate - if end SRv6 hosts have issues to connect due to checksum then
can encap the SRv6. Solved.

If we want to automate such fallback is a different topic and folks who
think such fallback should be automatic can start a separate thread.

The crux of the matter is that for 99.99% of deployments using today uSID
there are no issues.

Kind regards,
Robert

On Thu, Mar 28, 2024 at 4:46 PM Joel Halpern <jmh@joelhalpern.com> wrote:

> Robert, as far as I can tell, you are asking for a different change than
> any of the other proposals.  If I understand, you are proposing that even
> end hosts inside an SRv6 domain should encapsulate the underlying IPv6
> packet.  In order to help the chairs keep track, and tell if there are
> other folks who also support such a change, I have changed the subject line
> and ask that if there is more to say, people use this subject line.
>
> I look forward to comments from folks beyond Tom and Robert on this
> subject.
>
> Yours,
>
> Joel M. Halpern
> On 3/28/2024 11:40 AM, Robert Raszuk wrote:
>
> Hi Tom,
>
> Not really.
>
> RFC8200 defines an exception which is tunneling and says:
>
>          As an exception to the default behavior, protocols that use UDP
>          as a tunnel encapsulation may enable zero-checksum mode for a
>          specific port (or set of ports) for sending and/or receiving.
>          Any node implementing zero-checksum mode must follow the
>          requirements specified in "Applicability Statement for the Use
>          of IPv6 UDP Datagrams with Zero Checksums" [RFC6936 <https://datatracker.ietf.org/doc/html/rfc6936>].
>
>
> So in practice if we always tunnel SRv6 there is no issue.
>
> Even Andrew agreed with that :)
>
> Cheers,
> Robert
>
> On Thu, Mar 28, 2024 at 4:36 PM Tom Herbert <tom@herbertland.com> wrote:
>
>> On Thu, Mar 28, 2024 at 7:46 AM Robert Raszuk <robert@raszuk.net> wrote:
>> >
>> > Hi Tom,
>> >
>> > > because of SRH
>> >
>> > Ok I buy this that there are devices which do check checksum and are
>> not final destination of the packets  ... I was more talking about plain
>> forwarding devices (aka P routers). Then I doubt firewalls would be sitting
>> in the core of the networks.
>> >
>> > But let me come black to what I believe is the main disconnect.
>> >
>> > Why SRH would cause an issue ? I think there is claimed issue *ONLY*
>> with SRv6 packets which are not encapsulated - call it raw - sent by the
>> hosts which talk SRv6 and sent with more then one SID/uSID which may get
>> swapped on the way.
>> >
>> > Because only in those cases the destination address will be changing
>> while checksum of the tunnel header will not be zero.
>> >
>> > So what we should I think discuss are really B.1 and B.2.2 cases.
>>
>> Robert,
>>
>> The scenario that I'm talking about is really simple, and it's not
>> specific to segment routing.  If someone sends a TCP in an IPv6 packet
>> with no routing header then the convention is that the TCP checksum is
>> valid end to end. So if the addresses are changed in flight, like in
>> NAT, then we expect that some part of the packet covered by the
>> checksum is adjusted to offset the change. If a packet is sent in
>> segment routing without an SRH with EtherType 0x86DD then it IS an
>> IPv6 packet to the network so all the conventions and requirements of
>> IPv6 should be applied. IMO, if SRv6 can't maintain these conventions
>> and requirements then it should fork from IPv6 and use a different
>> EtherType.
>>
>> Tom
>>
>> >
>> > Francois, Pablo - could you comment on this how often do we see those
>> type of SRv6 deployments ? And also could you comment if operator who
>> enables SRv6 in the first place sees those checksum errors how difficult is
>> to address it ?
>> >
>> > Thx,
>> > Robert
>> >
>> >
>> > On Thu, Mar 28, 2024 at 3:29 PM Tom Herbert <tom@herbertland.com>
>> wrote:
>> >>
>> >> On Thu, Mar 28, 2024 at 6:26 AM Robert Raszuk <robert@raszuk.net>
>> wrote:
>> >> >
>> >> > Hi Alvaro,
>> >> >
>> >> > On this specific topic I think you have flatted it a bit too much.
>> >> >
>> >> > These are apparently the options on the table:
>> >> >
>> >> > A) Original packet get's encapsulated with IPv6 header
>> >> >
>> >> >       A.1 SHR is added to it
>> >> >
>> >> >              A.1.1. Regular SIDs are used
>> >> >              A.1.2  Compresses SIDs are used
>> >> >
>> >> >       A.2 SRH is not added to it
>> >> >
>> >> >              A.2.1. Regular SID is used as destination
>> >> >              A.2.2  Compresses SIDs are used in a container
>> >> >              A.2.3  Compresses SID is used
>> >> >
>> >> > B) Original packet get's send from SRv6 host (without encapsulation)
>> >> >
>> >> >     B.1 SHR is added to it
>> >> >
>> >> >              B.1.1. Regular SIDs are used
>> >> >              B.1.2  Compresses SIDs are used
>> >> >
>> >> >       B.2 SRH is not added to it
>> >> >
>> >> >              B.2.1. Regular SID is used as destination
>> >> >              B.2.2  Compresses SIDs are used in a container
>> >> >              B.2.3  Compresses SID is used
>> >> >
>> >> > So within all checksum related discussions so far it seems that the
>> only concern is about B.2.2 and perhaps B.1 however folks did state that if
>> there is SRH added there is no issue so I am not sure how the presence of
>> SRH fixes it.
>> >> >
>> >> > Maybe there was some assumption that presence of SRH mandates
>> encapsulation, but I do not believe this is the case for native SRv6 hosts.
>> >> >
>> >> > All in all I think it should be no business for transit nodes to
>> verify packet's upper layer checksum. I do not know if there is any RFC
>> which would describe what is an expected behavior for transit nodes or even
>> say that they MAY do it.
>> >>
>> >> Robert,
>> >>
>> >> I can go further than that. I believe that intermediate nodes have no
>> >> business parsing into the transport layer, and yet firewalls do that
>> >> all the time even though there is no standard RFC on it (I've asked
>> >> for someone to formalize the requirements of firewalls, but to no
>> >> avail). Validating the checksum in flight is an instance of this, and
>> >> there are devices that commonly do this in deployment. Protocol
>> >> specific checksum offload in NICs is one example. Also, if someone is
>> >> seeing checksum failures in their network, an obvious action is to
>> >> sample packets from routers in the path and look at the traces. If the
>> >> checksum is incorrect on the wire because of SRH then the operator
>> >> sees a whole bunch of checksum errors at the router, but has no way to
>> >> distinguish those packets that are actually good from those that are
>> >> bad.
>> >>
>> >> It's a long established convention in IP that the transport checksum
>> >> is maintained to be correct on the wire-- this is done in NAT by
>> >> adjusting the checksum directly, there's also checksum neutral NAT
>> >> that adjusts another part of the IPv6 header to keep the transport
>> >> layer checksum correct. IMO, deviating from this convention is risky,
>> >> not just to SRH packets but that can have collateral damage like
>> >> breaking the user's ability to debug bad links as I described above.
>> >>
>> >> Tom
>> >>
>> >> >
>> >> > Kind regards,
>> >> > Robert
>> >> >
>> >> >
>> >> >
>> >> > On Thu, Mar 28, 2024 at 1:06 PM Alvaro Retana <
>> aretana.ietf@gmail.com> wrote:
>> >> >>
>> >> >> Focusing on the C-SID draft, some have suggested requiring the
>> >> >> presence of the SRH whenever C-SIDs are used. Please discuss whether
>> >> >> that is the desired behavior (or not) -- please be specific when
>> >> >> debating the benefits or consequences of either behavior.
>> >> >>
>> >> >> Please keep the related (but independent) discussion of requiring
>> the
>> >> >> SRH whenever SRv6 is used separate. This larger topic may impact
>> >> >> several documents and is better handled in a different thread (with
>> >> >> 6man and spring included).
>> >> >>
>> >> >> Thanks!
>> >> >>
>> >> >> Alvaro
>> >> >> -- for spring-chairs
>> >> >>
>> >> >> --------------------------------------------------------------------
>> >> >> IETF IPv6 working group mailing list
>> >> >> ipv6@ietf.org
>> >> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> >> >> --------------------------------------------------------------------
>> >> >
>> >> > --------------------------------------------------------------------
>> >> > IETF IPv6 working group mailing list
>> >> > ipv6@ietf.org
>> >> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> >> > --------------------------------------------------------------------
>>
>

v2.23.0 | Report a Bug | By Email