IETF Logo Mail Archive

Re: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)

"Naiming Shen (naiming)" <naiming@cisco.com> Fri, 05 May 2017 05:43 UTC

Return-Path: <naiming@cisco.com>
X-Original-To: isis-wg@ietfa.amsl.com
Delivered-To: isis-wg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D01D81273B1 for <isis-wg@ietfa.amsl.com>; Thu, 4 May 2017 22:43:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level:
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, T_KAM_HTML_FONT_INVALID=0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J0Wlib-3KC0C for <isis-wg@ietfa.amsl.com>; Thu, 4 May 2017 22:43:52 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 876C4127F0E for <isis-wg@ietf.org>; Thu, 4 May 2017 22:43:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=120772; q=dns/txt; s=iport; t=1493963031; x=1495172631; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=7qnknD4WTfw4Lha+Sh/wZBSUI7e/9I1J/TULeu6VevE=; b=cTO9alO1EIqtn+0veJgfXWZitLn0KaDwPBdiPuXzQVPenGooOXn4A7fW K/dGhjO3GHkGDxLFzwCuZpOlaAUwOun3n6lUwp+NTS95blvUPMWT6OOH5 Mldd7HnABOir91XE44cg/C+skC1EJnTE9lV4ghA5LkGAye40KPZmjWkuh I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BxAgCMEAxZ/4MNJK1DGhkBAQEBAQEBAQEBAQcBAQEBAYJuPCtigQwHg2GKGJE1IYJohTqMWHaCDAMhAQeFewIahCo/GAECAQEBAQEBAWsohRUBAQEBAgEBARgJBEcLBQcCAgIBBgIRBAEBIQEGAwICAhQLBgsUCQgCBA4FiggDDQgOMZNInWGBbDqHLQ2DLgEBAQEBAQEBAQEBAQEBAQEBAQEBAR0FiDcBKwuBWYEMgTyBGE2BExIBIwkHDwYKAgaCSC6CMQWJQhGIG4Rvhk87AYcagQOGJoRSggRVhGSKK4sjiRMBDxA4FmkLbxUcKhIBhF0DDBCBY3YBE4YmDRcHgQOBDQEBAQ
X-IronPort-AV: E=Sophos;i="5.38,291,1491264000"; d="scan'208,217";a="420314960"
Received: from alln-core-1.cisco.com ([173.36.13.131]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 05 May 2017 05:43:49 +0000
Received: from XCH-ALN-004.cisco.com (xch-aln-004.cisco.com [173.36.7.14]) by alln-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id v455hnH8019117 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 5 May 2017 05:43:49 GMT
Received: from xch-rcd-004.cisco.com (173.37.102.14) by XCH-ALN-004.cisco.com (173.36.7.14) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Fri, 5 May 2017 00:43:48 -0500
Received: from xch-rcd-004.cisco.com ([173.37.102.14]) by XCH-RCD-004.cisco.com ([173.37.102.14]) with mapi id 15.00.1210.000; Fri, 5 May 2017 00:43:48 -0500
From: "Naiming Shen (naiming)" <naiming@cisco.com>
To: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com>
CC: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>, "isis-wg@ietf.org" <isis-wg@ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>, "alex.zinin@alcatel-lucent.com" <alex.zinin@alcatel-lucent.com>, "akatlas@gmail.com" <akatlas@gmail.com>, "db3546@att.com" <db3546@att.com>, "Alvaro Retana (aretana)" <aretana@cisco.com>, "chopps@chopps.org" <chopps@chopps.org>, "hannes@gredler.at" <hannes@gredler.at>
Thread-Topic: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)
Thread-Index: AQHSwZVpYjRBuN4W+UWjHHVAZGnaGKHd9FxQgABvZ4CAALOHAIAAVdUAgAYoqgA=
Date: Fri, 05 May 2017 05:43:48 +0000
Message-ID: <5C8FC259-C018-4542-B77D-F23BC3E212A9@cisco.com>
References: <20170430081555.026C1B8183C@rfc-editor.org> <bd426412060143b18b888f9fb9135728@XCH-ALN-001.cisco.com> <AM4PR03MB171368B3A0BC936159ABE14A9D150@AM4PR03MB1713.eurprd03.prod.outlook.com> <F45DED94-22FE-436D-A2E9-AD01AB454832@cisco.com> <AM4PR03MB171381904BE473010383FAD89D140@AM4PR03MB1713.eurprd03.prod.outlook.com>
In-Reply-To: <AM4PR03MB171381904BE473010383FAD89D140@AM4PR03MB1713.eurprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.28.52]
Content-Type: multipart/alternative; boundary="_000_5C8FC259C0184542B77DF23BC3E212A9ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/isis-wg/FihUcNLwkMLwuiXegYeSPp0b63c>
Subject: Re: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)
X-BeenThere: isis-wg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF IS-IS working group <isis-wg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/isis-wg/>
List-Post: <mailto:isis-wg@ietf.org>
List-Help: <mailto:isis-wg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 May 2017 05:43:58 -0000

Sasha,

Thanks for the comments.

In OS implementations, in particular linux, there are various releases and
configure options, so it varies quite a bit for ARP. This pointer shows how to change
the ARP behavior on linux:

http://kb.linuxvirtualserver.org/wiki/Using_arp_announce/arp_ignore_to_disable_ARP

For example, the variable ‘arp_ignore’, has the code sample in ‘arp.c’:
http://elixir.free-electrons.com/linux/latest/source/net/ipv4/arp.c


static int arp_ignore<http://elixir.free-electrons.com/linux/latest/ident/arp_ignore>(struct in_device<http://elixir.free-electrons.com/linux/latest/ident/in_device> *in_dev, __be32<http://elixir.free-electrons.com/linux/latest/ident/__be32> sip<http://elixir.free-electrons.com/linux/latest/ident/sip>, __be32<http://elixir.free-electrons.com/linux/latest/ident/__be32> tip)
{
        struct net *net = dev_net<http://elixir.free-electrons.com/linux/latest/ident/dev_net>(in_dev->dev);
        int scope<http://elixir.free-electrons.com/linux/latest/ident/scope>;

        switch (IN_DEV_ARP_IGNORE<http://elixir.free-electrons.com/linux/latest/ident/IN_DEV_ARP_IGNORE>(in_dev)) {
        case 0: /* Reply, the tip is already validated */
                return 0;
        case 1: /* Reply only if tip is configured on the incoming interface */
                sip<http://elixir.free-electrons.com/linux/latest/ident/sip> = 0;
                scope<http://elixir.free-electrons.com/linux/latest/ident/scope> = RT_SCOPE_HOST<http://elixir.free-electrons.com/linux/latest/ident/RT_SCOPE_HOST>;
                break;
        case 2: /*
                 * Reply only if tip is configured on the incoming interface
                 * and is in same subnet as sip
                 */
                scope<http://elixir.free-electrons.com/linux/latest/ident/scope> = RT_SCOPE_HOST<http://elixir.free-electrons.com/linux/latest/ident/RT_SCOPE_HOST>;
                break;

I have two linux boxes with ubuntu 16.04 connected on an ethernet
and with two different subnet:
lenovo (enp3s0 with IP 192.168.1.35/24) <—> vaio (enp2s8 with IP 192.168.2.100/24)

on vaio: I run an arping to request ARP resolution of 192.168.1.35:
vaio:~$ sudo arping 192.168.1.35 -i enp2s8
60 bytes from ec:a8:6b:c0:82:23 (192.168.1.35): index=0 time=6.538 msec
60 bytes from ec:a8:6b:c0:82:23 (192.168.1.35): index=1 time=1.464 msec
60 bytes from ec:a8:6b:c0:82:23 (192.168.1.35): index=2 time=8.418 msec

I made sure on lenovo as described arp_announce is ‘2’, and arp_ignore is ‘0’:
root@lenovo:/proc/sys/net/ipv4/conf/enp3s0# echo 2 > arp_announce
root@lenovo:/proc/sys/net/ipv4/conf/enp3s0# cat arp_ignore

Run tcpdump on lenovo interface enp3s0 to get ARP packets:
root@lenovo:/proc/sys/net/ipv4/conf/enp3s0# tcpdump -i enp3s0 arp -vv

22:14:01.774491 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.35 tell 192.168.2.100, length 46
22:14:01.774511 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.35 is-at ec:a8:6b:c0:82:23 (oui Unknown), length 28
22:14:02.775522 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.35 tell 192.168.2.100, length 46
22:14:02.775541 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.35 is-at ec:a8:6b:c0:82:23 (oui Unknown), length 28


Ok, so what I’m getting at is that, if you know the system needs to run
numbered and mismatched IP addresses over the same cable, then
regardless of p2p-over-lan or other applications, you probably need to
adjust the local ARP behavior to match what is expected on the OS.

I agree that RFC 5309 does mention the matching IP subnet, and probably
should refer to unnumbered is the most useful use case.

Best Regards,
- Naiming

On May 1, 2017, at 12:40 AM, Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>> wrote:

Naiming,
Lots of thanks for a prompt response.

Unfortunately, I do not think that your response addresses your concern.

RFC 5309 explicitly mentions “ARP implementation (which checks that the subnet of the source address of the ARP request matches the local interface address)”. Actually, ARP implementations frequently check that the source IP address in an ARP request is in the subnet of the local interface address. E.g., AFAIK, this is the standard behavior of the Linux ARP implementation. To the best of my understanding this was the check that RFC 5309 implied, because there is no way the subnet of the source address of the ARP request could be known.

If such check is applied, then the scenario I’ve described becomes valid. I can add that I have observed several implementations that experience the described behavior (i.e., blackholing of unicast IP traffic that OSPF tries to route via such a link). Some other implementations seem to behave better.

Regards,
Sasha





Regards,
Sasha

Office: +972-39266302
Cell:      +972-549266302
Email:   Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>

From: Naiming Shen (naiming) [mailto:naiming@cisco.com]
Sent: Monday, May 01, 2017 5:34 AM
To: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>>
Cc: Les Ginsberg (ginsberg) <ginsberg@cisco.com<mailto:ginsberg@cisco.com>>; isis-wg@ietf.org<mailto:isis-wg@ietf.org>; RFC Errata System <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>>; alex.zinin@alcatel-lucent.com<mailto:alex.zinin@alcatel-lucent.com>; akatlas@gmail.com<mailto:akatlas@gmail.com>; db3546@att.com<mailto:db3546@att.com>; Alvaro Retana (aretana) <aretana@cisco.com<mailto:aretana@cisco.com>>; chopps@chopps.org<mailto:chopps@chopps.org>; hannes@gredler.at<mailto:hannes@gredler.at>
Subject: Re: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)


Alexander,

If you are saying the local LAN interface is explicitly configured with
a different subnet IP address then the peer, I don’t think there is any
problem with the ARP, and also with this RFC. Since ARP will always
reply to answer its own IP addresses on the interface upon request.

This RFC is only saying, if it’s p2p-over-lan over an unnumbered IP address,
and this LAN interface needs to proxy-ARP the IP address it binds to.
If the ARP already replies since you have an IP address, and our
p2p-over-LAN intf also uses this IP address, nothing is broken.

thanks.
- Naiming

On Apr 30, 2017, at 8:50 AM, Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>> wrote:

Les,
Lots of thanks for a prompt response.

As I see it, the difference between the P2P and LAN modes is essential for OSPF:
- If an OSPF interface is a LAN (broadcast) interface, there is a check of the same subnet for received Hello packets. If the received Hello packets do not pass this check, they are discarded and an error is reported via SNMP.
- However, if an OSPF interface is a P2P interface, then the subnet check on the Hello packets is bypassed  by design as defined in Section 10.5 of RFC 2328:

                     The generic input processing of OSPF packets will
        have checked the validity of the IP header and the OSPF packet
        header.  Next, the values of the Network Mask, HelloInterval,
        and RouterDeadInterval fields in the received Hello packet must
        be checked against the values configured for the receiving
        interface.  Any mismatch causes processing to stop and the
        packet to be dropped.  In other words, the above fields are
        really describing the attached network's configuration. However,
        there is one exception to the above rule: on point-to-point
        networks and on virtual links, the Network Mask in the received
        Hello Packet should be ignored.

I.e., having different subnets on two ends of a PPP link would not cause any problems for OSPF - the adjacency would be successfully recognized, it would progress to its FULL state, and unicast traffic would cross such a link without any problem.

But if we have a P2P-over-LAN link (which is the case for RFC 5309), the result would be quite different - unless the ARP implementations go beyond what 5309 says and relax the check for all such links, be they numbered or unnumbered.

Do I miss something substantial here?



Regards,
Sasha

Office: +972-39266302
Cell:      +972-549266302
Email:   Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>


-----Original Message-----
From: Les Ginsberg (ginsberg) [mailto:ginsberg@cisco.com]
Sent: Sunday, April 30, 2017 5:19 PM
To: RFC Errata System <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>>; Naiming Shen (naiming) <naiming@cisco.com<mailto:naiming@cisco.com>>;alex.zinin@alcatel-lucent.com<mailto:alex.zinin@alcatel-lucent.com>; akatlas@gmail.com<mailto:akatlas@gmail.com>; db3546@att.com<mailto:db3546@att.com>; Alvaro Retana (aretana) <aretana@cisco.com<mailto:aretana@cisco.com>>; chopps@chopps.org<mailto:chopps@chopps.org>; hannes@gredler.at<mailto:hannes@gredler.at>
Cc: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>>; isis-wg@ietf.org<mailto:isis-wg@ietf.org>
Subject: RE: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)

Alexander -

I am not speaking for the RFC authors, but regarding your point:

> o          Are assigned with IP addresses and subnet masks yielding different
> subnets

I fail to see why this issue is unique to (or associated with) running in P2P mode.

The unnumbered case is specifically mentioned because in such a case it can be expected that the next hop address will be a loopback address and therefore there will be no common subnet.
But in the numbered case whether you have one neighbor in P2P mode or many neighbors in multi-access mode the msimatched subnet issue is the same. Therefore I see no reason why these RFCs should discuss it.

???

   Les


> -----Original Message-----
> From: Isis-wg [mailto:isis-wg-bounces@ietf.org] On Behalf Of RFC
> Errata System
> Sent: Sunday, April 30, 2017 1:16 AM
> To: Naiming Shen (naiming); alex.zinin@alcatel-lucent.com<mailto:alex.zinin@alcatel-lucent.com>;
> akatlas@gmail.com<mailto:akatlas@gmail.com>; db3546@att.com<mailto:db3546@att.com>; Alvaro Retana (aretana);
> chopps@chopps.org<mailto:chopps@chopps.org>; hannes@gredler.at<mailto:hannes@gredler.at>
> Cc: Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>; isis-wg@ietf.org<mailto:isis-wg@ietf.org>;
> rfc-editor@rfc- editor.org<http://webdefence.global.blackspider.com/urlwrap/?q=AXicE3RmiL7GwDDlCANDUU6lgUmSXnFRmV5uYmZOcn5eSVF-jl5yfi5DmYmhUUREcLmBkaGRuQmDY05qRWJeSmqRXlhiZl5xRklqZp5DanJmSWpOKlh9RklJgZW-fmpKZkl-kV5-UToDA0PFQQYGAOFQJGs&Z>
> Subject: [Isis-wg] [Technical Errata Reported] RFC5309 (5007)
>
> The following errata report has been submitted for RFC5309,
> "Point-to-Point Operation over LAN in Link State Routing Protocols".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=5309&eid=5007
>
> --------------------------------------
> Type: Technical
> Reported by: Alexander Vainshtein <Alexander.Vainshtein@ecitele.com<mailto:Alexander.Vainshtein@ecitele.com>>
>
> Section: 4.3
>
> Original Text
> -------------
> For the ARP implementation (which checks that the subnet of the source
> address of the ARP request matches the local interface address), this
> check needs to be relaxed for the unnumbered p2p-over-lan circuits.
>
> Corrected Text
> --------------
> For the ARP implementation (which checks that the subnet of the source
> address of the ARP request matches the local interface address), this
> check needs to be relaxed for the p2p-over-lan circuits (both numbered
> and unnumbered).
>
> Notes
> -----
> Consider the following situation:
> 1.         Two routers, R1 and R2, are connected by a physical P2P  Ethernet
> link
> 2.         OSPFv2 is enabled on the interfaces representing the endpoints of
> this link.
> 3.      From the OSPF POV these interfaces:
> o          Are configured as P2P
> o          Belong to the same area
> o          Are assigned with IP addresses and subnet masks yielding different
> subnets
> 4.    ARP check mentioned in the problematic text is not relaxed.
>
> Under this conditions:
> -Both R1 and R2 will accept Hello messages sent by the other router
> (becase it ignores subnet in Hello messages received via P2P
> interfaces)
> - Adjacency between R1 and R2 will progress to FULL state (because all
> OSPFv2 messages will be sent with AllSPFRouters multicast IPv4
> address)
> - Unicast traffic sent by R1 to R2 (and vice versa) will be blackholed
> because ARP will not resolve addresses assigned to the corresponding interfaces.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or rejected.
> When a decision is reached, the verifying party can log in to change
> the status and edit the report, if necessary.
>
> --------------------------------------
> RFC5309 (draft-ietf-isis-igp-p2p-over-lan-06)
> --------------------------------------
> Title               : Point-to-Point Operation over LAN in Link State Routing
> Protocols
> Publication Date    : October 2008
> Author(s)           : N. Shen, Ed., A. Zinin, Ed.
> Category            : INFORMATIONAL
> Source              : IS-IS for IP Internets
> Area                : Routing
> Stream              : IETF
> Verifying Party     : IESG
>
> _______________________________________________
> Isis-wg mailing list
> Isis-wg@ietf.org<mailto:Isis-wg@ietf.org>
> https://www.ietf.org/mailman/listinfo/isis-wg

___________________________________________________________________________

This e-mail message is intended for the recipient only and contains information which is
CONFIDENTIAL and which may be proprietary to ECI Telecom. If you have received this
transmission in error, please inform us by e-mail, phone or fax, and then delete the original
and all copies thereof.
___________________________________________________________________________


___________________________________________________________________________

This e-mail message is intended for the recipient only and contains information which is
CONFIDENTIAL and which may be proprietary to ECI Telecom. If you have received this
transmission in error, please inform us by e-mail, phone or fax, and then delete the original
and all copies thereof.
___________________________________________________________________________

v2.23.0 | Report a Bug | By Email