IETF Logo Mail Archive

Re: [lisp] 6830bis Review

Albert Cabellos <albert.cabellos@gmail.com> Thu, 28 December 2017 00:25 UTC

Return-Path: <albert.cabellos@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4224126C2F for <lisp@ietfa.amsl.com>; Wed, 27 Dec 2017 16:25:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LOn6fAF7FnLN for <lisp@ietfa.amsl.com>; Wed, 27 Dec 2017 16:25:49 -0800 (PST)
Received: from mail-yw0-x22a.google.com (mail-yw0-x22a.google.com [IPv6:2607:f8b0:4002:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE4561200B9 for <lisp@ietf.org>; Wed, 27 Dec 2017 16:25:48 -0800 (PST)
Received: by mail-yw0-x22a.google.com with SMTP id r205so8044163ywb.3 for <lisp@ietf.org>; Wed, 27 Dec 2017 16:25:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=HOymE9bD59l9deWtWkSiz03gKy81xzohW7MJDe5cZIg=; b=tIPl3QgMhN8Nv7fCKzcwtPGR2KuCBp+aqvuzKtpN3Qunk/lWNLNzGaguywxQri9H4c A4d8Ws85r8cgRFd9doU+kg4WAWDBQpd72UIBWYSgWeoKIA5OG5/b9P3JPKgxZt3ybY75 qhyhb28v+BQiNHoXUtD+XoLoIGPoiFMBQewFnyhYcsZnn/FUbEjfuEy5V2p94RI/JwUL NVfYe355xp78M9ZFeYnkfO7Oh+XFK8aSJ3Gh8/0MpngOQfFqJMyk1fLKDh0PkdYLNAv0 JjA72SzwhK8kqZsBy6WcbxNmjXNW5BHzn5Dy+lgSRBltN6IxwcVFAsZjBar6/1T++pST dJMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=HOymE9bD59l9deWtWkSiz03gKy81xzohW7MJDe5cZIg=; b=l4YzvMuY2qQh2X4JpyTwMBzGeshyJvyb84xzvSGI0FXIwz2vClqS7cdg2hnH0B4lZP YpSjDz9ZSc5nM+76I7XV7jB7p1BcH4C6ABJTxcnLQKclA3X/QCzfaUKZzRM8iOLsN8GY xz+VP2UyrqAezvflviu3tU7/klUdp10pHzTI6M94UCBIwBfF3N6GpAHuvpc6mP91OshO iNSDatHZ1VTOrtu0n8DIXFp8EGKYY1yTG7D9X76bSfT27Sj1pt0dpRI/rgufrVZscr69 ewsHfwII9/W2uom4cmhB6Cvlj4EObrn9MbTHa5PFoNLQih0Hpc7zyFHCTfWrAAYdJZof qbaQ==
X-Gm-Message-State: AKGB3mKjil2sMgjVgm7mgkxJh5Eh1oM6RFBIPm5TY1296GDs4dadXs43 2OS6WNfbH3WU5jGTvLXY69ap/2Xpn72SfjkxAfH4YLID
X-Google-Smtp-Source: ACJfBotwoHHPjWLDriQdsU+TE8YP7hw2H64gptdxKZVZvFIuUf5kCNgzsFJOJwnz5TZr1BTqwsnbab3t3qrPhAjRHzo=
X-Received: by 10.129.193.5 with SMTP id f5mr20203858ywi.475.1514420747985; Wed, 27 Dec 2017 16:25:47 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.183.142 with HTTP; Wed, 27 Dec 2017 16:25:47 -0800 (PST)
In-Reply-To: <6FEB1404-FA34-432A-8441-3F6B394A8217@gmail.com>
References: <907CD955-B043-4728-ABD6-5AD96192EC5F@inria.fr> <4EAD1E98-E8E7-4A0A-8300-2D185B9109CC@gigix.net> <CAGE_QexqW=q51kXR9fo_8YDu6VVUHCBz-XrGt5iZ6FOTRxDLiA@mail.gmail.com> <6FEB1404-FA34-432A-8441-3F6B394A8217@gmail.com>
From: Albert Cabellos <albert.cabellos@gmail.com>
Date: Thu, 28 Dec 2017 01:25:47 +0100
Message-ID: <CAGE_QezkoJ_Y+Yxq+JBP3QACfzrkB_Xk2NjAw6A+aqEQGjZf6g@mail.gmail.com>
To: Dino Farinacci <farinacci@gmail.com>
Cc: Luigi Iannone <ggx@gigix.net>, "lisp@ietf.org list" <lisp@ietf.org>, lisp-chairs@tools.ietf.org
Content-Type: multipart/alternative; boundary="f403043ee044b967ee05615b8e63"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/WEVYZKVm5ufMTAZvrEu29Inj7To>
Subject: Re: [lisp] 6830bis Review
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Dec 2017 00:25:52 -0000

Hi all

Please find my comments inline:


On Wed, Dec 27, 2017 at 5:13 AM, Dino Farinacci <farinacci@gmail.com> wrote:

> I will comment here before providing a new update and response to Luigi’s
> latest email.
>
> > On Dec 26, 2017, at 5:48 PM, Albert Cabellos <albert.cabellos@gmail.com>
> wrote:
> >
> > Hi
> >
> > Thanks for the review, please find my comments inline.
> >
> > I have removed all the comments for which I **agree**:
> >
> > >
> > >   Provider-Assigned (PA) Addresses:   PA addresses are an address block
> > >      assigned to a site by each service provider to which a site
> > >      connects.  Typically, each block is a sub-block of a service
> > >      provider Classless Inter-Domain Routing (CIDR) [RFC4632] block and
> > >      is aggregated into the larger block before being advertised into
> > >      the global Internet.  Traditionally, IP multihoming has been
> > >      implemented by each multihomed site acquiring its own globally
> > >      visible prefix.  LISP uses only topologically assigned and
> > >      aggregatable address blocks for RLOCs, eliminating this
> > >      demonstrably non-scalable practice.
> > >
> > > Last sentence to be deleted is a relic of scalability discussion.
> > >
> > >
> >
> > Agreed. I suggest deleting entirely the definitions for both PA and PI,
> they are not used throughout the document.
>
> Note, we still care about scalability of any underlay, especially the
> Internet core, so we should leave this in. Note, we ARE still solving the
> scalability problem.
>
> I don’t know why any of you would think differently.
>

We are solving this issue and many others. But the point of the document is
specifying a data-plane, not the benefits of this data-plane.


>
> >
> > [snip]
> > >
> > >
> > >   Endpoint ID (EID):   An EID is a 32-bit (for IPv4) or 128-bit (for
> > >      IPv6) value used in the source and destination address fields of
> > >      the first (most inner) LISP header of a packet.  The host obtains
> > >      a destination EID the same way it obtains a destination address
> > >      today, for example, through a Domain Name System (DNS) [RFC1034]
> > >      lookup or Session Initiation Protocol (SIP) [RFC3261] exchange.
> > >      The source EID is obtained via existing mechanisms used to set a
> > >      host's "local" IP address.  An EID used on the public Internet
> > >      must have the same properties as any other IP address used in that
> > >      manner; this means, among other things, that it must be globally
> > >      unique.  An EID is allocated to a host from an EID-Prefix block
> > >      associated with the site where the host is located.  An EID can be
> > >      used by a host to refer to other hosts.  Note that EID blocks MAY
> > >      be assigned in a hierarchical manner, independent of the network
> > >      topology, to facilitate scaling of the mapping database.  In
> > >      addition, an EID block assigned to a site may have site-local
> > >      structure (subnetting) for routing within the site; this structure
> > >      is not visible to the global routing system.  In theory, the bit
> > >      string that represents an EID for one device can represent an RLOC
> > >      for a different device.  As the architecture is realized, if a
> > >      given bit string is both an RLOC and an EID, it must refer to the
> > >      same entity in both cases.
> > >
> > >
> > > Is the above sentence really necessary?
> > >
> >
> > Agreed, why not simplify the definitions. They are written from the
> ‘Internet scalability mindset’, why not say that an EID is an address of
> the overlay and an RLOC an address of the overlay. This change may require
> further changes on the document so I am not 100% sure if this is a good
> idea.
>
> I have planned to remove the sentence.
>

What do you think about defining an EID as an identifier of the overlay and
an RLOC as an identifier of the underlay? (Probably this needs to be
reworded, but you get my point).

In my view this definition is broader and accounts for many of the LCAF
uses.


>
>
>
> >
> > >
> > > The description of the encap/decap operation lacks of clarity
> concerning how to deal with
> > > ECN bits and DSCP .
> > >
> > > 1. I think that the text should make explicitly the difference between
> DSCP and ECN fields.
> > >
> > > 2. How to deal with ECN should be part of the description of the
> encap/decap not a paragraph apart.
> > >    This basically means that half of the last paragraph should be a
> bullet of the ITR/PITR encapsulation
> > >    and the other half  in the ETR/PETR operation.
> >
> >
> > Agreed, what about this (please comment):
> >
> >    When doing ITR/PITR encapsulation:
> >
> >     o  The outer-header 'Time to Live' field (or 'Hop Limit' field, in
> the case of IPv6) SHOULD be copied from the inner-header 'Time to Live'
> field.
> >     o  The outer-header 'Differentiated Services Code Point' (DSCP)
> field (or the 'Traffic Class' field, in the case of IPv6) SHOULD be copied
> from the inner-header DSCP field ('Traffic Class' field, in the case of
> IPv6) considering the exception listed below.
> >    o  The 'Explicit Congestion Notification' (ECN) field (bits 6 and 7
> of the IPv6 'Traffic Class' field) requires special treatment in order to
> avoid discarding indications of congestion [RFC3168]. ITR encapsulation
> MUST copy the 2-bit 'ECN' field from the inner header to the outer header.
> Re-encapsulation MUST copy the 2-bit 'ECN' field from the stripped outer
> header to the new outer header.
> >
> > When doing ETR/PETR decapsulation:
> >
> >    o  The inner-header 'Time to Live' field (or 'Hop Limit' field, in
> the case of IPv6) SHOULD be copied from the outer-header 'Time to Live'
> field, when the Time to Live value of the outer header is less than the
> Time to Live value of the inner header.  Failing to perform this check can
> cause the Time to Live of the inner header to increment across
> encapsulation/decapsulation cycles.  This check is also performed when
> doing initial encapsulation, when a packet comes to an ITR or PITR destined
> for a LISP site.
> >    o  The inner-header 'Differentiated Services Code Point' (DSCP) field
> (or the 'Traffic Class' field, in the case of IPv6) SHOULD be copied from
> the outer-header DSCP field ('Traffic Class' field, in the case of IPv6)
> considering the exception listed below.
> >    o  The 'Explicit Congestion Notification' (ECN) field (bits 6 and 7
> of the IPv6 'Traffic Class' field) requires special treatment in order to
> avoid discarding indications of congestion [RFC3168]. If the 'ECN' field
> contains a congestion indication codepoint (the value is '11', the
> Congestion Experienced (CE) codepoint), then ETR decapsulation MUST copy
> the 2-bit 'ECN' field from the stripped outer header to the surviving inner
> header that is used to forward the packet beyond the ETR.  These
> requirements preserve CE indications when a packet that uses ECN traverses
> a LISP tunnel and becomes marked with a CE indication due to congestion
> between the tunnel endpoints.
> >
> > Note that if an ETR/PETR is also an ITR/PITR and chooses to
> re-encapsulate after decapsulating, the net effect of this is that the new
> outer header will carry the same Time to Live as the old outer header minus
> 1.
> >
> > Copying the Time to Live (TTL) serves two purposes: first, it preserves
> the distance the host intended the packet to travel; second, and more
> importantly, it provides for suppression of looping packets in the event
> there is a loop of concatenated tunnels due to misconfiguration.  See
> Section 18.3 for TTL exception handling for traceroute packets.
>
> I had planned to take Luigi’s suggestion. I did not want to rewrite this
> section. It was carefully written by David Black with consolation from the
> ECN experts. I do not want to lose this technical text.
>

I still think that Luigi's suggestion clarifies the text and that my edit
(hopefully) makes it easier for readers to understand. I just moved some
sentences .

>
> > >
> > > Large part of this section is about control plane issues and as such
> should be put in 6833bis.
> > >
> > > What this section should state is that priority and weight are used to
> select the RLOC to use.
> > > Only exception is gleaning where we have one single RLOC and we do not
> know neither priority nor weight.
> > >
> > > All the other operational discussion goes elsewhere, but not in this
> document.
> > >
> >
> > Agree, I suggest moving it to 6833bis. What to leave in 6830bis is less
> obvious, maybe something like (not final, just a couple of ideas):
> >
> > The data-plane must follow the state stored in the map-cache to
> encapsulate and decapsulate packets. The map-cache is populated using a
> control-plane, such as [6833bis]. ETRs encapsulate packets following the
> Priorities and Weights stored in the map-cache.
> >
> > Actually we should merge this section with 'Routing Locator Hashing’
>
> I disagree with you guys. Who do you think punts packets when there is a
> map-cache miss? The data-plane. Note there are many users of the
> control-plane, an SDN controller, many data-planes, and lig/rig. How they
> each use the control-plane is documented in their own documents.
>
> And please do not suggest that lig/rig usage of the control plane move to
> 6833bis.
>

As an example, if we keep the 'Routing Locator Hashing' text as it is then
it only works with Map-Reply messages:

"When an ETR provides an EID-to-RLOC mapping in a Map-Reply message that is
stored in the map-cache of a requesting ITR"

 The point is to allow LISP data-plane to work with any control-plane.

>
> >
> >
> > > We need to cite the threats document because of the security issues of
> LSB.
> >
> > What about this:
> >
> > Therefore, when a Locator becomes unreachable, the Locator-Status-Bit
> that corresponds to that Locator's position in the list returned by the
> last Map-Reply will be set to zero for that particular EID-Prefix.
> *****There are security risks associated to the use of Locator-Status-Bits,
> we recommend to follow the guidelines described in [THREATS]******
>
> This has been fixed in the last revision.
>

thanks!


>
>
>

v2.23.0 | Report a Bug | By Email