IETF Logo Mail Archive

Re: [mpls] Last Call: <draft-ietf-mpls-in-udp-04.txt> (Encapsulating MPLS in UDP) to Proposed Standard

"Eggert, Lars" <lars@netapp.com> Wed, 22 January 2014 07:51 UTC

Return-Path: <lars@netapp.com>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 793F21A0355 for <mpls@ietfa.amsl.com>; Tue, 21 Jan 2014 23:51:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.437
X-Spam-Level:
X-Spam-Status: No, score=-2.437 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.535, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OqEg-nJkEFxW for <mpls@ietfa.amsl.com>; Tue, 21 Jan 2014 23:51:38 -0800 (PST)
Received: from mx11.netapp.com (mx11.netapp.com [216.240.18.76]) by ietfa.amsl.com (Postfix) with ESMTP id 12F481A01C8 for <mpls@ietf.org>; Tue, 21 Jan 2014 23:51:38 -0800 (PST)
X-IronPort-AV: E=Sophos; i="4.95,698,1384329600"; d="asc'?scan'208"; a="97424697"
Received: from vmwexceht05-prd.hq.netapp.com ([10.106.77.35]) by mx11-out.netapp.com with ESMTP; 21 Jan 2014 23:51:37 -0800
Received: from SACEXCMBX06-PRD.hq.netapp.com ([169.254.9.60]) by vmwexceht05-prd.hq.netapp.com ([10.106.77.35]) with mapi id 14.03.0123.003; Tue, 21 Jan 2014 23:51:37 -0800
From: "Eggert, Lars" <lars@netapp.com>
To: "curtis@ipv6.occnc.com" <curtis@ipv6.occnc.com>
Thread-Topic: [mpls] Last Call: <draft-ietf-mpls-in-udp-04.txt> (Encapsulating MPLS in UDP) to Proposed Standard
Thread-Index: AQHPFuVZZzPPQlRcgk6ua2U45NfiYJqQ5eGA
Date: Wed, 22 Jan 2014 07:51:37 +0000
Message-ID: <1811208D-230A-4EA7-B5AA-07E2C0460120@netapp.com>
References: <201401212014.s0LKEDXM065730@maildrop2.v6ds.occnc.com>
In-Reply-To: <201401212014.s0LKEDXM065730@maildrop2.v6ds.occnc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.106.53.51]
Content-Type: multipart/signed; boundary="Apple-Mail=_A0A4435E-B289-48A2-BBFC-F40094C16E2F"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Cc: Joel Jaeggli <joelja@bogus.com>, "mpls@ietf.org" <mpls@ietf.org>
Subject: Re: [mpls] Last Call: <draft-ietf-mpls-in-udp-04.txt> (Encapsulating MPLS in UDP) to Proposed Standard
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2014 07:51:40 -0000

This is not at all the argument I am making. My emails have not touched at all on the issue of zero checksums.

My point is that UDP encapsulation changes the potential *reach* of congestion-uncontrolled traffic that was otherwise limited to L2 networks.

Lars

On 2014-1-21, at 21:14, Curtis Villamizar <curtis@ipv6.occnc.com> wrote:

> 
> In message <558A15A9-204A-4447-923C-58DC2A3CED8A@netapp.com>
> "Eggert, Lars" writes:
> 
>> Hi,
>> 
>> On 2014-1-21, at 12:50, Stewart Bryant <stbryant@cisco.com> wrote:
>>> In terms of congestion and misdelivery it is interesting looking
>>> at the number of horses that are already bounding around
>>> in the paddock outside the stable:
>>> 
>>> IP types: 47 (GRE) and 137 (MPLS-in-IP) for example.
>> 
>> there is a big difference between encapsulation in IP and
>> encapsulation in UDP. Everything encapsulated with "obscure" IP
>> protocol numbers will get dropped by default at NATs and firewalls,
>> whereas UDO traffic happily traverses them. The reach of UDP traffic
>> is much broader.
>> 
>> Lars
> 
> 
> Stray UDP packets carrying MPLS getting to grandma's firewall is
> really stretching the argument but ...
> 
> When encapsulating in UDP, the UDP checksum might be zero but the IP
> checksum can still be filled in so the IP destination is checked and
> grandma need not worry about these packets.  But ...
> 
> Grandma's firewall would block since there is no state established on
> the firewall with the opposite port pair pattern.  But ...
> 
> Even if it went through when the packet reached grandma's subnet the
> payload is junk bound to an unused port.  Maybe it hits grandma's DNS
> server and is interpreted as a badly malformed DNS request.
> 
> So grandma seems safe from these bad packets.
> 
> Lack of UDP checksum should at worst mean that the destination gets a
> packet with a munged payload, pulls off the IP and UDP headers and
> continues to forward.  At worst has the wrong MPLS label and gets
> blackholed in the provider network somewhere.  If it ends up at the
> correct MPLS egress, if IP, the IP checksum is checked.  If a TCP or
> UDP payload carried in that IP got munged the packet could end up at
> the destination with a bad TCP or UDP checksum and get dropped.
> 
> Curtis

v2.23.0 | Report a Bug | By Email