IETF Logo Mail Archive

Re: [mpls] Last Call: <draft-ietf-mpls-in-udp-04.txt> (Encapsulating MPLS in UDP) to Proposed Standard

<l.wood@surrey.ac.uk> Tue, 21 January 2014 21:16 UTC

Return-Path: <l.wood@surrey.ac.uk>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B126F1A0169 for <mpls@ietfa.amsl.com>; Tue, 21 Jan 2014 13:16:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DDSSRGLTym2W for <mpls@ietfa.amsl.com>; Tue, 21 Jan 2014 13:16:51 -0800 (PST)
Received: from mail1.bemta5.messagelabs.com (mail1.bemta5.messagelabs.com [195.245.231.146]) by ietfa.amsl.com (Postfix) with ESMTP id 8C4681A0125 for <mpls@ietf.org>; Tue, 21 Jan 2014 13:16:50 -0800 (PST)
Received: from [195.245.231.67:9601] by server-10.bemta-5.messagelabs.com id 1D/ED-01405-1C3EED25; Tue, 21 Jan 2014 21:16:49 +0000
X-Env-Sender: l.wood@surrey.ac.uk
X-Msg-Ref: server-13.tower-82.messagelabs.com!1390339005!36510989!15
X-Originating-IP: [131.227.200.43]
X-StarScan-Received:
X-StarScan-Version: 6.9.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 31054 invoked from network); 21 Jan 2014 21:16:49 -0000
Received: from exht022p.surrey.ac.uk (HELO EXHT022P.surrey.ac.uk) (131.227.200.43) by server-13.tower-82.messagelabs.com with AES128-SHA encrypted SMTP; 21 Jan 2014 21:16:49 -0000
Received: from EXMB01CMS.surrey.ac.uk ([169.254.1.204]) by EXHT022P.surrey.ac.uk ([131.227.200.43]) with mapi; Tue, 21 Jan 2014 21:15:28 +0000
From: l.wood@surrey.ac.uk
To: edc@google.com
Date: Tue, 21 Jan 2014 21:11:59 +0000
Thread-Topic: [mpls] Last Call: <draft-ietf-mpls-in-udp-04.txt> (Encapsulating MPLS in UDP) to Proposed Standard
Thread-Index: Ac8W59UyyVVsp9FER8uHgsmcEGA8iQABZazk
Message-ID: <290E20B455C66743BE178C5C84F1240847E63346DD@EXMB01CMS.surrey.ac.uk>
References: <290E20B455C66743BE178C5C84F1240847E63346D1@EXMB01CMS.surrey.ac.uk> <201401202247.s0KMllSl047284@maildrop2.v6ds.occnc.com> <290E20B455C66743BE178C5C84F1240847E63346D6@EXMB01CMS.surrey.ac.uk> <52DE5F19.1060907@cisco.com> <558A15A9-204A-4447-923C-58DC2A3CED8A@netapp.com> <52DE680C.30704@cisco.com> <290E20B455C66743BE178C5C84F1240847E63346D9@EXMB01CMS.surrey.ac.uk> <CACKN6JFuwKPMmKWuooJqoGR9zL87k-pqv87MVt3fCPnLuEOMhQ@mail.gmail.com> <290E20B455C66743BE178C5C84F1240847E63346DA@EXMB01CMS.surrey.ac.uk>, <CACKN6JGyJxr4d=LcvzE7HokVW=o-rmzYoJ7nwdfTKonapuiHEQ@mail.gmail.com>
In-Reply-To: <CACKN6JGyJxr4d=LcvzE7HokVW=o-rmzYoJ7nwdfTKonapuiHEQ@mail.gmail.com>
Accept-Language: en-US, en-GB
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-GB
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: joelja@bogus.com, mpls@ietf.org, lars@netapp.com
Subject: Re: [mpls] Last Call: <draft-ietf-mpls-in-udp-04.txt> (Encapsulating MPLS in UDP) to Proposed Standard
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jan 2014 21:16:54 -0000

Yes, RFC6936 section 3 cites these concerns. I've cited it previously a number of times in this discussion, perhaps you've just ignored those messages?

RFC6935 ignores the concerns raised by RFC 6936  because, hey, tunnel performance.
And RFC6936, while emphasising considering the effect on the protocol using zero cUP hecksums, does not emphasise considering the effect of those checksums on other applications.

Lloyd Wood
http://about.me/lloydwood
________________________________________
From: Edward Crabbe [edc@google.com]
Sent: 21 January 2014 20:03
To: Wood L  Dr (Electronic Eng)
Cc: stbryant@cisco.com; Eggert, Lars; joel jaeggli; mpls@ietf.org
Subject: Re: [mpls] Last Call: <draft-ietf-mpls-in-udp-04.txt> (Encapsulating MPLS in UDP) to Proposed Standard

Please see 6935,6936.

You've conveniently ignored most if not all of the arguments Curtis has made in the past ~30 messages.  I won't repeat them again here.

If you really are so concerned about potential corruption scatter and header integrity issues beyond FEC/FCS for v6 protocols, perhaps you should propose a v6 checksum hop-by-hop extension header.  :)


On Tue, Jan 21, 2014 at 11:36 AM, <l.wood@surrey.ac.uk<mailto:l.wood@surrey.ac.uk>> wrote:
Oh, 'experience' is never a good play; after all, all experience is ultimately anecdotal. But as an argument, it's being used by all sides. We haven't seen missent traffic errors, because we're not looking for them.

The question is, what does the end-to-end argument support?

And surely the burden of proof falls on those making the change (this draft); first, do no harm. The end-to-end principle and the precautionary principle are strong arguments.

Stone's papers, though technologically dated, support the underlying principle and provide analysis - you want a modern setting, I'm quite happy with proof of principle. Weird stuff happens; an end-to-end check can catch it.

Lloyd Wood
http://about.me/lloydwood
________________________________________
From: Edward Crabbe [edc@google.com<mailto:edc@google.com>]
Sent: 21 January 2014 19:19
To: Wood L  Dr (Electronic Eng)
Cc: stbryant@cisco.com<mailto:stbryant@cisco.com>; Eggert, Lars; joelja@bogus.com<mailto:joelja@bogus.com>; mpls@ietf.org<mailto:mpls@ietf.org>
Subject: Re: [mpls] Last Call: <draft-ietf-mpls-in-udp-04.txt> (Encapsulating MPLS in UDP) to Proposed Standard

I don't think the 'experience' card is such a good play here Lloyd.  Many people on this list, and certainly a few of the ones you've been directly arguing with, have no small amount experience running *extremely* large, geographically distributed networks.   I've spent a bit of time running some very large backbones and major content providers myself, and I have to say, I'm finding most of your arguments here to be unconvincing at best.

I do find it a bit ironic that you're asking for (difficult to gather, vendor variable and generally poorly documented) data form Stewart, when your own argument has yet to be substantiated via any form of quantitative impact analysis, either empirically or theoretically in a modern setting.  I'd be interested in seeing empirical (back)scatter collection data (similar to what Morley or Savage have done) to get some idea of impact here.  I strongly suspect that corruption scatter will be trivial, and certainly completely overwhelmed in terms volume by typical, day to day DDoS backscatter.  Perhaps this may be an idea for your next research paper?

With regard to the congestion-control-of-all-tunnel-protocols argument: I find the argument to be specious.  Curtis summed up the end-to-end version of this argument pretty succinctly in an earlier email, to wit:

If congestion aware or using a congestion aware transport, the top
level applications are still congestion aware.  If congestion
ignorant, they are still congestion ignorant.  If hostile, they are
still hostile.


On Tue, Jan 21, 2014 at 9:56 AM, <l.wood@surrey.ac.uk<mailto:l.wood@surrey.ac.uk><mailto:l.wood@surrey.ac.uk<mailto:l.wood@surrey.ac.uk>>> wrote:
Stewart

the IP header check is not the UDP pseudoheader check - and IPv6 has neither.

If a NAT gets a corrupted header, won't it open up new state and attempt to translate for that header? Remember, this is UDP, not TCP - it's not on an existing connection that must have already been opened by SYN/ACK, where the NAT is more likely to reject it as unknown.

'NATs, which rewrite and can trash headers, demonstrate and validate the integrity of the Internet' is not a good argument imo.

I'd like to see some evidence for '"obscure" IP protocol numbers will get dropped by default at NATs and firewalls.'. IP/GRE is relatively state-free, nothing much to translate at transport there - it's not SCTP. I've spent a couple of years running an ISP, and the 'oh, that protocol won't go through your NAT' has not come up.

Lloyd Wood
http://about.me/lloydwood
________________________________________
From: Stewart Bryant [stbryant@cisco.com<mailto:stbryant@cisco.com><mailto:stbryant@cisco.com<mailto:stbryant@cisco.com>>]
Sent: 21 January 2014 12:29
To: Eggert, Lars
Cc: Wood L  Dr (Electronic Eng); curtis@ipv6.occnc.com<mailto:curtis@ipv6.occnc.com><mailto:curtis@ipv6.occnc.com<mailto:curtis@ipv6.occnc.com>>; Joel Jaeggli; mpls@ietf.org<mailto:mpls@ietf.org><mailto:mpls@ietf.org<mailto:mpls@ietf.org>>
Subject: Re: [mpls] Last Call: <draft-ietf-mpls-in-udp-04.txt> (Encapsulating MPLS in UDP) to Proposed Standard

On 21/01/2014 12:07, Eggert, Lars wrote:
> Hi,
>
> On 2014-1-21, at 12:50, Stewart Bryant <stbryant@cisco.com<mailto:stbryant@cisco.com><mailto:stbryant@cisco.com<mailto:stbryant@cisco.com>>> wrote:
>> In terms of congestion and misdelivery it is interesting looking
>> at the number of horses that are already bounding around
>> in the paddock outside the stable:
>>
>> IP types: 47 (GRE) and 137 (MPLS-in-IP) for example.
> there is a big difference between encapsulation in IP and encapsulation in UDP. Everything encapsulated with "obscure" IP protocol numbers will get dropped by default at NATs and firewalls, whereas UDO traffic happily traverses them. The reach of UDP traffic is much broader.
>
> Lars
So we have established that it's not the load on the NATs and Firewalls
we are worried about.

Seemingly from the above congestion is off the table as well.

Now surely those same NATs and firewalls will be looking for an SA, DA,
Type, SP, DP match
and that is a lot of things that have to be right for a header
corruption misdelivery to get
through.

- Stewart


_______________________________________________
mpls mailing list
mpls@ietf.org<mailto:mpls@ietf.org><mailto:mpls@ietf.org<mailto:mpls@ietf.org>>
https://www.ietf.org/mailman/listinfo/mpls

v2.23.0 | Report a Bug | By Email