IETF Logo Mail Archive

Re: [mpls] [tsvwg] on UDP encapsulation

Tom Herbert <tom@herbertland.com> Sat, 14 November 2015 18:06 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 071411ACEDE for <mpls@ietfa.amsl.com>; Sat, 14 Nov 2015 10:06:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wdnCh7g7C8rR for <mpls@ietfa.amsl.com>; Sat, 14 Nov 2015 10:06:17 -0800 (PST)
Received: from mail-ig0-x236.google.com (mail-ig0-x236.google.com [IPv6:2607:f8b0:4001:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B82D1ACED9 for <mpls@ietf.org>; Sat, 14 Nov 2015 10:06:17 -0800 (PST)
Received: by igvg19 with SMTP id g19so54025556igv.1 for <mpls@ietf.org>; Sat, 14 Nov 2015 10:06:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland_com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=QgB4PELWReAP4UbeytCiKxAcKfE6j2rasZc+60FLhhM=; b=oANiMCDCpbQt/OQPZY7FXM8YEQ6H/GPkY+FeoDyK0PaDgwMIRhmcoe1puznJpWYhDS 19aIpwkRYDIXffyOataRH4MyG3FsZfM6ioH+2+KgR1ePE0ALRHQHB3QQ7qksGYNN3KHe dQ40mjDExHtVxqUMQjrfOJM84fkvaHV6y/tQAJzttrK3dfcFat36FwdfXZwkX9aRdt45 gMxghm94LQVd7dnmdhUBSsAFpV2iDTkdiAY78cKc/aI3LY1/T2Gk9tHEUn9l2DKjFjwt V3Md20G2+8+zH3qwT0sFyk44s5IghgZvJLrxyitCaPooYXSVYG4pcfy6fFzxpNSd6S7U pBFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=QgB4PELWReAP4UbeytCiKxAcKfE6j2rasZc+60FLhhM=; b=k8R1nPGNS/84wK1zldvVvTcDEUXPsyXuWfvrc6Ima+fKAMx7sWy7b1CwEeqrgu/JIF r0F83mNfsbdRiN/5nzEyyngHcTHb6WKSGVaA3hRbXmZ3zAbhKQA7rqwlIsvdKML1j7YO 4bYj7PtenUnAa2IEVCG913qVBS+73mawJYNosYrl6EKeeTgCW/gDZFJLnIjjHj6/PTfq K03AGDSECbQLxxQNnV4wCip1upl2eUXHt8LtTS5DdyvNupRXB+lHrNzJ2wbzAlg/6H0m DUlI3zhhpYSY3FknYtAsBxFwMbGGV26tIYk7tiNNnzzuPuBkMyVgzpKrW76V3rfM+Qqz nhGw==
X-Gm-Message-State: ALoCoQmB+NOTZo3najFanmjQi820XimHHGMQNFJ9PCs3ayAZ6z3VPu9OKw9SDwfRfRGYpwVbdWMy
MIME-Version: 1.0
X-Received: by 10.50.8.72 with SMTP id p8mr6216482iga.65.1447524376714; Sat, 14 Nov 2015 10:06:16 -0800 (PST)
Received: by 10.107.41.70 with HTTP; Sat, 14 Nov 2015 10:06:16 -0800 (PST)
In-Reply-To: <580302963.7269727.1447470634943.JavaMail.yahoo@mail.yahoo.com>
References: <580302963.7269727.1447470634943.JavaMail.yahoo.ref@mail.yahoo.com> <580302963.7269727.1447470634943.JavaMail.yahoo@mail.yahoo.com>
Date: Sat, 14 Nov 2015 10:06:16 -0800
Message-ID: <CALx6S37uFpzx8_Cz4WjV2Boo0rD_6NP-X2MAmvuCt3S0KkSVCA@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
To: lloyd.wood@yahoo.co.uk
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/RLEbGRCkeFeCCcwukZ5fY3bd9Dg>
Cc: mpls@ietf.org, "tsvwg@ietf.org" <tsvwg@ietf.org>
Subject: Re: [mpls] [tsvwg] on UDP encapsulation
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Nov 2015 18:06:19 -0000

On Fri, Nov 13, 2015 at 7:10 PM,  <lloyd.wood@yahoo.co.uk> wrote:
> https://tools.ietf.org/html/rfc7510
>
> I finally noticed that RFC7510, on MPLS in UDP encap, has
> been published. Do take a look at all of section 3, which
> laboriously goes through the nuances of when to choose
> between UDP checksums, for safety, and turning them off,
> for speed, at slight risk. That section and the RFCs it
> refers to are quite the complex read. And that's just on
> UDP checksums and whether to choose to turn them off. (It
> gives dull security documents a run for their money.)
>
> What's odd is that this is standards track, and the third
> option, use standards-track UDP-Lite to provide checksum
> protection of the UDP/IP pseudoheader to avoid zero-checksum
> port pollution on the host (on IPv4) or anywhere pollution
> (IPv6) is not mentioned as an alternative - particularly as
> UDP-Lite's partial payload coverage can cover the MPLS stack
> s well.
>
> In some cases the Lite checksum is just a precomputed value
> across a generated header that doesn't change, at no encode
> cost and little decode cost, and within corporate private
> networks the barriers to running UDP-Lite are less.
>
> It's unfortunate that UDP-Lite is the ideal approach for
> this, yet doesn't deserve consideration. Going back further
> in time, one might argue it's unfortunate that UDP-Lite was
> pushed to a separate protocol number, dooming it to oblivion.
> And, further back, that it was unfortunate that designers of
> IPv6 thought leaving the pseudo-header demux check up to
> separate transports that could then skip it, while insisting
> UDP always have its checksum on, which was always going
> to be relaxed, was a good idea for consistent error-detecting
> demux...
>

Lloyd, the potential for UDP-Lite is mentioned in Encapsulation
Considerations draft (draft-ietf-rtgwg-dt-encap-00):

"Conceptually, the ideal solution to this problem is a checksum that
   covers only the newly added headers of interest.  There is little
   value in the portion of the UDP checksum that covers the encapsulated
   packet because that would generally be protected by other checksums
   and this is the expensive portion to compute.  In fact, this solution
   already exists in the form of UDP-Lite and UDP based encapsulations
   could be easily ported to run on top of it.  Unfortunately, the main
   value in using UDP as part of the encapsulation header is that it is
   recognized by already deployed equipment for the purposes of ECMP,
   RSS, and middlebox operations.  As UDP-Lite uses a different protocol
   number than UDP and it is not widely implemented in middleboxes, this
   value is lost.  A possible solution is to incorporate the same
   partial-checksum concept as UDP-Lite or other header checksum
   protection into the encapsulation header and continue using UDP as
   the outer protocol.  One potential challenge with this approach is
   the use of NAT or other form of translation on the outer header will
   result in an invalid checksum as the translator will not know to
   update the encapsulation header."

IMO, the allowance that nodes may send a zero UDP checksum is a
concession being made for devices that are unable to perform the
computation. These are precisely devices in the network that before
the advent of UDP tunneling never had any reason to source UDP
packets. At end hosts we've had checksum offload capabilities in NICs
for years, so there is no reason a host should send zero UDP checksums
for IPv6 (except if it knows that the receiver is an aforementioned
device that can't do the checksum calculation).

Also, one of primary reasons for UDP encapsulation (e.g. MPLS/UDP,
GRE/UDP) is to get ECMP in the network for non-TCP, non-UDP protocols.
For IPv6 we can use the flow label to provide for this in lieu of
devices parsing the transport layer (RFC6438). We do need switch
support for this and there does seem to be good progress on this. So
the use of the flow label for ECMP should obviate the motivation to
use UDP encapsulation in the first place (for many use cases).

Tom

v2.23.0 | Report a Bug | By Email