[mpls] fast-path in draft-villamizar-mpls-forwarding (was Re: Comments ...)
Curtis Villamizar <curtis@occnc.com> Sat, 16 March 2013 19:12 UTC
Return-Path: <curtis@occnc.com>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C608B21F8915 for <mpls@ietfa.amsl.com>; Sat, 16 Mar 2013 12:12:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.495
X-Spam-Level:
X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I4D2DvvQ30gd for <mpls@ietfa.amsl.com>; Sat, 16 Mar 2013 12:12:50 -0700 (PDT)
Received: from gateway1.orleans.occnc.com (unknown [173.9.106.132]) by ietfa.amsl.com (Postfix) with ESMTP id 4DE6321F8861 for <mpls@ietf.org>; Sat, 16 Mar 2013 12:12:50 -0700 (PDT)
Received: from harbor1.ipv6.occnc.com (harbor1.ipv6.occnc.com [IPv6:2001:470:1f07:1545::2:819]) (authenticated bits=0) by gateway1.orleans.occnc.com (8.14.5/8.14.5) with ESMTP id r2GJBWi2081622; Sat, 16 Mar 2013 15:11:34 -0400 (EDT) (envelope-from curtis@occnc.com)
Message-Id: <201303161911.r2GJBWi2081622@gateway1.orleans.occnc.com>
To: Tal Mizrahi <talmi@marvell.com>
From: Curtis Villamizar <curtis@occnc.com>
In-reply-to: Your message of "Tue, 12 Mar 2013 14:49:08 EDT." <201303121849.r2CIn882022072@gateway1.orleans.occnc.com>
Date: Sat, 16 Mar 2013 15:11:31 -0400
Cc: mpls@ietf.org
Subject: [mpls] fast-path in draft-villamizar-mpls-forwarding (was Re: Comments ...)
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: curtis@occnc.com
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Mar 2013 19:12:51 -0000
Tal, This is about one part of a thread that you started where I promised follow-up. In message <201303121849.r2CIn882022072@gateway1.orleans.occnc.com> Curtis Villamizar writes: > > In message <74470498B659FA4687F0B0018C19A89C01A0F9726814@IL-MB01.marvell.com> > Tal Mizrahi writes: > > > > Hi Curtis, > > Hi Tal, > > > Very interesting draft. I definitely think it is worth pursuing. > > Thank you for the comments. > > > Some comments below: > > > > 1. I think it is a good idea to describe the common practices of > > where you draw the line between hardware and software. However, > > as a chip vendor I do not feel comfortable with *mandating* what > > should be implemented in hardware. > > > > Terms like: "hardware should", "hardware MUST be capable of", or > > "MUST be recognized by hardware" are a bit harsh. > > > > In general, I suggest to relax the phrasing in a way that > > describes what typically is done in hardware, but does mandate > > what should be done in hardware. > > This is a very good comment. Just prior to the 01 version I went > through the use of the words SHOULD and MUST (with help from Shane) > and tried to do one of the following: > > 1. Find and existing RFC where SHOULD or MUST is already specified > and cite it as the source of the requirement (not applicable in > this case). > > 2. Change the wording to match SHOULD or MUST in an existing RFC. > The same as #1. > > 3. Clearly indicate a recommendation that is not required for > compliance but is required for some other reason such as > provider scalability needs but retain strong wording. > > 4. Just make a statement about common practice and reasons and > leave it at that. > > Any recommendation about implementing something in hardware should be > of the form #4, unless there is strong evidence that it cannot be > implemented without hardware support. Packet filtering or any other > operation that may have to run at line rate qualifies. > > This is similar to the argument almost two decades ago about whether > such things as packets with IP options, source routed packets, > IP fragmentation, etc, needed to be in hardware. In some cases you > could crash a router with too high a load of these so clearly these > all had to be implemented in hardware. > > If you would like to meet here at IETF the two of us can go through > each statement in the DoS and OAM sections and review the wording. If > so, we can take this off line (I'll send another email without the WG > on the Cc). > > If not, I will go through the wording and send a later reply. [trimmed rest of response] Since we didn't meet at IETF, I've taken this longish topic back to the list. Here are the recommendations regarding "fast-path". I added the following to the preview version as a result of the MPLS-RT request to define the scope up front. This is just one paragraph of that definition of scope. + Implementation details are a local matter and are out of + scope. Most interfaces today operate at 1 Gb/s or greater. + It is assumed that all forwarding operations are implemented + in specialized forwarding hardware rather than on a special + purpose processor. This is often referred to as "fast path" + and "slow path" processing. Some recommendations are made + regarding implemeting control or management plane + functionality in specialized hardware or with limited + assistance from specialized hardware. This advise is based on + expected control or management protocol loads and on the need + for denial of service (DoS) protection. The section you are referring to is "OAM and DoS Protection". The openning paragraph is: Denial of service (DoS) protection is an area requiring hardware support that is often overlooked or inadequately considered. Hardware assist is also needed for OAM, particularly the more demanding MPLS-TP OAM. Except for support of only the very slowest of interfaces, the above is true. It is probably true for even 10/100 Ethernet since the accompanying processors are often slow enough that a control plane DoS is possible at even these slow rates. Later the following statement is made. Used along, the compromise of a single node, including a small computer at a network operations center, could compromise an entire network. Implementations which send all G-ACh/GAL traffic directly to a routing engine CPU are subject to DoS attack as a result of such a compromise. That should be "used alone", referring to OOB only. This type of leveraged attack has occurred in other types of "firewalled" control planes. Still later: For very low speed interfaces cryptographic authentication can be performed by the general purpose CPU used as a routing engine. For all other cases, cryptographic hardware may be needed. For very high speed interfaces, even cryptographic hardware can be overwhelmed. This is true as stated. At the high end, you can either put more of your chip real estate and power budget into more and/or faster crypto engines, or front-end the crypto with more efficient alternate techniques. such as filtering. Later preferencing additional warnings: Some control and management protocols are often carried with payload traffic. This is commonly the case with BGP, T-LDP, and SNMP. It is often the case with RSVP-TE. Even when carried over G-ACh/GAL additional measures can reduce the potential for a minor breach to be leveraged to a full network attack. I don't think there is any issue with the technical validity of the above statements. GTSM is described. GTSM is specified as a filtering technique, with filtering applied to the TTL value. The following is advice stating a common (and effective) strategy. At the very minimum, packet filtering plus classification and use of multiple queues supporting rate limiting is needed for traffic that could potentially be sent to a general purpose CPU used as a routing engine. The first level of filtering only allows connections to be initiated from specific IP prefixes to specific destination ports and then preferably passes traffic directly to a cryptographic engine and/or rate limits. The second level of filtering passes connected traffic, such as TCP connections having received at least one authenticated SYN or having been locally initiated. The second level of filtering only passes traffic to specific address and port pairs to be checked for cryptographic authentication. The words "is needed" is used but "for traffic that could potentially be sent to a general purpose CPU used as a routing engine". The rest describes a strategy to protect against TCP SYN attack, even TCP SYN with crypto that could swamp the crypto hardware. Any such attack is reduced to a delay in getting a connection established, but once established, filtering does most of the work. This paragraph is intended to indicate that the packet must go to the crypto engine before hitting the main CPU for best results. The cryptographic authentication is generally the last resort in DoS attack mitigation. If a packet must be first sent to a general purpose CPU, then sent to a cryptographic engine, a DoS attack is possible on high speed interfaces. Only where hardware can identify a signature and the portion of packet covered by the signature is cryptographic authentication highly beneficial in protecting against DoS attacks. This paragraph simply states that full line rate crypto is hard at very fast line rates and small packets and isn't a good solution. For chips supporting multiple 100 Gb/s interfaces, only a very large number of parallel cryptographic engines can provide the processing capacity to handle a large scale DoS or distributed DoS (DDoS) attack. For many forwarding chips this much processing power requires significant chip real estate and power, and therefore reduces system space and power density. For this reason, cryptographic authentication is not considered a viable first line of defense. This paragraph talks about OOB and perimeter filtering as a better first line of defense. For some networks the first line of defense is some means of supporting OOB control and management traffic. In the past this OOB channel migh make use of overhead bits in SONET or OTN or a dedicated DWDM wavelength. G-ACh and GAL provide an alternative OOB mechanism which is independent of underlying layers. In other networks, including most IP/MPLS networks, perimeter filtering serves a similar purpose, though less effective without extreme vigilance. Finally additional lines of defense are described. A second line of defense is filtering, including GTSM. For protocols such as EBGP, GTSM and other filtering is often the first line of defense. Cryptographic authentication is usually the last line of defense and insufficient by itself to mitigate DoS or DDoS attacks. If you can help better word the above recommendations regarding DoS, please do so. There were no absolute requirements to do anything in particular in hardware though the option of doing everything on a general purpose CPU with no hardware assist for DoS is described (accurately) as infeasible when high speed interfaces are used. Even the bad option of attempting to put a lot of very fast crypto hardware is not prohibited, but discouraged due to the existance of less real estate and power hungry solutions. There are stronger wordings about fast-path (aka done in some form of hardware) for OAM. It is well known that ICMP, most IP options, and TTL expire has to be done in hardware. That was figured out the hard way in the early 1990s. There is brief mention of this (in RFC4950 context). The ICMP message generation can be implemented in forwarding hardware, but if sent to a general purpose CPU must be rate limited to avoid a potential denial or service (DoS) attack. Later: Both BFD and LSP Ping MUST be recognized by hardware and at the very minimum forwarded to the main CPU. Hardware assistance for BFD is often provided and is considered necessary for relatively high rate proactive monitoring. Both BFD and LSP Ping MUST be recognized in any filtering prior to passing traffic to a general purpose CPU and appropriate DoS protection applied (see <"DoS Protection" section>). Failure to recognize BFD and LSP Ping and at least rate limit creates the potential for misconfiguration to cause outages rather than cause errors in the misconfigured OAM. This could be softenned, but the best it can say is that if a network is not to be exposed to a OAM misconfiguration or a single breach in the NOC potentially leveraging a substantial denial of service, then hardware assist is needed. It does say that the minimum is to filter and rate limit before sending to the CPU. Do you disagree with the above paragraph? Would you like it to be worded better? Next is PW VCCV. No further advice on fast-path is given there. Last is MPLS-TP OAM. It has a few statements about hardware. For fast RDI initiation, RDI SHOULD be initiated and handled by hardware if BFD is handled in forwarding hardware. That is a "SHOULD" and it contains an important "if". Alarm Reporting [RFC6427] describes the details of a new protocol supporting Alarm Indication Signal (AIS), Link Down Indication, and fault management. This functionality SHOULD be supported in forwarding hardware on high speed interfaces. Perhaps the reasoning can be given here, replacing the "SHOULD" with the consequences (slow AIS, LDI, fault management which are specified as being fast). Loopback of packet traffic SHOULD be implemented in forwarding hardware on high speed interfaces. I hope no one disagrees with the statement above. Regarding DM and LM: [...] This capture and insertion MUST be implemented in forwarding hardware for LM OAM to be sufficiently accurate. [...] This timestamp capture and insertion MUST be implemented in forwarding hardware for DM OAM to be sufficiently accurate. It is clear that DM and direct LM can't be accurate unless implemented in hardware. Finally for OAM: CC-CV and alarm reporting is tied to protection and therefore SHOULD be supported in forwarding hardware in order to provide protection for a large number of affected LSP within target response intervals. Since CC-CV is supported by BFD, for MPLS-TP, BFD SHOULD be supported in forwarding hardware. Next is layer-2 OAM interworking. This functionality SHOULD be supported in forwarding hardware. An MPLS OAM implementation SHOULD interwork with the underlying server layer and provide a means to interwork with a client layer. For high speed interfaces, this interworking SHOULD be supported in forwarding hardware. This one is a SHOULD and thought to be evident. If the layer-2 OAM already must be in hardware, and the MPLS OAM needs fast response in some cases, then it makes sense. I could explain further. I can rewrite all of the above without the use of SHOULD and MUST instead stating what the conquences would be. The text would get even longer than it is right now. Keeping it short was the reason to just state SHOULD and MUST. The next section is "Extent of OAM Support by Hardware" and it tries to summarize the advice. Perhaps here we could clarify that advice is given based on known consequences and that failure to provide support or assistance in hardware may be at one's own peril, whether at the chip, system, or deployment. The document might become a little longer if each "for reason X .." followed by SHOULD or MUST is replaced with "Y is the common practice" and "the consequences of not doing so is X". I have no objection to doing that type of rewording. Would the type of rewording described above be sufficient, or do you have any technical objections to the advice given? Curtis ps- also note - spelling and grammar nits are abundant. I'll spell check before the next iteration (02) comes out and try to check for grammar. Right now focus is content.
- [mpls] fast-path in draft-villamizar-mpls-forward… Curtis Villamizar
- [mpls] Comments about draft-villamizar-mpls-forwa… Tal Mizrahi
- Re: [mpls] Comments about draft-villamizar-mpls-f… Curtis Villamizar