[nvo3] Extensions in nvo3 encapsulations
Tom Herbert <tom@herbertland.com> Thu, 18 August 2016 23:24 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D05E712D533 for <nvo3@ietfa.amsl.com>; Thu, 18 Aug 2016 16:24:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lG7OIyznTWq2 for <nvo3@ietfa.amsl.com>; Thu, 18 Aug 2016 16:24:44 -0700 (PDT)
Received: from mail-io0-x236.google.com (mail-io0-x236.google.com [IPv6:2607:f8b0:4001:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36FFC12D0FB for <nvo3@ietf.org>; Thu, 18 Aug 2016 16:24:44 -0700 (PDT)
Received: by mail-io0-x236.google.com with SMTP id 38so33632031iol.0 for <nvo3@ietf.org>; Thu, 18 Aug 2016 16:24:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=QDoxakCCmPhmhSzl/eGdgXJXei6PbkG0kKbY0b66tVU=; b=duVdNAXDKGc5olwWXt3B7dD9T34EvPed0pC/OGgmTNE5SXmhjyr7U0S1Ti3tYnEoNA l4ufNAwt67LGNAs3huuFOF8SByu2NYLPS/y6V2TMjszCCF/odXaVw6WiQDcVHePYCVCt c3urP5bcghgB7Sjo6/gSHvsHR6RcNaEZhTHMBEmWJd3SnagpstvyRDjzFLKiZC9UI1PB NKQ++x0r84TJgIyd2Gd5ma+aOoyR3746CSgiBKLZ7FcOge18hbaEcWc5zN9Y89sxyXO2 jCGAkwtJv0j8gP/sLgBCQPls2K3BQOKIu2YGb+a1bLXOpuDtZEOPMxlRqHW0VtgNCQjB IKPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=QDoxakCCmPhmhSzl/eGdgXJXei6PbkG0kKbY0b66tVU=; b=IR0InR6Tj7LmSGjwO2dstahQQSUU5JXIbAP78k7ro0tUsQ6j8Ctfyvg81soCyGEBHf 4XpAbjOMVH8u5SzvsEs9JU/et8Rcx2I5kelYIV++YpH8ksmtSNvANkDy7+nK4qnRCunG p3SClFGpwmcM8ezERT0cDf5d/ZNOYP+zdlG6viu84QxT4VN6bFokkMFKWx4uXVssnk1P EgpbqvgCg5h4mEWBvZGwmqYjMe1Ek0O6qoINXviFJ/FIKtTwGlaSI07wbAsPocGfLZkM zhc8XTreK4uUa/vEucx5zjvnWNV23oTR40pgiERFW7cMxC0Qz5ee3QPQoXSnzVU0wSWv pghQ==
X-Gm-Message-State: AEkoouv6MN0gCYqbuORs826+YqlHxcXPulR1N650LPixdgXCACBT5R0IYf7h8ZtO3QsbwbrMIc4T7chUjNkBrw==
X-Received: by 10.107.25.75 with SMTP id 72mr6441672ioz.50.1471562682902; Thu, 18 Aug 2016 16:24:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.21.130 with HTTP; Thu, 18 Aug 2016 16:24:42 -0700 (PDT)
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 18 Aug 2016 16:24:42 -0700
Message-ID: <CALx6S34tS8rL5WfEZixMg=1tazHKic5dA4TKg=PfDk-XQb7vtw@mail.gmail.com>
To: "nvo3@ietf.org" <nvo3@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/2A0YZHQeoqZuSyJ8NImqUExXrdg>
Subject: [nvo3] Extensions in nvo3 encapsulations
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2016 23:24:46 -0000
Alia has asked that we provide some more information as to what the motivations for extensions are for nvo3 and to what form they should take. Here is some high level explanation with respect to GUE. Six fundamental extensions have been defined for GUE 1) VNID (draft-hy-nvo3-gue-4-nvo-03) 2) Checksum (draft-herbert-gue-extensions-00) 3) Remote checksum offload or RCO (draft-herbert-gue-extensions-00) 4) Fragmentation (draft-herbert-gue-extensions-00) 5) Security (draft-herbert-gue-extensions-00) 6) Payload transform (draft-herbert-gue-extensions-00) All of these share some common properties: * The extensions seem cover three areas: integrity/security, addressing, and protocol processing. * These extensions break down into two classes: those that can be processed without any additional information (checksum, RCO, fragmentation), and those that require context (VNID, security, payload xfrm).. * These are all intrinsic to the encapsulation layer and are part of correct processing of the encapsulation when present. For instance the security option is expressly needed to secure the GUE header and in particular to provide security for VNID. * All of these are mandatory in the sense that they can't be ignored at a receiver. For instance, if some receiver decided to ignore RCO then that would just become a checksum error at the ultimate receiver. Anything to do with security can pretty much never be ignored. Also, as a general principle in large scale DCs, it's much better to drop a packet when we're not sure something is correct as opposed to allowing it through even if the risk is slight. Packet loss is much easier to debug than incorrectness! * With the exception of fragmentation, a subset of these will commonly be set in packets for some deployment. For instance in a nvo3 deployment, VNID and security might be set all the time. * These are not intended for processing by middleboxes in transit. As I mentioned in my response to Bob Briscoe, intermediate devices cannot correctly parse UDP payloads (port number ambiguity problem in the network). Such information should be in HBH for IPv6 or IP options in IPv4. * These are interoperable and not proprietary.We allow proprietary extensions via a private data field but do do not encourage it, to do so otherwise would be to encourage vendor lock-in. While these six fundamental cover current needs, we cannot predict that they cover all the future needs of the protocol. At some point we will need to extend a deployed encapsulation protocol in the data center. The most likely scenario that we would need to extend the protocol is to addressed a newly discovered security vulnerability. We anticipate that extending a protocol is a rare event, but at large scale we need this capability. Extending a protocol is far simpler that replacing a protocol especially if we can avoid needing to swap out massive amounts of hardware. Another general characteristic is that GUE extensions are contained within a single header, as opposed to using shim headers or following headers. There are benefits to do this: * It's very clear that the extensions refer to the encapsulation. For instance if implement a checksum in a shim header then we need some consideration as to how the checksum covers prior headers. * We can limit the extensibility. This is important consideration for efficiency and avoid DOS attacks. * This allows "skip ahead". If a device just wants to look at the encapsulated IP packet for instance it does not need to parse a header chain for that. Thanks, Tom
- Re: [nvo3] Extensions in nvo3 encapsulations Lizhong Jin
- Re: [nvo3] Extensions in nvo3 encapsulations Tom Herbert
- Re: [nvo3] Extensions in nvo3 encapsulations Lizhong Jin
- Re: [nvo3] Extensions in nvo3 encapsulations Patrick Frejborg
- Re: [nvo3] Extensions in nvo3 encapsulations Lucy yong
- [nvo3] Extensions in nvo3 encapsulations Tom Herbert