IETF Logo Mail Archive

Re: [nvo3] Extensions in nvo3 encapsulations

Lucy yong <lucy.yong@huawei.com> Fri, 19 August 2016 00:05 UTC

Return-Path: <lucy.yong@huawei.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EDB812D1E7 for <nvo3@ietfa.amsl.com>; Thu, 18 Aug 2016 17:05:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.468
X-Spam-Level:
X-Spam-Status: No, score=-5.468 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TGIHnFMYQnoO for <nvo3@ietfa.amsl.com>; Thu, 18 Aug 2016 17:05:04 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62A2012B024 for <nvo3@ietf.org>; Thu, 18 Aug 2016 17:05:02 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml704-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CPS07614; Fri, 19 Aug 2016 00:04:59 +0000 (GMT)
Received: from DFWEML702-CAH.china.huawei.com (10.193.5.176) by lhreml704-cah.china.huawei.com (10.201.5.130) with Microsoft SMTP Server (TLS) id 14.3.235.1; Fri, 19 Aug 2016 01:04:59 +0100
Received: from DFWEML501-MBB.china.huawei.com ([10.193.5.179]) by dfweml702-cah.china.huawei.com ([10.193.5.176]) with mapi id 14.03.0235.001; Thu, 18 Aug 2016 17:04:55 -0700
From: Lucy yong <lucy.yong@huawei.com>
To: Tom Herbert <tom@herbertland.com>, "nvo3@ietf.org" <nvo3@ietf.org>
Thread-Topic: [nvo3] Extensions in nvo3 encapsulations
Thread-Index: AQHR+afEP/4OgeBSAkqLk15SNUeh5KBPYvOg
Date: Fri, 19 Aug 2016 00:04:55 +0000
Message-ID: <2691CE0099834E4A9C5044EEC662BB9D572C1A37@dfweml501-mbb>
References: <CALx6S34tS8rL5WfEZixMg=1tazHKic5dA4TKg=PfDk-XQb7vtw@mail.gmail.com>
In-Reply-To: <CALx6S34tS8rL5WfEZixMg=1tazHKic5dA4TKg=PfDk-XQb7vtw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.47.154.74]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090204.57B64D2C.0083, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: bc853ff07c3bfcb1c46076698982ab04
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/RivJpjXQjAUyH3B84UARiE7yhak>
Subject: Re: [nvo3] Extensions in nvo3 encapsulations
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2016 00:05:06 -0000

This is very good summary of the motivation for extensions. GUE design was given quite thought on that.

For supporting tunnel stitching (draft-yong-nvo3-tunnel-stitching), it requires a new field in the encap. protocol to carry the next tunnel identifier. GUE can easily support that by defining a new flag and corresponding optional field.

Extensibility is important for a protocol to retain long.

Lucy 

-----Original Message-----
From: nvo3 [mailto:nvo3-bounces@ietf.org] On Behalf Of Tom Herbert
Sent: Thursday, August 18, 2016 6:25 PM
To: nvo3@ietf.org
Subject: [nvo3] Extensions in nvo3 encapsulations

Alia has asked that we provide some more information as to what the motivations for extensions are for nvo3 and to what form they should take. Here is some high level explanation with respect to GUE.

Six fundamental extensions have been defined for GUE

1) VNID (draft-hy-nvo3-gue-4-nvo-03)
2) Checksum (draft-herbert-gue-extensions-00)
3) Remote checksum offload or RCO  (draft-herbert-gue-extensions-00)
4) Fragmentation (draft-herbert-gue-extensions-00)
5) Security (draft-herbert-gue-extensions-00)
6) Payload transform (draft-herbert-gue-extensions-00)

All of these share some common properties:

* The extensions seem cover three areas: integrity/security, addressing, and protocol processing.
* These extensions break down into two classes: those that can be processed without any additional information (checksum, RCO, fragmentation), and those that require context (VNID, security, payload xfrm)..
* These are all intrinsic to the encapsulation layer and are part of correct processing of the encapsulation when present. For instance the security option is expressly needed to secure the GUE header and in particular to provide security for VNID.
* All of these are mandatory in the sense that they can't be ignored at a receiver. For instance, if some receiver decided to ignore RCO then that would just become a checksum error at the ultimate receiver.
Anything to do with security can pretty much never be ignored. Also, as a general principle in large scale DCs, it's much better to drop a packet when we're not sure something is correct as opposed to allowing it through even if the risk is slight. Packet loss is much easier to debug than incorrectness!
* With the exception of fragmentation, a subset of these will commonly be set in packets for some deployment. For instance in a nvo3 deployment, VNID and security might be set all the time.
* These are not intended for processing by middleboxes in transit. As I mentioned in my response to Bob Briscoe, intermediate devices cannot correctly parse UDP payloads (port number ambiguity problem in the network). Such information should be in HBH for IPv6 or IP options in IPv4.
* These are interoperable and not proprietary.We allow proprietary extensions via a private data field but do do not encourage it, to do so otherwise would be to encourage vendor lock-in.

While these six fundamental cover current needs, we cannot predict that they cover all the future needs of the protocol. At some point we will need to extend a deployed encapsulation protocol in the data center. The most likely scenario that we would need to extend the protocol is to addressed a newly discovered security vulnerability. We anticipate that extending a protocol is a rare event, but at large scale we need this capability. Extending a protocol is far simpler that replacing a protocol especially if we can avoid needing to swap out massive amounts of hardware.

Another general characteristic is that GUE extensions are contained within a single header, as opposed to using shim headers or following headers. There are benefits to do this:

* It's very clear that the extensions refer to the encapsulation. For instance if implement a checksum in a shim header then we need some consideration as to how the checksum covers prior headers.
* We can limit the extensibility. This is important consideration for efficiency and avoid DOS attacks.
* This allows "skip ahead". If a device just wants to look at the encapsulated IP packet for instance it does not need to parse a header chain for that.

Thanks,
Tom

_______________________________________________
nvo3 mailing list
nvo3@ietf.org
https://www.ietf.org/mailman/listinfo/nvo3

v2.23.0 | Report a Bug | By Email