Re: [nvo3] Extensions in nvo3 encapsulations
Patrick Frejborg <pfrejborg@gmail.com> Fri, 19 August 2016 10:39 UTC
Return-Path: <pfrejborg@gmail.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB6BF12D89F for <nvo3@ietfa.amsl.com>; Fri, 19 Aug 2016 03:39:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KqCN1vZBEG3n for <nvo3@ietfa.amsl.com>; Fri, 19 Aug 2016 03:39:17 -0700 (PDT)
Received: from mail-oi0-x233.google.com (mail-oi0-x233.google.com [IPv6:2607:f8b0:4003:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2005212D89E for <nvo3@ietf.org>; Fri, 19 Aug 2016 03:39:17 -0700 (PDT)
Received: by mail-oi0-x233.google.com with SMTP id l203so58120453oib.1 for <nvo3@ietf.org>; Fri, 19 Aug 2016 03:39:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=OSgakyBE8QkY7GgKIdZNJ/RBrOj9zewQTozE6AkbdhQ=; b=HRR2AVBxiyiRwoKQDgg4lNwUluzWTU5sxp5agPsaDti6gcK8jvKPubKNA/jkiimm84 Ds83cjPUHgoLPI1r99ogIAXBgXJQc7mD67lXDnV1n32HGMmPGsl5bk29Zhp/ED5taAmb jkqDBy+JUNpv2xw+XF/Ope6bB3OifK03whtkM7+VCmQNmw13mzddvHnaOOUlbvcwTkpV 603Gviv265DcH/oTjI4AmGP74BCUI43GTXxYSgmwcPhsMDJRcnzWBVFuLnPRVyIxddKI afTr4AXqxouE8EhBxZtn0dMd6XRZC3yoFSEBkPkKStn+sTE4SPVdzuMATg+EsaRHx2Uj 7axQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=OSgakyBE8QkY7GgKIdZNJ/RBrOj9zewQTozE6AkbdhQ=; b=Io5bYrs4CFc/odMA6OC7uoHqOdVBX9jRZ2K2FuAw0DO6C6uCJJdz6JJCEWHS64YNns 0ubK5QVHXIEaSdgyiZ0tJu+JI5AlTLGL9zHvwvkoOF8lczvYRGHk8nzDtawkzpMzFrz1 2Yh6qjmRWmRz6M9yO9aZ0lY+NgEb3k6HBF8VcrqcnQ/jl5G6L58ZYkilTUWLOP29ymGb BXq2LNe3pdiXaPR2Rzc7ga6O1O+TfDiSZR2jp24x/G5RhQFEG+ou/2hMJs0OvikcImmp bVZahjawJCy/JwIQXstAZc+nRf7bS4Dp2BeNNuZ6by6cgdoGBGSOW9/uFrLUItz5KZEM RHuw==
X-Gm-Message-State: AEkoouuw+XWHd/CgPzUJtJYvDZ9yQNm3uB/S+RmtJEaS4U7eRCblrEWKJrib+LFMymiuQfC+jaoA+4Y7C0bReA==
X-Received: by 10.157.43.240 with SMTP id u103mr4432193ota.126.1471603156387; Fri, 19 Aug 2016 03:39:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.253.149 with HTTP; Fri, 19 Aug 2016 03:39:15 -0700 (PDT)
In-Reply-To: <CALx6S34tS8rL5WfEZixMg=1tazHKic5dA4TKg=PfDk-XQb7vtw@mail.gmail.com>
References: <CALx6S34tS8rL5WfEZixMg=1tazHKic5dA4TKg=PfDk-XQb7vtw@mail.gmail.com>
From: Patrick Frejborg <pfrejborg@gmail.com>
Date: Fri, 19 Aug 2016 13:39:15 +0300
Message-ID: <CAHfUk+VxuV33O+FG8KSj=hj2V7kcxreNqO3xyiy52VHMe2Fi5Q@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/SxFZrouLa9c7nypDhlN1hvXCqI4>
Cc: "nvo3@ietf.org" <nvo3@ietf.org>
Subject: Re: [nvo3] Extensions in nvo3 encapsulations
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2016 10:39:20 -0000
Hi Tom, thinking out of the box - what will break if you slightly change the order in which the packets are processed at the VTEP/PE/NVE? >From the VM perspective, you insert a new L2 module before the packets are sent down to the virtual circuit. In this module you have e.g. MACSec for encryption, MEF modules for OAM functions, perhaps add some new mechanisms for fragmenting on L2 level , have some kind of Path MTU discovery mechanism etc. Depending on you performance requirements and amount of tunnels that need these extended features you could run this undefined module as VM or when high performance is required then have it deployed in DPDK or if hardware appliance exists insert them to your hosting device. With service chaining you can direct these extended services to appropriate tunnels regardless what kind of L3 tunnels are deployed between the VTEPs/PEs/NVEs peers as long as the remote peer supports this undefined module. If VNID is needed on the tunnel itself between the NVE peers, then chose a tunnel protocol that supports that, if not then go for the tunnel with the smallest overhead, Ethernet over UDP(?) and so on. Regards, Patrick On Fri, Aug 19, 2016 at 2:24 AM, Tom Herbert <tom@herbertland.com> wrote: > Alia has asked that we provide some more information as to what the > motivations for extensions are for nvo3 and to what form they should > take. Here is some high level explanation with respect to GUE. > > Six fundamental extensions have been defined for GUE > > 1) VNID (draft-hy-nvo3-gue-4-nvo-03) > 2) Checksum (draft-herbert-gue-extensions-00) > 3) Remote checksum offload or RCO (draft-herbert-gue-extensions-00) > 4) Fragmentation (draft-herbert-gue-extensions-00) > 5) Security (draft-herbert-gue-extensions-00) > 6) Payload transform (draft-herbert-gue-extensions-00) > > All of these share some common properties: > > * The extensions seem cover three areas: integrity/security, > addressing, and protocol processing. > * These extensions break down into two classes: those that can be > processed without any additional information (checksum, RCO, > fragmentation), and those that require context (VNID, security, > payload xfrm).. > * These are all intrinsic to the encapsulation layer and are part of > correct processing of the encapsulation when present. For instance the > security option is expressly needed to secure the GUE header and in > particular to provide security for VNID. > * All of these are mandatory in the sense that they can't be ignored > at a receiver. For instance, if some receiver decided to ignore RCO > then that would just become a checksum error at the ultimate receiver. > Anything to do with security can pretty much never be ignored. Also, > as a general principle in large scale DCs, it's much better to drop a > packet when we're not sure something is correct as opposed to allowing > it through even if the risk is slight. Packet loss is much easier to > debug than incorrectness! > * With the exception of fragmentation, a subset of these will commonly > be set in packets for some deployment. For instance in a nvo3 > deployment, VNID and security might be set all the time. > * These are not intended for processing by middleboxes in transit. As > I mentioned in my response to Bob Briscoe, intermediate devices cannot > correctly parse UDP payloads (port number ambiguity problem in the > network). Such information should be in HBH for IPv6 or IP options in > IPv4. > * These are interoperable and not proprietary.We allow proprietary > extensions via a private data field but do do not encourage it, to do > so otherwise would be to encourage vendor lock-in. > > While these six fundamental cover current needs, we cannot predict > that they cover all the future needs of the protocol. At some point we > will need to extend a deployed encapsulation protocol in the data > center. The most likely scenario that we would need to extend the > protocol is to addressed a newly discovered security vulnerability. We > anticipate that extending a protocol is a rare event, but at large > scale we need this capability. Extending a protocol is far simpler > that replacing a protocol especially if we can avoid needing to swap > out massive amounts of hardware. > > Another general characteristic is that GUE extensions are contained > within a single header, as opposed to using shim headers or following > headers. There are benefits to do this: > > * It's very clear that the extensions refer to the encapsulation. For > instance if implement a checksum in a shim header then we need some > consideration as to how the checksum covers prior headers. > * We can limit the extensibility. This is important consideration for > efficiency and avoid DOS attacks. > * This allows "skip ahead". If a device just wants to look at the > encapsulated IP packet for instance it does not need to parse a header > chain for that. > > Thanks, > Tom > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3
- Re: [nvo3] Extensions in nvo3 encapsulations Lizhong Jin
- Re: [nvo3] Extensions in nvo3 encapsulations Tom Herbert
- Re: [nvo3] Extensions in nvo3 encapsulations Lizhong Jin
- Re: [nvo3] Extensions in nvo3 encapsulations Patrick Frejborg
- Re: [nvo3] Extensions in nvo3 encapsulations Lucy yong
- [nvo3] Extensions in nvo3 encapsulations Tom Herbert