Re: [nvo3] Extensions in nvo3 encapsulations
Lizhong Jin <lizho.jin@gmail.com> Fri, 19 August 2016 15:07 UTC
Return-Path: <lizho.jin@gmail.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EE2612D8B5 for <nvo3@ietfa.amsl.com>; Fri, 19 Aug 2016 08:07:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TQlVzHCmf1bM for <nvo3@ietfa.amsl.com>; Fri, 19 Aug 2016 08:07:16 -0700 (PDT)
Received: from mail-wm0-x22a.google.com (mail-wm0-x22a.google.com [IPv6:2a00:1450:400c:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9234A12D14B for <nvo3@ietf.org>; Fri, 19 Aug 2016 08:07:15 -0700 (PDT)
Received: by mail-wm0-x22a.google.com with SMTP id f65so38040432wmi.0 for <nvo3@ietf.org>; Fri, 19 Aug 2016 08:07:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:cc; bh=/lKSCqVYH50YWdkvGzIS/3xQw8GwX7RARD3dI/yfLdE=; b=bYpW0EyT43wYKnf0cMrfDkNur4sczztT9UeTcyN/qAGKKYegsnSIF0bWCwtVoX5aoN JGGsqeSraWmkTxo5geJ6ycNjvfXCPUJe6Mi2RI3sryE1RibXDfEYXAi+JRGvFQCcEABE 6X2A8/9i8zLpK/otK59vfi1I44eUh8J44OHLRAWS2A9LZ0j5ZgeKLGw4ShP4jQiK+xsw WQqYxD24zZU0bdQs3Qa2Zp/WZiz83qVBX76QukgY9VEjAZYGdCrOm5BExVRYvw6ChEaL KGUoyyLj7iwqtgV4K2CSpGpv07xuOamEdgpqe5M190fd0Hg4xRX1Wcq8jVCqVLKWZRkc ruhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=/lKSCqVYH50YWdkvGzIS/3xQw8GwX7RARD3dI/yfLdE=; b=DNaZ03S7IszuTDKc/IaQIvkw4hB4VtvcR1SbgXPpYYWpDxwmyx112YtGthenFV5jGo /FYkyIWFepG5ZdxF6TRAloT83gMN5HCpQi5/dPsTp9oZN2t4uv3QtipE5OI2GmHBb5He torvGAINNewiz5OfSBPIQiwEwS8AVL6ekb0L0m7hcC140u+oseHF0eo0TdJxBG0KKB9V te7TNm/zsnokT9bHPiP58fzeB1JAYPgy+RN2skxBXoPmJRJNFBLMkwtwGMgyz6J/n1rS 60WBBRwd3yNVzHxW9Gyr4O/1tuHf6YuUxGUOZqUJ6u79i51EwAepZYmbOtwPIYJ84Zp2 6OUA==
X-Gm-Message-State: AEkoouu8NpqebWsYno6MKShPTtAujfq+EVDkyzHTgeR3Z9EIBC2KDQiKVKY6NHjNr4L8chQ5UosQk+rEHKaRSg==
X-Received: by 10.28.12.133 with SMTP id 127mr4255717wmm.119.1471619232925; Fri, 19 Aug 2016 08:07:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.107.37 with HTTP; Fri, 19 Aug 2016 08:07:12 -0700 (PDT)
From: Lizhong Jin <lizho.jin@gmail.com>
Date: Fri, 19 Aug 2016 23:07:12 +0800
Message-ID: <CAH==cJziSaZHyyRV=J6OBYxWf7OkrJDbZPYFRni9wVtYw3NpEQ@mail.gmail.com>
To: "nvo3@ietf.org" <nvo3@ietf.org>
Content-Type: multipart/alternative; boundary="001a114439c09fd704053a6e0d06"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/W8AeDvxvBDQTtxbtYaBDx7R7uMI>
Cc: Tom Herbert <tom@herbertland.com>
Subject: Re: [nvo3] Extensions in nvo3 encapsulations
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2016 15:07:21 -0000
Hi Tom, Thanks for the information. This gives me an overall view of the extensions. I try to understand, and see inline below. Lizhong ---------- Forwarded message ---------- > From: Tom Herbert <tom@herbertland.com> > To: "nvo3@ietf.org" <nvo3@ietf.org> > Cc: > Date: Thu, 18 Aug 2016 16:24:42 -0700 > Subject: [nvo3] Extensions in nvo3 encapsulations > Alia has asked that we provide some more information as to what the > motivations for extensions are for nvo3 and to what form they should > take. Here is some high level explanation with respect to GUE. > > Six fundamental extensions have been defined for GUE > > 1) VNID (draft-hy-nvo3-gue-4-nvo-03) > 2) Checksum (draft-herbert-gue-extensions-00) > [Lizhong] one more checksum will add additional load to hardware NAT, and it is required to update checksum for every NAT router which was not supposed to support GUE. > 3) Remote checksum offload or RCO (draft-herbert-gue-extensions-00) > [Lizhong] this is a feature to enhance legacy NIC. But is two checksum (e.g., both outer&inner UDP checksum enabled) enabled really useful? It seems, to me, only outer or inner UDP checksum is enough. > 4) Fragmentation (draft-herbert-gue-extensions-00) > [Lizhong] such kind of fragmentation is also not perfect. E.g., the receiver side hardware without reassembling could not get inner header, and fail to do RSS. I still like #3 as described in the draft. > 5) Security (draft-herbert-gue-extensions-00) > 6) Payload transform (draft-herbert-gue-extensions-00) > [Lizhong] I doubt if GUE header security is necessary. In MPLS network, we also use label to implicitly identify a VPN, and it works well. > All of these share some common properties: > > * The extensions seem cover three areas: integrity/security, > addressing, and protocol processing. > * These extensions break down into two classes: those that can be > processed without any additional information (checksum, RCO, > fragmentation), and those that require context (VNID, security, > payload xfrm).. > * These are all intrinsic to the encapsulation layer and are part of > correct processing of the encapsulation when present. For instance the > security option is expressly needed to secure the GUE header and in > particular to provide security for VNID. > * All of these are mandatory in the sense that they can't be ignored > at a receiver. For instance, if some receiver decided to ignore RCO > then that would just become a checksum error at the ultimate receiver. > Anything to do with security can pretty much never be ignored. Also, > as a general principle in large scale DCs, it's much better to drop a > packet when we're not sure something is correct as opposed to allowing > it through even if the risk is slight. Packet loss is much easier to > debug than incorrectness! > * With the exception of fragmentation, a subset of these will commonly > be set in packets for some deployment. For instance in a nvo3 > deployment, VNID and security might be set all the time. > * These are not intended for processing by middleboxes in transit. As > I mentioned in my response to Bob Briscoe, intermediate devices cannot > correctly parse UDP payloads (port number ambiguity problem in the > network). Such information should be in HBH for IPv6 or IP options in > IPv4. > * These are interoperable and not proprietary.We allow proprietary > extensions via a private data field but do do not encourage it, to do > so otherwise would be to encourage vendor lock-in. > > While these six fundamental cover current needs, we cannot predict > that they cover all the future needs of the protocol. At some point we > will need to extend a deployed encapsulation protocol in the data > center. The most likely scenario that we would need to extend the > protocol is to addressed a newly discovered security vulnerability. We > anticipate that extending a protocol is a rare event, but at large > scale we need this capability. Extending a protocol is far simpler > that replacing a protocol especially if we can avoid needing to swap > out massive amounts of hardware. > > Another general characteristic is that GUE extensions are contained > within a single header, as opposed to using shim headers or following > headers. There are benefits to do this: > > * It's very clear that the extensions refer to the encapsulation. For > instance if implement a checksum in a shim header then we need some > consideration as to how the checksum covers prior headers. > * We can limit the extensibility. This is important consideration for > efficiency and avoid DOS attacks. > * This allows "skip ahead". If a device just wants to look at the > encapsulated IP packet for instance it does not need to parse a header > chain for that. > > Thanks, > Tom > > > > > ---------- Forwarded message ---------- > From: Lucy yong <lucy.yong@huawei.com> > To: Tom Herbert <tom@herbertland.com>, "nvo3@ietf.org" <nvo3@ietf.org> > Cc: > Date: Fri, 19 Aug 2016 00:04:55 +0000 > Subject: Re: [nvo3] Extensions in nvo3 encapsulations > This is very good summary of the motivation for extensions. GUE design was > given quite thought on that. > > For supporting tunnel stitching (draft-yong-nvo3-tunnel-stitching), it > requires a new field in the encap. protocol to carry the next tunnel > identifier. GUE can easily support that by defining a new flag and > corresponding optional field. > > Extensibility is important for a protocol to retain long. > > Lucy > > -----Original Message----- > From: nvo3 [mailto:nvo3-bounces@ietf.org] On Behalf Of Tom Herbert > Sent: Thursday, August 18, 2016 6:25 PM > To: nvo3@ietf.org > Subject: [nvo3] Extensions in nvo3 encapsulations > > Alia has asked that we provide some more information as to what the > motivations for extensions are for nvo3 and to what form they should take. > Here is some high level explanation with respect to GUE. > > Six fundamental extensions have been defined for GUE > > 1) VNID (draft-hy-nvo3-gue-4-nvo-03) > 2) Checksum (draft-herbert-gue-extensions-00) > 3) Remote checksum offload or RCO (draft-herbert-gue-extensions-00) > 4) Fragmentation (draft-herbert-gue-extensions-00) > 5) Security (draft-herbert-gue-extensions-00) > 6) Payload transform (draft-herbert-gue-extensions-00) > > All of these share some common properties: > > * The extensions seem cover three areas: integrity/security, addressing, > and protocol processing. > * These extensions break down into two classes: those that can be > processed without any additional information (checksum, RCO, > fragmentation), and those that require context (VNID, security, payload > xfrm).. > * These are all intrinsic to the encapsulation layer and are part of > correct processing of the encapsulation when present. For instance the > security option is expressly needed to secure the GUE header and in > particular to provide security for VNID. > * All of these are mandatory in the sense that they can't be ignored at a > receiver. For instance, if some receiver decided to ignore RCO then that > would just become a checksum error at the ultimate receiver. > Anything to do with security can pretty much never be ignored. Also, as a > general principle in large scale DCs, it's much better to drop a packet > when we're not sure something is correct as opposed to allowing it through > even if the risk is slight. Packet loss is much easier to debug than > incorrectness! > * With the exception of fragmentation, a subset of these will commonly be > set in packets for some deployment. For instance in a nvo3 deployment, VNID > and security might be set all the time. > * These are not intended for processing by middleboxes in transit. As I > mentioned in my response to Bob Briscoe, intermediate devices cannot > correctly parse UDP payloads (port number ambiguity problem in the > network). Such information should be in HBH for IPv6 or IP options in IPv4. > * These are interoperable and not proprietary.We allow proprietary > extensions via a private data field but do do not encourage it, to do so > otherwise would be to encourage vendor lock-in. > > While these six fundamental cover current needs, we cannot predict that > they cover all the future needs of the protocol. At some point we will need > to extend a deployed encapsulation protocol in the data center. The most > likely scenario that we would need to extend the protocol is to addressed a > newly discovered security vulnerability. We anticipate that extending a > protocol is a rare event, but at large scale we need this capability. > Extending a protocol is far simpler that replacing a protocol especially if > we can avoid needing to swap out massive amounts of hardware. > > Another general characteristic is that GUE extensions are contained within > a single header, as opposed to using shim headers or following headers. > There are benefits to do this: > > * It's very clear that the extensions refer to the encapsulation. For > instance if implement a checksum in a shim header then we need some > consideration as to how the checksum covers prior headers. > * We can limit the extensibility. This is important consideration for > efficiency and avoid DOS attacks. > * This allows "skip ahead". If a device just wants to look at the > encapsulated IP packet for instance it does not need to parse a header > chain for that. > > Thanks, > Tom > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > > > > > ---------- Forwarded message ---------- > From: Lizhong Jin <lizho.jin@gmail.com> > To: "nvo3@ietf.org" <nvo3@ietf.org> > Cc: Matthew Bocci <matthew.bocci@nokia.com> > Date: Fri, 19 Aug 2016 14:58:53 +0800 > Subject: Re: [nvo3] Call for interest on NVO3 use case draft > Hi, > The use case draft did help us a lot at the beginning of NVO3, and will > also continue to helping other new comers. So I believe it is useful to > have this draft to be published. > > Lizhong > > > >> ---------- Forwarded message ---------- >> From: "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com> >> To: NVO3 <nvo3@ietf.org> >> Cc: >> Date: Fri, 12 Aug 2016 16:27:46 +0000 >> Subject: [nvo3] Call for interest on NVO3 use case draft >> >> WG >> >> >> >> As discussed in Berlin, the NVO3 use cases draft ( >> https://www.ietf.org/id/draft-ietf-nvo3-use-case-08.txt) is reaching >> maturity and potentially ready for WG last call. However, there have been >> some questions raised about how useful a use cases draft is at this stage >> in the working group, and whether some of the content could be more >> usefully contributed to applicability sections of solutions drafts. >> >> >> >> Before starting a last call, we would like to ask that if you have read >> the latest version of the draft, please indicate so to the list, and if so >> whether you believe we should progress this as a stand-alone draft. >> >> >> >> This call for interest will end on Friday 26th August. >> >> >> >> Best regards >> >> >> >> Matthew >> >> >> >> >> > > > ---------- Forwarded message ---------- > From: Patrick Frejborg <pfrejborg@gmail.com> > To: Tom Herbert <tom@herbertland.com> > Cc: "nvo3@ietf.org" <nvo3@ietf.org> > Date: Fri, 19 Aug 2016 13:39:15 +0300 > Subject: Re: [nvo3] Extensions in nvo3 encapsulations > Hi Tom, > > thinking out of the box - what will break if you slightly change the > order in which the packets are processed at the VTEP/PE/NVE? > >From the VM perspective, you insert a new L2 module before the packets > are sent down to the virtual circuit. In this module you have e.g. > MACSec for encryption, MEF modules for OAM functions, perhaps add some > new mechanisms for fragmenting on L2 level , have some kind of Path > MTU discovery mechanism etc. Depending on you performance requirements > and amount of tunnels that need these extended features you could run > this undefined module as VM or when high performance is required then > have it deployed in DPDK or if hardware appliance exists insert them > to your hosting device. With service chaining you can direct these > extended services to appropriate tunnels regardless what kind of L3 > tunnels are deployed between the VTEPs/PEs/NVEs peers as long as the > remote peer supports this undefined module. If VNID is needed on the > tunnel itself between the NVE peers, then chose a tunnel protocol that > supports that, if not then go for the tunnel with the smallest > overhead, Ethernet over UDP(?) and so on. > > Regards, > Patrick > > On Fri, Aug 19, 2016 at 2:24 AM, Tom Herbert <tom@herbertland.com> wrote: > > Alia has asked that we provide some more information as to what the > > motivations for extensions are for nvo3 and to what form they should > > take. Here is some high level explanation with respect to GUE. > > > > Six fundamental extensions have been defined for GUE > > > > 1) VNID (draft-hy-nvo3-gue-4-nvo-03) > > 2) Checksum (draft-herbert-gue-extensions-00) > > 3) Remote checksum offload or RCO (draft-herbert-gue-extensions-00) > > 4) Fragmentation (draft-herbert-gue-extensions-00) > > 5) Security (draft-herbert-gue-extensions-00) > > 6) Payload transform (draft-herbert-gue-extensions-00) > > > > All of these share some common properties: > > > > * The extensions seem cover three areas: integrity/security, > > addressing, and protocol processing. > > * These extensions break down into two classes: those that can be > > processed without any additional information (checksum, RCO, > > fragmentation), and those that require context (VNID, security, > > payload xfrm).. > > * These are all intrinsic to the encapsulation layer and are part of > > correct processing of the encapsulation when present. For instance the > > security option is expressly needed to secure the GUE header and in > > particular to provide security for VNID. > > * All of these are mandatory in the sense that they can't be ignored > > at a receiver. For instance, if some receiver decided to ignore RCO > > then that would just become a checksum error at the ultimate receiver. > > Anything to do with security can pretty much never be ignored. Also, > > as a general principle in large scale DCs, it's much better to drop a > > packet when we're not sure something is correct as opposed to allowing > > it through even if the risk is slight. Packet loss is much easier to > > debug than incorrectness! > > * With the exception of fragmentation, a subset of these will commonly > > be set in packets for some deployment. For instance in a nvo3 > > deployment, VNID and security might be set all the time. > > * These are not intended for processing by middleboxes in transit. As > > I mentioned in my response to Bob Briscoe, intermediate devices cannot > > correctly parse UDP payloads (port number ambiguity problem in the > > network). Such information should be in HBH for IPv6 or IP options in > > IPv4. > > * These are interoperable and not proprietary.We allow proprietary > > extensions via a private data field but do do not encourage it, to do > > so otherwise would be to encourage vendor lock-in. > > > > While these six fundamental cover current needs, we cannot predict > > that they cover all the future needs of the protocol. At some point we > > will need to extend a deployed encapsulation protocol in the data > > center. The most likely scenario that we would need to extend the > > protocol is to addressed a newly discovered security vulnerability. We > > anticipate that extending a protocol is a rare event, but at large > > scale we need this capability. Extending a protocol is far simpler > > that replacing a protocol especially if we can avoid needing to swap > > out massive amounts of hardware. > > > > Another general characteristic is that GUE extensions are contained > > within a single header, as opposed to using shim headers or following > > headers. There are benefits to do this: > > > > * It's very clear that the extensions refer to the encapsulation. For > > instance if implement a checksum in a shim header then we need some > > consideration as to how the checksum covers prior headers. > > * We can limit the extensibility. This is important consideration for > > efficiency and avoid DOS attacks. > > * This allows "skip ahead". If a device just wants to look at the > > encapsulated IP packet for instance it does not need to parse a header > > chain for that. > > > > Thanks, > > Tom > > > > _______________________________________________ > > nvo3 mailing list > > nvo3@ietf.org > > https://www.ietf.org/mailman/listinfo/nvo3 > > > > _______________________________________________ > nvo3 mailing list > nvo3@ietf.org > https://www.ietf.org/mailman/listinfo/nvo3 > >
- Re: [nvo3] Extensions in nvo3 encapsulations Lizhong Jin
- Re: [nvo3] Extensions in nvo3 encapsulations Tom Herbert
- Re: [nvo3] Extensions in nvo3 encapsulations Lizhong Jin
- Re: [nvo3] Extensions in nvo3 encapsulations Patrick Frejborg
- Re: [nvo3] Extensions in nvo3 encapsulations Lucy yong
- [nvo3] Extensions in nvo3 encapsulations Tom Herbert