Re: [nvo3] Extensions in nvo3 encapsulations
Lizhong Jin <lizho.jin@gmail.com> Sat, 20 August 2016 06:03 UTC
Return-Path: <lizho.jin@gmail.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27EDA12D142 for <nvo3@ietfa.amsl.com>; Fri, 19 Aug 2016 23:03:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B110YeaO_gtT for <nvo3@ietfa.amsl.com>; Fri, 19 Aug 2016 23:03:50 -0700 (PDT)
Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BE7A12D10E for <nvo3@ietf.org>; Fri, 19 Aug 2016 23:03:50 -0700 (PDT)
Received: by mail-wm0-x230.google.com with SMTP id f65so57338007wmi.0 for <nvo3@ietf.org>; Fri, 19 Aug 2016 23:03:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=4PFzOqo7FF6iluaVj+5Ufn8PLHUBd8gOmYwQ+dO8d7Q=; b=nAYYAaYu+5IFBD4PRlZUoKONzbXd0o33jC99iMh/33Jmjx5HP5tvzO9EfRGqwywHk4 pG+O9auuiR7Q2dKL637OzIJZihCDLTYbGGI5Eta0apSkjDJNYZF/EOH7UegDs+nH5abb kr34K9Pls+8noCTcq1a8h3zni49oFFhSGdVYd2NyAGHw0SIdNm2WJei/O5BpuzEEssPx HPOqzNw3UsyJvwPLNMqPvrGpUGIfmBZGQ1JHnzy3HjUy/Fj61x4mcmUlPCosCmVMl7T5 x58duPWfgYKUJkoBoiMIwpvn0bGKdzJ7eYmjbIa7hp6R8pudEUTLy8wpL4y1rDVZX9kw Dyfg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=4PFzOqo7FF6iluaVj+5Ufn8PLHUBd8gOmYwQ+dO8d7Q=; b=WgQtV8ufLwh9KrRp0BGJd35Q9N9fZgivfLqZr2A/f1U93KyQcAle8vysmwA+2aDtj9 htRg5S7yejEsRcI+9B2pVlx3DzQKESLRzv5vnRbZ8zrU27C1YCqLbfUUp4rt/iH8IINt nk39Bv1FRW0Uz+dsX6lOtXHaXq46xtnM+nX4QuCewiNcXqsqBqhCjY381yRuuapVyFRw saeV6IdT2Yk3/QVKc+g85R+qXOcxpHmK5t4XTsCOWsEPGIhdSUPhhDe/L5N6N00XH2OR Hh94rrKCu7lOJnrFzWx8FEsl7jGsYs2CG9UEXdQe0FA/dkfCjtx2Auz7NkYZBF0C7b33 fQpw==
X-Gm-Message-State: AEkoouvUaT1/vIT87Oy8D1E3BM4ns4SJrz3dH64Jgj364DWid+BDWw1bawNP+5toIfeokvtWXXxca6zWV83N0w==
X-Received: by 10.28.222.194 with SMTP id v185mr6447483wmg.119.1471673028894; Fri, 19 Aug 2016 23:03:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.107.37 with HTTP; Fri, 19 Aug 2016 23:03:48 -0700 (PDT)
In-Reply-To: <CALx6S36p207rtiROUjZ2CSLALjbsEjFDy1cwr4GVKtMXU_e3Pw@mail.gmail.com>
References: <CAH==cJziSaZHyyRV=J6OBYxWf7OkrJDbZPYFRni9wVtYw3NpEQ@mail.gmail.com> <CALx6S36p207rtiROUjZ2CSLALjbsEjFDy1cwr4GVKtMXU_e3Pw@mail.gmail.com>
From: Lizhong Jin <lizho.jin@gmail.com>
Date: Sat, 20 Aug 2016 14:03:48 +0800
Message-ID: <CAH==cJy9a0qpgTrXF-LzVg8aUzdjxsj79eWvkOWd=c-SXOTamg@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
Content-Type: multipart/alternative; boundary="001a114af7121ce767053a7a94c8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/crafLW81OJBsWOaOZ_1Ur6GY0I8>
Cc: "nvo3@ietf.org" <nvo3@ietf.org>
Subject: Re: [nvo3] Extensions in nvo3 encapsulations
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Aug 2016 06:03:53 -0000
Hi Tom, see inline below. Lizhong On Sat, Aug 20, 2016 at 6:53 AM, Tom Herbert <tom@herbertland.com> wrote: > Hi Lizhong, thanks for the feedback! Some replies inline. > > On Fri, Aug 19, 2016 at 8:07 AM, Lizhong Jin <lizho.jin@gmail.com> wrote: > > Hi Tom, > > Thank > >> Six fundamental extensions have been defined for GUE > >> > >> 1) VNID (draft-hy-nvo3-gue-4-nvo-03) > >> 2) Checksum (draft-herbert-gue-extensions-00) > > > > [Lizhong] one more checksum will add additional load to hardware NAT, > and it > > is required to update checksum for every NAT router which was not > supposed > > to support GUE. > > > Right, the GUE checksum cannot be used through a NAT. In that case UDP > checksum is required. There's really no point in using UDP checksum > and GUE checksum simultaneously, the GUE checksum is really only for > those cases where a device is incapable of computing the full UDP > checksum over a packet (RX or TX). > [Lizhong] Then can I say, when checksum extension is deployed, the underlay network is restricted to be no NAT. This will be a limitation. > > >> > >> 3) Remote checksum offload or RCO (draft-herbert-gue-extensions-00) > > > > [Lizhong] this is a feature to enhance legacy NIC. But is two checksum > > (e.g., both outer&inner UDP checksum enabled) enabled really useful? It > > seems, to me, only outer or inner UDP checksum is enough. > > > I assume you mean inner transport checksum (e.g. TCP checksum) and > outer UDP checksum... Generally we found that it is better to set the > outer UDP checksum because 1) It provides coverage over more of the > packet including addresses which is especially important in IPv6 2) It > is better performance since deployed hardware, i.e. NICs, already > provide checksum offload for UDP and we are able to leverage that. > [Lizhong] Since the link layer has already provide checksum, e.g., FCS in Ethernet, it would be also safe to have only inner UDP checksum, right? Anyway, if either inner or outer transport checksum is acceptable, does that mean the motivation of RCO will not exist? > > >> > >> 4) Fragmentation (draft-herbert-gue-extensions-00) > > > > [Lizhong] such kind of fragmentation is also not perfect. E.g., the > receiver > > side hardware without reassembling could not get inner header, and fail > to > > do RSS. I still like #3 as described in the draft. > > > RSS and ECMP are performed on outer IP addresses and UDP ports so we > don't lose that, these must be the same for all fragments of a packet. > DPI cannot be done on fragments (problem with any fragmentation > method), but it is also true for payload transform such as DTLS. One > of the goals of GUE (especially like in TOU) is to discourage and > eliminate DPI in middleboxes by encrypting the whole GUE payload. > Encryption is the only proposed solution to protocol ossification. > [Lizhong] Relying on outer IP addresses and UDP ports maybe not a good way. For the IP fragmented packet, first&second fragments belong to same flow may have different source UDP ports, especially in the scenario where TS and NVE is separated. Method of generating the source UDP ports is not standardized, and using source UDP port may not have even distribution of RSS hash value. E.g., 3bits of hash value maybe enough for source UDP port, because usually ECMP in network will support 8 path. But RSS needs 7bits of hash value. Then the best way to do RSS for fragments is to parse the inner header at receive side, and do the hash based on 3/2-tuple as currently doing. > > >> > >> 5) Security (draft-herbert-gue-extensions-00) > >> 6) Payload transform (draft-herbert-gue-extensions-00) > > > > [Lizhong] I doubt if GUE header security is necessary. In MPLS network, > we > > also use label to implicitly identify a VPN, and it works well. > > > The GUE header security is primarily needed to verify the VNID. IMO in > a multi-tenant network the most critical requirement is to maintain > isolation between tenant networks. We need to protect against either > packets illegitimately crossing networks are someone attempting to > inject packets into a virtual network (the latter problem is > exacerbated by the use of UDP for encapsulations because that allows > non-priveleged applications to easily spoof packets to virtual > networks). The header security extension provides explicit security > for this. The payload transform option with DLTS should also be able > to secure the VNID as well. I would expect that we deploy with one of > those two options. > > Thanks, > Tom >
- Re: [nvo3] Extensions in nvo3 encapsulations Lizhong Jin
- Re: [nvo3] Extensions in nvo3 encapsulations Tom Herbert
- Re: [nvo3] Extensions in nvo3 encapsulations Lizhong Jin
- Re: [nvo3] Extensions in nvo3 encapsulations Patrick Frejborg
- Re: [nvo3] Extensions in nvo3 encapsulations Lucy yong
- [nvo3] Extensions in nvo3 encapsulations Tom Herbert