Re: [nvo3] Extensions in nvo3 encapsulations
Tom Herbert <tom@herbertland.com> Fri, 19 August 2016 22:53 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: nvo3@ietfa.amsl.com
Delivered-To: nvo3@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E587712D110 for <nvo3@ietfa.amsl.com>; Fri, 19 Aug 2016 15:53:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wb7e1JCOHUiD for <nvo3@ietfa.amsl.com>; Fri, 19 Aug 2016 15:53:04 -0700 (PDT)
Received: from mail-it0-x233.google.com (mail-it0-x233.google.com [IPv6:2607:f8b0:4001:c0b::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1098F127058 for <nvo3@ietf.org>; Fri, 19 Aug 2016 15:53:04 -0700 (PDT)
Received: by mail-it0-x233.google.com with SMTP id x131so41423230ite.0 for <nvo3@ietf.org>; Fri, 19 Aug 2016 15:53:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=cr6/GT2SF/ghdKWpEDyc+na0mPfepLpwrwaDDG6d5Tw=; b=PRlt5a2hWjE+mJnEkiG1ZByKmYkomEXWx7UQ3BRbmP/+M1gm3R2DLdK7mjCuzWsnTy gImCQ4MIQchN6c9wIo1uq6hko026V+lQHEmHgeEF/03Xu5MImGPwTGvKZkT49TyVs2la onGg0a83tRBciBGBRNFBZrHJdxjh5uxJUQi/DJmh9csmCoIvB50ZRpHDeY4e5v7uxISR igWj9cFA13pOqJa8H6yxDluHhh+zMJoP+HBGiQlrOZ30bSrgt540DsJMgUdf89kiHz0g hXpMBbgVbDXNrW4tZW+FADP/pSjSzGp1+LS6X1MsSEfT0PUiGAdX4SvD/MECwmrBS26B egrg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=cr6/GT2SF/ghdKWpEDyc+na0mPfepLpwrwaDDG6d5Tw=; b=b8HDEsoyq13MBtt8NxZ3MGEPO6DrZ5VN02W7a2beEK9crhXUb5S78z0B/FwpKpVhIw o6MTudGgjBjxVYPd7gqU5vYaH7XUFSc4pdrt3DMflK6SVY8IDRTPQqaKJ8Pe37W9jSJe 5Dq0Qex8qtRHD0JqUFbJCLk9lh/KbwQgOEFsPT4Hc1CHe1pXCUEkVVqniaOUlHOC6FSJ AQ3MEHe3NXQbp+piG7vQCaXUnRkR9x9pMiyatz4vPq3pPeoBzWQ65mLG3ZPbgvgWhcvg SH7pZQL16hB+JMWU/i7bNk2+j2H5CMZQ2LPUyoI+d8amxe7Xa59If/kXYISxCl2JlmSi crQA==
X-Gm-Message-State: AEkoousI3b8bHDDqtGjVYOlamxQyL7B59WvQ/vyBAxy5Ac9WynishdIyKxInZy/W6Wh1HslkKe2PudgwvlQkGA==
X-Received: by 10.36.224.75 with SMTP id c72mr9035406ith.91.1471647183257; Fri, 19 Aug 2016 15:53:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.21.130 with HTTP; Fri, 19 Aug 2016 15:53:02 -0700 (PDT)
In-Reply-To: <CAH==cJziSaZHyyRV=J6OBYxWf7OkrJDbZPYFRni9wVtYw3NpEQ@mail.gmail.com>
References: <CAH==cJziSaZHyyRV=J6OBYxWf7OkrJDbZPYFRni9wVtYw3NpEQ@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 19 Aug 2016 15:53:02 -0700
Message-ID: <CALx6S36p207rtiROUjZ2CSLALjbsEjFDy1cwr4GVKtMXU_e3Pw@mail.gmail.com>
To: Lizhong Jin <lizho.jin@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/nvo3/smSx3zoClJH-Xfl3velu97ivaA8>
Cc: "nvo3@ietf.org" <nvo3@ietf.org>
Subject: Re: [nvo3] Extensions in nvo3 encapsulations
X-BeenThere: nvo3@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Network Virtualization Overlays \(NVO3\) Working Group" <nvo3.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nvo3>, <mailto:nvo3-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nvo3/>
List-Post: <mailto:nvo3@ietf.org>
List-Help: <mailto:nvo3-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nvo3>, <mailto:nvo3-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2016 22:53:06 -0000
Hi Lizhong, thanks for the feedback! Some replies inline. On Fri, Aug 19, 2016 at 8:07 AM, Lizhong Jin <lizho.jin@gmail.com> wrote: > Hi Tom, > Thank >> Six fundamental extensions have been defined for GUE >> >> 1) VNID (draft-hy-nvo3-gue-4-nvo-03) >> 2) Checksum (draft-herbert-gue-extensions-00) > > [Lizhong] one more checksum will add additional load to hardware NAT, and it > is required to update checksum for every NAT router which was not supposed > to support GUE. > Right, the GUE checksum cannot be used through a NAT. In that case UDP checksum is required. There's really no point in using UDP checksum and GUE checksum simultaneously, the GUE checksum is really only for those cases where a device is incapable of computing the full UDP checksum over a packet (RX or TX). >> >> 3) Remote checksum offload or RCO (draft-herbert-gue-extensions-00) > > [Lizhong] this is a feature to enhance legacy NIC. But is two checksum > (e.g., both outer&inner UDP checksum enabled) enabled really useful? It > seems, to me, only outer or inner UDP checksum is enough. > I assume you mean inner transport checksum (e.g. TCP checksum) and outer UDP checksum... Generally we found that it is better to set the outer UDP checksum because 1) It provides coverage over more of the packet including addresses which is especially important in IPv6 2) It is better performance since deployed hardware, i.e. NICs, already provide checksum offload for UDP and we are able to leverage that. >> >> 4) Fragmentation (draft-herbert-gue-extensions-00) > > [Lizhong] such kind of fragmentation is also not perfect. E.g., the receiver > side hardware without reassembling could not get inner header, and fail to > do RSS. I still like #3 as described in the draft. > RSS and ECMP are performed on outer IP addresses and UDP ports so we don't lose that, these must be the same for all fragments of a packet. DPI cannot be done on fragments (problem with any fragmentation method), but it is also true for payload transform such as DTLS. One of the goals of GUE (especially like in TOU) is to discourage and eliminate DPI in middleboxes by encrypting the whole GUE payload. Encryption is the only proposed solution to protocol ossification. >> >> 5) Security (draft-herbert-gue-extensions-00) >> 6) Payload transform (draft-herbert-gue-extensions-00) > > [Lizhong] I doubt if GUE header security is necessary. In MPLS network, we > also use label to implicitly identify a VPN, and it works well. > The GUE header security is primarily needed to verify the VNID. IMO in a multi-tenant network the most critical requirement is to maintain isolation between tenant networks. We need to protect against either packets illegitimately crossing networks are someone attempting to inject packets into a virtual network (the latter problem is exacerbated by the use of UDP for encapsulations because that allows non-priveleged applications to easily spoof packets to virtual networks). The header security extension provides explicit security for this. The payload transform option with DLTS should also be able to secure the VNID as well. I would expect that we deploy with one of those two options. Thanks, Tom
- Re: [nvo3] Extensions in nvo3 encapsulations Lizhong Jin
- Re: [nvo3] Extensions in nvo3 encapsulations Tom Herbert
- Re: [nvo3] Extensions in nvo3 encapsulations Lizhong Jin
- Re: [nvo3] Extensions in nvo3 encapsulations Patrick Frejborg
- Re: [nvo3] Extensions in nvo3 encapsulations Lucy yong
- [nvo3] Extensions in nvo3 encapsulations Tom Herbert