Re: Adam Roach's No Objection on draft-ietf-bfd-vxlan-09: (with COMMENT)

[Adam Roach <adam@nostrum.com>]

On 12/17/19 4:35 PM, Greg Mirsky wrote:
> Hi Adam,
> thank you for your review and the very clear suggestions, all is the 
> most helpful. I've followed your recommendations and applied changes 
> to the working version of the draft. Attached, please find the diff 
> that highlights updates. Also, please find my notes in-line tagged GIM>>.
>
> Best regards,
> Greg
>
> On Mon, Dec 16, 2019 at 11:11 PM Adam Roach via Datatracker 
> <noreply@ietf.org <mailto:noreply@ietf.org>> wrote:
>
>     Adam Roach has entered the following ballot position for
>     draft-ietf-bfd-vxlan-09: No Objection
>
>     When responding, please keep the subject line intact and reply to all
>     email addresses included in the To and CC lines. (Feel free to cut
>     this
>     introductory paragraph, however.)
>
>
>     Please refer to
>     https://www.ietf.org/iesg/statement/discuss-criteria.html
>     for more information about IESG DISCUSS and COMMENT positions.
>
>
>     The document, along with other ballot positions, can be found here:
>     https://datatracker.ietf.org/doc/draft-ietf-bfd-vxlan/
>
>
>
>     ----------------------------------------------------------------------
>     COMMENT:
>     ----------------------------------------------------------------------
>
>     Thanks for the work that everyone has put into this document. I have
>     a couple of relatively important, related comments that should be
>     taken into account prior to publication.
>
>     ---------------------------------------------------------------------------
>
>     §3:
>
>     >  As per Section 4, the inner destination IP address SHOULD be set to
>     >  one of the loopback addresses (127/8 range for IPv4 and
>     >  0:0:0:0:0:FFFF:7F00:0/104 range for IPv6).
>
>     Please consider reformatting this IPv6 address according to the
>     recommendations
>     of RFC 5952 (paying particular attention to sections 4.2.1, 4.3,
>     and 5):
>
>     ::ffff:127.0.0.0/104 <http://127.0.0.0/104>
>
>     It's also worth noting that, as a practical matter, modern
>     operating systems do
>     not seem to bind to anything in the IPv4-mapped range assigned to
>     IPv4 loopback:
>
>     Linux:
>
>       ~$ ping6 ::ffff:127.0.0.1
>       PING ::ffff:127.0.0.1(::ffff:127.0.0.1) 56 data bytes
>       ^C
>       --- ::ffff:127.0.0.1 ping statistics ---
>       14 packets transmitted, 0 received, 100% packet loss, time 13316ms
>
>     MacOS:
>
>       ~$ ping6 ::ffff:127.0.0.1
>       PING6(56=40+8+8 bytes) ::ffff:127.0.0.1 --> ::ffff:127.0.0.1
>       ping6: sendmsg: Invalid argument
>       ping6: wrote ::ffff:127.0.0.1 16 chars, ret=-1
>
>
>     It is not clear to me whether this poses an issue for your
>     intended usage.
>
> GIM>> Thank you for sharing very interesting facts on the handling of 
> these addresses. I don't think that implementation on the egress BFD 
> node would listen on the particular address, more likely it would be 
> on the value of the well-known UDP port. The goal of using one of the 
> addresses from this range is to prevent leaking packets from a broken 
> VXLAN tunnel (as was the original goal in RFC 4379/8029 and RFC 5884).


I'm a little unclear about the scope of leakage that is causing concern 
here. If you simply want to prevent the packets from making it to an end 
host, there are a lot of choices you can make that guarantee an address 
that has no ultimate destination.

If the concern is, instead, that the packet might be sent to one or more 
other routers when the tunnel is broken (even if it never reaches a 
host), then what you're doing here is unlikely to achieve your goals. As 
I attempted to highlight below, there is no reason to believe that an 
IPv6 router is going to treat ::ffff:127.0.0.0/104 any differently than 
any other IPv4-mapped address. Unless you're in the default-free zone, 
It's either heading towards a default router or a v6/v4 gateway, and 
probably won't be dropped until it reaches an ingress to the v4 network.

On the other hand, if you *are* in the DFZ, my my understanding (and I'm 
not a routing person, so it's kind of a lay understanding) is that 
guaranteeing a packet drop in the default-free zone simply requires that 
the corresponding prefix isn't configured or announced. The IETF 
protocol IP blocks I mention below have that property.

In short, I don't think your solution addresses your implied threat 
model (regardless of which of the preceding two situations apply), and 
at the same time is an abuse of the semantic meaning of loopback addresses.

I'm feeling like I might not understand the problem being addressed by 
this approach. Perhaps if you explained the exact nature of the bad 
things that might happen when a tunnel breaks and some other inner 
address is used (with the assumption that such inner address would never 
correspond to a real host, and would never correspond to an advertised 
route, as would be true for my suggestions below), it would help.


>
>     In any case, please do not refer to ::ffff:127.0.0.0/104
>     <http://127.0.0.0/104> as "loopback
>     addresses": IPv6 has only one loopback address defined (::1). The
>     range
>     you cite is best described as "IPv4-mapped IPv4 loopback addresses."
>     Alternately -- and this is probably better -- use "::1/128" instead of
>     "::ffff:127.0.0.0/104 <http://127.0.0.0/104>" for the inner IP
>     header destination address.
>
>     As an aside, I share Benjamin's unease around the use of loopback
>     addresses
>     in this fashion. It may be worth noting that IETF protocols can
>     reserve
>     addresses in the 192.0.0.0/24 <http://192.0.0.0/24> and 2001::/23
>     blocks if necessary, and such
>     reserved addresses won't ever correspond to a valid destination.
>
>     (There is corresponding text in section 4 that all of the
>     preceding pertains
>     to as well)
>
>     ---------------------------------------------------------------------------
>
>     §9:
>
>     >  This document recommends using an address from the Internal host
>     >  loopback addresses (127/8 range for IPv4 and
>     >  0:0:0:0:0:FFFF:7F00:0/104 range for IPv6) as the destination IP
>     >  address in the inner IP header.  Using such address prevents the
>     >  forwarding of the encapsulated BFD control message by a transient
>     >  node in case the VXLAN tunnel is broken as according to [RFC1812]:
>     >
>     >     A router SHOULD NOT forward, except over a loopback
>     interface, any
>     >     packet that has a destination address on network 127.  A router
>     >     MAY have a switch that allows the network manager to disable
>     these
>     >     checks.  If such a switch is provided, it MUST default to
>     >     performing the checks.
>
>     In addition to the comments above about IPv6 address formatting, the
>     improper use of "loopback" terminology as it applies to IPv6, and
>     concerns about using localhost: it's worth noting that this text in
>     RFC 1812 refers to IPv4 routers -- RFC 8504 has no equivalent
>     language,
>     and so the use of ::ffff:127.0.0.0/104 <http://127.0.0.0/104>
>     implies no special router handling.
>     ::1 *probably* does, at least as a practical matter.
>
> GIM>> As noted above, the reason of using addresses from this range 
> was to prevent packets from being routed in case a tunnel is broken. 
> Do you think that the lack of the wording similar to RFC 1812 should 
> be a concern for RFC 8029 and RFC 5884 that use the same range for the 
> destination IP address?
>