Re: [nvo3] BFD over VXLAN: Trapping BFD Control packet at VTEP

["Joel M. Halpern" <jmh@joelhalpern.com>]

I do assume there is no chance of forwarding the packet.  The reason for 
specifying it is to be clear what the VTEP is expected to do in that 
case.  (Which does mean the text has marginal, but non-zero value.)
Yours,
Joel

On 10/31/2019 12:33 PM, Anoop Ghanwani wrote:
> What is the definition of management VNI?  Is it that there is no VAP 
> corresponding to that VNI or something else?  If there is no VAP, then 
> there is no chance of forwarding such packets anyway.
> 
> Anoop
> 
> On Thu, Oct 31, 2019 at 9:22 AM Jeffrey Haas <jhaas@pfrc.org 
> <mailto:jhaas@pfrc.org>> wrote:
> 
>     I also agree with Joel.
> 
>     -- Jeff
> 
> 
>      > On Oct 31, 2019, at 11:59 AM, Joel M. Halpern
>     <jmh@joelhalpern.com <mailto:jmh@joelhalpern.com>> wrote:
>      >
>      > Explicitly restricting the discard behavior to the management VNI
>     takes care of my concern.
>      >
>      > Thank you,
>      > Joel
>      >
>      > On 10/31/2019 11:48 AM, Greg Mirsky wrote:
>      >> Hi Jeff,
>      >> thank you for the detailed clarification of your questions.
>     Please find my follow-up notes in-lined tagged GIM2>>.
>      >> Regards,
>      >> Greg
>      >> On Wed, Oct 30, 2019 at 2:14 PM Jeffrey Haas <jhaas@pfrc.org
>     <mailto:jhaas@pfrc.org> <mailto:jhaas@pfrc.org
>     <mailto:jhaas@pfrc.org>>> wrote:
>      >>    Greg,
>      >>    On Wed, Oct 30, 2019 at 01:58:30PM -0700, Greg Mirsky wrote:
>      >>     > On Wed, Oct 30, 2019 at 1:27 PM Jeffrey Haas
>     <jhaas@pfrc.org <mailto:jhaas@pfrc.org>
>      >>    <mailto:jhaas@pfrc.org <mailto:jhaas@pfrc.org>>> wrote:
>      >>     >
>      >>     > > Greg,
>      >>     > >
>      >>     > > From the updated text:
>      >>     > >
>      >>     > > "At the same time, a service layer BFD session may be used
>      >>    between the
>      >>     > > tenants of VTEPs IP1 and IP2 to provide end-to-end fault
>      >>    management. In
>      >>     > > such case, for VTEPs BFD Control packets of that session are
>      >>     > > indistinguishable from data packets.  If end-to-end defect
>      >>    detection is
>      >>     > > realized as the set of concatenated OAM domains, e.g.,
>     VM1-1 -
>      >>    IP1 --
>      >>     > > IP2 - VM2-1, then the BFD session over VXLAN between
>     VTEPs SHOULD
>      >>     > > follow the procedures described in Section 6.8.17
>     [RFC5880]."
>      >>     > >
>      >>     > > In the case that two VMs are running BFD to each other
>     as a user
>      >>     > > application
>      >>     > > rather than as part of the virtualized environment, it's
>      >>    unlikely that
>      >>     > > they'd be treated as concatenated domains.  To do so, the
>      >>    tenant VMs would
>      >>     > > have to have a sense that they are indeed virtual.
>      >>     > >
>      >>     > > Is your intent in this text that BFD implementations on the
>      >>    server should
>      >>     > > detect BFD sessions between servers and change them to a
>      >>    concatenated
>      >>     > > session?
>      >>     > >
>      >>     > GIM>> No, we do not suggest that the concatenation of BFD
>     sessions be
>      >>     > automagical. That may be controlled via the management
>     plane though.
>      >>    Then my suggestion is we may not want this text.
>      >>    It's fine to say "if tenants want to run BFD to each other,
>     and that is
>      >>    standard BFD (RFC 5881) from the perspective of those
>     tenants" if that's
>      >>    your intent.  Leave automagic out of the spec. :-)
>      >> GIM2>> I'd take the passage referring to the concatenated path
>     out. That will leave it as:
>      >>    At the same time, a service layer BFD session may be used
>     between the
>      >>    tenants of VTEPs IP1 and IP2 to provide end-to-end fault
>     management.
>      >>    In such case, for VTEPs BFD Control packets of that session are
>      >>    indistinguishable from data packets.
>      >>     > > Section 5 comment:
>      >>     > >
>      >>     > > :   The UDP destination port and the TTL of the inner IP
>     packet
>      >>    MUST be
>      >>     > > :   validated to determine if the received packet can be
>      >>    processed by
>      >>     > > :   BFD.  BFD Control packets with unknown MAC address
>     MUST NOT be
>      >>     > > :   forwarded to VMs.
>      >>     > >
>      >>     > > I'd suggest pushing the second sentence into the prior
>     section
>      >>    since it
>      >>     > > deals with MAC addresses rather than the UDP procedures.
>      >>     > >
>      >>     > GIM>> Could you please clarify your suggestion - move to
>     Section
>      >>    4 or to
>      >>     > the preceding paragraph? I think it is the latter but
>     wanted to
>      >>    make sure.
>      >>    Full section 5 from your draft-8 candidate:
>      >>    : 5.  Reception of BFD Packet from VXLAN Tunnel
>      >>    :
>      >>    :    Once a packet is received, the VTEP MUST validate the
>     packet.     If the
>      >>    :    Destination MAC of the inner Ethernet frame matches one
>     of the MAC
>      >>    :    addresses associated with the VTEP the packet MUST be
>     processed
>      >>    :    further.  If the Destination MAC of the inner Ethernet frame
>      >>    doesn't
>      >>    :    match any of VTEP's MAC addresses, then the processing
>     of the
>      >>    :    received VXLAN packet MUST follow the procedures
>     described in
>      >>    :    Section 4.1 [RFC7348].
>      >>    It's not clear what that procedure is, with respect to BFD. 
>     Section 4.1
>      >>    basically says is that when a mapping is discovered, deliver
>     it to
>      >>    that VM
>      >>    with headers removed.
>      >>    Section 4.1 really doesn't discuss dropping behavior.
>      >>    :
>      >>    :    The UDP destination port and the TTL of the inner IP
>     packet MUST be
>      >>    :    validated to determine if the received packet can be
>     processed by
>      >>    :    BFD.
>      >>    This is fine.
>      >>    :    BFD Control packets with unknown MAC address MUST NOT be
>      >>    :    forwarded to VMs.
>      >>    This appears to be clarifying the missing point in the prior
>      >>    paragraph.  If
>      >>    that's the case, why is this sentence not part of the prior
>     paragraph?
>      >> GIM>> So I thought. Moving the sentence to the first paragraph
>     highlighted the contradiction others had pointed earlier:
>      >> On the one hand:
>      >>    If the Destination MAC of the inner Ethernet frame doesn't
>      >>    match any of VTEP's MAC addresses, then the processing of the
>      >>    received VXLAN packet MUST follow the procedures described in
>      >>    Section 4.1 [RFC7348].
>      >> To which we add:
>      >>    BFD Control packets with unknown MAC address
>      >>    MUST NOT be forwarded to VMs.
>      >> But the unknown MACs are treated as BUM according to the last
>     paragraph in Section 4.2 of RFC 7348:
>      >>    Note that multicast frames and "unknown MAC destination"
>     frames are
>      >>    also sent using the multicast tree, similar to the broadcast
>     frames.
>      >> In light of that, can this draft require that BFD packets with
>     unknown MAC be dropped and not flooded over the corresponding to the
>     VNI domain? I think that in addition to moving the sentence up the
>     statement must be updated:
>      >> OLD TEXT:
>      >>    BFD Control packets with unknown MAC address
>      >>    MUST NOT be forwarded to VMs.
>      >> NEW TEXT:
>      >>    If the BFD session is using the Management VNI (Section 6),
>      >>    BFD Control packets with unknown MAC address
>      >>    MUST NOT be forwarded to VMs.
>      >>  Comments? Suggestions?
>      >>    -- Jeff
>