Re: [RTG-DIR] Rtgdir last call review of draft-ietf-bfd-vxlan-07

"Joel M. Halpern" <jmh@joelhalpern.com> Fri, 07 June 2019 03:05 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3616120156; Thu, 6 Jun 2019 20:05:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z173-eDZxE6i; Thu, 6 Jun 2019 20:05:15 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE8F21200B6; Thu, 6 Jun 2019 20:05:14 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id 45KnT60r6Sz15Qpv; Thu, 6 Jun 2019 20:05:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=2.tigertech; t=1559876714; bh=5D0iggVtblcVmp6SB+UoMdolyufi6w0bSglYkB1AVSY=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=dXqE+ZVRVD2iluJYUUbLp1eBdfoLEYJbqucV8zGAjP7+wpLAwrd+U3l7uMp20pXip P/3QVMT8rLkq+S7gsXLRf72tjWGfapot5GXRIJc1lF1fRfyy5BwjGzf/5ww1Z2Kepd updwM/gnuDPVKAuNnfZ7ycuCtxJZl3gSa8TGL7hA=
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from Joels-MacBook-Pro.local (209-255-163-147.ip.mcleodusa.net [209.255.163.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id 45KnT50dl9z15Qps; Thu, 6 Jun 2019 20:05:12 -0700 (PDT)
Subject: Re: [RTG-DIR] Rtgdir last call review of draft-ietf-bfd-vxlan-07
To: Greg Mirsky <gregimirsky@gmail.com>
Cc: rtg-dir@ietf.org, rtg-bfd WG <rtg-bfd@ietf.org>, draft-ietf-bfd-vxlan.all@ietf.org, IETF list <ietf@ietf.org>
References: <155864919758.8626.11137277913302380197@ietfa.amsl.com> <CA+RyBmXO5tYtrm_79KOKJmTp2mbYwynze20EoJA=2gGnJ5jEsw@mail.gmail.com> <98825f67-6958-8845-d5d5-3e0ac5e996e1@joelhalpern.com> <CA+RyBmXmuL+v55SEgHfx-E=bkpLSZe4ceZG5k6e4R=QSuWQ=Ag@mail.gmail.com> <a8ead230-a09d-8ab9-5263-7414d2bd1acc@joelhalpern.com> <CA+RyBmVAhKGCxBPujtBU54wPCqY39zr_U8TA6rfbzQcaHm9oCw@mail.gmail.com> <4903980b-49e2-1f8c-7575-2af4614e2c6b@joelhalpern.com> <CA+RyBmVhPKjkogj-78xCHqMZG+Gtkd5wEpk2QbLTH+LncTou9g@mail.gmail.com>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <fd979eb7-df50-14e1-a6a1-c91c7fe36fad@joelhalpern.com>
Date: Thu, 6 Jun 2019 23:05:11 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <CA+RyBmVhPKjkogj-78xCHqMZG+Gtkd5wEpk2QbLTH+LncTou9g@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/675EKsv3kO1iBQP2yOLlADwjhn8>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2019 03:05:19 -0000

As far as I can tell, what you describe violates the base VxLAN 
specification by requiring that the VTEP have a MAC address within the 
tenant space.

If there were no other way to make BFD work for VxLAN except biolating 
the spec, then I would epect the document to be very explicit that it 
was taking MAC address away from the tenant space.

Given that there clearly are other ways to achieve the goal that do not 
violate the underlying VxLAN spec, I think the IETF is obliged to use 
something else.

Yours,
Joel

PS: Having said that, I grant that for this purpose I have no more 
standing than any other WG member.

On 6/6/19 10:43 PM, Greg Mirsky wrote:
> Hi Joel,
> in the previous mail you've said:
>  >     As far as I know, in normal VxLAN oepration, VTEPs do NOT have their
>  >     own
>  >     MAC addresses within the scope of the VNI.
> I agree and note that VTEP's MAC addresses used in the inner Ethernet 
> header don't have to be associated with a VNI. They are the same as used 
> in the outer Ethernet header. And the BFD over VXLAN specification does 
> modify the processing of the inner Ethernet frame comparing to the 
> procedure described in RFC 7348.
> I don't say that the described method of encapsulating BFD over VXLAN is 
> the only one, but it is what has been discussed and supported by BFD WG. 
> Also, AFAIK, at least one implementation already exists.
> 
> 
> Regards,
> Greg
> 
> On Thu, Jun 6, 2019 at 5:53 PM Joel M. Halpern <jmh@joelhalpern.com 
> <mailto:jmh@joelhalpern.com>> wrote:
> 
>     There is a reason the "Outer Ethernet Header" in section 5 of 7348 is
>     labeled as "example".  That outer header will actually vary hop by hop
>     along the IP network between the source VTEP and the desination VTEP.
>     Unless the source and destination VTEP are one IP hope apart, the
>     source
>     VTEP will not even know the Ethernet MAC address of the destination VP.
>     It will simply address the outer IP packet, and let IP rotuing do its
>     job (that is the whole point of VxLAN.)
> 
>     More importantly, it is not associated with any VNI as it is the outer
>     header.  Your usage is as an inner Ethernet Destination address.  The
>     inner Ethernet header is the tenant space.  The VTEPs do not impinge on
>     that space.  Nor use any values from it.
> 
>     Yours,
>     Joel
> 
>     On 6/6/19 8:18 PM, Greg Mirsky wrote:
>      > Hi Joel,
>      > thank you for the clarification of your concern. For the inner
>     Ethernet
>      > header, the destination and source MAC addresses are as described in
>      > Section 5 of RFC 7348 for VXLAN's outer Ethernet header:
>      >       The outer destination MAC address in this frame may
>      >        be the address of the target VTEP or of an intermediate
>     Layer 3
>      >        router.
>      > As I understand this example, a VTEP must have MAC address
>     assigned. The
>      > address used as the source MAC address of the outer Ethernet
>     frame and
>      > may be used by a remote VTEP as destination MAC address in the outer
>      > Ethernet frame. This MAC address is not, as I understand, associated
>      > with any VNI. Perhaps we can add text to point to Section 5 RFC
>     7348 and
>      > how VTEP MAC address is used in the outer Ethernet header of a VXLAN
>      > packet. If you agree, I'll polish the new update in a day.
>      >
>      > Regards,
>      > Greg
>      >
>      > On Wed, Jun 5, 2019 at 8:20 PM Joel M. Halpern
>     <jmh@joelhalpern.com <mailto:jmh@joelhalpern.com>
>      > <mailto:jmh@joelhalpern.com <mailto:jmh@joelhalpern.com>>> wrote:
>      >
>      >     I am having trouble parsing your response.  Apologies.
>      >     The first part talks about a VTEP receiving a packet, and
>      >     determining if
>      >     there is a receiver VM for the inner MAC.  That is a quote
>     from 7348
>      >     Section 4.1.  I understand it.
>      >
>      >     You then go on to quote from section 5 of the BFD over VxLAN
>      >     specification saying that it modifies this to specify that
>     the VTEP
>      >     checks for its own MAC address.
>      >     The only problem is that the VTEP is not part of the tenant
>     network.
>      >     Any MAC address you want it to use may be in use by the
>     tenant network.
>      >     As far as I know, in normal VxLAN oepration, VTEPs do NOT
>     have their
>      >     own
>      >     MAC addresses within the scope of the VNI.
>      >
>      >     Now, if you say that BFD will only be used with VNI 0 (i.e. a
>     VNI that
>      >     is not assigned to a tenant), then the conflict goes away. 
>     But again,
>      >     there is no need for special MAC checking.  Just declare that
>     the VTEP
>      >     looks for OAM content on VNI 0.
>      >
>      >     So no, your proposed change does not address my concern, as
>     "VTEP's MAC
>      >     address is not, to the best of my knowledge, a well-defined
>     term.  I am
>      >     happy to be shown where such a thing is defined for use within
>      >     tenant VNIs.
>      >
>      >     Yours,
>      >     Joel
>      >
>      >     On 6/5/19 9:55 PM, Greg Mirsky wrote:
>      >      > Hi Joel,
>      >      > I cannot find the text in RFC 7348 that suggests that any
>      >      > VXLAN-encapsulated frame received by VTEP must be
>     forwarded to a VM
>      >      > associated with the specified VNI. But I've found the text in
>      >     section
>      >      > 4.1 that makes the forwarding of the inner frame to VM
>      >     conditional to
>      >      > the destination MAC address matching to VM's MAC:
>      >      >     Upon reception, the remote VTEP
>      >      >     verifies the validity of the VNI and whether or not
>     there is
>      >     a VM on
>      >      >     that VNI using a MAC address that matches the inner
>      >     destination MAC
>      >      >     address.  If so, the packet is stripped of its
>     encapsulating
>      >     headers
>      >      >     and passed on to the destination VM.
>      >      > BFD over VXLAN specification in section 5 clarifies the
>      >     processing of
>      >      > the received VXLAN packet by the remote VXLAN:
>      >      >     Once a packet is received, VTEP MUST validate the
>     packet.  If the
>      >      >     Destination MAC of the inner MAC frame matches the MAC
>      >     address of the
>      >      >     VTEP the packet MUST be processed further.
>      >      >
>      >      >     The UDP destination port and the TTL of the inner IP
>     packet
>      >     MUST be
>      >      >     validated to determine if the received packet can be
>     processed by
>      >      >     BFD.  BFD packet with inner MAC set to VTEP's MAC address
>      >     MUST NOT be
>      >      >     forwarded to VMs.
>      >      > Would this text address your concern?
>      >      >
>      >      > Regards,
>      >      > Greg
>      >      >
>      >      > On Wed, Jun 5, 2019 at 2:47 PM Joel M. Halpern
>      >     <jmh@joelhalpern.com <mailto:jmh@joelhalpern.com>
>     <mailto:jmh@joelhalpern.com <mailto:jmh@joelhalpern.com>>
>      >      > <mailto:jmh@joelhalpern.com <mailto:jmh@joelhalpern.com>
>     <mailto:jmh@joelhalpern.com <mailto:jmh@joelhalpern.com>>>> wrote:
>      >      >
>      >      >     The inner packet of a VxLAN header with a VNI is a tenant
>      >     packet for
>      >      >     the
>      >      >     tenant identified by the VNI.  That is the meaning of the
>      >     inner packet.
>      >      >
>      >      >     If you declare that the flag bits change that meaning,
>     then
>      >     that flag
>      >      >     bit has to adjust the packet processing at the VTEP
>     such taht
>      >     it will
>      >      >     intercept the packet.  As such, it doesn;t need
>     special inner
>      >     source or
>      >      >     dest mac addresses or IP addresses.  In fact, the inner
>      >     packet can just
>      >      >     be OAM payload.
>      >      >
>      >      >     If that is not what you intend, then how is it that
>     the VTEP
>      >     knows that
>      >      >     the inner addresses are for it to examine, rather than
>      >     belonging to the
>      >      >     tenant.  As far as I know we are not free to take
>     addresses
>      >     away from
>      >      >     the tenant.
>      >      >
>      >      >     It may be that I am completely missing how this is
>     supposed to
>      >      >     work.  If
>      >      >     so, it needs better explanation.
>      >      >
>      >      >     Yours,
>      >      >     Joel
>      >      >
>      >      >     On 6/5/19 5:20 PM, Greg Mirsky wrote:
>      >      >      > Hi Joel,
>      >      >      > thank you for your review and the pointed questions.
>      >     Please find my
>      >      >      > answers, comments in-line and tagged GIM>>.
>      >      >      >
>      >      >      > Regards,
>      >      >      > Greg
>      >      >      >
>      >      >      >
>      >      >      > On Thu, May 23, 2019 at 3:06 PM Joel Halpern via
>     Datatracker
>      >      >      > <noreply@ietf.org <mailto:noreply@ietf.org>
>     <mailto:noreply@ietf.org <mailto:noreply@ietf.org>>
>      >     <mailto:noreply@ietf.org <mailto:noreply@ietf.org>
>     <mailto:noreply@ietf.org <mailto:noreply@ietf.org>>>
>      >      >     <mailto:noreply@ietf.org <mailto:noreply@ietf.org>
>     <mailto:noreply@ietf.org <mailto:noreply@ietf.org>>
>      >     <mailto:noreply@ietf.org <mailto:noreply@ietf.org>
>     <mailto:noreply@ietf.org <mailto:noreply@ietf.org>>>>> wrote:
>      >      >      >
>      >      >      >     Reviewer: Joel Halpern
>      >      >      >     Review result: Has Issues
>      >      >      >
>      >      >      >     Hello,
>      >      >      >
>      >      >      >     I have been selected as the Routing Directorate
>      >     reviewer for this
>      >      >      >     draft. The
>      >      >      >     Routing Directorate seeks to review all routing or
>      >      >     routing-related
>      >      >      >     drafts as
>      >      >      >     they pass through IETF last call and IESG
>     review, and
>      >      >     sometimes on
>      >      >      >     special
>      >      >      >     request. The purpose of the review is to provide
>      >     assistance
>      >      >     to the
>      >      >      >     Routing ADs.
>      >      >      >     For more information about the Routing Directorate,
>      >     please see
>      >      >      > http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir
>      >      >      >
>      >      >      >     Although these comments are primarily for the
>     use of
>      >     the Routing
>      >      >      >     ADs, it would
>      >      >      >     be helpful if you could consider them along
>     with any other
>      >      >     IETF Last
>      >      >      >     Call
>      >      >      >     comments that you receive, and strive to
>     resolve them
>      >     through
>      >      >      >     discussion or by
>      >      >      >     updating the draft.
>      >      >      >
>      >      >      >     Document: ddraft-ietf-bfd-vxlan-07
>      >      >      >     Reviewer: your-name
>      >      >      >     Review Date: date
>      >      >      >     IETF LC End Date: date-if-known
>      >      >      >     Intended Status: copy-from-I-D
>      >      >      >
>      >      >      >     Summary: This document does not appear to be
>     ready for
>      >      >     publication as a
>      >      >      >     Proposed Standard RFC.
>      >      >      >
>      >      >      >     Major issues:
>      >      >      >          The scoping of the BFD usage is unclear. 
>     In places,
>      >      >     this looks
>      >      >      >     like it is
>      >      >      >          intended to be used by the underlay service
>      >     provider,
>      >      >     who will
>      >      >      >     monitor the
>      >      >      >          connectivity between VTEPs.
>      >      >      >
>      >      >      > GIM>> I think that the DCI provider would not be
>     able to
>      >      >     instantiate a
>      >      >      > BFD session using VXLAN encapsulation and, possibly,
>      >     monitor that
>      >      >     VXLAN
>      >      >      > part of forwarding operates properly. Such BFD
>     session may
>      >      >     monitor the
>      >      >      > path between the two VTEP but, if there exists ECMP
>      >     environment
>      >      >     in the
>      >      >      > transport, ensuring that that BFD session follows
>     the same
>      >     path
>      >      >     as VXLAN
>      >      >      > data may be challenging.
>      >      >      >
>      >      >      >     In other places it seems to be aimed at
>      >      >      >          monitoring individual VNIs.
>      >      >      >
>      >      >      > GIM>> The BFD session between VTEPs is not actually
>     used to
>      >      >     monitor the
>      >      >      > particular VNI but MAY be used to communicate, as
>      >     concatenated path
>      >      >      > state signaling, the change of VNI state using the
>     method
>      >      >     described in
>      >      >      > Section 6.8.17 RFC 5880
>      >      >      > <https://tools.ietf.org/html/rfc5880#section-6.8.17>;.
>      >      >      >
>      >      >      >     This is made worse when the packet format is
>      >      >      >          laid out.  The inner packet is an Ethernet
>     Packet
>      >     with an IP
>      >      >      >     packet (with
>      >      >      >          UDP, with BFD).  This means that it is a
>     tenant
>      >     packet.
>      >      >      >
>      >      >      > GIM>> Could you please point to the text which suggests
>      >     that the BFD
>      >      >      > control packet is a tenant packet? Meant to be
>     delivered
>      >     to a tenant?
>      >      >      >
>      >      >      >     The IP address is
>      >      >      >          a tenant IP.
>      >      >      >
>      >      >      > GIM>> The explanation of the format states in regard to
>      >     the inner
>      >      >     IP header:
>      >      >      >         IP header:
>      >      >      >
>      >      >      >           Source IP: IP address of the originating
>     VTEP.
>      >      >      >
>      >      >      >           Destination IP: IP address of the
>     terminating VTEP.
>      >      >      >
>      >      >      >     But the diagram shows this as being the IP
>     address of the
>      >      >      >          VTEP.  Which is not a tenant entity.
>      >      >      >
>      >      >      >         There is further confusion as to whether the
>      >     processing is
>      >      >      >     driven by the VNI
>      >      >      >         the packet arrived with, or the VNI is ignored.
>      >      >      >
>      >      >      > GIM>> The use of VNI is implementation specific.
>     Section 6
>      >     states:
>      >      >      >   6.  Use of the Specific VNI
>      >      >      >
>      >      >      >     In most cases, a single BFD session is
>     sufficient for the
>      >      >     given VTEP
>      >      >      >     to monitor the reachability of a remote VTEP,
>      >     regardless of the
>      >      >      >     number of VNIs in common.  When the single BFD
>     session
>      >     is used to
>      >      >      >     monitor the reachability of the remote VTEP, an
>      >      >     implementation SHOULD
>      >      >      >     choose any of the VNIs but MAY choose VNI = 0.
>      >      >      >
>      >      >      >
>      >      >      >     Minor Issues:
>      >      >      >         N/A
>      >      >      >
>      >      >      >     Nits: N/A
>      >      >      >
>      >      >
>      >
>