Re: Éric Vyncke's Discuss on draft-ietf-bfd-vxlan-09: (with DISCUSS and COMMENT)

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Thu, 19 December 2019 12:48 UTC

Return-Path: <evyncke@cisco.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F320D120121; Thu, 19 Dec 2019 04:48:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.497
X-Spam-Level:
X-Spam-Status: No, score=-14.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=TNiw0RJ0; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=aZIfIWPf
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W0_0b0tZ3QJN; Thu, 19 Dec 2019 04:48:48 -0800 (PST)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D537112006D; Thu, 19 Dec 2019 04:48:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13737; q=dns/txt; s=iport; t=1576759727; x=1577969327; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=EaOymXoj19R8XjY950K9gXwW0Zg6DBSOhBBXysqWZnA=; b=TNiw0RJ0Bb2sMQSrsU/fVPrQfiN9m0FlAfErs71NVJSumAWt3/VUSKyH Z43G8jXLiQO0fSZ0q2X+2WaAxGuYqTwOb4EowYaOxlzLCW4y7tdsdw7xE 8Jl3XkGg3DYER4GZ1lWSVyPd/AHIOFJCdUcbvyj8TTjXoG6vK5jj2A6vK E=;
IronPort-PHdr: =?us-ascii?q?9a23=3A7GsFFBMmk5QX1z3C42gl6mtXPHoupqn0MwgJ65?= =?us-ascii?q?Eul7NJdOG58o//OFDEu60/l0fHCIPc7f8My/HbtaztQyQh2d6AqzhDFf4ETB?= =?us-ascii?q?oZkYMTlg0kDtSCDBj2Mu/sZC83NM9DT1RiuXq8NBsdFQ=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0APAQAicPtd/40NJK1kGgEBAQEBAQE?= =?us-ascii?q?BAQMBAQEBEQEBAQICAQEBAYF8gR4vUAVsWCAECyqEBoNGA4pzgl+JXolJhGG?= =?us-ascii?q?CUgNUCQEBAQwBAS0CAQGEQAIXggQkOBMCAw0BAQQBAQECAQUEbYU3DIVeAQE?= =?us-ascii?q?BAQMSER0BASkOAQ8CAQgRAwECAScDAgICHxEUBgMIAgQBDQUigwABgXlNAy4?= =?us-ascii?q?BoVMCgTiIYXWBMoJ+AQEFhScNC4IMCYE2iVCCSRqBQT+BEScggkw+ghuCCEY?= =?us-ascii?q?WgloygiyPfjmFV5g+QwqCNJFyhCYbgkOHeZAVg0eLCopuj2MCBAIEBQIOAQE?= =?us-ascii?q?FgWkigVhwFWUBgkFQGA2NEgwXFYM7ilN0gSiNLoJAAQE?=
X-IronPort-AV: E=Sophos;i="5.69,331,1571702400"; d="scan'208,217";a="690587319"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 19 Dec 2019 12:48:46 +0000
Received: from XCH-RCD-008.cisco.com (xch-rcd-008.cisco.com [173.37.102.18]) by alln-core-8.cisco.com (8.15.2/8.15.2) with ESMTPS id xBJCmkKr020113 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 19 Dec 2019 12:48:46 GMT
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by XCH-RCD-008.cisco.com (173.37.102.18) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 19 Dec 2019 06:48:45 -0600
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 19 Dec 2019 06:48:45 -0600
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Thu, 19 Dec 2019 07:48:45 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=asURlHdgxH/wwjtahEAqkQk28viPdls8VHy0QkZHyU9isS5wb6AGRZkhmWCi/Ik+tWnhKUru2DOolOzsqSgUS3wcc4eSpKE6Hi7/XEGj6Efg5UZ9/LeccVLCPlN44tx85PZ0dKTFsYAIZoCgV7GppAP/5rOV3K1NpZ9KZqgN89GNs7XC7GJ65HE0ut+rsX4eUaJcnRO0p5wH5U3a7q1YP7Q9oEIKI4K2i1g8deJqsT6xuuklHoq/aKSMEiozdlqy21nS0wS7LMe36ktbaHn8i48b5QAYHtK0LVWaB+wxbyHUEfgFhxudvi1/GQm/UOZZBKNixRfc/32mVmV6BJCzEg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=EaOymXoj19R8XjY950K9gXwW0Zg6DBSOhBBXysqWZnA=; b=GaixkRvRGcvHwm3z+6PgLnjzFBi+K/dev8j7EDgdEjeFrZcyGSypo6eMKBmH6LX9ipkWknwQKg8Mhpfwjio6kdox6z28wu0BgnyRmvCFbXx+fXGHp1odLqekmr+Y2jgyyvnoGVGNiAtN4lkLZzISWUcPOjQrsHkKTEyIh3AZrRqaZJhTiKKL4gxed0RWcWboMMTusqJW3RC9P7bfVqzwKtClHQADtxI5cY+mS3qhouWvS1w20oZ5szMWboTAeNouzeaHjPJ2P3VAG046+udtah7HAidTzXP2IfhlgESO65SSkqPArJzqkP+XLbNfGqXKY7XU9YN/5h5K8hJV3MPi4Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=EaOymXoj19R8XjY950K9gXwW0Zg6DBSOhBBXysqWZnA=; b=aZIfIWPfWz1Y/6EX8gVv092G5MGshGFPsLW/nW3Z5jIVRuWs/Jv05kN9Jx8hm29t65oufZrEqlgWvOBK0RCZZed08uq6eY/9IGs3DLA6YH05C8DWn8UQ86A3YeHI6rEpRN0VZMyV2dUF8R33PdAOltRjhJYGqsqiHVZK8rCUlJg=
Received: from DM5PR11MB1753.namprd11.prod.outlook.com (10.175.88.141) by DM5PR11MB1836.namprd11.prod.outlook.com (10.175.86.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2538.18; Thu, 19 Dec 2019 12:48:44 +0000
Received: from DM5PR11MB1753.namprd11.prod.outlook.com ([fe80::f8ba:7d8d:391d:4302]) by DM5PR11MB1753.namprd11.prod.outlook.com ([fe80::f8ba:7d8d:391d:4302%12]) with mapi id 15.20.2559.012; Thu, 19 Dec 2019 12:48:43 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Greg Mirsky <gregimirsky@gmail.com>, Jeffrey Haas <jhaas@pfrc.org>
CC: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>, The IESG <iesg@ietf.org>, "draft-ietf-bfd-vxlan@ietf.org" <draft-ietf-bfd-vxlan@ietf.org>, "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>, "bfd-chairs@ietf.org" <bfd-chairs@ietf.org>
Subject: =?utf-8?B?UmU6IMOJcmljIFZ5bmNrZSdzIERpc2N1c3Mgb24gZHJhZnQtaWV0Zi1iZmQt?= =?utf-8?Q?vxlan-09:_(with_DISCUSS_and_COMMENT)?=
Thread-Topic: =?utf-8?B?w4lyaWMgVnluY2tlJ3MgRGlzY3VzcyBvbiBkcmFmdC1pZXRmLWJmZC12eGxh?= =?utf-8?Q?n-09:_(with_DISCUSS_and_COMMENT)?=
Thread-Index: AQHVteIq5ryADAJO5Ui6+24NC5naA6fAasRigABPBoCAAMB/gA==
Date: Thu, 19 Dec 2019 12:48:43 +0000
Message-ID: <3E08A000-91DE-448A-8AAF-77D34D82C226@cisco.com>
References: <157657269782.26511.12421406428553874826.idtracker@ietfa.amsl.com> <CED2B858-AC55-4B0A-ADA2-AC46B628E6DA@cisco.com> <20191218203145.GD6488@pfrc.org> <FE5AEE55-9F03-49E9-89C3-6C9700C8683E@cisco.com> <20191218214102.GF6488@pfrc.org> <CA+RyBmVc6t8K2UgZfFQoaCghmGQi0yOS1ZvB7r+E32sRS=vSxA@mail.gmail.com>
In-Reply-To: <CA+RyBmVc6t8K2UgZfFQoaCghmGQi0yOS1ZvB7r+E32sRS=vSxA@mail.gmail.com>
Accept-Language: fr-BE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.20.0.191208
authentication-results: spf=none (sender IP is ) smtp.mailfrom=evyncke@cisco.com;
x-originating-ip: [2001:420:c0c1:36:31d1:af5:af8e:a461]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 812a7d33-8bc9-45a6-491e-08d78481c819
x-ms-traffictypediagnostic: DM5PR11MB1836:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <DM5PR11MB1836B4491E29B756C005C1F2A9520@DM5PR11MB1836.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0256C18696
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(376002)(366004)(346002)(136003)(39860400002)(189003)(199004)(8936002)(6486002)(478600001)(2616005)(33656002)(86362001)(2906002)(4326008)(81166006)(6506007)(71200400001)(5660300002)(81156014)(316002)(36756003)(91956017)(76116006)(186003)(224303003)(66946007)(66476007)(6512007)(66574012)(64756008)(110136005)(53546011)(54906003)(66556008)(66446008); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR11MB1836; H:DM5PR11MB1753.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: FUEXDZFyW19uA4hEDA0h0m4xyWkEYPBfEbMyWX+Beqhutk/upxLG8LR95pHXlWuxYGFhSKgD+uDkkgmrtL29z8rn6qFlB6n/uqXqmToWZxe3j9f6V6YmSWh+f067ErPCCwRHquVKsv+15mMjHNAbhS6OhrnKFG1dELJZNyMXq5+k6uiaxd4TkW7TIIUGLOVhn3LlG5zh4UXYMtrhnjY3Y6TBDXcA4ArwNqIc3zGEbyotpAryYggxMOwkGljeSI0Wx7PnA7iitCpEWIGWN4fZfdq8bUSKFaMO4vD8D/WShXJ28kxJBPK80dIUbCCqW8VKcYGJdIUOVwPV7I9xxMWrLJRqmp8F9YRZ+arbMstTKtf+K96axk8UMap8fmu6NjVXNprSK9qjNOq6KtUR/+syZhB7TMsM/ksiqDf+AZcNj5dsDLSCm+p1dFEAx5e0b5MU
Content-Type: multipart/alternative; boundary="_000_3E08A00091DE448A8AAF77D34D82C226ciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 812a7d33-8bc9-45a6-491e-08d78481c819
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Dec 2019 12:48:43.8102 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: WZZz9YeTXNUPZYgNW4/MbWyZKNrSLXODwjwWbyvrz79VGD2VWeBN+IK/qolLUCozGJdosJFNU4xkHstN6pzT4Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1836
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.18, xch-rcd-008.cisco.com
X-Outbound-Node: alln-core-8.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/NP11colrpXUH8ZEc2GcSnQhsryU>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Dec 2019 12:48:50 -0000

Greg,

Thank you for the new text but I still believe that forwarding in the data plane a packet with TTL/HL=254 (assuming TTL/HL=255 at source) is less an issue than forcing the control plane of a VNI/gateway to reply to a remote BFD (the whole idea behind GTSM is to accept only local traffic). Moreover, a bad behaving routers is probably less probable than a bad behaving VM (although I am unsure about the threat model in this case).

Else, please s/ removes the VXLAN header/ removes the outer IP + UDP + VXLAN headers/

Also, note that IPv6 packets with HL=0 but with a matching dest addr will be accepted by IPv6 nodes.

-éric

From: Greg Mirsky <gregimirsky@gmail.com>
Date: Thursday, 19 December 2019 at 03:20
To: Jeffrey Haas <jhaas@pfrc.org>
Cc: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>om>, Eric Vyncke <evyncke@cisco.com>om>, The IESG <iesg@ietf.org>rg>, "draft-ietf-bfd-vxlan@ietf.org" <draft-ietf-bfd-vxlan@ietf.org>rg>, "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>rg>, "bfd-chairs@ietf.org" <bfd-chairs@ietf.org>
Subject: Re: Éric Vyncke's Discuss on draft-ietf-bfd-vxlan-09: (with DISCUSS and COMMENT)

Hi Carlos, Jeff, et al.,
thank you for a very insightful discussion.
Based on the input from the experts familiar with VXLAN deployment scenario the following text was added to justify the requirement to set TTL or Hop Limit to 1:
         TTL or Hop Limit: MUST be set to 1 to ensure that the BFD
         packet is not routed within the Layer 3 underlay network.  This
         addresses the scenario when the inner IP destination address is
         of VXLAN gateway and there is a router in underlay which
         removes the VXLAN header, then it is possible to route the
         packet as VXLAN  gateway address is routable address.

Best regards,
Greg

On Wed, Dec 18, 2019 at 1:36 PM Jeffrey Haas <jhaas@pfrc.org<mailto:jhaas@pfrc.org>> wrote:
Carlos,

On Wed, Dec 18, 2019 at 09:28:30PM +0000, Carlos Pignataro (cpignata) wrote:
> The TTL of 1 recommended for RFC 4379 / RFC 8029 S4.3 is because if the MPLS packet is mis-routed, or there's a forwarding mis-programming, then an MPLS LSE pop would expose the BFD packet and so that the BFD is not further mis-forwarded.
>
> In the VXLAN case an intermediate router would not remove the VXLAN encap because the outer encap is IP (with a destination address, not an MPLS Label that can be mis-interpreted in context) and a mid-point router would not understand VXLAN.

Explained, that now seems obvious.  Thanks. :-)

But given that point, what precisely is the objection to the inner IP header
of the BFD for vxlan having a TTL of 1?

I think this is partially a matter of attack spaces varying depending on
whether we're targeting the management VNI vs. a tenant.  In the case of the
management VNI, we (should) have very strong control over what BFD traffic
is getting encapsulated.

However, for tenant VNI mode, is the argument that depending on what the
other vxlan PDU parameters look like, tenant sourced BFD PDUs may be
indistinguishable from ones sourced by the management infrastructure?  And
if so, how would GTSM help us here?

-- Jeff