Re: Fwd: I-D Action: draft-ietf-bfd-vxlan-02.txt
Greg Mirsky <gregimirsky@gmail.com> Mon, 17 September 2018 22:47 UTC
Return-Path: <gregimirsky@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBFD7130DC4 for <rtg-bfd@ietfa.amsl.com>; Mon, 17 Sep 2018 15:47:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XYNf-4rpESfp for <rtg-bfd@ietfa.amsl.com>; Mon, 17 Sep 2018 15:47:47 -0700 (PDT)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99C59130EC9 for <rtg-bfd@ietf.org>; Mon, 17 Sep 2018 15:47:46 -0700 (PDT)
Received: by mail-lf1-x12e.google.com with SMTP id z186-v6so123371lfa.5 for <rtg-bfd@ietf.org>; Mon, 17 Sep 2018 15:47:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TNT0Uh8JJ3/By9zC1xNi/vP7tNTzn1FIrzgUQxAcRDI=; b=j5X+YpXHv1rpAKOaK8wr+hXroXe37X65KfErp7q3OIGj8uxhpPtJigGE5pGt48MxDU TjozNjHJmDlKeERkMkznNkmoHXuGbFqbPmXR+BdwVWINBbOi6irqS3D4YY1ixTFVDJ/r NlEYuMTOdiQE7wwEzEsd9FxIkZVH/3szfS3CGXDgdUzfTBUxHiqA1zhUmLU/6kFVxnQI m+aj3XdHnvXfvHUsmnX1Y3IYBQ7vWNf+eRsZQTE9xvKFABlCC1j8o4oEB7BSwGg9eGnk W6+FySnNw0t/eBoYggWR8w7OY1UziBxLCSyd011XI+fnlgmoVMNe32q7fWjrHYFTtjmf tqbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TNT0Uh8JJ3/By9zC1xNi/vP7tNTzn1FIrzgUQxAcRDI=; b=B2OcHnel479qn8vl+GrrtA/LEGOMzIQY/hu0RhXp6zyvDzYV/ctWTBcMRkL7BhOwSE sWAYbV4kQsjQ5szXI8xdCffGaw9jMMUpxBKohX8f9Bhdm585+6hY8PUk36tKFruDN2bq auKaC1jZUARwSQEIW9csZoN5stP22oWLND+yRiRLKT3sjYOxl9BTPMWH9lVb39KPNj8g aX2kH1yfV1jysJabEOgy/KZjPqeuFuNgKGv00M+OeTCDkleChzsNCvwfN0Uy0NQgZNQJ iyb/WboCA2ej2c/VUiL/2GY/9v/62X0yh8vVGhxjtU40IYmzl5JUbS0eYHn3EfG/CPwN CTcg==
X-Gm-Message-State: APzg51D1X0BzhTQimmoMeG/YecRBvAZ4g3tdF1LJQpyjG8kDYgazMFa9 wIruoWUfbpGU1/9IU+JxpP1BG8DjEtNTnm2y+KY=
X-Google-Smtp-Source: ANB0VdZ1GyFSmO0X4HcBJqAOwDLgUBmgG8PZ+xK+0nFxvo1yJEvlVxe2TAbnSMN6ptjbcTh8/CAleaeDb+dJW1m7A8w=
X-Received: by 2002:a19:cc97:: with SMTP id c145-v6mr7933308lfg.145.1537224464570; Mon, 17 Sep 2018 15:47:44 -0700 (PDT)
MIME-Version: 1.0
References: <153462297684.27533.6391249246080806217@ietfa.amsl.com> <CA+RyBmW9x9Y-Ve=1JnFatqisqOkpN6YZuOFimNbUS+Keo1KUnw@mail.gmail.com> <20180913143611411852.0ca9e40a@sniff.de>
In-Reply-To: <20180913143611411852.0ca9e40a@sniff.de>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Mon, 17 Sep 2018 15:47:34 -0700
Message-ID: <CA+RyBmXywULG1+yLzsce15EQVNHUjTdWQO2+N7=o=j7DbMa6RA@mail.gmail.com>
Subject: Re: Fwd: I-D Action: draft-ietf-bfd-vxlan-02.txt
To: Marc Binderberger <marc@sniff.de>
Cc: rtg-bfd WG <rtg-bfd@ietf.org>, Donald Eastlake <d3e3e3@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000269dd4057618f6cb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/Zl7hura5dc5uyZ96axvsQ-vvy1g>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Sep 2018 22:47:50 -0000
Hi Marc, many thanks for your excellent comments and the most detailed questions - all much appreciated and the most helpful. Please find my answers, notes in-line and tagged GIM>>, Regards, Greg On Thu, Sep 13, 2018 at 5:36 PM, Marc Binderberger <marc@sniff.de> wrote: > Hello Greg & Authors, > > great to see this draft progressing! > > > As usual I'm a bit late :-/ but I do have some questions/comments: > > > Q1: the TTL = 1 requirement for the inner IP packet. The explanation for > the > MUST is > > TTL: MUST be set to 1 to ensure that the BFD packet is not > routed within the L3 underlay network. > > > I find this a very implementation-specific reason that may not apply to > many > other implementations. But the demand for TTL = 1 may limit what can be > done > with today's silicon, which is why I question this demand here :-) > > You will find off-the-shelf silicon that offers you BFD RFC5881 "in > hardware". For the ASIC user the usage is typically fixed by the API/SDK > and > RFC5881 uses TTL = 255 for send and check on receive. Using a loopback > port > it would be simple to use this RFC5881 BFD engine to send packets over the > VxLAN tunnel. But the TTL=1 requirements defeats this. Could we drop it? > GIM>> I think that this specification is closer to RFC 5884 case where TTL > for the encapsulated BFD control packet mandated to be set to 1: > The IP TTL or hop limit MUST be set to 1 [RFC4379]. > Q2: in this context of TTL you write > > 10. Security Considerations > > The document recommends setting the inner IP TTL to 1 which could > lead to a DDoS attack. > GIM>> Would s/recommends/requires/ work? > > > First, you don't recommend - you say MUST. But as a non-native speaker > maybe > this is a misinterpretation on my side ;-) > More interesting: how does TTL = 1 raises the DDoS risk? By someone > directly, > i.e. without any VxLAN encapsulation, sending a BFD packet to the VTEP IP ? > GIM>> Agree, the wording is rather confusing. Would the following text make it clearer: OLD TEXT: The document recommends setting the inner IP TTL to 1 which could lead to a DDoS attack. Thus the implementation MUST have throttling in place. Throttling MAY be relaxed for BFD packets based on port number. NEW TEXT: The document requires setting the inner IP TTL to 1 which could be used as DDoS attack vector. Thus the implementation MUST have throttling in place to control the rate of BFD control packets sent to the control plane. > > Q3: for the demultiplexing of incoming BFD packets (section 6.1) you write > > [...] For such packets, the BFD session MUST be identified > using the inner headers, i.e., the source IP and the destination IP > present in the IP header carried by the payload of the VXLAN > encapsulated packet. The VNI of the packet SHOULD be used to derive > interface-related information for demultiplexing the packet. > > > I understand the "MUST" for the source IP, to differentiate a session with > VTEP A from the session with VTEP B. Why is the destination IP, i.e. my > local > IP, of relevance? Support for multiple VTEP? > GIM>> Yes, it is the case. > But my main question is, why the VNI (or related information like the > local > VLAN or VFI) is only a "SHOULD" ? GIM>> An implementation may support only use of VNI 0 and not to use VNI value of the received packet. > In section 4 you say > > [...] Separate BFD > sessions can be established between the VTEPs (IP1 and IP2) for > monitoring each of the VXLAN tunnels (VNI 100 and 200). > > > How would I separate these BFD sessions when src/dst IP are the same? > GIM>> By using different VNI in the VXLAN encapsulation of a BFD Control packets. > > > Finally a nitpick, you write in section 6: > > The UDP destination port and the TTL of the inner Ethernet frame MUST > be validated > > We all understand what you mean but I first stumbled: Ethernet frames have > no > TTL. You mean (of course) the inner IP packet - why not writing it? ;-) > GIM>> Agreed. Would s/inner Ethernet/inner IP packet/ address it? > > > > Anyway, overall very useful standard (as you see from my comments, there > are > feature roadmaps coming ;-) > GIM>> Thank you for your kind words and help to improve the specification, Marc. > > > Thanks & Regards, > Marc > > > > > > On Sat, 18 Aug 2018 13:54:22 -0700, Greg Mirsky wrote: > > Dear All, > > the new version addresses comments and editorial suggestions we've > received > > from Donald. > > > > Your reviews are most welcome, comments, questions, and suggestions much > > appreciated. > > > > As discussed at the meeting in Montreal, the authors believe that this > > document is ready for WGLC. > > > > Regards, > > Greg > > > > ---------- Forwarded message ---------- > > From: <internet-drafts@ietf.org> > > Date: Sat, Aug 18, 2018 at 1:09 PM > > Subject: I-D Action: draft-ietf-bfd-vxlan-02.txt > > To: i-d-announce@ietf.org > > Cc: rtg-bfd@ietf.org > > > > > > > > A New Internet-Draft is available from the on-line Internet-Drafts > > directories. > > This draft is a work item of the Bidirectional Forwarding Detection WG > of > > the IETF. > > > > Title : BFD for VXLAN > > Authors : Santosh Pallagatti > > Sudarsan Paragiri > > Vengada Prasad Govindan > > Mallik Mudigonda > > Greg Mirsky > > Filename : draft-ietf-bfd-vxlan-02.txt > > Pages : 10 > > Date : 2018-08-18 > > > > Abstract: > > This document describes the use of the Bidirectional Forwarding > > Detection (BFD) protocol in Virtual eXtensible Local Area Network > > (VXLAN) overlay networks. > > > > > > The IETF datatracker status page for this draft is: > > https://datatracker.ietf.org/doc/draft-ietf-bfd-vxlan/ > > > > There are also htmlized versions available at: > > https://tools.ietf.org/html/draft-ietf-bfd-vxlan-02 > > https://datatracker.ietf.org/doc/html/draft-ietf-bfd-vxlan-02 > > > > A diff from the previous version is available at: > > https://www.ietf.org/rfcdiff?url2=draft-ietf-bfd-vxlan-02 > > > > > > Please note that it may take a couple of minutes from the time of > submission > > until the htmlized version and diff are available at tools.ietf.org. > > > > Internet-Drafts are also available by anonymous FTP at: > > ftp://ftp.ietf.org/internet-drafts/ > > > > >
- I-D Action: draft-ietf-bfd-vxlan-02.txt internet-drafts
- Fwd: I-D Action: draft-ietf-bfd-vxlan-02.txt Greg Mirsky
- Re: Fwd: I-D Action: draft-ietf-bfd-vxlan-02.txt Marc Binderberger
- Re: Fwd: I-D Action: draft-ietf-bfd-vxlan-02.txt Greg Mirsky
- Re: Fwd: I-D Action: draft-ietf-bfd-vxlan-02.txt Greg Mirsky