IETF Logo Mail Archive

Re: Fwd: I-D Action: draft-ietf-bfd-vxlan-02.txt

Greg Mirsky <gregimirsky@gmail.com> Mon, 17 September 2018 22:47 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBFD7130DC4 for <rtg-bfd@ietfa.amsl.com>; Mon, 17 Sep 2018 15:47:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XYNf-4rpESfp for <rtg-bfd@ietfa.amsl.com>; Mon, 17 Sep 2018 15:47:47 -0700 (PDT)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99C59130EC9 for <rtg-bfd@ietf.org>; Mon, 17 Sep 2018 15:47:46 -0700 (PDT)
Received: by mail-lf1-x12e.google.com with SMTP id z186-v6so123371lfa.5 for <rtg-bfd@ietf.org>; Mon, 17 Sep 2018 15:47:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TNT0Uh8JJ3/By9zC1xNi/vP7tNTzn1FIrzgUQxAcRDI=; b=j5X+YpXHv1rpAKOaK8wr+hXroXe37X65KfErp7q3OIGj8uxhpPtJigGE5pGt48MxDU TjozNjHJmDlKeERkMkznNkmoHXuGbFqbPmXR+BdwVWINBbOi6irqS3D4YY1ixTFVDJ/r NlEYuMTOdiQE7wwEzEsd9FxIkZVH/3szfS3CGXDgdUzfTBUxHiqA1zhUmLU/6kFVxnQI m+aj3XdHnvXfvHUsmnX1Y3IYBQ7vWNf+eRsZQTE9xvKFABlCC1j8o4oEB7BSwGg9eGnk W6+FySnNw0t/eBoYggWR8w7OY1UziBxLCSyd011XI+fnlgmoVMNe32q7fWjrHYFTtjmf tqbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TNT0Uh8JJ3/By9zC1xNi/vP7tNTzn1FIrzgUQxAcRDI=; b=B2OcHnel479qn8vl+GrrtA/LEGOMzIQY/hu0RhXp6zyvDzYV/ctWTBcMRkL7BhOwSE sWAYbV4kQsjQ5szXI8xdCffGaw9jMMUpxBKohX8f9Bhdm585+6hY8PUk36tKFruDN2bq auKaC1jZUARwSQEIW9csZoN5stP22oWLND+yRiRLKT3sjYOxl9BTPMWH9lVb39KPNj8g aX2kH1yfV1jysJabEOgy/KZjPqeuFuNgKGv00M+OeTCDkleChzsNCvwfN0Uy0NQgZNQJ iyb/WboCA2ej2c/VUiL/2GY/9v/62X0yh8vVGhxjtU40IYmzl5JUbS0eYHn3EfG/CPwN CTcg==
X-Gm-Message-State: APzg51D1X0BzhTQimmoMeG/YecRBvAZ4g3tdF1LJQpyjG8kDYgazMFa9 wIruoWUfbpGU1/9IU+JxpP1BG8DjEtNTnm2y+KY=
X-Google-Smtp-Source: ANB0VdZ1GyFSmO0X4HcBJqAOwDLgUBmgG8PZ+xK+0nFxvo1yJEvlVxe2TAbnSMN6ptjbcTh8/CAleaeDb+dJW1m7A8w=
X-Received: by 2002:a19:cc97:: with SMTP id c145-v6mr7933308lfg.145.1537224464570; Mon, 17 Sep 2018 15:47:44 -0700 (PDT)
MIME-Version: 1.0
References: <153462297684.27533.6391249246080806217@ietfa.amsl.com> <CA+RyBmW9x9Y-Ve=1JnFatqisqOkpN6YZuOFimNbUS+Keo1KUnw@mail.gmail.com> <20180913143611411852.0ca9e40a@sniff.de>
In-Reply-To: <20180913143611411852.0ca9e40a@sniff.de>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Mon, 17 Sep 2018 15:47:34 -0700
Message-ID: <CA+RyBmXywULG1+yLzsce15EQVNHUjTdWQO2+N7=o=j7DbMa6RA@mail.gmail.com>
Subject: Re: Fwd: I-D Action: draft-ietf-bfd-vxlan-02.txt
To: Marc Binderberger <marc@sniff.de>
Cc: rtg-bfd WG <rtg-bfd@ietf.org>, Donald Eastlake <d3e3e3@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000269dd4057618f6cb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/Zl7hura5dc5uyZ96axvsQ-vvy1g>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Sep 2018 22:47:50 -0000

Hi Marc,
many thanks for your excellent comments and the most detailed questions -
all much appreciated and the most helpful.
Please find my answers, notes in-line and tagged GIM>>,

Regards,
Greg

On Thu, Sep 13, 2018 at 5:36 PM, Marc Binderberger <marc@sniff.de> wrote:

> Hello Greg & Authors,
>
> great to see this draft progressing!
>
>
> As usual I'm a bit late :-/ but I do have some questions/comments:
>
>
> Q1: the TTL = 1 requirement for the inner IP packet. The explanation for
> the
> MUST is
>
>          TTL: MUST be set to 1 to ensure that the BFD packet is not
>          routed within the L3 underlay network.
>
>
> I find this a very implementation-specific reason that may not apply to
> many
> other implementations. But the demand for TTL = 1 may limit what can be
> done
> with today's silicon, which is why I question this demand here :-)
>
> You will find off-the-shelf silicon that offers you BFD RFC5881 "in
> hardware". For the ASIC user the usage is typically fixed by the API/SDK
> and
> RFC5881 uses TTL = 255 for send and check on receive. Using a loopback
> port
> it would be simple to use this RFC5881 BFD engine to send packets over the
> VxLAN tunnel.  But the TTL=1 requirements defeats this.  Could we drop it?



> GIM>> I think that this specification is closer to RFC 5884 case where TTL
> for the encapsulated BFD control packet mandated to be set to 1:
>
The IP TTL or hop limit MUST be set to 1 [RFC4379].


> Q2: in this context of TTL you write
>
>    10.  Security Considerations
>
>       The document recommends setting the inner IP TTL to 1 which could
>       lead to a DDoS attack.
>
GIM>> Would s/recommends/requires/ work?

>
>
> First, you don't recommend - you say MUST. But as a non-native speaker
> maybe
> this is a misinterpretation on my side ;-)
> More interesting: how does TTL = 1 raises the DDoS risk? By someone
> directly,
> i.e. without any VxLAN encapsulation, sending a BFD packet to the VTEP IP ?
>
GIM>> Agree, the wording is rather confusing. Would the following text make
it clearer:
OLD TEXT:
   The document recommends setting the inner IP TTL to 1 which could
   lead to a DDoS attack.  Thus the implementation MUST have throttling
   in place.  Throttling MAY be relaxed for BFD packets based on port
   number.

NEW TEXT:
   The document requires setting the inner IP TTL to 1 which could
   be used as DDoS attack vector.  Thus the implementation MUST have
throttling
   in place to control the rate of BFD control packets sent to the control
plane.


>
> Q3: for the demultiplexing of incoming BFD packets (section 6.1) you write
>
>    [...] For such packets, the BFD session MUST be identified
>    using the inner headers, i.e., the source IP and the destination IP
>    present in the IP header carried by the payload of the VXLAN
>    encapsulated packet.  The VNI of the packet SHOULD be used to derive
>    interface-related information for demultiplexing the packet.
>
>
> I understand the "MUST" for the source IP, to differentiate a session with
> VTEP A from the session with VTEP B. Why is the destination IP, i.e. my
> local
> IP, of relevance?  Support for multiple VTEP?
>
GIM>> Yes, it is the case.

> But my main question is, why the VNI (or related information like the
> local
> VLAN or VFI) is only a "SHOULD" ?

GIM>> An implementation may support only use of VNI 0 and not to use VNI
value of the received packet.


> In section 4 you say
>
>    [...] Separate BFD
>    sessions can be established between the VTEPs (IP1 and IP2) for
>    monitoring each of the VXLAN tunnels (VNI 100 and 200).
>
>
> How would I separate these BFD sessions when src/dst IP are the same?
>
GIM>> By using different VNI in the VXLAN encapsulation of a BFD Control
packets.

>
>
> Finally a nitpick, you write in section 6:
>
>    The UDP destination port and the TTL of the inner Ethernet frame MUST
>    be validated
>
> We all understand what you mean but I first stumbled: Ethernet frames have
> no
> TTL. You mean (of course) the inner IP packet - why not writing it? ;-)
>
GIM>> Agreed. Would s/inner Ethernet/inner IP packet/ address it?

>
>
>
> Anyway, overall very useful standard (as you see from my comments, there
> are
> feature roadmaps coming ;-)
>
GIM>> Thank you for your kind words and help to improve the specification,
Marc.

>
>
> Thanks & Regards,
> Marc
>
>
>
>
>
> On Sat, 18 Aug 2018 13:54:22 -0700, Greg Mirsky wrote:
> > Dear All,
> > the new version addresses comments and editorial suggestions we've
> received
> > from Donald.
> >
> > Your reviews are most welcome, comments, questions, and suggestions much
> > appreciated.
> >
> > As discussed at the meeting in Montreal, the authors believe that this
> > document is ready for WGLC.
> >
> > Regards,
> > Greg
> >
> > ---------- Forwarded message ----------
> > From: <internet-drafts@ietf.org>
> > Date: Sat, Aug 18, 2018 at 1:09 PM
> > Subject: I-D Action: draft-ietf-bfd-vxlan-02.txt
> > To: i-d-announce@ietf.org
> > Cc: rtg-bfd@ietf.org
> >
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> > directories.
> > This draft is a work item of the Bidirectional Forwarding Detection WG
> of
> > the IETF.
> >
> >         Title           : BFD for VXLAN
> >         Authors         : Santosh Pallagatti
> >                           Sudarsan Paragiri
> >                           Vengada Prasad Govindan
> >                           Mallik Mudigonda
> >                           Greg Mirsky
> >         Filename        : draft-ietf-bfd-vxlan-02.txt
> >         Pages           : 10
> >         Date            : 2018-08-18
> >
> > Abstract:
> >    This document describes the use of the Bidirectional Forwarding
> >    Detection (BFD) protocol in Virtual eXtensible Local Area Network
> >    (VXLAN) overlay networks.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-bfd-vxlan/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-ietf-bfd-vxlan-02
> > https://datatracker.ietf.org/doc/html/draft-ietf-bfd-vxlan-02
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-bfd-vxlan-02
> >
> >
> > Please note that it may take a couple of minutes from the time of
> submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> >
>

v2.23.0 | Report a Bug | By Email