IETF Logo Mail Archive

Re: BFD over VXLAN: Trapping BFD Control packet at VTEP

Santosh P K <santosh.pallagatti@gmail.com> Wed, 31 July 2019 18:00 UTC

Return-Path: <santosh.pallagatti@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCF8B120612; Wed, 31 Jul 2019 11:00:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.998
X-Spam-Level:
X-Spam-Status: No, score=-0.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nGhzqjrSo3eg; Wed, 31 Jul 2019 11:00:17 -0700 (PDT)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7450012060E; Wed, 31 Jul 2019 11:00:17 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id f9so70649520wre.12; Wed, 31 Jul 2019 11:00:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XBMp9gY8+1yr/RgC3O9AC9++Whvvr6T9K3AZCUcPVyE=; b=a4kfMAKVliwmSWsNQkaDvSlSwyiQyVmKBGArJPRxnNvYcHAAAtYbCYLW1REOwkIGrM VONTNv22ZRkHbxTV4GnfeY8L8qqeqL2FrlnSjkK/DFJhJYstgwBtSdKKXeHtEKJUstS0 OXwxVS9jenO1Hd3wV1oketyfsbM+kdAKK4mF+vof+4CpQfubaQHeQeziXJsf6E5P9WOf pbjokf5DKfowAQOxKWgEGemvh7xnQc/Yn34UWTdFB2icylBpOgE46jJ29T5eFGR2I3RN QNvePxBuY3WLXGntnW/k0RM4SOYfjidvoZg1E47EYIf3LQR4Mc82GzlMVfqNHDEMpnUy FbgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XBMp9gY8+1yr/RgC3O9AC9++Whvvr6T9K3AZCUcPVyE=; b=lVoEG03wNUpigEXyw6C2R8QA3IX+mqkPSsHSwl0Mzbgr1gEQSn/+4eomdV9jMkRaKu omUqTVr2QcDHv7gwQBorzTc5V6CdmAagiNEW7/D4qPe+1Y77rPEkBsVjXp0mSeYCNmG+ a3+5heSLIwt8rau5CWMW+T7j3nQy3Br6iLQbe+VYI80kx41EQk/9J06sgfQKvA0DJRXX Tq/Dmvh+O1pe6aQAGRrs/wqTsRRtfVlgGwrWHsiIyMAdKhTwiPzIxfCXWoc796z6hUwQ AX0AAcLxw2z1fFym1TYS5jiirz/9rJMC0JH5WUKYKzfXFr4XiX2vS9iyG/S2F2ONOh5M xb0Q==
X-Gm-Message-State: APjAAAWqPhzm1H0gVzdA/gVyyjX76DeBsaMrjSn6uUdITYq6tYDt99kF yG2HGf9CQvKKvxo005a6cCaNTUyDrNmhOaE1DE4=
X-Google-Smtp-Source: APXvYqyWz80J9qUQqgHTrNU9NzRyRCxe3qryqrXnKziNYGWkuW6zEO7CBiJuKcMwEkhkoCxrOZhT2FDqylzWJ3kdGWQ=
X-Received: by 2002:a5d:5644:: with SMTP id j4mr54763606wrw.144.1564596015966; Wed, 31 Jul 2019 11:00:15 -0700 (PDT)
MIME-Version: 1.0
References: <CA+RyBmW=byLBNfVQSdaEoMf-QnJtj13k788XhbZ9tqH4bcgqNQ@mail.gmail.com> <CAOPNUTBJztjmNgrDyHgMo8-nRazAaXACGJJZ6Lx8z8aRVBM+GA@mail.gmail.com> <CA+RyBmWrM3v37BO8O_VOGG-NJ+UbrtSVQ_2GwW0R+vLkxbtvHw@mail.gmail.com> <CACi9rdvKTLwBQn9mcJksGTW79QTFj0d45DOpDT1Jee4QpGnv3Q@mail.gmail.com> <c57a3cf3-ab77-99df-0f78-104edef3275c@joelhalpern.com>
In-Reply-To: <c57a3cf3-ab77-99df-0f78-104edef3275c@joelhalpern.com>
From: Santosh P K <santosh.pallagatti@gmail.com>
Date: Wed, 31 Jul 2019 11:00:04 -0700
Message-ID: <CACi9rdubTnzgCVZK0syRf3fsrpTU45SpQV57n2rNcNCqk+3+7Q@mail.gmail.com>
Subject: Re: BFD over VXLAN: Trapping BFD Control packet at VTEP
To: "Joel M. Halpern" <jmh@joelhalpern.com>
Cc: Greg Mirsky <gregimirsky@gmail.com>, Dinesh Dutt <didutt@gmail.com>, rtg-bfd WG <rtg-bfd@ietf.org>, "T. Sridhar" <tsridhar@vmware.com>, bfd-chairs@ietf.org, Martin Vigoureux <martin.vigoureux@nokia.com>, draft-ietf-bfd-vxlan@ietf.org
Content-Type: multipart/alternative; boundary="000000000000bfadc5058efde5ff"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/_9DQKVlXEvGq7gZIQFNNM73_hVI>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jul 2019 18:00:20 -0000

Joel,
   Thanks for your inputs. I checked implementation within Vmware. Perhaps
I should have been more clear about MAC address space while checking
internally. I will cross check again for the same and get back on this
list.

Thanks
Santosh P K

On Wed, Jul 31, 2019 at 10:54 AM Joel M. Halpern <jmh@joelhalpern.com>
wrote:

> Sorry to ask a stupid question.  Whose implementation?
>
> The reason I ask is that as far as I can tell, since the tenant does not
> have any control access to the VTEP, there is no reason for the VTEP to
> have a MAC address in the tenant space.  Yes, the device has a physical
> MAC address.  But the tenant could well be using that MAC address.  Yes,
> they would be violating the Ethernet spec.  But the whole point of
> segregation is not to care about such issues.
>
> On the other hand, if you tell me that the VMWare implementation has an
> Ethernet address that is part of the tenant space, well, they made up
> this particular game.
>
> Yours,
> Joel
>
> On 7/31/2019 1:44 PM, Santosh P K wrote:
> > I have checked with implementation in data path. When we receive a
> > packet with valid VNI then lookup for MAC will happen and it is VTEP own
> > MAC then it will be trapped to control plane for processing. I think we
> > can have following options
> > 1. Optional managment VNI
> > 2. Mandatory inner MAC set to VTEP mac
> > 3. Inner IP TTL set to 1 to avoid forwarding of packet via inner IP
> > address.
> >
> >
> > Thoughts?
> >
> > Thansk
> > Santosh P K
> >
> > On Wed, Jul 31, 2019 at 9:20 AM Greg Mirsky <gregimirsky@gmail.com
> > <mailto:gregimirsky@gmail.com>> wrote:
> >
> >     Hi Dinesh,
> >     thank you for your consideration of the proposal and questions. What
> >     would you see as the scope of testing the connectivity for the
> >     specific VNI? If it is tenant-to-tenant, then VTEPs will treat these
> >     packets as regular user frames. More likely, these could be Layer 2
> >     OAM, e.g. CCM frames. The reason to use 127/8 for IPv4, and
> >     0:0:0:0:0:FFFF:7F00:0/104 for IPv6 is to safeguard from leaking
> >     Ethernet frames with BFD Control packet to a tenant.
> >     You've suggested using a MAC address to trap the control packet at
> >     VTEP. What that address could be? We had proposed using the
> >     dedicated MAC and VTEP's MAC and both raised concerns among VXLAN
> >     experts. The idea of using Management VNI may be more acceptable
> >     based on its similarity to the practice of using Management VLAN.
> >
> >     Regards,
> >     Greg
> >
> >     On Wed, Jul 31, 2019 at 12:03 PM Dinesh Dutt <didutt@gmail.com
> >     <mailto:didutt@gmail.com>> wrote:
> >
> >         Hi Greg,
> >
> >         As long as the inner MAC address is such that the packet is
> >         trapped to the CPU, it should be fine for use as an inner MAC is
> >         it not? Stating that is better than trying to force a management
> >         VNI. What if someone wants to test connectivity on a specific
> >         VNI? I would not pick a loopback IP address for this since that
> >         address range is host/node local only. Is there a reason you're
> >         not using the VTEP IP as the inner IP address ?
> >
> >         Dinesh
> >
> >         On Wed, Jul 31, 2019 at 5:48 AM Greg Mirsky
> >         <gregimirsky@gmail.com <mailto:gregimirsky@gmail.com>> wrote:
> >
> >             Dear All,
> >             thank you for your comments, suggestions on this issue,
> >             probably the most challenging for this specification. In the
> >             course of our discussions, we've agreed to abandon the
> >             request to allocate the dedicated MAC address to be used as
> >             the destination MAC address in the inner Ethernet frame.
> >             Also, earlier using VNI 0 was changed from mandatory to one
> >             of the options an implementation may offer to an operator.
> >             The most recent discussion was whether VTEP's MAC address
> >             might be used as the destination MAC address in the inner
> >             Ethernet frame. As I recall it, the comments from VXLAN
> >             experts equally split with one for it and one against. Hence
> >             I would like to propose a new text to resolve the issue. The
> >             idea is to let an operator select Management VNI and use
> >             that VNI in VXLAN encapsulation of BFD Control packets:
> >             NEW TEXT:
> >
> >                 An operator MUST select a VNI number to be used as
> >                 Management VNI. VXLAN packet for Management VNI MUST NOT
> >                 be sent to a tenant. VNI number 1 is RECOMMENDED as the
> >                 default for Management VNI.
> >
> >             With that new text, what can be the value of the destination
> >             MAC in the inner Ethernet? I tend to believe that it can be
> >             anything and ignored by the reciever VTEP. Also, if the
> >             trapping is based on VNI number, the destination IP address
> >             of the inner IP packet can from the range 127/8 for IPv4,
> >             and for IPv6 from the range 0:0:0:0:0:FFFF:7F00:0/104. And
> >             lastly, the TTL to be set to 1 (no change here).
> >
> >             Much appreciate your comments, questions, and suggestions.
> >
> >             Best regards,
> >             Greg
> >
>

v2.23.0 | Report a Bug | By Email