IETF Logo Mail Archive

Re: Alvaro Retana's Discuss on draft-ietf-bfd-vxlan-09: (with DISCUSS and COMMENT)

Greg Mirsky <gregimirsky@gmail.com> Wed, 25 December 2019 21:51 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F314120025; Wed, 25 Dec 2019 13:51:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.597
X-Spam-Level:
X-Spam-Status: No, score=-0.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_COMMENT_SAVED_URL=1.391, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_HTML_ATTACH=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rkcwlxK0x1Yz; Wed, 25 Dec 2019 13:51:31 -0800 (PST)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D7AE1200E7; Wed, 25 Dec 2019 13:51:30 -0800 (PST)
Received: by mail-lj1-x230.google.com with SMTP id z22so18581053ljg.1; Wed, 25 Dec 2019 13:51:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=je0Oney1NJnkuB3ho5D3eXC/3vanvLpaN9becasTPQQ=; b=M96+WvbEhVcQgSf6DQ1AFw3U4ZppOL6x8tA7SHh3ILAhMoAvLKvFP70f+xNIkCigVC 3/8k3Ymgk6eRmcPvug9E9CCz0Vx3uNMXus7Gvk6ueBK+suSv1QlePsSI3fAgq9dzpqsn tbELMVCEGbsK0GY5Vij+7AfLqV+5waAHOySVe0kDiaJycNFz6yVWdGHTNXWCCmqM7LVh XVQxSVXPbtKEVe3PG1V/wXQ8vZLa8WegzOLGIbNzL6K4oAvh3O7kVcx/KvngQRaRPlU3 QyU42M955gfQjKPdCXJ8tnNW5PMrEhPawAti2dM945XJUPo8vUPKP/TqWGNhSveS5HWr mAdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=je0Oney1NJnkuB3ho5D3eXC/3vanvLpaN9becasTPQQ=; b=BW3SXlJ+sKcHx1hHmD05PZ75LDd7BZZC+RfP0WTrhjp8u0RWDrUdhVkwRewy0mr76c 4ejioGWfNJBhIvu+lmSYy8EG0JRX576OuopZHVHF/G9xKx1EUCPzvXYOnf1pFgsHeu8/ jd+tqNHd5mokElSPiv+JJZz67OSZKtw7vSpnMGezEL+ea+SDvN55Vr7ouc3saqhfFFxi vgeYvGupIsaxYLKFubDi2XZFTci8TY1KY+e3yJW0fdXgSj+wwVfPz91XeECEqRRf9KFS V52op4My63N+bIONpg3LhnuTgYsCfhaMDJkS/rndOC79/C9KALbOoU9EEj3b+8snUl40 T2Lg==
X-Gm-Message-State: APjAAAUXk2hAxWFfZgPVM5MRjFKIxrx9rB9gdP0g5QN3dZoHO0ysmV08 GAqMJlTCzEA2t84K+yRL7e0OpeMOtf8amNuTK5A=
X-Google-Smtp-Source: APXvYqwjp8POiLtbnSWc6O6TnJR5zR2vHL7BmuLOXUExb4MiDA5o5leO2o81lwwPDcwHBGTmZzu4B4zik54RWwD4pSY=
X-Received: by 2002:a2e:6c06:: with SMTP id h6mr23337786ljc.246.1577310688346; Wed, 25 Dec 2019 13:51:28 -0800 (PST)
MIME-Version: 1.0
References: <157660542458.26499.3977878811671361973.idtracker@ietfa.amsl.com>
In-Reply-To: <157660542458.26499.3977878811671361973.idtracker@ietfa.amsl.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Wed, 25 Dec 2019 13:51:17 -0800
Message-ID: <CA+RyBmUPCrj_ahxa098vj__niNndjbOJEccA-KwoopgKp5C51Q@mail.gmail.com>
Subject: Re: Alvaro Retana's Discuss on draft-ietf-bfd-vxlan-09: (with DISCUSS and COMMENT)
To: Alvaro Retana <aretana.ietf@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-bfd-vxlan@ietf.org, Jeffrey Haas <jhaas@pfrc.org>, bfd-chairs@ietf.org, rtg-bfd WG <rtg-bfd@ietf.org>
Content-Type: multipart/mixed; boundary="00000000000047affe059a8e4315"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/bVSbBXUVray7H_bO3h3ji6FK6aI>
X-Mailman-Approved-At: Thu, 02 Jan 2020 06:21:59 -0800
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Dec 2019 21:51:38 -0000

Hi Alvaro,
thank you for your thorough review, detailed questions, and helpful
suggestions. Please find answers in-line below under GIM>> tag.
Also, attached is the diff to highlight all the updates in the current
working version of the draft.

Regards,
Greg

On Tue, Dec 17, 2019 at 9:57 AM Alvaro Retana via Datatracker <
noreply@ietf.org> wrote:

> Alvaro Retana has entered the following ballot position for
> draft-ietf-bfd-vxlan-09: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-bfd-vxlan/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> I support Eric's DISCUSS point about the TTL, but I want to go a step
> further
> because this document contradicts rfc5881, which is clear about the TTL
> setting
> (from §5):
>
>    If BFD authentication is not in use on a session, all BFD Control
>    packets for the session MUST be sent with a Time to Live (TTL) or Hop
>    Limit value of 255.  All received BFD Control packets that are
>    demultiplexed to the session MUST be discarded if the received TTL or
>    Hop Limit is not equal to 255.  A discussion of this mechanism can be
>    found in [GTSM].
>
>    If BFD authentication is in use on a session, all BFD Control packets
>    MUST be sent with a TTL or Hop Limit value of 255.  All received BFD
>    Control packets that are demultiplexed to the session MAY be
>    discarded if the received TTL or Hop Limit is not equal to 255.  If
>    the TTL/Hop Limit check is made, it MAY be done before any
>    cryptographic authentication takes place if this will avoid
>    unnecessary calculation that would be detrimental to the receiving
>    system.
>
> OTOH, Section 4 of this document specifies:
>
>      TTL or Hop Limit: MUST be set to 1 to ensure that the BFD
>      packet is not routed within the Layer 3 underlay network.  This
>      addresses the scenario when the inner IP destination address is
>      of VXLAN gateway and there is a router in underlay which
>      removes the VXLAN header, then it is possible to route the
>      packet as VXLAN  gateway address is routable address.
>
> Not wanting the packet to be routed in the underlay sounds like a
> reasonable
> justification -- but I couldn't find the specification in rfc7348 about "a
> router in underlay which removes the VXLAN header".  Maybe I missed it...
>
GIM>> You're right, RFC 7348 does not describe what may be referred to as
Penultimate VXLAN termination. We've received the information about the
scenario described in Section 4 (the quote above) from one of the experts
well-familiar with VXLAN deployments and an existing BFD over VXLAN
implementation that sets IP TTL to 1 for BFD control packets.

>
> Independent of VXLAN, the conflict with rfc5881 remains -- given the text
> above, it seems to me that it would be ok if the TTL was set to 1 if
> authentication is is use, but this document doesn't talk about requiring
> authentication.
>
GIM>> You're right, BFD authentication is not dicussed in this document. In
VXLAN's Security Considerations section has been noted that a traditional
security mechanism, e.g., IPsec, may be used to authenticate and/or encrypt
VXLAN traffic. Perhaps the same should be said about BFD over VXLAN. For
example, text below may be added to Section 9:

A BFD over VXLAN session MAY be secured by using a traditional
security mechanism, e.g. IPsec, that authenticates and/or encrypts
VXLAN traffic.


>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> I also support Ben's DISCUSS.
>
> Non-blocking comments:
>
> (1) §3: "...a service layer BFD session may be used between the tenants of
> VTEPs IP1 and IP2..."   Just to be clear, the use of BFD in a "service
> layer
> session" is out of scope of this document, right?  It might be nice to say
> so.
>
GIM>> Agree. Will the following update be acceptable:
OLD TEXT:
   At the same time, a service layer BFD session may be used between the
   tenants of VTEPs IP1 and IP2 to provide end-to-end fault management.
NEW TEXT:
   At the same time, a service layer BFD session may be used between the
   tenants of VTEPs IP1 and IP2 to provide end-to-end fault management
   (this use case is outside the scope of this document).

>
> (2) §3: "As per Section 4, the inner destination IP address SHOULD be..."
> If
> the specification is already in Section 4, then there doesn't seem to be a
> need
> to repeat it.  It might make more sense to put the text about a potential
> firewall there.
>
GIM>> Resulting from addressing comments by other reviewers this text now
reads as:
   For BFD Control packets encapsulated in VXLAN (Figure 2), the inner
   destination IP address SHOULD be set to one of the loopback addresses
   from 127/8 range for IPv4 or to one of IPv4-mapped IPv4 loopback
   addresses from ::ffff:127.0.0.0/104 range for IPv6.  There could be a
   firewall configured on VTEP to block loopback addresses if set as the
   destination IP in the inner IP header.  It is RECOMMENDED to allow
   addresses from the loopback range through a firewall only if they are
   used as the destination IP addresses in the inner IP header and the
   destination UDP port is set to 3784 [RFC5881].
Do you think it is more clear and acceptable form?

>
> (3) §4: "...SHOULD ensure that the BFD packets follow the same lookup path
> as
> VXLAN data packets within the sender system."  What is a "lookup path"?
> When
> would it be ok to not ensure it?  BTW, a better Normative statement might
> me
> (something like): MUST follow the same lookup path...
>
GIM>> Would s/lookup/forwarding/  be acceptable? On your suggestion to
strengthen the normative language, RFC 5880 notes that the ability to
monitor a forwarding engine with BFD is only "to the extent possible". That
is why we've decided to us SHOULD rather than MUST.

>
> (4) §4: "The MAC address MAY be configured, or it MAY be learned via a
> control
> plane protocol. The details of how the MAC address is obtained are outside
> the
> scope of this document."  The Normative MAYs are really just stating a
> fact,
> and out of scope any way.  s/MAY/may
>
GIM>> Agree.
         The MAC address may be
         either configured or learned via a control plane protocol.

>
> (5) §5: "If the Destination MAC of the inner Ethernet frame doesn't match
> any
> of VTEP's MAC addresses, then the processing of the received VXLAN packet
> MUST
> follow the procedures described in Section 4.1 [RFC7348]."  §4.1 of
> rfc7348 is
> about Unicast VM-to-VM Communication -- which makes me think that if the
> procedures from that section are followed then the BFD packet may be
> forwarded
> to a VM, which seems to be in contradiction with this statement (from §3):
> "BFD
> packets intended for a VTEP MUST NOT be forwarded to a VM as a VM may drop
> BFD
> packets leading to a false negative."  What am I missing?
>
GIM>> In the preceding sentence we've tried to emphasize that a BFD packet
MUST use one of MAC addresses associated with VTEP:
   If the
   Destination MAC of the inner Ethernet frame matches one of the MAC
   addresses associated with the VTEP the packet MUST be processed
   further.
The next sentence (your quote) is to state that tenant packets (MAC address
is not of VTEP) MUST be processed as per VXLAN specification.

>
> (6) Related to the last point, the following sentences also mention that
> BFD
> packets MUST NOT be forwarded to VMs...but with qualifications:
>
> §5: "If the BFD session is using the Management VNI (Section 6), BFD
> Control
> packets with unknown MAC address MUST NOT be forwarded to VMs."
>
> §6: "All VXLAN packets received on the Management VNI MUST be processed
> locally
> and MUST NOT be forwarded to a tenant."
>
> The difference between these 2 statements and the one from §3 is that they
> seem
> to be intended only when using the Management VNI...but it would seem that
> the
> general statement applies there too, right?  IOW, the specific statements
> about
> the Management VNIs are simply affirming what was already said more
> generally
> in §3, right?
>
GIM>> Yes, your understanding is absolutely correct.

>
> (7) Nits:
>
> s/of VXLAN gateway and there is a router in underlay/of the VXLAN gateway
> and
> there is a router in the underlay
>

> s/VTEP MUST validate/the VTEP MUST validate
>
> s/then BFD session/then the BFD session
>
GIM>> Done. Thank you.

v2.23.0 | Report a Bug | By Email