Re: draft-ietf-bfd-vxlan IESG status

Greg Mirsky <gregimirsky@gmail.com> Wed, 17 June 2020 21:12 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 367E13A0B4A; Wed, 17 Jun 2020 14:12:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.855
X-Spam-Level:
X-Spam-Status: No, score=-0.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NUMERIC_HTTP_ADDR=1.242, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X_Y4Qi6m2x3P; Wed, 17 Jun 2020 14:12:16 -0700 (PDT)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD2283A0B68; Wed, 17 Jun 2020 14:12:15 -0700 (PDT)
Received: by mail-lf1-x12a.google.com with SMTP id w15so2171059lfe.11; Wed, 17 Jun 2020 14:12:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NQ+OI6gEPz0/YTr03tLWsu/t3ARVTBloxcvIIpDiCnc=; b=ZRbxCDnXsr0xJbro+XTIjeLufOoypfKK8dl9AF/TLXxaCrMN1+42RgWDPtO1e583rC A3iQAfQASxU9n6wWBI8B1MuTATIZ3HSjNwKMrjtaFwix37QpEytacCCJNEraRUU+0PJd 5G5sZdQQAQ/FIK0ankWgRMKMZuJY64M5AWUGrlLPDCJi4EGHOqvbcjyYP2ElTIcTaS3A SBza5eoRwfnNIRsHlKEj1LPRLU70BfzU0XNsmazqnD36vYI1DQrMR3shlIwfUTzN43mc VF+i7EmnZSVdlo/YpsyAH94HguTohNJ7qg1DvvHcEfWCVWQWM+Rv4EO8xLf2vWTQ7Tyv YNqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NQ+OI6gEPz0/YTr03tLWsu/t3ARVTBloxcvIIpDiCnc=; b=Jkwtr+MOGBvYqxvXgk4HIpEx1pyrusezKShn1PJI3s5unFWxL2/gSyQ1wrz0CrqDfR 2mJmH+Ea3kVtO+vfuIlqY9P01ufncPl+11bL7Vt58HcWx+gXLO7yZdu/fWVRu2HwneIG qWzzBkyhwdtgOAsdjHUleX/9PoZ4pY0Hhg627glm6ZXfVMZbXtzp617mEv4AKJTQU1pP foBvi8soyxMrhrq7I2aTdFCSSwgN7POUymo0ViSy48+C4lOLxBIKDgsybbLMyVpMf1ar VrSqsjUNAPg6J+fuUEA9GnYguYQNBweKTxOvfe4zjRPDKK5dcjME7NfsCNvG86I2gv4c uOWw==
X-Gm-Message-State: AOAM533tx/MM49u6t72IdbfvtszqytYr3T9mrKHG19dpFM0LkmfBa1hD 3+4EqVO+Dzedx1Df8fDWCRiWCOiKdNgXLYZ1xU0=
X-Google-Smtp-Source: ABdhPJxd3gBayluRjbiuUeAVkvYV+3MeJNZiT6dt9MTDJDAjUGpjxhIvwUXaGGWSaWGtxAJZSbO3sPo39QUTE8LySEY=
X-Received: by 2002:a05:6512:6c4:: with SMTP id u4mr447975lff.98.1592428333985; Wed, 17 Jun 2020 14:12:13 -0700 (PDT)
MIME-Version: 1.0
References: <20200127221705.GB17622@pfrc.org> <20200616211057.GA21373@pfrc.org> <CA+RyBmXk_-gnuyUYwbSwkfiBSvUnX77G2m5M4bkDsYQiHYjqbw@mail.gmail.com> <E2C152D4-AA4C-4CC8-BAD1-13FF007552E6@pfrc.org>
In-Reply-To: <E2C152D4-AA4C-4CC8-BAD1-13FF007552E6@pfrc.org>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Wed, 17 Jun 2020 14:12:02 -0700
Message-ID: <CA+RyBmXSr2skW1sidfFZks4+eOW0KSvP=jDzk_Mz3GcFhVZ=AA@mail.gmail.com>
Subject: Re: draft-ietf-bfd-vxlan IESG status
To: Jeffrey Haas <jhaas@pfrc.org>
Cc: Donald Eastlake <d3e3e3@gmail.com>, The IESG <iesg@ietf.org>, bfd-chairs@ietf.org, draft-ietf-bfd-vxlan@ietf.org, rtg-bfd WG <rtg-bfd@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002d72b805a84e1dae"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/fs5krXxsapvmdjXJ6RztZUik_9E>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2020 21:12:18 -0000

Hi Jeff,
thank you for the additional details. I've top-posted the discussion thread
regarding a firewall, VTEP, and drop rules. I recall that the relevant text
was suggested based on deployment experience. I will try to update it along
the suggested lines:

I think the rewording would include some phrasing like "RECOMMENDED that
the only firewall exception to allow incoming traffic with destination
address from the loopback range is when [...]", and of course, mention
the need to have BFD configured.

Would the following update make it clearer:
OLD TEXT:
  There could be a
   firewall configured on VTEP to block loopback addresses if set as the
   destination IP in the inner IP header.  It is RECOMMENDED to allow
   addresses from the loopback range through a firewall only if they are
   used as the destination IP addresses in the inner IP header and the
   destination UDP port is set to 3784 [RFC5881].
NEW TEXT:
  If a firewall
   configured on VTEP packets with their destination IP addresses in the
   inner IP header set to one of the loopback addresses listed above will be
   dropped.  To allow BFD work as described in this specification, it is
   RECOMMENDED to use an exception rule to allow addresses from the
   loopback range through a firewall only if they are used as the
   destination IP addresses in the inner IP header and the destination
   UDP port is set to 3784 [RFC5881].
Also, would splitting this text into a paragraph help to keep clear?

If the proposed update is not better than the current text, let's remove it
altogether.

Regards,
Greg

On Wed, Jun 17, 2020 at 12:52 PM Jeffrey Haas <jhaas@pfrc.org> wrote:

> Greg,
>
>
> > On Jun 16, 2020, at 9:05 PM, Greg Mirsky <gregimirsky@gmail.com> wrote:
> > thank you for providing continued support and guidance. Please find my
> > notes in-lined under tag GIM>>. Attached are the new working version and
> > its diff to -12. There are two remaining Open Issues - 7 and 9. I much
> > appreciate your considerations and suggestions.
>
> [...]
>
> >>> Open Issue 7: "::FFFF:7F00:0/104 IPv6 range" (COMMENT via Benjamin K.)
> >>>
> >>> Proposed Action: I believe this issue's fate is similarly tied to Open
> >> Issue 3.
> >>> If the proposal is limited solely to management VNI, this text is not
> >>> relevant and may be deleted.
> >>
> >> This action is still pending.
> >>
> > GIM>> There are two references to this IPv6 range. I think that the
> > document should give a recommendation on what address to use as the
> > destination IP address. As we've discussed with  Adam Roach, only ::ffff:
> > 127.0.0.1/128 has host loopback meaning in IPv6. I propose to change
> > throughout the text from "one of the addresses from IPv6 range" to
> "::ffff:
> > 127.0.0.1/128 for IPv6".
>
> Sorry, the issue is from the IESG ballot at
> https://datatracker.ietf.org/doc/draft-ietf-bfd-vxlan/ballot/:
>
> >    0:0:0:0:0:FFFF:7F00:0/104 range for IPv6).  There could be a firewall
> >    configured on VTEP to block loopback addresses if set as the
> >    destination IP in the inner IP header.  It is RECOMMENDED to allow
> >    addresses from the loopback range through a firewall only if it is
> >    used as the destination IP address in the inner IP header, and the
> >    destination UDP port is set to 3784 [RFC5881].
> >
> > I think we should reword this to make it clear that the default behavior
> > is still "block all incoming traffic with loopback destination" and that
> > the exception is tightly scoped to the encapsulated VXLAN traffic
> > discussed in this document and the specific destination port *and when
> > BFD has been configured for the VTEP*.
>
> So, the question is what should be done about packet drop or firewalls?
>
> My opinion is one possible action for this is to drop the text.  For this
> feature to work, traffic will be arriving with packets destined to these
> well known ranges.  If you want the feature to work, they must be permitted
> to come through.  Rather than mention "if you have it", the related actions
> are implied by things necessary to implement it.
>
>
>
> >
> >>>
> >>> Open Issue 9: "Destination MAC: This MUST NOT be of one of tenant's MAC
> >>> addresses." (COMMENT via Benjamin K.)
> >>>
> >>> Proposed Action: I believe this issue's fate is similarly tied to Open
> >> Issue 3.
> >>> If the proposal is limited solely to management VNI, this text is not
> >>> relevant and may be deleted.
> >>
> >> In -12, we now have the following text:
> >> "Destination MAC: since a Management VNI is the VNI that does
> >> not have any tenants, the value of this field is not analyzed
> >> by the receiving VTEP."
> >>
> >> For the management VNI, this text is true.  However, it likely requires
> a
> >> value that is described in the specification.
> >>
> >> Proposed solution: A MAC value should be chosen that is well known and
> th=
> > e
> >> text would become:
> >>
> >> "Destination MAC: A Management VNI, which does not have any tenants,
> will
> >> have no dedicated MAC address for decapsulated traffic.  The value
> >> X:X:X:X:X
> >> SHOULD be used in this field."
> >>
> >> SHOULD might need to be MUST.  Since a partial motivation for permitting
> >> the
> >> flexibility in the specification to NOT use the management VNI is
> desired=
> > ,
> >> MUST might be inappropriate.
> >>
> > GIM>> Accepted the suggested text. I agree that the flexibility to not
> use
> > the Management VNI is permitted in the specification and thus SHOULD in
> the
> > text is consistent with that scenario. How would we pick the MAC address?
>
> I am out of my area of expertise and I was hoping someone in the IESG can
> offer a fix. :-)  I am copying Donald Eastlake since he's the designated
> expert for the IANA MAC address block.
>
> Donald, review of the thread may be useful, but tersely the need is to
> have a well known MAC address that can be placed in this vxlan PDU that is
> literally a placeholder of "not to be used for forwarding".  The packet
> arrives at the endpoint and, if not immediately accepted, would be dropped.
>
> If there is no well known MAC that could be used for such a behavior,
> perhaps an address from the IANA block may be used?
>
> While I suspect the IANA mac documentation range could be used, IANA may
> not appreciate that.
>
> -- Jeff
>
>
>