Alvaro Retana's Discuss on draft-ietf-bfd-vxlan-09: (with DISCUSS and COMMENT)
Alvaro Retana via Datatracker <noreply@ietf.org> Tue, 17 December 2019 17:57 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: rtg-bfd@ietf.org
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 90DD0120B16; Tue, 17 Dec 2019 09:57:04 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Alvaro Retana via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-bfd-vxlan@ietf.org, Jeffrey Haas <jhaas@pfrc.org>, bfd-chairs@ietf.org, rtg-bfd@ietf.org
Subject: Alvaro Retana's Discuss on draft-ietf-bfd-vxlan-09: (with DISCUSS and COMMENT)
X-Test-IDTracker: no
X-IETF-IDTracker: 6.113.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Alvaro Retana <aretana.ietf@gmail.com>
Message-ID: <157660542458.26499.3977878811671361973.idtracker@ietfa.amsl.com>
Date: Tue, 17 Dec 2019 09:57:04 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/iOMNU6xcMj-Gpr3KdpC8ByenjEw>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Dec 2019 17:57:05 -0000
Alvaro Retana has entered the following ballot position for draft-ietf-bfd-vxlan-09: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-bfd-vxlan/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- I support Eric's DISCUSS point about the TTL, but I want to go a step further because this document contradicts rfc5881, which is clear about the TTL setting (from §5): If BFD authentication is not in use on a session, all BFD Control packets for the session MUST be sent with a Time to Live (TTL) or Hop Limit value of 255. All received BFD Control packets that are demultiplexed to the session MUST be discarded if the received TTL or Hop Limit is not equal to 255. A discussion of this mechanism can be found in [GTSM]. If BFD authentication is in use on a session, all BFD Control packets MUST be sent with a TTL or Hop Limit value of 255. All received BFD Control packets that are demultiplexed to the session MAY be discarded if the received TTL or Hop Limit is not equal to 255. If the TTL/Hop Limit check is made, it MAY be done before any cryptographic authentication takes place if this will avoid unnecessary calculation that would be detrimental to the receiving system. OTOH, Section 4 of this document specifies: TTL or Hop Limit: MUST be set to 1 to ensure that the BFD packet is not routed within the Layer 3 underlay network. This addresses the scenario when the inner IP destination address is of VXLAN gateway and there is a router in underlay which removes the VXLAN header, then it is possible to route the packet as VXLAN gateway address is routable address. Not wanting the packet to be routed in the underlay sounds like a reasonable justification -- but I couldn't find the specification in rfc7348 about "a router in underlay which removes the VXLAN header". Maybe I missed it... Independent of VXLAN, the conflict with rfc5881 remains -- given the text above, it seems to me that it would be ok if the TTL was set to 1 if authentication is is use, but this document doesn't talk about requiring authentication. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I also support Ben's DISCUSS. Non-blocking comments: (1) §3: "...a service layer BFD session may be used between the tenants of VTEPs IP1 and IP2..." Just to be clear, the use of BFD in a "service layer session" is out of scope of this document, right? It might be nice to say so. (2) §3: "As per Section 4, the inner destination IP address SHOULD be..." If the specification is already in Section 4, then there doesn't seem to be a need to repeat it. It might make more sense to put the text about a potential firewall there. (3) §4: "...SHOULD ensure that the BFD packets follow the same lookup path as VXLAN data packets within the sender system." What is a "lookup path"? When would it be ok to not ensure it? BTW, a better Normative statement might me (something like): MUST follow the same lookup path... (4) §4: "The MAC address MAY be configured, or it MAY be learned via a control plane protocol. The details of how the MAC address is obtained are outside the scope of this document." The Normative MAYs are really just stating a fact, and out of scope any way. s/MAY/may (5) §5: "If the Destination MAC of the inner Ethernet frame doesn't match any of VTEP's MAC addresses, then the processing of the received VXLAN packet MUST follow the procedures described in Section 4.1 [RFC7348]." §4.1 of rfc7348 is about Unicast VM-to-VM Communication -- which makes me think that if the procedures from that section are followed then the BFD packet may be forwarded to a VM, which seems to be in contradiction with this statement (from §3): "BFD packets intended for a VTEP MUST NOT be forwarded to a VM as a VM may drop BFD packets leading to a false negative." What am I missing? (6) Related to the last point, the following sentences also mention that BFD packets MUST NOT be forwarded to VMs...but with qualifications: §5: "If the BFD session is using the Management VNI (Section 6), BFD Control packets with unknown MAC address MUST NOT be forwarded to VMs." §6: "All VXLAN packets received on the Management VNI MUST be processed locally and MUST NOT be forwarded to a tenant." The difference between these 2 statements and the one from §3 is that they seem to be intended only when using the Management VNI...but it would seem that the general statement applies there too, right? IOW, the specific statements about the Management VNIs are simply affirming what was already said more generally in §3, right? (7) Nits: s/of VXLAN gateway and there is a router in underlay/of the VXLAN gateway and there is a router in the underlay s/VTEP MUST validate/the VTEP MUST validate s/then BFD session/then the BFD session
- Alvaro Retana's Discuss on draft-ietf-bfd-vxlan-0… Alvaro Retana via Datatracker
- Re: Alvaro Retana's Discuss on draft-ietf-bfd-vxl… Greg Mirsky
- Re: Alvaro Retana's Discuss on draft-ietf-bfd-vxl… Alvaro Retana
- Re: draft-ietf-bfd-vxlan IESG status Greg Mirsky
- Re: draft-ietf-bfd-vxlan IESG status Greg Mirsky
- draft-ietf-bfd-vxlan IESG status Jeffrey Haas
- Re: draft-ietf-bfd-vxlan IESG status Greg Mirsky
- Re: draft-ietf-bfd-vxlan IESG status Alvaro Retana
- Re: draft-ietf-bfd-vxlan IESG status Greg Mirsky
- Re: draft-ietf-bfd-vxlan IESG status Jeffrey Haas
- Re: draft-ietf-bfd-vxlan IESG status Greg Mirsky
- Re: draft-ietf-bfd-vxlan IESG status Benjamin Kaduk
- Re: draft-ietf-bfd-vxlan IESG status Alvaro Retana
- Re: draft-ietf-bfd-vxlan IESG status Greg Mirsky
- Re: draft-ietf-bfd-vxlan IESG status Jeffrey Haas
- Re: draft-ietf-bfd-vxlan IESG status Alvaro Retana
- Re: draft-ietf-bfd-vxlan IESG status Greg Mirsky
- Re: draft-ietf-bfd-vxlan IESG status Greg Mirsky
- BFD for vxlan Destination MAC field (was Re: draf… Jeffrey Haas
- Re: draft-ietf-bfd-vxlan IESG status Jeffrey Haas
- Re: BFD for vxlan Destination MAC field (was Re: … Greg Mirsky
- Re: BFD for vxlan Destination MAC field (was Re: … Greg Mirsky
- Re: BFD for vxlan Destination MAC field (was Re: … Greg Mirsky
- Re: BFD for vxlan Destination MAC field (was Re: … Donald Eastlake
- Re: BFD for vxlan Destination MAC field (was Re: … Jeffrey Haas
- Re: BFD for vxlan Destination MAC field (was Re: … Greg Mirsky
- Re: BFD for vxlan Destination MAC field (was Re: … Jeffrey Haas
- Re: BFD for vxlan Destination MAC field (was Re: … Donald Eastlake
- Re: BFD for vxlan Destination MAC field (was Re: … Greg Mirsky