Re: draft-ietf-bfd-vxlan IESG status

Jeffrey Haas <jhaas@pfrc.org> Wed, 17 June 2020 19:52 UTC

Return-Path: <jhaas@pfrc.org>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EA6F3A0D18; Wed, 17 Jun 2020 12:52:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zJtEFgfy_nEu; Wed, 17 Jun 2020 12:52:16 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 5D7233A0D17; Wed, 17 Jun 2020 12:52:16 -0700 (PDT)
Received: from dresden.attlocal.net (99-59-193-67.lightspeed.livnmi.sbcglobal.net [99.59.193.67]) by slice.pfrc.org (Postfix) with ESMTPSA id 0B8641E2F8; Wed, 17 Jun 2020 16:01:32 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Subject: Re: draft-ietf-bfd-vxlan IESG status
From: Jeffrey Haas <jhaas@pfrc.org>
In-Reply-To: <CA+RyBmXk_-gnuyUYwbSwkfiBSvUnX77G2m5M4bkDsYQiHYjqbw@mail.gmail.com>
Date: Wed, 17 Jun 2020 15:52:14 -0400
Cc: The IESG <iesg@ietf.org>, bfd-chairs@ietf.org, draft-ietf-bfd-vxlan@ietf.org, rtg-bfd WG <rtg-bfd@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E2C152D4-AA4C-4CC8-BAD1-13FF007552E6@pfrc.org>
References: <20200127221705.GB17622@pfrc.org> <20200616211057.GA21373@pfrc.org> <CA+RyBmXk_-gnuyUYwbSwkfiBSvUnX77G2m5M4bkDsYQiHYjqbw@mail.gmail.com>
To: Greg Mirsky <gregimirsky@gmail.com>, Donald Eastlake <d3e3e3@gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/jN-VGaSJAZSGzVLlDG91EKn2htg>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2020 19:52:19 -0000

Greg,


> On Jun 16, 2020, at 9:05 PM, Greg Mirsky <gregimirsky@gmail.com> wrote:
> thank you for providing continued support and guidance. Please find my
> notes in-lined under tag GIM>>. Attached are the new working version and
> its diff to -12. There are two remaining Open Issues - 7 and 9. I much
> appreciate your considerations and suggestions.

[...]

>>> Open Issue 7: "::FFFF:7F00:0/104 IPv6 range" (COMMENT via Benjamin K.)
>>> 
>>> Proposed Action: I believe this issue's fate is similarly tied to Open
>> Issue 3.
>>> If the proposal is limited solely to management VNI, this text is not
>>> relevant and may be deleted.
>> 
>> This action is still pending.
>> 
> GIM>> There are two references to this IPv6 range. I think that the
> document should give a recommendation on what address to use as the
> destination IP address. As we've discussed with  Adam Roach, only ::ffff:
> 127.0.0.1/128 has host loopback meaning in IPv6. I propose to change
> throughout the text from "one of the addresses from IPv6 range" to "::ffff:
> 127.0.0.1/128 for IPv6".

Sorry, the issue is from the IESG ballot at https://datatracker.ietf.org/doc/draft-ietf-bfd-vxlan/ballot/:

>    0:0:0:0:0:FFFF:7F00:0/104 range for IPv6).  There could be a firewall
>    configured on VTEP to block loopback addresses if set as the
>    destination IP in the inner IP header.  It is RECOMMENDED to allow
>    addresses from the loopback range through a firewall only if it is
>    used as the destination IP address in the inner IP header, and the
>    destination UDP port is set to 3784 [RFC5881].
> 
> I think we should reword this to make it clear that the default behavior
> is still "block all incoming traffic with loopback destination" and that
> the exception is tightly scoped to the encapsulated VXLAN traffic
> discussed in this document and the specific destination port *and when
> BFD has been configured for the VTEP*.

So, the question is what should be done about packet drop or firewalls?

My opinion is one possible action for this is to drop the text.  For this feature to work, traffic will be arriving with packets destined to these well known ranges.  If you want the feature to work, they must be permitted to come through.  Rather than mention "if you have it", the related actions are implied by things necessary to implement it.



> 
>>> 
>>> Open Issue 9: "Destination MAC: This MUST NOT be of one of tenant's MAC
>>> addresses." (COMMENT via Benjamin K.)
>>> 
>>> Proposed Action: I believe this issue's fate is similarly tied to Open
>> Issue 3.
>>> If the proposal is limited solely to management VNI, this text is not
>>> relevant and may be deleted.
>> 
>> In -12, we now have the following text:
>> "Destination MAC: since a Management VNI is the VNI that does
>> not have any tenants, the value of this field is not analyzed
>> by the receiving VTEP."
>> 
>> For the management VNI, this text is true.  However, it likely requires a
>> value that is described in the specification.
>> 
>> Proposed solution: A MAC value should be chosen that is well known and th=
> e
>> text would become:
>> 
>> "Destination MAC: A Management VNI, which does not have any tenants, will
>> have no dedicated MAC address for decapsulated traffic.  The value
>> X:X:X:X:X
>> SHOULD be used in this field."
>> 
>> SHOULD might need to be MUST.  Since a partial motivation for permitting
>> the
>> flexibility in the specification to NOT use the management VNI is desired=
> ,
>> MUST might be inappropriate.
>> 
> GIM>> Accepted the suggested text. I agree that the flexibility to not use
> the Management VNI is permitted in the specification and thus SHOULD in the
> text is consistent with that scenario. How would we pick the MAC address?

I am out of my area of expertise and I was hoping someone in the IESG can offer a fix. :-)  I am copying Donald Eastlake since he's the designated expert for the IANA MAC address block.

Donald, review of the thread may be useful, but tersely the need is to have a well known MAC address that can be placed in this vxlan PDU that is literally a placeholder of "not to be used for forwarding".  The packet arrives at the endpoint and, if not immediately accepted, would be dropped.

If there is no well known MAC that could be used for such a behavior, perhaps an address from the IANA block may be used?

While I suspect the IANA mac documentation range could be used, IANA may not appreciate that.

-- Jeff