Re: Éric Vyncke's Discuss on draft-ietf-bfd-vxlan-09: (with DISCUSS and COMMENT)

["Eric Vyncke (evyncke)" <evyncke@cisco.com>]

Greg,

2nd reply as you replied in 2 messages ;-)

Please see in-line for EV>

But, for the most critical IMHO issue about using IPv4-mapped IPv6 addresses, I had a look at RFC 8029 and RFC 5884 and was, honestly, shocked by their use of IPv4-mapped addresses over the wire “just to add entropy”.

First, it is not because a mistake has been made in the past that repeating the same mistake is a good thing ;-)

Second, adding entropy could also be done with the IPv6 flow field.

Third, I wonder why adding entropy in the inner/overlay IP header would assist the ECMP in the underlay as I have doubt that underlay data plane will look so deep into the packets ... So, isn’t it useless in this case ?

Thank you again for the work and your reply

-éric



From: Greg Mirsky <gregimirsky@gmail.com>
Date: Thursday, 19 December 2019 at 03:17
To: Eric Vyncke <evyncke@cisco.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-bfd-vxlan@ietf.org" <draft-ietf-bfd-vxlan@ietf.org>, Jeffrey Haas <jhaas@pfrc.org>, "bfd-chairs@ietf.org" <bfd-chairs@ietf.org>, rtg-bfd WG <rtg-bfd@ietf.org>
Subject: Re: Éric Vyncke's Discuss on draft-ietf-bfd-vxlan-09: (with DISCUSS and COMMENT)

Hi Eric,
thank you for your review, comments, and suggestions. Please find my answers below under GIM>> tag. Also, attached is the diff to the working version of the document that includes updates that Adam has suggested.

Best regards,
Greg


On Tue, Dec 17, 2019 at 12:51 AM Éric Vyncke via Datatracker <noreply@ietf.org<mailto:noreply@ietf.org>> wrote:
Éric Vyncke has entered the following ballot position for
draft-ietf-bfd-vxlan-09: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-bfd-vxlan/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------


Thank you for the work put into this document.

I fully second Adam's COMMENT that should be fixed before publication (IMHO
this is a DISCUSS).
GIM>> I've applied changes suggested by Adam to the working version of the document.

Answers to my COMMENTs below will be welcome, even if those COMMENTs are not
blocking.

As usual, an answer to the DISCUSS is required to clear my DISCUSS though.

I hope that this helps to improve the document,

Regards,

-éric

== DISCUSS ==

May be I am not familiar enough with BFD, but, RFC 5881 (the one defining BFD)
specifies the use of TTL = Hop Limit = 255.. Why this document uses a value of
1 ?
GIM>> Jeff and Carlos are in a very detailed and insightful discussion. I'll wait for its conclusion and follow on their agreement.

EV> see my previous email about this.


-- Section 3 --
IPv4-mapped IPv6 addresses are only to be used inside a host and should never
be transmitted in real packets (including packets inside a tunnel) see section
4.2 of RFC 4038 (even if informational). As other IESG reviewers, I wonder why
::1/128 is not used?
GIM>> The mechanism of using an address from the loopback address range or IPv4-mapped addresses of that range may be used to create entropy and monitor ECMP paths in an IP/MPLS network (RFC 8029 and RFC 5884). This specification uses the same mechanism for ECMP environment in the underlay network.

-- Section 8 --
The document specifies no IANA actions while the shepherd write-up talks about
a IANA action.
GIM>> RtgDir review from Joel Halpern and the extensive discussion on BFD WG list lead to this change. As a result, the request to allocate a MAC address to be used as the destination MAC address in the inner Ethernet header was withdrawn and removed from the specification.

EV> can the document shepherd update the shepherd write up ?




-- Section 9 --
This section is only about IPv4 (TTL and RFC 1812). Please address IPv6 as well.
GIM>> Added "or Hop Limit". Please let me know if you agree. As for a IPv6 relevant reference equivalent to RFC 1812, Adam Roach has noted that RFC 8504 does not have anything of the kind. At the same time, the use of IPv4-mapped loopback address range has been mandated in RFC 8029 and RFC 5884.

EV> OK, even if I do not like the unbalance


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

== COMMENTS ==

RFC 5881 (BFD) states that it applies to IPv4/IPv6 tunnels, may I infer that
this document is only required to address the Ethernet encapsulation ? I.e.
specifying the Ethernet MAC addresses?
GIM>> There were several threads on encapsulation of BFD Control packet over VXLAN that, in my estimation, gathered 150+ messages. As you've noticed from the Shepherd write-up, the use of the dedicated MAC address was proposed, discussed, and documented. But later the WG decided not to use the dedicated MAC as the destination MAC in the inner Ethernet frame. Similarly, we had an extended discussion, including valuable input from implementors of BFD over VXLAN, on the selection of the destination IP address in the inner IP header. And another set of issues was discovered related to the selection of VXLAN VNI value when encapsulating  BFD control packet. I hope we've analyzed all encapsulation issues and documented them sufficiently for the benefit of future implementations.

EV> actually, I was not clear. I wonder why RFC 5881 (that claims to be applicable to IPv4/IPv6 tunnels) is not applicable to VXLAN.


-- Section 3 --
At first sight, I was surprized by having a BFD session per VXLAN VNI as it
will create some scalability issue, but, I assume that this is to detect
misconfiguration as well. If so, perhaps worth mentionnig the reasoning behind?
GIM>> I agree, detecting misconfiguration might be one of the reasons to run BFD over some VXLAN VNIs. Would the following text be acceptable:

NEW TEXT:
   Using a BFD session to monitor a set of VXLAN VNIs between
   the same pair of VTEPs might help to detect and localize problems
   caused by misconfiguration.


EV> perfect, thank you

In "the inner destination IP address SHOULD" it is unclear whether it is in the
all BFD packets, or only the request one or ... ?
GIM>> This is applicable to all BFD control packets transmitted over a VXLAN tunnel. To clarify, I propose the following change:
OLD TEXT:
As per Section 4, the inner destination IP address SHOULD be set to ...
NEW TEXT:
   For BFD Control packets encapsulated in VXLAN
   (Figure 2), the inner destination IP address SHOULD be set to ...
EV> ok, thank you

-- Section 4 --
While probably defined in RFC7348, should "FCS" be renamed as "Outer Ethernet
FCS" for consistency with the "Outer Ethernet Header" in figure 2 ?
GIM>> Would s/FCS/Outer FCS/ be acceptable?
EV> perfect

Why not using the Source MAC address as the Destination MAC address ? This
would ensure that there is no conflict at the expense of "forcing" the
transmission of the frame even if addressed to itself.
GIM>> Based on the input from experts familar with existing implementations, WG decided not to require the use of the specific MAC address. I think that using the Source MAC as the Destination might be one of the options an implementation will use.
EV> ok

Please consider rewriting the section about TTL/Hop Limit as it is not easy to
parse/read.
GIM>> Could you help me kindly and point to the problematic text?

-- Section 9 --
It is unclear to me (see also Ben's comment) what is the 'attack vector' of
sending packets with TTL=1 ?
GIM>> Another input from experts familiar with VXLAN and its deployments reflected in the following:
          TTL or Hop Limit: MUST be set to 1 to ensure that the BFD
         packet is not routed within the Layer 3 underlay network.  This
         addresses the scenario when the inner IP destination address is
         of VXLAN gateway and there is a router in underlay which
         removes the VXLAN header, then it is possible to route the
         packet as VXLAN  gateway address is routable address.

EV> I do not want to discuss the HL=1 (cfr top of this email message) but more about requesting more information about the **attack vector** of packets with HL=1 ? E.g., it is about forcing the expired packet to the main CPU rather than data plane ASIC? Really unclear what the attack is with packet having HL=1