Re: Fwd: I-D Action: draft-ietf-bfd-vxlan-02.txt
Greg Mirsky <gregimirsky@gmail.com> Tue, 25 September 2018 17:04 UTC
Return-Path: <gregimirsky@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D141130E26 for <rtg-bfd@ietfa.amsl.com>; Tue, 25 Sep 2018 10:04:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.597
X-Spam-Level:
X-Spam-Status: No, score=-0.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_COMMENT_SAVED_URL=1.391, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_HTML_ATTACH=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pkrh3Q-pcEhM for <rtg-bfd@ietfa.amsl.com>; Tue, 25 Sep 2018 10:04:48 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFBAE12F1AC for <rtg-bfd@ietf.org>; Tue, 25 Sep 2018 10:04:47 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id l19-v6so7990407ljb.0 for <rtg-bfd@ietf.org>; Tue, 25 Sep 2018 10:04:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4T0/ipttMSkK5A4NJSe8H8fn9WSncW18o8eoazVeFOY=; b=E0u8W4YpQyf39NTCo/nRNwYYZT99jXlKvVrd/9bTW7MZL6w2n77n0agGsfK19rCnXl cN6UKTk9TWcdjv1HQEkSDTF/AfqXtW9HnQcarA7rWH//caa3YHDwwaClYr1K+jhMSfe7 sVNq41YcU31DMrkbT5bDoGe4b7C5L5JNQ6OK655OL4cNXW6wxEGvJSyD1PxNIVS3XLC1 DEVlpiQeGfQgsIIdNkIyUKUv+QDqcfaop9sQs0ur5cOJJjEkU2uicJzHqwx6fS+jps3t 4wjiUGTobUUazpU+u8QU0U7yt5DkmEt31Eg+5HlyKKjcqfqyAzjxRs+31q9Evu+GPvZV Pkxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4T0/ipttMSkK5A4NJSe8H8fn9WSncW18o8eoazVeFOY=; b=oWkU/l4q+X+36rwvIxo4Xm0JD1uyNqw/PGw2orQEJP0Snnlh3ZNQ08dnOvJwAC6kNo yIXUtYNawycowZYg0LYAxCpoZj7EOQw0kWBwTnyDfz9f161+cxIXBcMwPiSMpvdeQZcc /Ul/l0VcoBX2MQPMi1G4irjVrK8gKbcyzcnItaVi9WiP4K78lVlXelfCtSdJTDgkkOVK TuzxV3Js9Stjxnk/ReIJYFDuaHTo79SMBAT4GjQTXEetc4puKdJ8oYBMDqALFGVrp/y4 4V/BeLrGCCGSiTMdqcH/1uZAOcJ7EP6n+K9JtU5BTh2tYiOoeqJ0WbGrkc5LnyhaNnlw m8Ng==
X-Gm-Message-State: ABuFfoirP+tc89sysMOuzSGstGDT5GF6jUxJ/VhvAeHjk7cCgz9oBnhR p0DaNb/BZxKCgamfkTnSITmP/TiZDFQGh3AgEbY=
X-Google-Smtp-Source: ACcGV62//J2TxRhZBR7RLeIZS+qXZ4ujAR2yR/xDuWILASoP3GGd7RDw/f6/H0fQsXlyi1I/ESIBNaZoSvx4JT5c8j8=
X-Received: by 2002:a2e:9c4d:: with SMTP id t13-v6mr1513176ljj.153.1537895085779; Tue, 25 Sep 2018 10:04:45 -0700 (PDT)
MIME-Version: 1.0
References: <153462297684.27533.6391249246080806217@ietfa.amsl.com> <CA+RyBmW9x9Y-Ve=1JnFatqisqOkpN6YZuOFimNbUS+Keo1KUnw@mail.gmail.com> <20180913143611411852.0ca9e40a@sniff.de> <CA+RyBmXywULG1+yLzsce15EQVNHUjTdWQO2+N7=o=j7DbMa6RA@mail.gmail.com>
In-Reply-To: <CA+RyBmXywULG1+yLzsce15EQVNHUjTdWQO2+N7=o=j7DbMa6RA@mail.gmail.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Tue, 25 Sep 2018 10:04:34 -0700
Message-ID: <CA+RyBmWRwFxqAExqbmxiTHzQMRerw2t4SoF6qQVZykhMES=32g@mail.gmail.com>
Subject: Re: Fwd: I-D Action: draft-ietf-bfd-vxlan-02.txt
To: Marc Binderberger <marc@sniff.de>
Cc: rtg-bfd WG <rtg-bfd@ietf.org>, Donald Eastlake <d3e3e3@gmail.com>
Content-Type: multipart/mixed; boundary="0000000000004a5d850576b51a7f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/nFiF5n1wBkTjom8eNfjhlNz9M5k>
X-Mailman-Approved-At: Tue, 25 Sep 2018 10:46:16 -0700
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2018 17:04:52 -0000
Hi Marc, hope this note finds you well. Attached you'll find diff between the latest and working versions of the document. The latter includes the update suggested by Donald and proposed changes I hope will address your comments. Your consideration and feedback on the proposed updates much appreciated. Best regards, Greg On Mon, Sep 17, 2018 at 3:47 PM Greg Mirsky <gregimirsky@gmail.com> wrote: > Hi Marc, > many thanks for your excellent comments and the most detailed questions - > all much appreciated and the most helpful. > Please find my answers, notes in-line and tagged GIM>>, > > Regards, > Greg > > On Thu, Sep 13, 2018 at 5:36 PM, Marc Binderberger <marc@sniff.de> wrote: > >> Hello Greg & Authors, >> >> great to see this draft progressing! >> >> >> As usual I'm a bit late :-/ but I do have some questions/comments: >> >> >> Q1: the TTL = 1 requirement for the inner IP packet. The explanation for >> the >> MUST is >> >> TTL: MUST be set to 1 to ensure that the BFD packet is not >> routed within the L3 underlay network. >> >> >> I find this a very implementation-specific reason that may not apply to >> many >> other implementations. But the demand for TTL = 1 may limit what can be >> done >> with today's silicon, which is why I question this demand here :-) >> >> You will find off-the-shelf silicon that offers you BFD RFC5881 "in >> hardware". For the ASIC user the usage is typically fixed by the API/SDK >> and >> RFC5881 uses TTL = 255 for send and check on receive. Using a loopback >> port >> it would be simple to use this RFC5881 BFD engine to send packets over >> the >> VxLAN tunnel. But the TTL=1 requirements defeats this. Could we drop it? > > > >> GIM>> I think that this specification is closer to RFC 5884 case where >> TTL for the encapsulated BFD control packet mandated to be set to 1: >> > The IP TTL or hop limit MUST be set to 1 [RFC4379]. > > >> Q2: in this context of TTL you write >> >> 10. Security Considerations >> >> The document recommends setting the inner IP TTL to 1 which could >> lead to a DDoS attack. >> > GIM>> Would s/recommends/requires/ work? > >> >> >> First, you don't recommend - you say MUST. But as a non-native speaker >> maybe >> this is a misinterpretation on my side ;-) >> More interesting: how does TTL = 1 raises the DDoS risk? By someone >> directly, >> i.e. without any VxLAN encapsulation, sending a BFD packet to the VTEP IP >> ? >> > GIM>> Agree, the wording is rather confusing. Would the following text > make it clearer: > OLD TEXT: > The document recommends setting the inner IP TTL to 1 which could > lead to a DDoS attack. Thus the implementation MUST have throttling > in place. Throttling MAY be relaxed for BFD packets based on port > number. > > NEW TEXT: > The document requires setting the inner IP TTL to 1 which could > be used as DDoS attack vector. Thus the implementation MUST have > throttling > in place to control the rate of BFD control packets sent to the control > plane. > > >> >> Q3: for the demultiplexing of incoming BFD packets (section 6.1) you write >> >> [...] For such packets, the BFD session MUST be identified >> using the inner headers, i.e., the source IP and the destination IP >> present in the IP header carried by the payload of the VXLAN >> encapsulated packet. The VNI of the packet SHOULD be used to derive >> interface-related information for demultiplexing the packet. >> >> >> I understand the "MUST" for the source IP, to differentiate a session >> with >> VTEP A from the session with VTEP B. Why is the destination IP, i.e. my >> local >> IP, of relevance? Support for multiple VTEP? >> > GIM>> Yes, it is the case. > >> But my main question is, why the VNI (or related information like the >> local >> VLAN or VFI) is only a "SHOULD" ? > > GIM>> An implementation may support only use of VNI 0 and not to use VNI > value of the received packet. > > >> In section 4 you say >> >> [...] Separate BFD >> sessions can be established between the VTEPs (IP1 and IP2) for >> monitoring each of the VXLAN tunnels (VNI 100 and 200). >> >> >> How would I separate these BFD sessions when src/dst IP are the same? >> > GIM>> By using different VNI in the VXLAN encapsulation of a BFD Control > packets. > >> >> >> Finally a nitpick, you write in section 6: >> >> The UDP destination port and the TTL of the inner Ethernet frame MUST >> be validated >> >> We all understand what you mean but I first stumbled: Ethernet frames >> have no >> TTL. You mean (of course) the inner IP packet - why not writing it? ;-) >> > GIM>> Agreed. Would s/inner Ethernet/inner IP packet/ address it? > >> >> >> >> Anyway, overall very useful standard (as you see from my comments, there >> are >> feature roadmaps coming ;-) >> > GIM>> Thank you for your kind words and help to improve the specification, > Marc. > >> >> >> Thanks & Regards, >> Marc >> >> >> >> >> >> On Sat, 18 Aug 2018 13:54:22 -0700, Greg Mirsky wrote: >> > Dear All, >> > the new version addresses comments and editorial suggestions we've >> received >> > from Donald. >> > >> > Your reviews are most welcome, comments, questions, and suggestions >> much >> > appreciated. >> > >> > As discussed at the meeting in Montreal, the authors believe that this >> > document is ready for WGLC. >> > >> > Regards, >> > Greg >> > >> > ---------- Forwarded message ---------- >> > From: <internet-drafts@ietf.org> >> > Date: Sat, Aug 18, 2018 at 1:09 PM >> > Subject: I-D Action: draft-ietf-bfd-vxlan-02.txt >> > To: i-d-announce@ietf.org >> > Cc: rtg-bfd@ietf.org >> > >> > >> > >> > A New Internet-Draft is available from the on-line Internet-Drafts >> > directories. >> > This draft is a work item of the Bidirectional Forwarding Detection WG >> of >> > the IETF. >> > >> > Title : BFD for VXLAN >> > Authors : Santosh Pallagatti >> > Sudarsan Paragiri >> > Vengada Prasad Govindan >> > Mallik Mudigonda >> > Greg Mirsky >> > Filename : draft-ietf-bfd-vxlan-02.txt >> > Pages : 10 >> > Date : 2018-08-18 >> > >> > Abstract: >> > This document describes the use of the Bidirectional Forwarding >> > Detection (BFD) protocol in Virtual eXtensible Local Area Network >> > (VXLAN) overlay networks. >> > >> > >> > The IETF datatracker status page for this draft is: >> > https://datatracker.ietf.org/doc/draft-ietf-bfd-vxlan/ >> > >> > There are also htmlized versions available at: >> > https://tools.ietf.org/html/draft-ietf-bfd-vxlan-02 >> > https://datatracker.ietf.org/doc/html/draft-ietf-bfd-vxlan-02 >> > >> > A diff from the previous version is available at: >> > https://www.ietf.org/rfcdiff?url2=draft-ietf-bfd-vxlan-02 >> > >> > >> > Please note that it may take a couple of minutes from the time of >> submission >> > until the htmlized version and diff are available at tools.ietf.org. >> > >> > Internet-Drafts are also available by anonymous FTP at: >> > ftp://ftp.ietf.org/internet-drafts/ >> > >> > >> > >
- I-D Action: draft-ietf-bfd-vxlan-02.txt internet-drafts
- Fwd: I-D Action: draft-ietf-bfd-vxlan-02.txt Greg Mirsky
- Re: Fwd: I-D Action: draft-ietf-bfd-vxlan-02.txt Marc Binderberger
- Re: Fwd: I-D Action: draft-ietf-bfd-vxlan-02.txt Greg Mirsky
- Re: Fwd: I-D Action: draft-ietf-bfd-vxlan-02.txt Greg Mirsky