Re: [nvo3] BFD over VXLAN: Trapping BFD Control packet at VTEP

Greg Mirsky <gregimirsky@gmail.com> Thu, 31 October 2019 15:48 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA869120804; Thu, 31 Oct 2019 08:48:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SMCefJTbFsF6; Thu, 31 Oct 2019 08:48:22 -0700 (PDT)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5500612013A; Thu, 31 Oct 2019 08:48:22 -0700 (PDT)
Received: by mail-lj1-x22a.google.com with SMTP id s4so7136855ljj.10; Thu, 31 Oct 2019 08:48:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=B9Z7j0iHKiFOJbIuMDjGJeITUbDo3abzCFTJuJRtTsE=; b=smm702zuKaL09LoL034XMJE59XEa8S4iiAaHIk7WX4boizFgqYtltUUIFqLkvJ3lbb g3hR+XLJmIL/RNHZINGVXJW4nCND1eVxX4+M28+j4NI4QuSe5extn9GPZOW4KlGId95u xQDsI8d71Pw5vKva9/qrs+QzsyDQsceyBvfqRzUILXAVLL/MPQcerbpUkravYLhMzLo6 tiaMXrpmWsOV6WOwVaplzcqZmfdBHfNwHOQSbyN+BlfduwULj9F30geQ1sVFIFwXZomS Cf+RHRRRDijEJICzbBBhX38eHYZDXbiohsSPTuJ9ojAUXC1ZAnpynUgqsUBECMZQsexE 7lng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=B9Z7j0iHKiFOJbIuMDjGJeITUbDo3abzCFTJuJRtTsE=; b=KAMviSAkiu/rWlFyufYmiqXenbfj2PuWvFuOlT4QVHUSDLMoJLoTI9wxAygT/mSzry jQMt8p2oND3SEwbMLRBIF65l30BdLu+bWNKwRe0Eoe1N1R58QKezDVxN8zDuUK4gR7KY nDLOou/aZoXltEjnW88S5U1MuhPxIJq9wzJt47WV3glgPasSBKR1sGt+2UPAWNOPhzVF d4hIfsnTnfyuW+z10Et753kHG+Zvt6swNoLKgQTVIbYDAiyVqLqLllFq1OC60vQyWqdf gVWxC8Ksd6R2i6lGL+uFvUNelmW/s2BY347b/1mnqKSppdIb2n4AcJbw3VfmTJqk8+4G L3jw==
X-Gm-Message-State: APjAAAUvstwgKNxstlVZlNJ5NzP5nyoGZkwLmyIDJMmURJMLt6dnqi/F QblPMdLw+xxwiz4ke9yqO/E/H2zNwmw7JIBE2Hw=
X-Google-Smtp-Source: APXvYqy/mNTvotx0pA7hcUZTZh93Fo0/7rUHurEmW4W8HibRaUVvSPBwXnN/fMaedGDgm20+xkLC89WWy5YehDK8s7I=
X-Received: by 2002:a2e:3612:: with SMTP id d18mr4790778lja.222.1572536900377; Thu, 31 Oct 2019 08:48:20 -0700 (PDT)
MIME-Version: 1.0
References: <CA+-tSzw76E0AM2AJR=2GQsXJ3MtFUtsug7KoGQzAP-=Ds8u7Fg@mail.gmail.com> <aa853b8e-7ff4-a2d9-9b66-f9c22823ac9d@joelhalpern.com> <1572400778.28051.7@smtp.gmail.com> <CA+-tSzyNu8XVqL7=cGVaT7Mbg5yO6d3ohgv2qPTrMHRV1vw0rg@mail.gmail.com> <1a38424c-6bc1-4414-a7fd-c1e2105b581a@Spark> <CA+-tSzzSNnR=fKRU+mEX=d+tL5B0u8eNUAoGcPvfrna_qHL7Hg@mail.gmail.com> <1572435956.28051.12@smtp.gmail.com> <CA+RyBmWgvjDLdxEz7oZEfYjtJT=7CZbiV5bRkx=gf3hQHHokOw@mail.gmail.com> <20191030203051.GD10145@pfrc.org> <CA+RyBmVTWMOuXaWVk_i1Lk7i+GgfiESkfVcLXARNnPD0Y3N5zQ@mail.gmail.com> <20191030211742.GE10145@pfrc.org>
In-Reply-To: <20191030211742.GE10145@pfrc.org>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Thu, 31 Oct 2019 08:48:08 -0700
Message-ID: <CA+RyBmUfKi79pnPqsA6KNFR9e6cqG42z8yo3c40BcZHL4D79zQ@mail.gmail.com>
Subject: Re: [nvo3] BFD over VXLAN: Trapping BFD Control packet at VTEP
To: Jeffrey Haas <jhaas@pfrc.org>
Cc: Dinesh Dutt <didutt@gmail.com>, Anoop Ghanwani <anoop@alumni.duke.edu>, "Joel M. Halpern" <jmh@joelhalpern.com>, Santosh P K <santosh.pallagatti@gmail.com>, NVO3 <nvo3@ietf.org>, draft-ietf-bfd-vxlan@ietf.org, rtg-bfd WG <rtg-bfd@ietf.org>, "T. Sridhar" <tsridhar@vmware.com>, xiao.min2@zte.com.cn
Content-Type: multipart/alternative; boundary="00000000000057e235059636c798"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/opWVZ235odK9ookvFD8brmlTxFM>
X-Mailman-Approved-At: Thu, 31 Oct 2019 09:22:19 -0700
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2019 15:48:26 -0000

Hi Jeff,
thank you for the detailed clarification of your questions. Please find my
follow-up notes in-lined tagged GIM2>>.

Regards,
Greg

On Wed, Oct 30, 2019 at 2:14 PM Jeffrey Haas <jhaas@pfrc.org> wrote:

> Greg,
>
> On Wed, Oct 30, 2019 at 01:58:30PM -0700, Greg Mirsky wrote:
> > On Wed, Oct 30, 2019 at 1:27 PM Jeffrey Haas <jhaas@pfrc.org> wrote:
> >
> > > Greg,
> > >
> > > From the updated text:
> > >
> > > "At the same time, a service layer BFD session may be used between the
> > > tenants of VTEPs IP1 and IP2 to provide end-to-end fault management. In
> > > such case, for VTEPs BFD Control packets of that session are
> > > indistinguishable from data packets.  If end-to-end defect detection is
> > > realized as the set of concatenated OAM domains, e.g., VM1-1 - IP1 --
> > > IP2 - VM2-1, then the BFD session over VXLAN between VTEPs SHOULD
> > > follow the procedures described in Section 6.8.17 [RFC5880]."
> > >
> > > In the case that two VMs are running BFD to each other as a user
> > > application
> > > rather than as part of the virtualized environment, it's unlikely that
> > > they'd be treated as concatenated domains.  To do so, the tenant VMs
> would
> > > have to have a sense that they are indeed virtual.
> > >
> > > Is your intent in this text that BFD implementations on the server
> should
> > > detect BFD sessions between servers and change them to a concatenated
> > > session?
> > >
> > GIM>> No, we do not suggest that the concatenation of BFD sessions be
> > automagical. That may be controlled via the management plane though.
>
> Then my suggestion is we may not want this text.
>
> It's fine to say "if tenants want to run BFD to each other, and that is
> standard BFD (RFC 5881) from the perspective of those tenants" if that's
> your intent.  Leave automagic out of the spec. :-)
>
GIM2>> I'd take the passage referring to the concatenated path out. That
will leave it as:
   At the same time, a service layer BFD session may be used between the
   tenants of VTEPs IP1 and IP2 to provide end-to-end fault management.
   In such case, for VTEPs BFD Control packets of that session are
   indistinguishable from data packets.

>
> > > Section 5 comment:
> > >
> > > :   The UDP destination port and the TTL of the inner IP packet MUST be
> > > :   validated to determine if the received packet can be processed by
> > > :   BFD.  BFD Control packets with unknown MAC address MUST NOT be
> > > :   forwarded to VMs.
> > >
> > > I'd suggest pushing the second sentence into the prior section since it
> > > deals with MAC addresses rather than the UDP procedures.
> > >
> > GIM>> Could you please clarify your suggestion - move to Section 4 or to
> > the preceding paragraph? I think it is the latter but wanted to make
> sure.
>
> Full section 5 from your draft-8 candidate:
> : 5.  Reception of BFD Packet from VXLAN Tunnel
> :
> :    Once a packet is received, the VTEP MUST validate the packet.  If the
> :    Destination MAC of the inner Ethernet frame matches one of the MAC
> :    addresses associated with the VTEP the packet MUST be processed
> :    further.  If the Destination MAC of the inner Ethernet frame doesn't
> :    match any of VTEP's MAC addresses, then the processing of the
> :    received VXLAN packet MUST follow the procedures described in
> :    Section 4.1 [RFC7348].
>
> It's not clear what that procedure is, with respect to BFD.  Section 4.1
> basically says is that when a mapping is discovered, deliver it to that VM
> with headers removed.
>
> Section 4.1 really doesn't discuss dropping behavior.
>
> :
> :    The UDP destination port and the TTL of the inner IP packet MUST be
> :    validated to determine if the received packet can be processed by
> :    BFD.
>
> This is fine.
>
> :    BFD Control packets with unknown MAC address MUST NOT be
> :    forwarded to VMs.
>
> This appears to be clarifying the missing point in the prior paragraph.  If
> that's the case, why is this sentence not part of the prior paragraph?
>
GIM>> So I thought. Moving the sentence to the first paragraph highlighted
the contradiction others had pointed earlier:
On the one hand:
   If the Destination MAC of the inner Ethernet frame doesn't
   match any of VTEP's MAC addresses, then the processing of the
   received VXLAN packet MUST follow the procedures described in
   Section 4.1 [RFC7348].
To which we add:
   BFD Control packets with unknown MAC address
   MUST NOT be forwarded to VMs.
But the unknown MACs are treated as BUM according to the last paragraph in
Section 4.2 of RFC 7348:
   Note that multicast frames and "unknown MAC destination" frames are
   also sent using the multicast tree, similar to the broadcast frames.
In light of that, can this draft require that BFD packets with unknown MAC
be dropped and not flooded over the corresponding to the VNI domain? I
think that in addition to moving the sentence up the statement must be
updated:
OLD TEXT:
   BFD Control packets with unknown MAC address
   MUST NOT be forwarded to VMs.
NEW TEXT:
   If the BFD session is using the Management VNI (Section 6),
   BFD Control packets with unknown MAC address
   MUST NOT be forwarded to VMs.
 Comments? Suggestions?

>
>
> -- Jeff
>