IETF Logo Mail Archive

Re: BFD over VXLAN: Trapping BFD Control packet at VTEP

Dinesh Dutt <didutt@gmail.com> Thu, 01 August 2019 16:34 UTC

Return-Path: <didutt@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 240FF1201A2; Thu, 1 Aug 2019 09:34:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xXnHRm8Pj2Z6; Thu, 1 Aug 2019 09:34:09 -0700 (PDT)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 064F21200E0; Thu, 1 Aug 2019 09:34:09 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id r1so74256204wrl.7; Thu, 01 Aug 2019 09:34:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=p9dZZutqCKDeZRnD1qlbtrZt5T0NLnhLRed7CU+QX9g=; b=Ms+zv8Ncw5oVPhOlUpaQeKDLMg6ZnS6zmbxVkyBNxZlyLSpVaHJO3g/jId7kOdQa+4 TfgkBw7p53pPgAyVbU3GhZj4tMDpRkYuDGe8cWIVK8mu7wIligUjm2CitXfEH9vn1dQ+ IVLpFUkmGIymqfBmnxfzEqsxPWbVk28u32qd4qFMG+nVhtV4U/34QcLHWcFB4RUn9LgW hYIhDWiezOaxMJFdiwzbfeq/XRc6/el4OQiJKwbxwPcTxgZton+M+mYTSy7wyQ2W6hId fLFS+AJEUkhblGxPEPK7VUUBGJ6MzVp79fhRhFyXFYgEC7Ow1X01FTyBcOZ18NOROTQh C+Vg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=p9dZZutqCKDeZRnD1qlbtrZt5T0NLnhLRed7CU+QX9g=; b=cLlxTZ9LfJaSO/O6lMRsyby8JocPRMTW2yxlU7Z8sIWZSVBNNPB87XvsBG2MyN479e J9X8ug7pJE54fO0DWMCFDUo68IyJoFhdioZmYPkcWzZr+ozIEct04U9ZBDdaD9w/H9US f7G/rkFRxo7f/juD1HZJ0pd5t+8bJzHTNmaeAnm0pchcM+Z6lxi3OCzUWy28hqGq/WC0 AZ3xuHbhXNU5ydSEn+FficZ/vnfDhC/VpXG8CXpwKlwB37ZEdJmfO8fZGi+V1yldIzJp CMQnSuBydzru3dYs2wQdpdgV9U7MOWzjjqSvnrtzJk1LZk9ZnxugGKR4SzVgls5VLFOX vlmQ==
X-Gm-Message-State: APjAAAXO2Mn+pqFbAfMExp/18p03XCwL1gibmSccekAp68PxweHRhVKN jugviXMpeFv1kf+1ub5PCx1D9G5Y4PcU5fBgMZ0=
X-Google-Smtp-Source: APXvYqy1Z7PHD0anDE+vtIs+zeQWzS7AilNLcauroLa7CQg6MxrXCKfpXzpAQkcG5UZ7sKplFHkE3a0kULAP4795zbk=
X-Received: by 2002:adf:cf0d:: with SMTP id o13mr9679884wrj.291.1564677247242; Thu, 01 Aug 2019 09:34:07 -0700 (PDT)
MIME-Version: 1.0
References: <CA+RyBmW=byLBNfVQSdaEoMf-QnJtj13k788XhbZ9tqH4bcgqNQ@mail.gmail.com> <CAOPNUTBJztjmNgrDyHgMo8-nRazAaXACGJJZ6Lx8z8aRVBM+GA@mail.gmail.com> <CA+RyBmWrM3v37BO8O_VOGG-NJ+UbrtSVQ_2GwW0R+vLkxbtvHw@mail.gmail.com> <CAOPNUTDqe1iA9N=+kJD4Mih1xu6LqTVi0D=mzvgjUn_KE6K7dA@mail.gmail.com> <CA+RyBmXoc1hbhbS9SPAKp8phqahjQVKZHGb58F7-=Y=wX2FkQg@mail.gmail.com> <CAOPNUTCugS9hCXjRE8+Vh49oirtuYPq73hQer5g-h6iidZHqVQ@mail.gmail.com> <CA+RyBmVx5Q=OAmC4Fv2Cyo41LuR0UTbVN0MuuEVhxW0r_Z6arw@mail.gmail.com>
In-Reply-To: <CA+RyBmVx5Q=OAmC4Fv2Cyo41LuR0UTbVN0MuuEVhxW0r_Z6arw@mail.gmail.com>
From: Dinesh Dutt <didutt@gmail.com>
Date: Thu, 01 Aug 2019 09:33:55 -0700
Message-ID: <CAOPNUTA6vqieCNTreHB0JrYOUfn55H-uJ2pbWvdGmeh3v7mwwQ@mail.gmail.com>
Subject: Re: BFD over VXLAN: Trapping BFD Control packet at VTEP
To: Greg Mirsky <gregimirsky@gmail.com>
Cc: rtg-bfd WG <rtg-bfd@ietf.org>, "T. Sridhar" <tsridhar@vmware.com>, Joel Halpern <jmh@joelhalpern.com>, bfd-chairs@ietf.org, Martin Vigoureux <martin.vigoureux@nokia.com>, draft-ietf-bfd-vxlan@ietf.org
Content-Type: multipart/alternative; boundary="000000000000829884058f10cf1e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/q48pr4CgjTA2KKjZQRLkwSGOp58>
X-Mailman-Approved-At: Thu, 01 Aug 2019 09:35:34 -0700
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2019 16:34:13 -0000

I understand his point now. It arose in my head because of a difference in
perspective. On a hardware switch, pretty much every implementation I've
seen reuses one of the device's MAC address across all the local VNIs. Even
in VMW's case, Even on a server, NIC's MAC address is by default reused
across all VNIs. It seems some software switches have taken liberties with
this.

Given this information, if we want to ensure any proposal we come up with
will work with existing packet switching silicon and software switch
implementation,  I also would prefer not to define something that'll be
overridden or worked around soon enough by a new draft. With these
assumptions, I see the problem definition as:

   - checking VTEP-to-VTEP connectivity in the overlay. Checking
   VTEP-to-VTEP connectivity in the underlay is a multi-hop BFD scenario.
   - I suspect whoever wants to check connectivity in the overlay will also
   want to check the connectivity in a specific VNI(s), Otherwise why are they
   checking this in the overlay? There maybe existing mechanisms such as IEEE
   OAM frames to check overlay in a specific VNI, but given my past
   experience, I suspect people will want a single unified mechanism using
   VXLAN (at least I see this in the data center use case).

I believe you;ve implicitly excluded the case of bullet 2 currently. I'm
not in favor of that for the reasons I stated above.

I see the primary solution principles as:

   - BFD packet addressed to the VTEP MUST not leak beyond the VTEP..
   - BFD packets exchanged between endpoints behind VTEPs MUST work as
   well.

So, on the critical question of how do we address the VTEP, I see we have
three possibilities:

   - Pick a MAC/IP pair that belongs to the VTEP in the VNI that you wish
   to send the packet in. These three parameters MUST be configurable: {VNI,
   MAC, IP}. The default VNI for this can be VNI 1.
   - Pick a management VNI and use that VNI to trap control packets to the
   CPU. I don't like this option because we're burning a VNI for just this
   purpose.
   - Pick a well-defined MAC/IP for a given VNI. This is the solution that
   tries to use the 127/8 address for example. But this is a Martian packet,
   is it not? I don't like it for this reason.

Does this make sense?

Dinesh

On Thu, Aug 1, 2019 at 5:40 AM Greg Mirsky <gregimirsky@gmail.com> wrote:

> Hi Dinesh,
> as I understand, Sridhar is on vacation. In the meantime, this is his
> response to the question on using VTEP's MAC address as the destination MAC
> in the inner Ethernet frame:
>
>
> T. Sridhar
> Sun, Jun 30, 7:13 PM
> to Reshad, Martin, draft-ietf-bfd-vxlan@ietf.org, Matthew, Sam, Jeffrey
> Reshad,
>
> Sorry - could not respond earlier.
>
> Joel is right - the draft does impose a requirement on the inner MAC being
> the same as the VTEP MAC and eats into the tenant MAC space which is not a
> desirable approach. You *could* use VNI0 as the one only VNI to specify
> this but that's not ideal either since we did not impose any restriction on
> the VNI space.
>
> Btw,  I also think I should modify the comment I had made below about
> using the inner IP to be the same as the VTEP IP since there is no
> guarantee that the inner MAC frame is an IP packet.
>
> Thanks,
> Sridhar
>
>
>
> On 6/26/19, 6:59 PM, "Reshad Rahman (rrahman)" <rrahman@cisco.com> wrote:
>
>     Thank you Sridhar. One concern which came up is wrt the use of the
> destination VTEP MAC address as dest MAC in the inner IP header (see
> attached email). Could you please comment on that aspect?
>
>     Regards,
>     Reshad.
>
> I understand that RFC 7348 maybe is not clear on that issue. I'd like to
> understand how the existing implementations behave, process VXLAN header
> and the inner Ethernet frame to minimize changes BFD over VXLAN may impose
> on the implementation.
>
> Regards,
> Greg
>
>
> On Thu, Aug 1, 2019 at 12:48 AM Dinesh Dutt <didutt@gmail.com> wrote:
>
>> I don't understand his objection. My recommendation is to understand that
>> before we propose new text. I fear otherwise that we'll have a new draft in
>> a few months to address the issue of using non-mgmt VNI.
>>
>> Dinesh
>> On Jul 31, 2019, 12:07 PM -0700, Greg Mirsky <gregimirsky@gmail.com>,
>> wrote:
>>
>> Hi Dinesh,
>> if I recall correctly, T.Sridhar has noted that VTEP's MAC must not be
>> used as the destination MAC address in the inner Ethernet frame.
>>
>>
>>
>> Also, I should have been more precise in the proposed text, please see
>> the updated version to stress that the management VNI MUST NOT be one of
>> the tenant's VNIs:
>> NEW TEXT:
>>
>> An operator MUST select a VNI number to be used as Management VNI.
>> Management VNI number MUST NOT be one of the tenant's VNIs to prevent
>> sending VXLAN packets received on Management VNI to a tenant. VNI number 1
>> is RECOMMENDED as the default for Management VNI.
>>
>>
>> On Wed, Jul 31, 2019 at 2:25 PM Dinesh Dutt <didutt@gmail.com> wrote:
>>
>>> Hi Greg,
>>>
>>> On Wed, Jul 31, 2019 at 9:20 AM Greg Mirsky <gregimirsky@gmail.com>
>>> wrote:
>>>
>>>> Hi Dinesh,
>>>> thank you for your consideration of the proposal and questions. What
>>>> would you see as the scope of testing the connectivity for the specific
>>>> VNI? If it is tenant-to-tenant, then VTEPs will treat these packets as
>>>> regular user frames. More likely, these could be Layer 2 OAM, e.g. CCM
>>>> frames. The reason to use 127/8 for IPv4, and 0:0:0:0:0:FFFF:7F00:0/104 for
>>>> IPv6 is to safeguard from leaking Ethernet frames with BFD Control packet
>>>> to a tenant.
>>>> You've suggested using a MAC address to trap the control packet at
>>>> VTEP. What that address could be? We had proposed using the dedicated MAC
>>>> and VTEP's MAC and both raised concerns among VXLAN experts. The idea of
>>>> using Management VNI may be more acceptable based on its similarity to the
>>>> practice of using Management VLAN.
>>>>
>>>
>>> If you use the inner IP address as the VTEP IP address, then use the MAC
>>> address that the VTEP would respond with when replying to an ARP for that
>>> VTEP IP address. If a VXLAN expert disagrees with this, could you kindly
>>> tell me who it is so that I can understand their disagreement? So this
>>> handles the case where the VNI is not a user-tenant VNI. If the VNI used in
>>> the BFD packet is a user-tenant VNI, then the receiving VTEP MUST have an
>>> IP address in that VNI (mapped to a VRF) else you cannot use that VNI in
>>> the BFD packet. Why won't this combination address all the cases you've
>>> listed? What am I missing? Define VNI 1 as a possible use, not VNI 0. I
>>> objected to VNI 0 because there are too many switching siicon out there and
>>> some of them will not be able to handle this scenario.
>>>
>>> Dinesh
>>>
>>>>
>>>> Regards,
>>>> Greg
>>>>
>>>> On Wed, Jul 31, 2019 at 12:03 PM Dinesh Dutt <didutt@gmail.com> wrote:
>>>>
>>>>> Hi Greg,
>>>>>
>>>>> As long as the inner MAC address is such that the packet is trapped to
>>>>> the CPU, it should be fine for use as an inner MAC is it not? Stating that
>>>>> is better than trying to force a management VNI. What if someone wants to
>>>>> test connectivity on a specific VNI? I would not pick a loopback IP address
>>>>> for this since that address range is host/node local only. Is there a
>>>>> reason you're not using the VTEP IP as the inner IP address ?
>>>>>
>>>>> Dinesh
>>>>>
>>>>> On Wed, Jul 31, 2019 at 5:48 AM Greg Mirsky <gregimirsky@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Dear All,
>>>>>> thank you for your comments, suggestions on this issue, probably the
>>>>>> most challenging for this specification. In the course of our discussions,
>>>>>> we've agreed to abandon the request to allocate the dedicated MAC address
>>>>>> to be used as the destination MAC address in the inner Ethernet frame.
>>>>>> Also, earlier using VNI 0 was changed from mandatory to one of the options
>>>>>> an implementation may offer to an operator. The most recent discussion was
>>>>>> whether VTEP's MAC address might be used as the destination MAC address in
>>>>>> the inner Ethernet frame. As I recall it, the comments from VXLAN experts
>>>>>> equally split with one for it and one against. Hence I would like to
>>>>>> propose a new text to resolve the issue. The idea is to let an operator
>>>>>> select Management VNI and use that VNI in VXLAN encapsulation of BFD
>>>>>> Control packets:
>>>>>> NEW TEXT:
>>>>>>
>>>>>> An operator MUST select a VNI number to be used as Management VNI.
>>>>>> VXLAN packet for Management VNI MUST NOT be sent to a tenant. VNI number 1
>>>>>> is RECOMMENDED as the default for Management VNI.
>>>>>>
>>>>>> With that new text, what can be the value of the destination MAC in
>>>>>> the inner Ethernet? I tend to believe that it can be anything and ignored
>>>>>> by the reciever VTEP. Also, if the trapping is based on VNI number, the
>>>>>> destination IP address of the inner IP packet can from the range 127/8 for
>>>>>> IPv4, and for IPv6 from the range 0:0:0:0:0:FFFF:7F00:0/104. And lastly,
>>>>>> the TTL to be set to 1 (no change here).
>>>>>>
>>>>>> Much appreciate your comments, questions, and suggestions.
>>>>>>
>>>>>> Best regards,
>>>>>> Greg
>>>>>>
>>>>>

v2.23.0 | Report a Bug | By Email