Re: [nvo3] BFD over VXLAN: Trapping BFD Control packet at VTEP

Greg Mirsky <gregimirsky@gmail.com> Thu, 31 October 2019 20:10 UTC

From: Greg Mirsky <gregimirsky@gmail.com>
Date: Thu, 31 Oct 2019 13:09:50 -0700
Message-ID: <CA+RyBmWjOOoAggEqGJVCFACUHTw=cyBokS8xCX1gj85c5vcTEA@mail.gmail.com>
Subject: Re: [nvo3] BFD over VXLAN: Trapping BFD Control packet at VTEP
To: Jeffrey Haas <jhaas@pfrc.org>
Cc: "Joel M. Halpern" <jmh@joelhalpern.com>, Dinesh Dutt <didutt@gmail.com>, Anoop Ghanwani <anoop@alumni.duke.edu>, Santosh P K <santosh.pallagatti@gmail.com>, NVO3 <nvo3@ietf.org>, draft-ietf-bfd-vxlan@ietf.org, rtg-bfd WG <rtg-bfd@ietf.org>, "T. Sridhar" <tsridhar@vmware.com>, xiao.min2@zte.com.cn
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/t5nMT4C_HqIillKTc-w9SC_hNIU>

Thank you, Joel and Jeff.

I'll upload the working version shortly. I hope that updates will address
all comments and concerns shared on several threads by Anoop, Dinesh, Joel,
and many others. I greatly value and appreciate the time, expertise, and
consideration you've given to this work, and have shared with me.

Regards,
Greg

On Thu, Oct 31, 2019 at 9:22 AM Jeffrey Haas <jhaas@pfrc.org> wrote:

> I also agree with Joel.
>
> -- Jeff
>
>
> > On Oct 31, 2019, at 11:59 AM, Joel M. Halpern <jmh@joelhalpern.com> wrote:
> >
> > Explicitly restricting the discard behavior to the management VNI takes care of my concern.
> >
> > Thank you,
> > Joel
> >
> > On 10/31/2019 11:48 AM, Greg Mirsky wrote:
> >> Hi Jeff,
> >> thank you for the detailed clarification of your questions. Please find my follow-up notes in-lined tagged GIM2>>.
> >> Regards,
> >> Greg
> >> On Wed, Oct 30, 2019 at 2:14 PM Jeffrey Haas <jhaas@pfrc.org> wrote:
> >>    Greg,
> >>    On Wed, Oct 30, 2019 at 01:58:30PM -0700, Greg Mirsky wrote:
> >>     > On Wed, Oct 30, 2019 at 1:27 PM Jeffrey Haas <jhaas@pfrc.org> wrote:
> >>     >
> >>     > > Greg,
> >>     > >
> >>     > > From the updated text:
> >>     > >
> >>     > > "At the same time, a service layer BFD session may be used between the
> >>     > > tenants of VTEPs IP1 and IP2 to provide end-to-end fault management. In
> >>     > > such case, for VTEPs BFD Control packets of that session are
> >>     > > indistinguishable from data packets.  If end-to-end defect detection is
> >>     > > realized as the set of concatenated OAM domains, e.g., VM1-1 - IP1 --
> >>     > > IP2 - VM2-1, then the BFD session over VXLAN between VTEPs SHOULD
> >>     > > follow the procedures described in Section 6.8.17 [RFC5880]."
> >>     > >
> >>     > > In the case that two VMs are running BFD to each other as a user application
> >>     > > rather than as part of the virtualized environment, it's unlikely that
> >>     > > they'd be treated as concatenated domains.  To do so, the tenant VMs would
> >>     > > have to have a sense that they are indeed virtual.
> >>     > >
> >>     > > Is your intent in this text that BFD implementations on the server should
> >>     > > detect BFD sessions between servers and change them to a concatenated
> >>     > > session?
> >>     > >
> >>     > GIM>> No, we do not suggest that the concatenation of BFD sessions be
> >>     > automagical. That may be controlled via the management plane though.
> >>    Then my suggestion is we may not want this text.
> >>    It's fine to say "if tenants want to run BFD to each other, and that is
> >>    standard BFD (RFC 5881) from the perspective of those tenants" if that's
> >>    your intent.  Leave automagic out of the spec. :-)
> >> GIM2>> I'd take the passage referring to the concatenated path out. That will leave it as:
> >>    At the same time, a service layer BFD session may be used between the
> >>    tenants of VTEPs IP1 and IP2 to provide end-to-end fault management.
> >>    In such case, for VTEPs BFD Control packets of that session are
> >>    indistinguishable from data packets.
> >>     > > Section 5 comment:
> >>     > >
> >>     > > :   The UDP destination port and the TTL of the inner IP packet MUST be
> >>     > > :   validated to determine if the received packet can be processed by
> >>     > > :   BFD.  BFD Control packets with unknown MAC address MUST NOT be
> >>     > > :   forwarded to VMs.
> >>     > >
> >>     > > I'd suggest pushing the second sentence into the prior section since it
> >>     > > deals with MAC addresses rather than the UDP procedures.
> >>     > >
> >>     > GIM>> Could you please clarify your suggestion - move to Section 4 or to
> >>     > the preceding paragraph? I think it is the latter but wanted to make sure.
> >>    Full section 5 from your draft-8 candidate:
> >>    : 5.  Reception of BFD Packet from VXLAN Tunnel
> >>    :
> >>    :    Once a packet is received, the VTEP MUST validate the packet.  If the
> >>    :    Destination MAC of the inner Ethernet frame matches one of the MAC
> >>    :    addresses associated with the VTEP the packet MUST be processed
> >>    :    further.  If the Destination MAC of the inner Ethernet frame doesn't
> >>    :    match any of VTEP's MAC addresses, then the processing of the
> >>    :    received VXLAN packet MUST follow the procedures described in
> >>    :    Section 4.1 [RFC7348].
> >>    It's not clear what that procedure is, with respect to BFD.  Section 4.1
> >>    basically says that when a mapping is discovered, deliver it to that VM
> >>    with headers removed.
> >>    Section 4.1 really doesn't discuss dropping behavior.
> >>    :
> >>    :    The UDP destination port and the TTL of the inner IP packet MUST be
> >>    :    validated to determine if the received packet can be processed by
> >>    :    BFD.
> >>    This is fine.
> >>    :    BFD Control packets with unknown MAC address MUST NOT be
> >>    :    forwarded to VMs.
> >>    This appears to be clarifying the missing point in the prior paragraph.  If
> >>    that's the case, why is this sentence not part of the prior paragraph?
> >> GIM>> So I thought. Moving the sentence to the first paragraph highlighted the contradiction others had pointed out earlier:
> >> On the one hand:
> >>    If the Destination MAC of the inner Ethernet frame doesn't
> >>    match any of VTEP's MAC addresses, then the processing of the
> >>    received VXLAN packet MUST follow the procedures described in
> >>    Section 4.1 [RFC7348].
> >> To which we add:
> >>    BFD Control packets with unknown MAC address
> >>    MUST NOT be forwarded to VMs.
> >> But the unknown MACs are treated as BUM according to the last paragraph in Section 4.2 of RFC 7348:
> >>    Note that multicast frames and "unknown MAC destination" frames are
> >>    also sent using the multicast tree, similar to the broadcast frames.
> >> In light of that, can this draft require that BFD packets with unknown MAC be dropped and not flooded over the corresponding to the VNI domain? I think that in addition to moving the sentence up the statement must be updated:
> >> OLD TEXT:
> >>    BFD Control packets with unknown MAC address
> >>    MUST NOT be forwarded to VMs.
> >> NEW TEXT:
> >>    If the BFD session is using the Management VNI (Section 6),
> >>    BFD Control packets with unknown MAC address
> >>    MUST NOT be forwarded to VMs.
> >>  Comments? Suggestions?
> >>    -- Jeff
>
>
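
The receive-side checks discussed in this thread (inner destination MAC, then inner UDP destination port and TTL, with discard of unknown-MAC BFD packets restricted to the Management VNI), sketched as an added example that is not part of the thread or of the draft. It assumes an untagged inner IPv4 frame, treats "unknown MAC" as "not one of the VTEP's MACs", takes port 3784 and TTL 255 from RFC 5881, and uses hypothetical names and return labels; the sample packets are constructed.

```python
import struct

BFD_PORT = 3784      # single-hop BFD Control destination port (RFC 5881)
BFD_TTL = 255        # TTL value checked on receipt (RFC 5881)
ETH_IPV4, IP_UDP = 0x0800, 17

def parse_inner(buf):
    """Parse from the VXLAN header onward; return (vni, dst_mac, ttl, udp_dport)
    or None. ttl/udp_dport are None when the inner frame is not IPv4/UDP."""
    if len(buf) < 8 + 14 or not buf[0] & 0x08:        # I flag: VNI is valid
        return None
    vni = int.from_bytes(buf[4:7], "big")
    eth = buf[8:]
    dst_mac, ethertype = eth[0:6], struct.unpack("!H", eth[12:14])[0]
    ip = eth[14:]
    if ethertype != ETH_IPV4 or len(ip) < 20 or ip[0] >> 4 != 4:
        return vni, dst_mac, None, None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ip[9] != IP_UDP or len(ip) < ihl + 8:
        return vni, dst_mac, None, None
    dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return vni, dst_mac, ip[8], dport

def classify(buf, vtep_macs, mgmt_vni):
    """Return 'bfd', 'not-bfd', 'discard' or 'rfc7348' (hypothetical labels)."""
    parsed = parse_inner(buf)
    if parsed is None:
        return "discard"
    vni, dst_mac, ttl, dport = parsed
    if dst_mac in vtep_macs:
        # Addressed to the VTEP: port and TTL decide whether BFD may process it.
        return "bfd" if (dport == BFD_PORT and ttl == BFD_TTL) else "not-bfd"
    if vni == mgmt_vni and dport == BFD_PORT:
        # Proposed NEW TEXT: on the Management VNI, do not forward to VMs.
        return "discard"
    return "rfc7348"  # tenant VNI: looks like data, normal VXLAN handling

def build(vni, dst_mac, ttl, dport):
    """Constructed sample: VXLAN header + inner Ethernet/IPv4/UDP + 24-byte body."""
    vx = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = dst_mac + bytes.fromhex("020000000002") + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 52, 0, 0, ttl, IP_UDP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 49152, dport, 32, 0)
    return vx + eth + ip + udp + bytes(24)
```

The last branch is where the contradiction raised in the thread shows up: outside the Management VNI, a frame whose destination MAC is not the VTEP's is handled as RFC 7348 describes, so a tenant's BFD packet is treated like any other data frame.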