IETF Logo Mail Archive

Re: [nvo3] BFD over VXLAN: Trapping BFD Control packet at VTEP

Anoop Ghanwani <anoop@alumni.duke.edu> Wed, 23 October 2019 15:21 UTC

Return-Path: <ghanwani@gmail.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13A66120A46; Wed, 23 Oct 2019 08:21:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.423
X-Spam-Level:
X-Spam-Status: No, score=-1.423 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.226, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ibTY6zkcLaXj; Wed, 23 Oct 2019 08:21:12 -0700 (PDT)
Received: from mail-vs1-f42.google.com (mail-vs1-f42.google.com [209.85.217.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA6A0120A42; Wed, 23 Oct 2019 08:21:11 -0700 (PDT)
Received: by mail-vs1-f42.google.com with SMTP id v10so14033276vsc.7; Wed, 23 Oct 2019 08:21:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/3P+8pFuUAvEdS165EWRekYzVXhpHmlRACQ+VET3utI=; b=rp5erwJ1koVDxO41ySkf0Ri/852L6/jX7BNB8RVEg5SeC+UxS/XIERHpftyVtkneF6 Ven7qG3z03FNmC5r/SfgCnnhdl0hZmCz0h4U7ZmQAPsYrLSkan3rU1ZxTARxkKyYNH8u CupkjDRZonOh/lXhF/Peg+jCpuTUYzbKu+ZKQ0BKjmZsKZ3ACgULiNJnWU2eumnZA23g vvSIHzEgVf/ammQ/Tb/bC1RENpKSgrsv9JPBVr6LEIBuUCJ3upYC6MtpR3KzEKT0l8EK xOd/ftVAryWYrEylxHF2/iQ1fzx1ne2r+KpggVTv+0GGBJDCAk+tUWLHgojAwr/W8hYA r04A==
X-Gm-Message-State: APjAAAWEnmy6aa6IfX4wRHBhOTqxgV8YU9zHibN4D8csbDZKiuVoMpIW vgJzR0ROGs/vtW8Fgi9Ekybw8s8/l8GLhBWnbtU=
X-Google-Smtp-Source: APXvYqwH5T9h9nauR1pAwcHyrb0nqLzjnSRZqHfHj5o+M1OVWYsMlBuhY7pCcW3zmnmn9w+9e99G8qqooEJ+SD/xt2I=
X-Received: by 2002:a67:ea09:: with SMTP id g9mr5790718vso.23.1571844070709; Wed, 23 Oct 2019 08:21:10 -0700 (PDT)
MIME-Version: 1.0
References: <CACi9rdu8PKsLW_Pq4ww5DEwLL8Bs6Hq1Je_jmAjES4LKBuE8MQ@mail.gmail.com> <201909251039413767352@zte.com.cn> <CACi9rdv-760M8WgZ1mOOOa=yoJqQFP=vdc3xJKLe7wCR18NSvA@mail.gmail.com> <20191021210752.GA8916@pfrc.org> <0e99a541-b2ca-85d4-4a8f-1165cf7ac01e@joelhalpern.com> <CA+-tSzziDc+Tk8AYfOr5-Xn6oO_uqW2C1dRA9LLOBBVmzVhWEQ@mail.gmail.com> <CA+RyBmVcBgeoGc2z5Gv0grv8OY34tyw+T-T-W2vn1O3AxCSQ9Q@mail.gmail.com> <CA+-tSzyHgspKBfLWZ3C69EBb+-k-POqJ7vG7VoN=g077+qzGBA@mail.gmail.com> <1571795542.10436.5@smtp.gmail.com> <CA+RyBmXkyQMumeCDxM6OSzdn=DCL=aeyQ+tJmUiyEg0VZuUpRg@mail.gmail.com> <1571798869.2855.1@smtp.gmail.com> <CA+-tSzwRWH5w5nNs6Wzm_qkwvTyq=k-TyJmR9XVM9qsh9QKKXA@mail.gmail.com> <5a3165a7-d531-cc7b-828f-78f43d94a54d@joelhalpern.com>
In-Reply-To: <5a3165a7-d531-cc7b-828f-78f43d94a54d@joelhalpern.com>
From: Anoop Ghanwani <anoop@alumni.duke.edu>
Date: Wed, 23 Oct 2019 08:20:59 -0700
Message-ID: <CA+-tSzxoD+ZzT3tp7m=DmxVhJhSJhr0yawpyVeCNiZjaP23XFQ@mail.gmail.com>
Subject: Re: [nvo3] BFD over VXLAN: Trapping BFD Control packet at VTEP
To: "Joel M. Halpern" <jmh@joelhalpern.com>
Cc: Dinesh Dutt <didutt@gmail.com>, Greg Mirsky <gregimirsky@gmail.com>, draft-ietf-bfd-vxlan@ietf.org, NVO3 <nvo3@ietf.org>, Santosh P K <santosh.pallagatti@gmail.com>, Jeffrey Haas <jhaas@pfrc.org>, rtg-bfd WG <rtg-bfd@ietf.org>, "T. Sridhar" <tsridhar@vmware.com>, xiao.min2@zte.com.cn
Content-Type: multipart/alternative; boundary="0000000000007a20b6059595773a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/tMGbOMYwh5z9KxcaHy5shjpTtVs>
X-Mailman-Approved-At: Wed, 23 Oct 2019 11:02:10 -0700
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Oct 2019 15:21:16 -0000

Thanks Joel.

I see the issue.  In the case of IRB, the VTEP will likely have IP
addresses assigned from the tenant space for each VNI.  But if there is no
IRB, then it could be a problem.  Thus far, my assumption had been that the
underlay address would be used and that the inner addresses would be
inconsequential in terms of terminating the BFD messages.  But I can see
now how that would cause problems if the tenant devices are running BFD and
their addresses conflict with the underlay's addresses.

As indicated by Santosh, it looks like there's a precedence with MPLS OAM
using 127/8 so perhaps that is a reasonable solution.  I also think that
setting the TTL to 1 to prevent leakage may not work because the TTL would
not be decremented at the VTEP.  The outer TTL would just be checked, and
the inner TTL would be decremented only if routing.

The language around tenant IP may need to be clarified a bit because the
VTEP may have IP addresses from the tenant space assigned to its interfaces
when it's doing IRB.

Anoop

On Wed, Oct 23, 2019 at 4:49 AM Joel M. Halpern <jmh@joelhalpern.com> wrote:

> Anoop, you refer to "the destination VTEP's IP address".  Since this is
> a field inside the Ethernet header inside the VxLAN header, what VTEP
> assigned IP address?  The customer (whose address space this is in may
> not be using IP.  Or may be using IP and presumably has NOT assigned an
> IP address to the VTEP.
>
> If we were using VNI 0, then wew would be free to use whatever IP
> address we wanted, as there would be no tenant.  Since folks seem to
> want to use option #2, something has to go in the IP dest address.
> Since there is no IP assigned to the VTEP within the VNI being tested,
> we have to specify something.
>
> Yours,
> Joel
>
> On 10/23/2019 2:09 AM, Anoop Ghanwani wrote:
> > Hi Greg,
> >
> > The part about the use of 127/8 address appears to be a new thing
> > introduced in the version of the draft that is as of yet unpublished.
> > What was the motivation for the change?  Previously, the DA was simply
> > set to the destination VTEP's IP address which seemed fine.
> >
> > Anoop
> >
> > On Tue, Oct 22, 2019 at 7:48 PM Dinesh Dutt <didutt@gmail.com
> > <mailto:didutt@gmail.com>> wrote:
> >
> >     Greg,
> >
> >     Two comments, one minor and one maybe not.
> >
> >     - In section 3, there's a sentence that is: "BFD packets intended
> >     for a Hypervisor VTEP MUST NOT..". I recommend getting rid of the
> >     word "Hypervisor" ashe logic applies to any VTEP.
> >
> >     - You already explained the precedence of the use of 127/8 address
> >     in the inner header in MPLS. I have no specific comments in that
> >     area. I have only two questions:
> >         - Has anybody verified that the use of 127/8 address (and the
> >     right MAC) works with existing implementations, including the
> >     silicon ones? If this doesn't work there, is it worth adding the
> >     possibilit y of another address, one that is owned by the VTEP node?
> >         - Do we know if Firewalls stop such VXLAN packets? I ask this
> >     because VXLAN has an IP header and I don't know if firewalls stop
> >     packets with 127/8 in the inner header. If not, is it worth adding a
> >     sentence to say that firewalls  allow such packets? The use of a
> >     non-127/8 address may alleviate this case as well.
> >
> >     The rest of the draft looks good to me,
> >
> >     Dinesh
> >
> >     On Wed, Oct 23, 2019 at 7:58 AM, Greg Mirsky <gregimirsky@gmail.com
> >     <mailto:gregimirsky@gmail.com>> wrote:
> >>     Hi Dinesh,
> >>     I greatly appreciate your comments. Please heave a look at the
> >>     attached copy of the working version and its diff to -07 (latest
> >>     in the datatracker).
> >>
> >>     Regards,
> >>     Greg
> >>
> >>     On Tue, Oct 22, 2019 at 9:52 PM Dinesh Dutt <didutt@gmail.com
> >>     <mailto:didutt@gmail.com>> wrote:
> >>
> >>         I have the same feeling as Anoop. Greg, can you please point
> >>         me to the latest draft so that I can quickly glance through it
> >>         to be doubly sure,
> >>
> >>         Dinesh
> >>
> >>         On Wed, Oct 23, 2019 at 4:35 AM, Anoop Ghanwani
> >>         <anoop@alumni.duke.edu <mailto:anoop@alumni.duke.edu>> wrote:
> >>>         Greg,
> >>>
> >>>         I think the draft is fine as is.
> >>>
> >>>         I discussion with Xiao Min was about #3 and I see that as
> >>>         unnecessary until we have a draft that explains why that is
> >>>         needed in the context of the NVO3 architecture.
> >>>
> >>>         Anoop
> >>>
> >>>         On Tue, Oct 22, 2019 at 11:17 AM Greg Mirsky
> >>>         <gregimirsky@gmail.com <mailto:gregimirsky@gmail.com>> wrote:
> >>>
> >>>             Hi Anoop, et al.,
> >>>             I agree with your understanding of what is being defined
> >>>             in the current version of the BFD over VxLAN
> >>>             specification. But, as I understand, the WG is discussing
> >>>             the scope before the WGLC is closed. I believe there are
> >>>             three options:
> >>>
> >>>              1. single BFD session between two VTEPs
> >>>              2. single BFD session per VNI between two VTEPs
> >>>              3. multiple BFD sessions per VNI between two VTEPs
> >>>
> >>>             The current text reflects #2. Is WG accepts this scope?
> >>>             If not, which option WG would accept?
> >>>
> >>>             Regards,
> >>>             Greg
> >>>
> >>>             On Tue, Oct 22, 2019 at 2:09 PM Anoop Ghanwani
> >>>             <anoop@alumni.duke.edu <mailto:anoop@alumni.duke.edu>>
> wrote:
> >>>
> >>>                 I concur with Joel's assessment with the following
> >>>                 clarifications.
> >>>
> >>>                 The current document is already capable of monitoring
> >>>                 multiple VNIs between VTEPs.
> >>>
> >>>                 The issue under discussion was how do we use BFD to
> >>>                 monitor multiple VAPs that use the same VNI between a
> >>>                 pair of VTEPs.  The use case for this is not clear to
> >>>                 me, as from my understanding, we cannot have a
> >>>                 situation with multiple VAPs using the same
> >>>                 VNI--there is 1:1 mapping between VAP and VNI.
> >>>
> >>>                 Anoop
> >>>
> >>>                 On Tue, Oct 22, 2019 at 6:06 AM Joel M. Halpern
> >>>                 <jmh@joelhalpern.com <mailto:jmh@joelhalpern.com>>
> wrote:
> >>>
> >>>                      From what I can tell, there are two separate
> >>>                     problems.
> >>>                     The document we have is a VTEP-VTEP monitoring
> >>>                     document.  There is no
> >>>                     need for that document to handle the multiple VNI
> >>>                     case.
> >>>                     If folks want a protocol for doing BFD monitoring
> >>>                     of things behind the
> >>>                     VTEPs (multiple VNIs), then do that as a separate
> >>>                     document.   The
> >>>                     encoding will be a tenant encoding, and thus
> >>>                     sesparate from what is
> >>>                     defined in this document.
> >>>
> >>>                     Yours,
> >>>                     Joel
> >>>
> >>>                     On 10/21/2019 5:07 PM, Jeffrey Haas wrote:
> >>>                     > Santosh and others,
> >>>                     >
> >>>                     > On Thu, Oct 03, 2019 at 07:50:20PM +0530,
> >>>                     Santosh P K wrote:
> >>>                     >>     Thanks for your explanation. This helps a
> >>>                     lot. I would wait for more
> >>>                     >> comments from others to see if this what we
> >>>                     need in this draft to be
> >>>                     >> supported based on that we can provide
> >>>                     appropriate sections in the draft.
> >>>                     >
> >>>                     > The threads on the list have spidered to the
> >>>                     point where it is challenging
> >>>                     > to follow what the current status of the draft
> >>>                     is, or should be.  :-)
> >>>                     >
> >>>                     > However, if I've followed things properly, the
> >>>                     question below is really the
> >>>                     > hinge point on what our encapsulation for BFD
> >>>                     over vxlan should look like.
> >>>                     > Correct?
> >>>                     >
> >>>                     > Essentially, do we or do we not require the
> >>>                     ability to permit multiple BFD
> >>>                     > sessions between distinct VAPs?
> >>>                     >
> >>>                     > If this is so, do we have a sense as to how we
> >>>                     should proceed?
> >>>                     >
> >>>                     > -- Jeff
> >>>                     >
> >>>                     > [context preserved below...]
> >>>                     >
> >>>                     >> Santosh P K
> >>>                     >>
> >>>                     >> On Wed, Sep 25, 2019 at 8:10 AM
> >>>                     <xiao.min2@zte.com.cn
> >>>                     <mailto:xiao.min2@zte.com.cn>> wrote:
> >>>                     >>
> >>>                     >>> Hi Santosh,
> >>>                     >>>
> >>>                     >>>
> >>>                     >>> With regard to the question whether we should
> >>>                     allow multiple BFD sessions
> >>>                     >>> for the same VNI or not, IMHO we should allow
> >>>                     it, more explanation as
> >>>                     >>> follows.
> >>>                     >>>
> >>>                     >>> Below is a figure derived from figure 2 of
> >>>                     RFC8014 (An Architecture for
> >>>                     >>> Data-Center Network Virtualization over Layer
> >>>                     3 (NVO3)).
> >>>                     >>>
> >>>                     >>>                      |         Data Center
> >>>                     Network (IP)        |
> >>>                     >>>                      |
> >>>                                      |
> >>>                     >>>
> >>>                     +-----------------------------------------+
> >>>                     >>>                           |
> >>>                              |
> >>>                     >>>                           |       Tunnel
> >>>                     Overlay      |
> >>>                     >>>              +------------+---------+
> >>>                      +---------+------------+
> >>>                     >>>              | +----------+-------+ |       |
> >>>                     +-------+----------+ |
> >>>                     >>>              | |  Overlay Module  | |       |
> >>>                     |  Overlay Module  | |
> >>>                     >>>              | +---------+--------+ |       |
> >>>                     +---------+--------+ |
> >>>                     >>>              |           |          |
> >>>                      |           |          |
> >>>                     >>>       NVE1   |           |          |
> >>>                      |           |          | NVE2
> >>>                     >>>              |  +--------+-------+  |
> >>>                      |  +--------+-------+  |
> >>>                     >>>              |  |VNI1 VNI2  VNI1 |  |
> >>>                      |  | VNI1 VNI2 VNI1 |  |
> >>>                     >>>              |  +-+-----+----+---+  |
> >>>                      |  +-+-----+-----+--+  |
> >>>                     >>>              |VAP1| VAP2|    | VAP3 |
> >>>                      |VAP1| VAP2|     | VAP3|
> >>>                     >>>              +----+-----+----+------+
> >>>                      +----+-----+-----+-----+
> >>>                     >>>                   |     |    |
> >>>                        |     |     |
> >>>                     >>>                   |     |    |
> >>>                        |     |     |
> >>>                     >>>                   |     |    |
> >>>                        |     |     |
> >>>                     >>>
> >>>
>  -------+-----+----+-------------------+-----+-----+-------
> >>>                     >>>                   |     |    |     Tenant
> >>>                         |     |     |
> >>>                     >>>              TSI1 | TSI2|    | TSI3
> >>>                     TSI1| TSI2|     |TSI3
> >>>                     >>>                  +---+ +---+ +---+
> >>>                      +---+ +---+   +---+
> >>>                     >>>                  |TS1| |TS2| |TS3|
> >>>                      |TS4| |TS5|   |TS6|
> >>>                     >>>                  +---+ +---+ +---+
> >>>                      +---+ +---+   +---+
> >>>                     >>>
> >>>                     >>> To my understanding, the BFD sessions between
> >>>                     NVE1 and NVE2 are actually
> >>>                     >>> initiated and terminated at VAP of NVE.
> >>>                     >>>
> >>>                     >>> If the network operator want to set up one
> >>>                     BFD session between VAP1 of
> >>>                     >>> NVE1 and VAP1of NVE2, at the same time
> >>>                     another BFD session between VAP3 of
> >>>                     >>> NVE1 and VAP3 of NVE2, although the two BFD
> >>>                     sessions are for the same
> >>>                     >>> VNI1, I believe it's reasonable, so that's
> >>>                     why I think we should allow it
> >>>
> >>>                     _______________________________________________
> >>>                     nvo3 mailing list
> >>>                     nvo3@ietf.org <mailto:nvo3@ietf.org>
> >>>                     https://www.ietf.org/mailman/listinfo/nvo3
> >>>
> >
> > _______________________________________________
> > nvo3 mailing list
> > nvo3@ietf.org
> > https://www.ietf.org/mailman/listinfo/nvo3
> >
>

v2.23.0 | Report a Bug | By Email