IETF Logo Mail Archive

Re: [sami] : A new draft on state migration use cases is submitted.

<david.black@emc.com> Wed, 12 October 2011 14:40 UTC

Return-Path: <david.black@emc.com>
X-Original-To: sami@ietfa.amsl.com
Delivered-To: sami@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCD7921F85B8 for <sami@ietfa.amsl.com>; Wed, 12 Oct 2011 07:40:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.498
X-Spam-Level:
X-Spam-Status: No, score=-102.498 tagged_above=-999 required=5 tests=[AWL=-4.101, BAYES_00=-2.599, MIME_BASE64_TEXT=1.753, MIME_CHARSET_FARAWAY=2.45, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LF1V1ZRRetul for <sami@ietfa.amsl.com>; Wed, 12 Oct 2011 07:40:40 -0700 (PDT)
Received: from mexforward.lss.emc.com (mexforward.lss.emc.com [128.222.32.20]) by ietfa.amsl.com (Postfix) with ESMTP id 9503821F85AA for <sami@ietf.org>; Wed, 12 Oct 2011 07:40:40 -0700 (PDT)
Received: from hop04-l1d11-si03.isus.emc.com (HOP04-L1D11-SI03.isus.emc.com [10.254.111.23]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id p9CEecNk032353 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 12 Oct 2011 10:40:38 -0400
Received: from mailhub.lss.emc.com (mailhub.lss.emc.com [10.254.222.130]) by hop04-l1d11-si03.isus.emc.com (RSA Interceptor); Wed, 12 Oct 2011 10:40:24 -0400
Received: from mxhub13.corp.emc.com (mxhub13.corp.emc.com [128.221.56.102]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id p9CEeOYu027205; Wed, 12 Oct 2011 10:40:24 -0400
Received: from mx14a.corp.emc.com ([169.254.1.78]) by mxhub13.corp.emc.com ([128.221.56.102]) with mapi; Wed, 12 Oct 2011 10:40:24 -0400
From: david.black@emc.com
To: melinda.shore@gmail.com
Date: Wed, 12 Oct 2011 10:40:22 -0400
Thread-Topic: [sami]: A new draft on state migration use cases is submitted.
Thread-Index: AcyIqfrZSSFF4hKjSWWTzXCHaoePAQAQAwkQ
Message-ID: <7C4DFCE962635144B8FAE8CA11D0BF1E058CFE5F12@MX14A.corp.emc.com>
References: <CAB+71L3btz_h8Lkm9jW-WHUeS4=K-Jq-r9mmX94=NdHiepkJ-Q@mail.gmail.com> <2CE4AB2F9CD06543A3F2B0FE76661E12125C8295@fzex.ruijie.com.cn> <20111009160138.GB99820@elstar.local> <000601cc86eb$829967f0$87cc37d0$@com> <2CE4AB2F9CD06543A3F2B0FE76661E12125C85F9@fzex.ruijie.com.cn> <4A95BA014132FF49AE685FAB4B9F17F61209F3D1@dfweml506-mbx> <169529F73649BF469B4F61792955CD5C125E230D@fzex.ruijie.com.cn> <20111011075143.GB9466@elstar.local> <CAB+71L1Ltu4TMTwejEzBDPuKcC+_cwF5YqV1fJc_o0t3WhW2gg@mail.gmail.com> <003c01cc888a$a0a230b0$e1e69210$@com> <20111012061738.GB13515@elstar.local> <4E95368D.7000406@gmail.com>
In-Reply-To: <4E95368D.7000406@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: sami@ietf.org
Subject: Re: [sami] : A new draft on state migration use cases is submitted.
X-BeenThere: sami@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: State Migration <sami.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sami>, <mailto:sami-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sami>
List-Post: <mailto:sami@ietf.org>
List-Help: <mailto:sami-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sami>, <mailto:sami-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2011 14:40:50 -0000

Hi Melinda,

> I still think there's a core of an interesting idea here and I'm
> pretty frustrated that on the one hand its advocates have not been
> able to make a stronger case and that on the other hand they won't
> let it stew quietly at the back of the stove for a little while.
> In particular, in a crunchy-on-the-outside network security model
> there's state associated with firewalling and with NAT *in* *network*
> *devices* that will probably need to move, but the authors haven't
> presented a case for that, the service providers are apparently not
> asking for that, and it seems to have drifted out of the picture.
> Instead, we're getting some fairly confusing (and unsupported)
> assertions about performance and DHCP sniffing and all sorts of
> things that mostly leave me doubting what I'm reading (they're
> not helped much by the early history of the cloud/datacenter
> advocacy at the IETF).

I'll go further here - having taken another detailed look, I don't see a
a DHCP snooping/sniffing problem that needs a protocol solution.  The DHCP
snooping/sniffing and related ARP filtering technology is intended to prevent
unwanted changes to MAC/IP address binding (e.g., ARP cache poisoning).  When
a VM moves, MAC/IP bindings are unaffected; what changes is the interface
that the VM's MAC(s) now reside(s) at.  It should be sufficient to ensure
that the gratuitous ARP issued after a VM moves updates not only the MAC
learning tables in the switch, but also any interface information in the
DHCP snooping/sniffing info retained by the switches.

That feels like an implementation problem:
	- Make sure the info obtained from DHCP snooping/sniffing is shared
		across the L2 network domain that supports live VM migration.
		As part of this, the entire L2 network domain should uniformly
		support DHCP snooping/sniffing, not just part of the domain.
	- Make sure that the gratuitous ARP issued after a live VM migration
		updates the interface in the DHCP snooping/sniffing info in
		addition to updating MAC learning information.

I still think there's a firewall problem, but the really compelling case may be
VM live migration across distance (different data centers), and that's still an
emerging use case.  That requires stretching an L2 domain across the data centers
- there are a number of ways to do this, including L2VPNs and OTV (see
draft-hasmit-otv for the latter).

I'm not sure about NAT state, as neither the IP nor the MAC changes when the
VM moves - for this reason, moving a VM across sides of a NAT doesn't seem like
something that's likely to work well.


Thanks,
--David

> -----Original Message-----
> From: sami-bounces@ietf.org [mailto:sami-bounces@ietf.org] On Behalf Of Melinda Shore
> Sent: Wednesday, October 12, 2011 2:41 AM
> To: Juergen Schoenwaelder
> Cc: Yingjie Gu(yingjie); "'卓志强(研七 福州)'"; 'Linda Dunbar'; 'A tao'; "'刘茗(研六 福州)'";
> sami@i etf.org
> Subject: Re: [sami] 答复: A new draft on state migration use cases is submitted.
> 
> On 10/11/11 10:17 PM, Juergen Schoenwaelder wrote:
> > My understanding is that today neither hypervisors nor 'switches'
> > support the state live migration you want.
> 
> There's been some work done around a more static scenario - SCTP and
> NAT - although I'm not sure what state it's in.  Probably worth
> checking out whether anything's been done with regard to this in
> mobile IP.
> 
> I will say, based on the midcom architectural work and the follow-on
> stuff with route-coupled signaling protocols that the topology-related
> problems with moving flow-coupled state around the network is
> exceptionally difficult - sufficiently difficult, I think, that
> it really is a good idea to avoid it when possible.
> 
> I still think there's a core of an interesting idea here and I'm
> pretty frustrated that on the one hand its advocates have not been
> able to make a stronger case and that on the other hand they won't
> let it stew quietly at the back of the stove for a little while.
> In particular, in a crunchy-on-the-outside network security model
> there's state associated with firewalling and with NAT *in* *network*
> *devices* that will probably need to move, but the authors haven't
> presented a case for that, the service providers are apparently not
> asking for that, and it seems to have drifted out of the picture.
> Instead, we're getting some fairly confusing (and unsupported)
> assertions about performance and DHCP sniffing and all sorts of
> things that mostly leave me doubting what I'm reading (they're
> not helped much by the early history of the cloud/datacenter
> advocacy at the IETF).
> 
> If you can forgive a badly-mixed metaphor I think this particular
> stewpot has run out of track.
> 
> Melinda
> _______________________________________________
> sami mailing list
> sami@ietf.org
> https://www.ietf.org/mailman/listinfo/sami

v2.23.0 | Report a Bug | By Email