IETF Logo Mail Archive

Re: [sfc] I-D Action: draft-ietf-sfc-nsh-ecn-support-09.txt

Donald Eastlake <d3e3e3@gmail.com> Mon, 25 April 2022 16:23 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE714C157B5A for <sfc@ietfa.amsl.com>; Mon, 25 Apr 2022 09:23:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.053
X-Spam-Level:
X-Spam-Status: No, score=0.053 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B5ma3InUhVni for <sfc@ietfa.amsl.com>; Mon, 25 Apr 2022 09:23:37 -0700 (PDT)
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD764C157B4B for <sfc@ietf.org>; Mon, 25 Apr 2022 09:23:08 -0700 (PDT)
Received: by mail-ej1-x62d.google.com with SMTP id bv19so30645829ejb.6 for <sfc@ietf.org>; Mon, 25 Apr 2022 09:23:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SPK/2q9igN/thl0BKUho/qhddENMNiSVxhUg568tVcE=; b=ljMWN/U1Ol9q+4ir1TYIgZnYkqj7XAm6QZNKUmpGJRYOa2Uaw9CVNSWgmgxs5P6tsI s00ZB1q8/CvPo2ga8BrEkAue1m73Qm+O2yYvFsLqHcXodGTfRi7dgdorrNjzsoklZ4QV NT9xD4hZng6k60V0PTPAd+czBIeFej5t02m5u1mbK49thywjwlDvsICjJq+KJUX/BdcR nWb23XBMEM6Nzz7sydxWTN6SRg43QEAuHJQ7azawLVGrtOKpbWvJlWSoQbKWrR2QRYFh tp82kZx8uWNDQqTDkNkflCNNaST+ms4aCyPQ7Z4MbK/jp/2a+x91udthvSeAQLFI35si NswQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SPK/2q9igN/thl0BKUho/qhddENMNiSVxhUg568tVcE=; b=rL1hy/BrG+1TwD8GWUoRmytIfDwVaCKE5Yve8bSOjiQkv5qFpHmAQB1xqe55qi06y9 KswdvPEV5wXFch6UXCRaKF7agh/YDDwdECASvQz4r/mtmcpZjfNpmkkREm3H2eVVtjjV g6NWJF+kAGY2JxmaaPFicAzm8Lj7JnFEK6optrhemz+XqgwGVFQET+CGv3PCrH7ztxmI n4Op8xBSqJjn/f3BaVPK49NlcP5b7Mhl9sBsAbTz2jljChirJ3hOYVmjp1SJpvKwqwJ2 4hDKqzWDLv/aR+uc5Jj2yT4motHkSFqtlRgafv29w/huM+XOhrSP4qqcRjFx5SvJ/O7m vIBA==
X-Gm-Message-State: AOAM532oRIxo1LaOdpGRV3s/NYMhCP4iGEgiGU8ns2QNd4u3qeX2sEl4 /C/1G4bHnBTTgYIYRuwpo0FAmTfSJ/XYAL/N/+1jwzhZzdA=
X-Google-Smtp-Source: ABdhPJxsKYPQsQmLREEYNwC56KC2mVBCmz6vSOYy1h+5A7/ArpcqjF88UZeZs6Mpb4Y8tgybYHhqbwqV2Py0hb53r0U=
X-Received: by 2002:a2e:a889:0:b0:24e:e9cd:dbe7 with SMTP id m9-20020a2ea889000000b0024ee9cddbe7mr11655489ljq.336.1650902265220; Mon, 25 Apr 2022 08:57:45 -0700 (PDT)
MIME-Version: 1.0
References: <165031936696.2628.12249583234819069643@ietfa.amsl.com> <CAF4+nEFxgS_8MazZjV-RM+xdCuHCcJnNoEmQa+AXnVp_Dqhgxw@mail.gmail.com> <CAA=duU0WXbTkAH50HXV7fT6kfrxMZ6JuJ6v0V1isL54opUR+8A@mail.gmail.com> <16754_1650372035_625EADC3_16754_66_33_eb5e074ed5314a508cb39c47988d8f7f@orange.com> <CAF4+nEFvd8aZTfPRcHrQo_ytiTTrS7TxaU_6_=UnDOkzghR1sw@mail.gmail.com> <23602_1650434890_625FA34A_23602_359_1_5bb576db092f44c39570f0a1d4f66be8@orange.com> <CAF4+nEEnWYpPk2-F9sv0rbM4rxZoMFW6s7Y3Vt8ZtWWabd1q-Q@mail.gmail.com> <24401_1650894244_6266A5A3_24401_475_1_b224ba20ab624fde9a0ca04d74b029f9@orange.com>
In-Reply-To: <24401_1650894244_6266A5A3_24401_475_1_b224ba20ab624fde9a0ca04d74b029f9@orange.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Mon, 25 Apr 2022 11:57:33 -0400
Message-ID: <CAF4+nEH7x7PkytAqerGe62G1vCWFOKsZey3giC+_ecRMWj=73g@mail.gmail.com>
To: mohamed.boucadair@orange.com
Cc: "sfc@ietf.org" <sfc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000013d39f05dd7ca359"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/c2-3hKgR2OOxOJ3Vbdb503rAPik>
Subject: Re: [sfc] I-D Action: draft-ietf-sfc-nsh-ecn-support-09.txt
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 16:23:41 -0000

Hi Med,

On Mon, Apr 25, 2022 at 9:44 AM <mohamed.boucadair@orange.com> wrote:

> Hi Donald,
>
>
>
> Thank you.
>
>
>
> I think there is a disconnect. I’m all OK with incremental deployment, in
> general. However:
>

I agree there is a disconnect. We agree on the facts, we just disagree on
the implication of these facts.


> ** The NSH/transport encap is stripped ** by design ** by the last SFF in
> the SFP. This SFF is what behaves as the (tunnel) egress node.
>

I agree with that.


> ** Given that:
>
>
>
>       The specification of ECN tunneling [RFC6040
> <https://datatracker.ietf.org/doc/html/rfc6040>] explains that an
>
>       ingress must not propagate ECN support into an encapsulating
>
>       header unless the egress supports correct onward propagation of^
>
>              ^^^^^^^^^^^^^^^^^^^^^^^^^
>
>       the ECN field during decapsulation.
>

Yes, RFC 6040 says that.


> and
>
>
>
>       Section 3.3
> <https://datatracker.ietf.org/doc/html/draft-ietf-sfc-nsh-ecn-support#section-3.3>
> requires that all the egress nodes of the SFC enabled
>
>                                 ^^^^^^^^^^^^^^^^^^^^
>
>       domain support Compliant ECN Decapsulation in conjunction with
>
>       tunnel congestion feedback, otherwise the scheme in this document
>
>       will not work.*\*
>

Yes, all the nodes actually used as an egress need to support Compliant ECN
Decapsulation.


> then, one can conclude that every SFF has to support the feedback
> mechanism for the proposed mechanism to work.
>

I disagree. Only SFFs that can actually be an egress for the flows to which
the mechanism is being applied need to support the mechanism. In an
SFC-enabled domain that is being used so that only a subset of the SFFs can
act as egress for flows to which the mechanism is being applied, only that
subset need implement the mechanism.

For example, assume an SFF offering service via a number of simple NAT SFs.
Such an SFF will not be the egress; therefore, that SFF does not need to
implement the mechanism.

For another example, assume many flows coming into an SFC-enabled domain
via an ingress. But the network manager only wants to apply this mechanism
to one flow or a small set of flows. Whether a particular SFF in the domain
needs to implement this mechanism depends only on whether it can be an
egress for the flows to which the mechanism is applied. Even an SFF that is
frequently the egress for many other flows does not need to implement this
mechanism if it will not be the egress for at least one flow to which the
mechanism is being applied.

Since your conclusion does not follow from the facts, I do not currently
plan any fundamental change to the draft with regard to this issue. I will
try to change the wording a bit to clarify things,

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@gmail.com


> Cheers,
>
> Med
>
>
>
> *De :* Donald Eastlake <d3e3e3@gmail.com>
> *Envoyé :* jeudi 21 avril 2022 18:03
> *À :* BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>
> *Cc :* sfc@ietf.org
> *Objet :* Re: [sfc] I-D Action: draft-ietf-sfc-nsh-ecn-support-09.txt
>
>
>
> Hi Med,
>
>
>
> Thanks for your response and various pointers in it to things that may be
> included in the next revision.
>
>
>
> However, there is one point on which I disagree with you:
>
> Say you have a network of N nodes and are adding a feature. Furthermore,
> there are ways of using that network that need that feature and that make
> use of the feature at different subsets of those N nodes. While it might be
> desirable to implement the feature on all nodes, it is also possible to
> simply choose to make use of the network such that you only use the nodes
> at which the feature is implemented. So, I completely disagree
> that specification of such a feature must mandate implementation at every
> node in such a network.
>
>
> Thanks,
> Donald
> ===============================
>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>  2386 Panoramic Circle, Apopka, FL 32703 USA
>  d3e3e3@gmail.com
>
>
>
>
>
> On Wed, Apr 20, 2022 at 2:08 AM <mohamed.boucadair@orange.com> wrote:
>
> Hi Donald,
>
>
>
> Please see inline.
>
>
>
> Cheers,
>
> Med
>
>
>
> *De :* Donald Eastlake <d3e3e3@gmail.com>
> *Envoyé :* mercredi 20 avril 2022 01:02
> *À :* BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>
> *Cc :* sfc@ietf.org
> *Objet :* Re: [sfc] I-D Action: draft-ietf-sfc-nsh-ecn-support-09.txt
>
>
>
> Hi Med,
>
>
>
> On Tue, Apr 19, 2022 at 8:40 AM <mohamed.boucadair@orange.com> wrote:
>
> Hi Andy, all,
>
>
>
> One of the reasons why I suggested to consider Experimental is that I’m
> not sure that it is justified to require classifiers and **every** SFFs to
> behave as **both** IPFIX collectors/exporters while other approaches can be
> considered:
>
>
>
> I don't think the draft imposes a requirement on every SFF to be an IPFIX
> collector/exporter, just on the ingress and egress nodes for the flows of
> interest.
>
> *[Med] I think it does. The reasoning is as follows: *
>
> ** The SFC architecture does not make any assumption on the chains that
> can be instantiated in a domain. So, every SFF can potentially terminate a
> service chain.*
>
> ** An SFF that terminates a service chain is the egress for that chain. A
> terminating SFF is responsible for striping the NSH. *
>
>
>
> On the other hand, it is helpful for every SFF and, indeed, every node
> containing a queue that could  be congested, to be ECN-aware.
>
>
>
> But it is not fatal if some are not. It is just the congestion at
> non-ECN-aware nodes will be unmanaged,
>
> *[Med] I think you have already a note in the draft that covers this part.
> *
>
>
>
> e.g., the cumulative data from ingress to last SFF can be passed using a
> dedicated NSH TLV and, as such, we can get rid of this reco:
>
>
>
> The ingress MUST be configured to know the
>
>    relevant egress for a flow.
>
>
>
> I agree that the above "MUST" statement, which was just added in the last
> revision, needs further elaboration. There needs to be some way to get
> IPFIX messages from ingress to egress. I can think of three general ways:
>
> *[Med] Thank you for sharing this fair summary.*
>
>
>
> 1. IPFIX over the SFC domain's transport layer protocol such as sending
> the messages via SCTP over IP if IP is supported throughout the domain,
> which is the recommended method if it is available. This requires the
> ingress to be configured with additional information.
>
>
>
> *[Med] Indeed. Please note that the configured egress for a chain may not
> be the actual one that will be used for a given flow when reclassification
> happens on-path (rfc7665#section-4.8). An approach to avoid the
> configuration of the egress nodes is to use an NSH OAM trace message to
> discover the egress for a chain and then use whatever discovered egress to
> send the ecn data.  *
>
>
>
> 2. IPFIX over NSH. This would require assigning a new Next Protocol value
> for the NSH Next Protocol field for IPFIX. (Alternatively, you could use
> something more complex like IPFIX over UDP over IP over NSH but it is not
> clear what would be gained by the additional complexity and packet length.)
> This would normally use a different SPI, which would have to be configured,
> from the SPI used for data, to convey the IPFIX message more directly from
> ingress to egress.
>
>
>
> *[Med] I guess this one requires also knowing the egress nodes.  *
>
>
>
> 3. IPFIX via NSH TLV. This could be done but it would probably require
> using MD Type 2 and subject IPFIX messages to the same path and data delays
> / loss as user data. On the other hand, it might get the IPFIX message to
> the egress with minimal additional configuration at the ingress.
>
> *[Med] A variant would be to make use of rfc8393.html#section-6.4 to
> interleave these packets with data packets. *
>
>
>
> The draft suggests using NSH steering for IPFIX messages if direct
> transport protocol connectivity between ingress and egress is problematic
> but is not clear whether this means 2 or 3 above and whichever of these it
> is suggesting, the draft does not provide sufficient detail so that needs
> to be added. The draft recommends using a higher priority for IPFIX
> messages than for user data. Methods 1 and 2 above facilitate while this
> might be impractical for Method 3, causing re-ordering.
>
>
>
> I think details for Method 2 should be added to the draft.
>
>
>
> *[Med] I agree that the current mention of IPFIX over NSH in the draft is
> underspecified.   *
>
>
> Thanks,
> Donald
> ===============================
>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>  2386 Panoramic Circle, Apopka, FL 32703 USA
>  d3e3e3@gmail.com
>
>
>
> Cheers,
>
> Med
>
>
>
> *De :* sfc <sfc-bounces@ietf.org> *De la part de* Andrew G. Malis
> *Envoyé :* mardi 19 avril 2022 13:54
> *À :* Donald Eastlake <d3e3e3@gmail.com>
> *Cc :* sfc@ietf.org
> *Objet :* Re: [sfc] I-D Action: draft-ietf-sfc-nsh-ecn-support-09.txt
>
>
>
> Donald,
>
>
>
> Regarding Experimental status, take a look at the guidelines at
> https://www.ietf.org/standards/process/informational-vs-experimental/ ,
> in particular guidelines 3.4 and 3.5. This draft doesn't fit either of
> those.
>
>
>
> Also, in my experience, the SFC WG has not required implementations for
> RFC publication, rather publication has been used to encourage
> implementation.
>
>
>
> Cheers,
>
> Andy
>
>
>
>
>
> On Mon, Apr 18, 2022 at 6:13 PM Donald Eastlake <d3e3e3@gmail.com> wrote:
>
> Hi,
>
>
>
> I have done a significant pass over this draft in light of the reviews and
> I believe the draft is substantially improved; however, this revision does
> not, in my opinion, resolve all of the review comments and another pass
> will be needed before a WG Last Call.
>
>
>
> Also, one person has suggested changing the target status of this draft
> from Proposed Standard to Experimental. I do not have much objection to
> such a change. What do others think?
>
>
> Thanks,
> Donald
> ===============================
>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>  2386 Panoramic Circle, Apopka, FL 32703 USA
>  d3e3e3@gmail.com
>
>
>
>
>
> On Mon, Apr 18, 2022 at 6:02 PM <internet-drafts@ietf.org> wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Service Function Chaining WG of the IETF.
>
>         Title           : Explicit Congestion Notification (ECN) and
> Congestion Feedback Using the Network Service Header (NSH) and IPFIX
>         Authors         : Donald E. Eastlake
>                           Bob Briscoe
>                           Yizhou Li
>                           Andrew G. Malis
>                           Xinpeng Wei
>         Filename        : draft-ietf-sfc-nsh-ecn-support-09.txt
>         Pages           : 34
>         Date            : 2022-04-18
>
> Abstract:
>    Explicit congestion notification (ECN) allows a forwarding element to
>    notify downstream devices of the onset of congestion without having
>    to drop packets. Coupled with a means to feed information about
>    congestion back to upstream nodes, this can improve network
>    efficiency through better congestion control, frequently without
>    packet drops. This document specifies ECN and congestion feedback
>    support within a Service Function Chaining (SFC) enabled domain
>    through use of the Network Service Header (NSH, RFC 8300) and IP Flow
>    Information Export (IPFIX, RFC 7011).
>
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-sfc-nsh-ecn-support/
>
> There is also an htmlized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-sfc-nsh-ecn-support-09
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-sfc-nsh-ecn-support-09
>
>
> Internet-Drafts are also available by rsync at rsync.ietf.org:
> :internet-drafts
>
>
> _______________________________________________
> sfc mailing list
> sfc@ietf.org
> https://www.ietf.org/mailman/listinfo/sfc
>
> _______________________________________________
> sfc mailing list
> sfc@ietf.org
> https://www.ietf.org/mailman/listinfo/sfc
>
> _________________________________________________________________________________________________________________________
>
>
>
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
>
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
>
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
>
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>
>
>
> This message and its attachments may contain confidential or privileged information that may be protected by law;
>
> they should not be distributed, used or copied without authorisation.
>
> If you have received this email in error, please notify the sender and delete this message and its attachments.
>
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
>
> Thank you.
>
> _________________________________________________________________________________________________________________________
>
>
>
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
>
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
>
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
>
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>
>
>
> This message and its attachments may contain confidential or privileged information that may be protected by law;
>
> they should not be distributed, used or copied without authorisation.
>
> If you have received this email in error, please notify the sender and delete this message and its attachments.
>
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
>
> Thank you.
>
> _________________________________________________________________________________________________________________________
>
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>
> This message and its attachments may contain confidential or privileged information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.
>
>

v2.23.0 | Report a Bug | By Email