IETF Logo Mail Archive

Re: [sfc] clarification on Service Path ID for draft-penno-sfc-packet

<mohamed.boucadair@orange.com> Thu, 27 July 2017 06:36 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 979831293E1 for <sfc@ietfa.amsl.com>; Wed, 26 Jul 2017 23:36:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level:
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oA_fYXRYfCnf for <sfc@ietfa.amsl.com>; Wed, 26 Jul 2017 23:36:23 -0700 (PDT)
Received: from relais-inet.orange.com (mta239.mail.business.static.orange.com [80.12.66.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 751E2120227 for <sfc@ietf.org>; Wed, 26 Jul 2017 23:36:23 -0700 (PDT)
Received: from opfedar02.francetelecom.fr (unknown [xx.xx.xx.4]) by opfedar23.francetelecom.fr (ESMTP service) with ESMTP id D9BF516082F; Thu, 27 Jul 2017 08:36:21 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.32]) by opfedar02.francetelecom.fr (ESMTP service) with ESMTP id B9DD2180063; Thu, 27 Jul 2017 08:36:21 +0200 (CEST)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM32.corporate.adroot.infra.ftgroup ([fe80::8924:188:2124:a046%19]) with mapi id 14.03.0352.000; Thu, 27 Jul 2017 08:36:21 +0200
From: mohamed.boucadair@orange.com
To: "Kent Leung (kleung)" <kleung@cisco.com>
CC: "sfc@ietf.org" <sfc@ietf.org>
Thread-Topic: [sfc] clarification on Service Path ID for draft-penno-sfc-packet
Thread-Index: AdL8yGj6ijlxPpxFQhyonVi4uiBr2QABYlRQAACi1WAACSYE0ACB4IoAAAAW/OAAAPzOEAAJX2uAAB8CJ2AAEaQ9gAABme4AAAB5TAAAHJ0cEAAWlowAAAJ3zwAACCSfgAFBR0jgAA2kEDAAHp9kAA==
Date: Thu, 27 Jul 2017 06:36:21 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93300A013955@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <91d8a4564df24299a24bee2688c9f6a6@XCH-RTP-006.cisco.com> <BF1BE6D99B52F84AB9B48B7CF6F17DA3EF0D62@SJCEML702-CHM.china.huawei.com> <E8355113905631478EFF04F5AA706E98A9060316@wtl-exchp-2.sandvine.com> <BF1BE6D99B52F84AB9B48B7CF6F17DA3EF0DF8@SJCEML702-CHM.china.huawei.com> <F241AD1D-A007-4AC7-A2B0-19550F1FF52C@cisco.com> <E8355113905631478EFF04F5AA706E98A9064B5C@wtl-exchp-2.sandvine.com> <99da3de545b142f5b9400f808f418fa1@XCH-RTP-006.cisco.com> <7B36C41A-EBE1-453E-BB25-04377E63B559@cisco.com> <6a0788234fec45909112016317e149fd@XCH-RTP-006.cisco.com> <CDF2F015F4429F458815ED2A6C2B6B0B839F731A@MBX021-W3-CA-2.exch021.domain.local> <6fa79c3c-6ae7-7818-47b3-1c71de2f0c50@joelhalpern.com> <CDF2F015F4429F458815ED2A6C2B6B0B839F7479@MBX021-W3-CA-2.exch021.domain.local> <03cda27203ec4cc0b8c8cca7ffab2cad@XCH-RTP-006.cisco.com> <bad829c9-2a90-af10-f06f-a9e90badf394@joelhalpern.com> <A925E36C-2C9B-42FD-96D5-736861AE8895@cisco.com> <5b0089f70075435d8b2b6e4dc512770d@XCH-RTP-006.cisco.com> <787AE7BB302AE849A7480A190F8B93300A01326E@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <93596249c1e04032ae66695bd90868dd@XCH-RTP-006.cisco.com>
In-Reply-To: <93596249c1e04032ae66695bd90868dd@XCH-RTP-006.cisco.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.1]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/mwmJGNz2JJTpOWKHM9D9NmH4puI>
Subject: Re: [sfc] clarification on Service Path ID for draft-penno-sfc-packet
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jul 2017 06:36:25 -0000

Hi Kent, 

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Kent Leung (kleung) [mailto:kleung@cisco.com]
> Envoyé : mercredi 26 juillet 2017 18:08
> À : BOUCADAIR Mohamed IMT/OLN
> Cc : sfc@ietf.org
> Objet : RE: [sfc] clarification on Service Path ID for draft-penno-sfc-
> packet
> 
> Hi Mohamed. See comments below.
> 
> -----Original Message-----
> From: mohamed.boucadair@orange.com [mailto:mohamed.boucadair@orange.com]
> Sent: Wednesday, July 26, 2017 4:22 AM
> To: Kent Leung (kleung) <kleung@cisco.com>
> Cc: sfc@ietf.org
> Subject: RE: [sfc] clarification on Service Path ID for draft-penno-sfc-
> packet
> 
> Re-,
> 
> I do have the following comments:
> 
> * I do agree with Reinaldo with regards to unidirectional SPIs.
> 
> KL> OK. One more for unidirectional SPI.
> 
> 
> * Assuming by default that the SPI is inherited from the received NSH
> packet may lead to failures. Consider the example of a chain with NATs and
> FWs. Because the packet will be generated by an SF (that may not be the
> ultimate destination of the original packet), no corresponding state will
> be found in those NATs (non EIM/EIF)/FW. I'm not sure whether "no-op"
> feature softens the problem.
> 
> KL> There are various use cases when SF generates packet. See
> https://tools.ietf.org/html/draft-wang-sfc-ns-use-cases-03#page-14. We
> believe this draft is helpful in understanding various scenarios and want
> to pursue informational track. If you or others want to help, please let
> us know. The NOP is dealing with asymmetric SFC.

[Med] Thanks for the pointer. draft-wang-sfc-ns-use-cases mixes various functions of a "firewall": TCP proxy, NAT, stateful filtering, etc.  
My main comment is that the packet generated by an SF may be blocked by other stateful SFs because no mapping will be matching packets from the SF. I would expect such details to be included in the sfc-packet draft.  

> 
> 
> * Generating packets by an SF may not be triggered by a received NSH
> packet. Obviously, inheriting NSH-related information may not be possible
> in that case. A typical example is a service chain that involves an MPTCP
> proxy. The proxy can at any time during the connection add new subflows to
> the source.
> 
> KL> Agree. See draft mentioned above.

[Med] I would expect this to be discussed in the sfc-packet draft since this have an implication on the solution to be recommended (if we need such reco). Typically, how algorithmic approaches solves the issue for this particular case should be discussed. 

> 
> 
> * I don't think that we should assume that SF-generated packets must
> always be stamped with an NSH header. This is IMHO deployment-specific.
> Like any other packets generated by a (SFC-unware) node in the forwarding
> path, packets generated by an SFC-aware SF should be able to fly back
> without any SFC processing at all, too. Again, this is deployment-
> specific.
> 
> KL> Agree. See Option #2 in the reference above. Let us know if that's
> clear.

[Med] Idem as above. I would expect this to be covered in the sfc-packet I-D. 

> 
> 
> * Putting aside other aspects, that are btw discussed appropriately in the
> draft such as metadata cloning, which destination IP address to use to
> send back the packet? Some complications may arise when NATs are involved.
> 
> KL> The draft-penno-sfc-packet is dealing with this use case, "generate
> packets in the reverse flow direction destined to the source of the
> current in-process packet/flow." So the dest IP address is the source IP
> address of the received packet.

[Med] This may be intuitive but this cannot be generalized to all SFs. Let's consider the example of an MPTCP proxy that receives an ADD_ADDR from a client, the MPTCP proxy can send back an MP_JOIN to the address conveyed in ADD_ADDR, not the source IP address of the initial packet. 

 A packet that is NAT'ed needs to be
> addressed as an independent topic.
> 

[Med] Why NAT should be treated as a special SF?

> 
> Given that, I'm less for an algorithmic approach but for control-based
> approach at the SFC-aware SF and/or classifier.
> 
> KL> The control plane option (sect. 5.1) does require controller/SF
> interface.

[Med] Yes. That interface can leverage on existing interface to provision other non-SFC SF features. Further, as mentioned above, packets generated by an SF may or may not be stamped with an NSH header.  

 There are additional operational responsibility on SF to
> maintain state for reverse path, controller to ensure consistency between
> SF and SFF for SPIs, timing window when SPIs are configured, etc. It seems
> algorithmic method avoids chances for problems to be encountered in
> deployment.

[Med] I disagree. See the example I cited above. The algorithmic approach may work with some assumptions on the SFs; those assumptions are not generic.  

 Simple is better in terms there's only one touch point
> (automatic) vs. two touch points (control).

[Med] I cannot argue that it is simple at this stage.

> 
> Thanks for your feedback.
> 
> Kent
> 
> 
> Cheers,
> Med
> 
> > -----Message d'origine-----
> > De : sfc [mailto:sfc-bounces@ietf.org] De la part de Kent Leung
> > (kleung) Envoyé : mercredi 26 juillet 2017 00:32 À : Reinaldo Penno
> > (repenno); Joel M. Halpern; Ron Parker; Dave Dolson; Roberta Maglione
> > (robmgl); James N Guichard Cc : sfc@ietf.org Objet : Re: [sfc]
> > clarification on Service Path ID for draft-penno-sfc- packet
> >
> > It seems enough time has elapsed for folks to chime in their
> > preferences on the solution option.
> >
> > I believe that communication between two endpoints is based on flow
> > traffic from source to destination. A service path dictates which
> > service functions are applied for the traffic. Technically, a flow is
> > terminated at the receiving endpoint. So, the service path ended at the
> last hop.
> > Communication may be uni-directional (one flow) or bi-directional (two
> > flows). RFC 7665 describes SFC as steering of traffic flows through
> > service functions. My interpretation is that the service path is
> > associated with the flow. A new flow going in the reverse direction
> > should be treated with a new service path (set up to handle that flow)
> > and not continuation of the same service path (set up to handle
> > original flow) in the forward direction. Seems logical to me from that
> perspective.
> >
> > The service path ID is used to identify the service path and the
> > service index is used to identify the location within the service path
> > as stated in current NSH draft:
> >
> > " NSH contains a Service Path Identifier (SPI) and a Service Index (SI).
> > The SPI is, as per its name, an identifier" of the service path.
> >
> > "The Service Index provides an indication of location within a service
> > path."
> >
> > Given that both options support asymmetric and symmetric SFCs, has
> > anyone change their mind on selecting an option to go forth? Based on
> > the feedback, it seems that we all agree to choose one solution
> > instead of allowing multiple options for addressing reverse packet
> > generation scenario. Now, what should we need to do to achieve that?
> > Rock-paper- scissor? :)
> >
> > Current count as Joel is OK with either option.
> >
> > Sect 5.4.1 (one service path ID, service index indicates flow
> direction):
> >
> > -	(4) Dave, Joel, Ron, Kyle
> >
> > Sect 5.4.2 (two service path IDs, each indicate flow direction):
> >
> > -	(7) Sumandra, Jim, Kent, Renaldo, Roberta, Paul, Joel
> >
> > Kent
> >
> > <snip>
> >
> > _______________________________________________
> > sfc mailing list
> > sfc@ietf.org
> > https://www.ietf.org/mailman/listinfo/sfc

v2.23.0 | Report a Bug | By Email