IETF Logo Mail Archive

Re: [sfc] clarification on Service Path ID for draft-penno-sfc-packet

<mohamed.boucadair@orange.com> Fri, 11 August 2017 12:40 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEA29132551 for <sfc@ietfa.amsl.com>; Fri, 11 Aug 2017 05:40:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level:
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pN9pb69mGq2k for <sfc@ietfa.amsl.com>; Fri, 11 Aug 2017 05:40:21 -0700 (PDT)
Received: from relais-inet.orange.com (mta239.mail.business.static.orange.com [80.12.66.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AFB61324E5 for <sfc@ietf.org>; Fri, 11 Aug 2017 05:40:21 -0700 (PDT)
Received: from opfedar05.francetelecom.fr (unknown [xx.xx.xx.7]) by opfedar27.francetelecom.fr (ESMTP service) with ESMTP id C62DB607BF; Fri, 11 Aug 2017 14:40:19 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.27]) by opfedar05.francetelecom.fr (ESMTP service) with ESMTP id A865460094; Fri, 11 Aug 2017 14:40:19 +0200 (CEST)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM7C.corporate.adroot.infra.ftgroup ([fe80::8007:17b:c3b4:d68b%19]) with mapi id 14.03.0361.001; Fri, 11 Aug 2017 14:40:19 +0200
From: mohamed.boucadair@orange.com
To: "Kent Leung (kleung)" <kleung@cisco.com>
CC: "sfc@ietf.org" <sfc@ietf.org>
Thread-Topic: [sfc] clarification on Service Path ID for draft-penno-sfc-packet
Thread-Index: AdL8yGj6ijlxPpxFQhyonVi4uiBr2QABYlRQAACi1WAACSYE0ACB4IoAAAAW/OAAAPzOEAAJX2uAAB8CJ2AAEaQ9gAABme4AAAB5TAAAHJ0cEAAWlowAAAJ3zwAACCSfgAFBR0jgAA2kEDAAHp9kAABQqBeAAq773KA=
Date: Fri, 11 Aug 2017 12:40:18 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93300A0271A9@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <91d8a4564df24299a24bee2688c9f6a6@XCH-RTP-006.cisco.com> <BF1BE6D99B52F84AB9B48B7CF6F17DA3EF0D62@SJCEML702-CHM.china.huawei.com> <E8355113905631478EFF04F5AA706E98A9060316@wtl-exchp-2.sandvine.com> <BF1BE6D99B52F84AB9B48B7CF6F17DA3EF0DF8@SJCEML702-CHM.china.huawei.com> <F241AD1D-A007-4AC7-A2B0-19550F1FF52C@cisco.com> <E8355113905631478EFF04F5AA706E98A9064B5C@wtl-exchp-2.sandvine.com> <99da3de545b142f5b9400f808f418fa1@XCH-RTP-006.cisco.com> <7B36C41A-EBE1-453E-BB25-04377E63B559@cisco.com> <6a0788234fec45909112016317e149fd@XCH-RTP-006.cisco.com> <CDF2F015F4429F458815ED2A6C2B6B0B839F731A@MBX021-W3-CA-2.exch021.domain.local> <6fa79c3c-6ae7-7818-47b3-1c71de2f0c50@joelhalpern.com> <CDF2F015F4429F458815ED2A6C2B6B0B839F7479@MBX021-W3-CA-2.exch021.domain.local> <03cda27203ec4cc0b8c8cca7ffab2cad@XCH-RTP-006.cisco.com> <bad829c9-2a90-af10-f06f-a9e90badf394@joelhalpern.com> <A925E36C-2C9B-42FD-96D5-736861AE8895@cisco.com> <5b0089f70075435d8b2b6e4dc512770d@XCH-RTP-006.cisco.com> <787AE7BB302AE849A7480A190F8B93300A01326E@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <93596249c1e04032ae66695bd90868dd@XCH-RTP-006.cisco.com> <787AE7BB302AE849A7480A190F8B93300A013955@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <a4ec6f7feda84027bf6b2cabf2bdb413@XCH-RTP-006.cisco.com>
In-Reply-To: <a4ec6f7feda84027bf6b2cabf2bdb413@XCH-RTP-006.cisco.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.3]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/suxr3k7ZMpB9ey8E2MTP5E6V1zE>
Subject: Re: [sfc] clarification on Service Path ID for draft-penno-sfc-packet
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2017 12:40:25 -0000

Hi Kent,

Apologies for the delay to answer this message. 

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Kent Leung (kleung) [mailto:kleung@cisco.com]
> Envoyé : vendredi 28 juillet 2017 23:25
> À : BOUCADAIR Mohamed IMT/OLN
> Cc : sfc@ietf.org
> Objet : RE: [sfc] clarification on Service Path ID for draft-penno-sfc-
> packet
> 
> Hi Med. Thanks for clarifying with the MPTCP example.
> 
> In general, draft-wang-sfc-ns-use-cases covers the two fundamental use
> cases in sects 4.3.1 and 4.3.2. The solution for the former is documented

[Med] I guess you meant: s/The solution/one approach.

> in draft-penno-sfc-packet, which puts the generated packet for "reverse
> flow direction" in the correct reverse SPI/SI. The latter is when SF
> initiates a new flow, which is not the problem statement addressed by
> draft-penno-sfc-packet, AFAIK.

[Med] The problem statement in draft-penno is not clearly described, IMO.

 I think the right solution for this
> particular scenario would be using internal classifier or external
> classifier.

[Med] That's an option. One can also consider configuring SFC-aware SFs with appropriate policies (e.g., echo the NSH header, use a configured one, do not carry any NSH, ...). 

> 
> The MPTCP MP_JOIN example seems to map to the SF initiated flow use case.

[Med] Yes and no. It is about injecting packets if we consider the full MPTCP connection (that is the aggregate TCP subflows), but it is an initiated connection if we consider the TCP (sub-flow) level. 

> Perhaps an internal classifier in SF would map associated subflows to a
> common service path used by the MPTCP session. Just a thought for
> implementation option.

[Med] Agree, this is one implementation option.

> 
> Are you asking to expand the scope of this draft beyond injected new
> packet to include the initiated connection use case?

[Med] Covering both cases in one single place would make sense.    

 I'll let other
> authors chime in if that's the case.
> 
> Kent
> 
> -----Original Message-----
> From: mohamed.boucadair@orange.com [mailto:mohamed.boucadair@orange.com]
> Sent: Wednesday, July 26, 2017 11:36 PM
> To: Kent Leung (kleung) <kleung@cisco.com>
> Cc: sfc@ietf.org
> Subject: RE: [sfc] clarification on Service Path ID for draft-penno-sfc-
> packet
> 
> Hi Kent,
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > -----Message d'origine-----
> > De : Kent Leung (kleung) [mailto:kleung@cisco.com] Envoyé : mercredi
> > 26 juillet 2017 18:08 À : BOUCADAIR Mohamed IMT/OLN Cc : sfc@ietf.org
> > Objet : RE: [sfc] clarification on Service Path ID for
> > draft-penno-sfc- packet
> >
> > Hi Mohamed. See comments below.
> >
> > -----Original Message-----
> > From: mohamed.boucadair@orange.com
> > [mailto:mohamed.boucadair@orange.com]
> > Sent: Wednesday, July 26, 2017 4:22 AM
> > To: Kent Leung (kleung) <kleung@cisco.com>
> > Cc: sfc@ietf.org
> > Subject: RE: [sfc] clarification on Service Path ID for
> > draft-penno-sfc- packet
> >
> > Re-,
> >
> > I do have the following comments:
> >
> > * I do agree with Reinaldo with regards to unidirectional SPIs.
> >
> > KL> OK. One more for unidirectional SPI.
> >
> >
> > * Assuming by default that the SPI is inherited from the received NSH
> > packet may lead to failures. Consider the example of a chain with NATs
> > and FWs. Because the packet will be generated by an SF (that may not
> > be the ultimate destination of the original packet), no corresponding
> > state will be found in those NATs (non EIM/EIF)/FW. I'm not sure whether
> "no-op"
> > feature softens the problem.
> >
> > KL> There are various use cases when SF generates packet. See
> > https://tools.ietf.org/html/draft-wang-sfc-ns-use-cases-03#page-14. We
> > believe this draft is helpful in understanding various scenarios and
> > want to pursue informational track. If you or others want to help,
> > please let us know. The NOP is dealing with asymmetric SFC.
> 
> [Med] Thanks for the pointer. draft-wang-sfc-ns-use-cases mixes various
> functions of a "firewall": TCP proxy, NAT, stateful filtering, etc.
> My main comment is that the packet generated by an SF may be blocked by
> other stateful SFs because no mapping will be matching packets from the
> SF. I would expect such details to be included in the sfc-packet draft.
> 
> >
> >
> > * Generating packets by an SF may not be triggered by a received NSH
> > packet. Obviously, inheriting NSH-related information may not be
> > possible in that case. A typical example is a service chain that
> > involves an MPTCP proxy. The proxy can at any time during the
> > connection add new subflows to the source.
> >
> > KL> Agree. See draft mentioned above.
> 
> [Med] I would expect this to be discussed in the sfc-packet draft since
> this have an implication on the solution to be recommended (if we need
> such reco). Typically, how algorithmic approaches solves the issue for
> this particular case should be discussed.
> 
> >
> >
> > * I don't think that we should assume that SF-generated packets must
> > always be stamped with an NSH header. This is IMHO deployment-specific.
> > Like any other packets generated by a (SFC-unware) node in the
> > forwarding path, packets generated by an SFC-aware SF should be able
> > to fly back without any SFC processing at all, too. Again, this is
> > deployment- specific.
> >
> > KL> Agree. See Option #2 in the reference above. Let us know if that's
> > clear.
> 
> [Med] Idem as above. I would expect this to be covered in the sfc-packet
> I-D.
> 
> >
> >
> > * Putting aside other aspects, that are btw discussed appropriately in
> > the draft such as metadata cloning, which destination IP address to
> > use to send back the packet? Some complications may arise when NATs are
> involved.
> >
> > KL> The draft-penno-sfc-packet is dealing with this use case,
> > KL> "generate
> > packets in the reverse flow direction destined to the source of the
> > current in-process packet/flow." So the dest IP address is the source
> > IP address of the received packet.
> 
> [Med] This may be intuitive but this cannot be generalized to all SFs.
> Let's consider the example of an MPTCP proxy that receives an ADD_ADDR
> from a client, the MPTCP proxy can send back an MP_JOIN to the address
> conveyed in ADD_ADDR, not the source IP address of the initial packet.
> 
>  A packet that is NAT'ed needs to be
> > addressed as an independent topic.
> >
> 
> [Med] Why NAT should be treated as a special SF?
> 
> >
> > Given that, I'm less for an algorithmic approach but for control-based
> > approach at the SFC-aware SF and/or classifier.
> >
> > KL> The control plane option (sect. 5.1) does require controller/SF
> > interface.
> 
> [Med] Yes. That interface can leverage on existing interface to provision
> other non-SFC SF features. Further, as mentioned above, packets generated
> by an SF may or may not be stamped with an NSH header.
> 
>  There are additional operational responsibility on SF to
> > maintain state for reverse path, controller to ensure consistency
> > between SF and SFF for SPIs, timing window when SPIs are configured,
> > etc. It seems algorithmic method avoids chances for problems to be
> > encountered in deployment.
> 
> [Med] I disagree. See the example I cited above. The algorithmic approach
> may work with some assumptions on the SFs; those assumptions are not
> generic.
> 
>  Simple is better in terms there's only one touch point
> > (automatic) vs. two touch points (control).
> 
> [Med] I cannot argue that it is simple at this stage.
> 
> >
> > Thanks for your feedback.
> >
> > Kent
> >
> >
> > Cheers,
> > Med
> >
> > > -----Message d'origine-----
> > > De : sfc [mailto:sfc-bounces@ietf.org] De la part de Kent Leung
> > > (kleung) Envoyé : mercredi 26 juillet 2017 00:32 À : Reinaldo Penno
> > > (repenno); Joel M. Halpern; Ron Parker; Dave Dolson; Roberta
> > > Maglione (robmgl); James N Guichard Cc : sfc@ietf.org Objet : Re:
> > > [sfc] clarification on Service Path ID for draft-penno-sfc- packet
> > >
> > > It seems enough time has elapsed for folks to chime in their
> > > preferences on the solution option.
> > >
> > > I believe that communication between two endpoints is based on flow
> > > traffic from source to destination. A service path dictates which
> > > service functions are applied for the traffic. Technically, a flow
> > > is terminated at the receiving endpoint. So, the service path ended
> > > at the
> > last hop.
> > > Communication may be uni-directional (one flow) or bi-directional
> > > (two flows). RFC 7665 describes SFC as steering of traffic flows
> > > through service functions. My interpretation is that the service
> > > path is associated with the flow. A new flow going in the reverse
> > > direction should be treated with a new service path (set up to
> > > handle that flow) and not continuation of the same service path (set
> > > up to handle original flow) in the forward direction. Seems logical
> > > to me from that
> > perspective.
> > >
> > > The service path ID is used to identify the service path and the
> > > service index is used to identify the location within the service
> > > path as stated in current NSH draft:
> > >
> > > " NSH contains a Service Path Identifier (SPI) and a Service Index
> (SI).
> > > The SPI is, as per its name, an identifier" of the service path.
> > >
> > > "The Service Index provides an indication of location within a
> > > service path."
> > >
> > > Given that both options support asymmetric and symmetric SFCs, has
> > > anyone change their mind on selecting an option to go forth? Based
> > > on the feedback, it seems that we all agree to choose one solution
> > > instead of allowing multiple options for addressing reverse packet
> > > generation scenario. Now, what should we need to do to achieve that?
> > > Rock-paper- scissor? :)
> > >
> > > Current count as Joel is OK with either option.
> > >
> > > Sect 5.4.1 (one service path ID, service index indicates flow
> > direction):
> > >
> > > -	(4) Dave, Joel, Ron, Kyle
> > >
> > > Sect 5.4.2 (two service path IDs, each indicate flow direction):
> > >
> > > -	(7) Sumandra, Jim, Kent, Renaldo, Roberta, Paul, Joel
> > >
> > > Kent
> > >
> > > <snip>
> > >
> > > _______________________________________________
> > > sfc mailing list
> > > sfc@ietf.org
> > > https://www.ietf.org/mailman/listinfo/sfc

v2.23.0 | Report a Bug | By Email