IETF Logo Mail Archive

Re: [spring] [IPv6] Subject: Mandating SRH when using C-SIDs (draft-ietf-spring-srv6-srh-compression)

Tom Herbert <tom@herbertland.com> Thu, 04 April 2024 17:49 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FA1DC17C8A5 for <spring@ietfa.amsl.com>; Thu, 4 Apr 2024 10:49:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0nXiMG7K_EBG for <spring@ietfa.amsl.com>; Thu, 4 Apr 2024 10:49:40 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61D5AC33A916 for <spring@ietf.org>; Thu, 4 Apr 2024 10:48:15 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id 4fb4d7f45d1cf-56e1a1c0ec9so1173180a12.3 for <spring@ietf.org>; Thu, 04 Apr 2024 10:48:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1712252894; x=1712857694; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=uNjPGrxsknAuoGycglx0L3HC9IO2fSAl1ZZFr6fTRsM=; b=LKbAY3ZtL/JGjPc5mpY2yp7zWpMmKSSOk+yAUO4wtb4mXaZ2Leu9p5lIL6O+np5aeJ eLCcSWGLyXt/H8LyiHNIxatXpRXQiaE9K3BUO9zQNWWDDxc5PBuAWpcGgwMQHpBpOPf3 HcWQv+QyxSMx09bvp5PU8mRLCSO86RaO3wbbpWWlmkw/3AxnnVpK9lPMFl6nRGuPkiga W6gHGUGMzAYFbuJzbmvH7szEWVz2AOSv0jSoymaRp7HqlXMf5nfIx5hP7+WGIS+F+1Jk retpP/18Kr21/VKO6Udq/aqzOsO8DOlXjrGmwHZ2DgperW9sQMzl5FN8Lr++r9o5gHCw +GKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712252894; x=1712857694; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=uNjPGrxsknAuoGycglx0L3HC9IO2fSAl1ZZFr6fTRsM=; b=w4iYe8ITcKczdEOUlJSiral8qAmx1ieWMw1izR1jbuN0dzSSqLN1mh8Jg6tJR1tElT UTUpghppmaGV5/i7x52EK0ene1jxYJeG2SVns6p8kCBFjL2QYlhAR46wCYWYxRJ6rliO vRSmk4AOqllCZjz8P6mFzd/mRWP4W58y950NG+vyHtbzFkSWXyqcn5bkAdjg3Aa+xG79 iWtUrCDSv15D2SFW+DrNOMKpkWotgBgpR3mmlW0tOpgN2Be9e996+osUMP2TYlD1HPVf v92so5qWX6qaE0dtJxBzUQcHF9HAHalJoq4nh4muduOELUuRRGLhIcNsuVCl8zPwxBOQ Edig==
X-Forwarded-Encrypted: i=1; AJvYcCVf5esdB5Q8J33uyy7Gpnobej9E7M5RBEjVx52abLzGZ49R7+x4fT6xuTaN86ObaEHVop0j0jjeOWE0/G1x0jU=
X-Gm-Message-State: AOJu0Yx1ZYAfs8esGa2dcdi2o/OuxBjLk3w1J62GkOzCOBSa1BK5KErX AwXu//ny08rRRycMssak7D6l9CQ16FPz7VJa0SnBXFMr0WvuSN58TNtvg+bvl5e8/DgqjvlrmbW O3sAfmTS/zuysQhNRgCK6ipM1KbNraxOifILCPQK8C05BUUs=
X-Google-Smtp-Source: AGHT+IFkpmO9IiClfhlMC6d5cq0grx9y37I5GncQ+MIs36z/WNXX5cb0VXZtsAvuT8LMfgftOjUiruhreyUtT/dCy0A=
X-Received: by 2002:a50:c31a:0:b0:56c:2785:ca3c with SMTP id a26-20020a50c31a000000b0056c2785ca3cmr2442670edb.7.1712252893805; Thu, 04 Apr 2024 10:48:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAMMESszUUdDw-xnDtZKqz75g6SXZ+7mXtZujBKwN+hxypC-Kuw@mail.gmail.com> <CAMMESswF_NnpK7_xk9OXmmocU8P7pne0gmPjCkapXEQVfQA2zQ@mail.gmail.com> <CAHT6gR--Qw7W0ZqyfdEupTpLAjeJ5OLTTjzM6NvQ87zdizgb8Q@mail.gmail.com> <CAO42Z2xHNgzhmgC6mPrauSQZ6Q4mcgD_FOp_uWqRpz=pFwa7_w@mail.gmail.com> <CAHT6gR-q9B60fcvT7nTfErS8M+hUm+x8zoez0KkYiPtTthaYYg@mail.gmail.com> <CALx6S348-_7Xx8VsbdMpK3WLhprCWzx_hs-MQEPFdKtY8MMhrQ@mail.gmail.com> <CAHT6gR8oPH3o7FKx2pTSN=CbysCLcZ-pP98ZwuhGBxPNi0vSXA@mail.gmail.com> <CALx6S36c4tEbbiCAFLskQ1zSgi2the3H1_Sq8Jf7ZBhE=ezbFA@mail.gmail.com> <CAOj+MMH7hVffnF5YJY2hAUCNR5w6eRr65W1KnyyR5xjUe0WASw@mail.gmail.com> <CALx6S37HV3yQSfnYyQnw=A=_Mtnm4H53pSCWxpDvT7zHLx_HPg@mail.gmail.com> <715A250B-6E53-4FCE-9B57-83F748BDD1E7@employees.org>
In-Reply-To: <715A250B-6E53-4FCE-9B57-83F748BDD1E7@employees.org>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 04 Apr 2024 13:48:01 -0400
Message-ID: <CALx6S37t30f8BfedoGVpXtg8FWUe25fbdmxDaFZJ8VyGF41peg@mail.gmail.com>
To: Ole Troan <otroan=40employees.org@dmarc.ietf.org>
Cc: Robert Raszuk <robert@raszuk.net>, spring-chairs@ietf.org, SPRING WG List <spring@ietf.org>, 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000805a00061548f1b6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/-amTBRagvQaGr6If-ZiAPv3MwKU>
Subject: Re: [spring] [IPv6] Subject: Mandating SRH when using C-SIDs (draft-ietf-spring-srv6-srh-compression)
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 17:49:44 -0000

On Thu, Apr 4, 2024, 1:12 PM Ole Troan <otroan=
40employees.org@dmarc.ietf.org> wrote:

> Tom,
>
> > Yes I am with you here.
> >
> > However let's observe that this is pretty common best practice to
> disable any hardware offload on the box when running tcpdump or wireshark.
> >
> > In fact some implementations (F5) do it for you automagically :)
> >
> > And as it has been said based on the fact that hardware offload does not
> understand any Routing Headers it really does not matter if it is there or
> not :)
> >
> > Robert,
> >
> > tcpdump is independent of hardware offload. If the checksum is incorrect
> per the packet contents we'll see bad checksums reported if we snoop
> packets, but like I said, we can't differentiate the bad from the good.
> >
> > Offload becomes an issue for NICs that do protocol specific checksum
> offload. We lose the capability on RX which is an inconvenience, on TX we'd
> need to change the implementation to ensure the checksum is not computed by
> HW.
> >
> > If SR without SRH is needed, then I believe the best answer is for SR
> aware routers to update L4 checksum when they change DA per NAT
> requirements. This solves tcpdump as well as offloads.
>
> Doesn’t that come with a raft of other problems. Network devices must be
> L4 agnostic.
>

Ole,

No more than NAT introduced :-)

Can’t you just think of this as null encap tunnelling. If that makes your
> head spin less.
>

That would make my head spin more :-). NAT is the process of changing IP
addresses in flight, that's exactly what an SR router does when there's no
SRH and it overwrites the DA. The requirements of NAT are at least well
understood.


> Can’t be the only example where a device in the middle cannot snoop
> traffic between endpoints…
>

For plain TCP/IPv6 packets? I'm not so sure...

Tom


> Cheers,
> Ole
>
>
> >
> > Tom
> >
> >
> > Cheers,
> > R.
> >
> >
> > On Thu, Apr 4, 2024 at 6:11 PM Tom Herbert <tom=
> 40herbertland.com@dmarc.ietf.org> wrote:
> >
> >
> > On Thu, Apr 4, 2024, 11:48 AM Francois Clad <fclad.ietf@gmail.com>
> wrote:
> > Hi Tom,
> >
> > Tcpdump can determine that this packet is steered onto an SRv6 path by
> checking if the DA matches the SRv6 SID block.
> >
> > Francois,
> >
> > That would require introducing external state to tcpdump for correct
> operation. This would be a major divergence in both implementation and ops
> compared to how things work today.
> >
> > Tom
> >
> >
> >
> > Thanks,
> > Francois
> >
> > On 4 Apr 2024 at 16:59:59, Tom Herbert <tom@herbertland.com> wrote:
> >>
> >>
> >> On Thu, Apr 4, 2024, 9:39 AM Francois Clad <fclad.ietf@gmail.com>
> wrote:
> >> Hi Mark,
> >>
> >> Tcpdump/wireshark decodes the IPv6 header just fine. I do not see any
> issue here.
> >>
> >> Francois,
> >>
> >> The problem is that tcpdump can't tell that a packet is an SR packet if
> there's no SRH. For instance, if the checksum is not maintained to be
> correct in the wire then tcpdump will show that the packet has a bad L4
> checksum, but there's no way to tell if that is an SR packet or if the
> checksum is actually bad. This will make debugging checksum failures in the
> network much more difficult, and this affects our ability to debug all
> traffic not just SR packets.
> >>
> >> Tom
> >>
> >>
> >> Cheers,
> >> Francois
> >>
> >> On 4 Apr 2024 at 14:09:43, Mark Smith <markzzzsmith@gmail.com> wrote:
> >>>
> >>>
> >>> On Thu, 4 Apr 2024, 22:50 Francois Clad, <fclad.ietf@gmail.com> wrote:
> >>> Hi Alvaro, all,
> >>>
> >>> RFC 8754 allows the SR source node to omit the SRH when it contains
> redundant information with what is already carried in the base IPv6 header.
> Mandating its presence for C-SID does not resolve any problem because it
> will not provide any extra information to the nodes along the packet path.
> >>>
> >>> How are troubleshooting tools like 'tcpdump' going to know how to
> automatically decode these packets as SRv6 packets if there is no SRH?
> >>>
> >>>
> >>>
> >>> Specifically for the case of middleboxes attempting to verify the
> upper-layer checksum,
> >>>     •
> >>> An SRv6-unaware middlebox will not be able to verify the upper-layer
> checksum of SRv6 packets in flight, regardless of whether an SRH is present
> or not.
> >>>     • An SRv6 and C-SID aware middlebox will be able to find the
> ultimate DA and verify the upper-layer checksum in flight, regardless of
> whether an SRH is present or not.
> >>>
> >>>
> >>> Furthermore, transit nodes (e.g., middleboxes) should not attempt to
> identify SRv6 traffic based on the presence of the SRH, because they will
> miss a significant portion of it: all the best-effort or Flex-Algo traffic
> steered with a single segment may not include an SRH, even without C-SID.
> Instead, RFC 8402, 8754, and 8986 define identification rules based on the
> SRv6 SID block.
> >>>
> >>> Thanks,
> >>> Francois
> >>>
> >>>
> >>> On 2 Apr 2024 at 19:44:51, Alvaro Retana <aretana.ietf@gmail.com>
> wrote:
> >>>> [Moving this conversation up on your mailbox. :-) ]
> >>>>
> >>>> [Thanks, Robert and Tom for your input!]
> >>>>
> >>>>
> >>>> We want to hear from more of you, including the authors. Even if you
> already expressed your opinion in a different thread, please chime in here.
> >>>>
> >>>> We will collect feedback until the end of this week.
> >>>>
> >>>> Thanks!
> >>>>
> >>>> Alvaro.
> >>>>
> >>>> On March 28, 2024 at 8:06:18 AM, Alvaro Retana (
> aretana.ietf@gmail.com) wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>> Focusing on the C-SID draft, some have suggested requiring the
> presence of the SRH whenever C-SIDs are used. Please discuss whether that
> is the desired behavior (or not) -- please be specific when debating the
> benefits or consequences of either behavior.
> >>>>>
> >>>>> Please keep the related (but independent) discussion of requiring
> the SRH whenever SRv6 is used separate. This larger topic may impact
> several documents and is better handled in a different thread (with 6man
> and spring included).
> >>>>>
> >>>>> Thanks!
> >>>>>
> >>>>> Alvaro
> >>>>> -- for spring-chairs
> >>>>
> >>>> --------------------------------------------------------------------
> >>>> IETF IPv6 working group mailing list
> >>>> ipv6@ietf.org
> >>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >>>> --------------------------------------------------------------------
> >>> --------------------------------------------------------------------
> >>> IETF IPv6 working group mailing list
> >>> ipv6@ietf.org
> >>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >>> --------------------------------------------------------------------
> >> --------------------------------------------------------------------
> >> IETF IPv6 working group mailing list
> >> ipv6@ietf.org
> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >> --------------------------------------------------------------------
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
>
>
>
>

v2.23.0 | Report a Bug | By Email