IETF Logo Mail Archive

Re: [spring] SRv6 - SRH in encaps or base header - point 2

"Darren Dukes (ddukes)" <ddukes@cisco.com> Fri, 02 November 2018 17:50 UTC

Return-Path: <ddukes@cisco.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77305126DBF; Fri, 2 Nov 2018 10:50:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.969
X-Spam-Level:
X-Spam-Status: No, score=-14.969 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z1dnJOIJoW0P; Fri, 2 Nov 2018 10:50:29 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B830C1276D0; Fri, 2 Nov 2018 10:50:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=35184; q=dns/txt; s=iport; t=1541181028; x=1542390628; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=dnDYcMB6UZeSqBsHBW/dew3KvjRP5TLCMndN71Pjpx8=; b=XXbde5+g8resTUxhCk2ad/hJPtzTwwo9fZ9lV1+Ou4JoTiYc9aPG5Em1 2t22SEm1FKLQtJe1oCGSXjf8M/2U8f0GrRVhNPGECS8dEj2qdNnq/TUPm yl1w37lC/rqO7zFZ9jtAS0f4d3kCCxzyfiHhe8cCniRlQhS2jxuc+GFvI U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AFAACNjdxb/4UNJK1jGgEBAQEBAgEBAQEHAgEBAQGBUQUBAQEBCwGBVS+BZSgKg2yIGIwXmTkUgWYLAQGBd4J1AheDJyI0DQ0BAwEBAgEBAm0ohTsGGglEEhACAQg/AwICAjAUEQIEDgUbgwaBHmSnUIEuhTyEZItxF4FBP4ERJx+CTIRCcgKCTDGCJgKIZCABMoUmhieJUlQJAoduiRwYgVWPBoJulCkCERSBJh04gVVwFTsqAYJBgiMDF44ab4p4B4EngR8BAQ
X-IronPort-AV: E=Sophos;i="5.54,456,1534809600"; d="scan'208,217";a="464554494"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 Nov 2018 17:50:27 +0000
Received: from XCH-RCD-017.cisco.com (xch-rcd-017.cisco.com [173.37.102.27]) by alln-core-11.cisco.com (8.15.2/8.15.2) with ESMTPS id wA2HoRlT007630 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 2 Nov 2018 17:50:27 GMT
Received: from xch-aln-017.cisco.com (173.36.7.27) by XCH-RCD-017.cisco.com (173.37.102.27) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 2 Nov 2018 12:50:26 -0500
Received: from xch-aln-017.cisco.com ([173.36.7.27]) by XCH-ALN-017.cisco.com ([173.36.7.27]) with mapi id 15.00.1395.000; Fri, 2 Nov 2018 12:50:26 -0500
From: "Darren Dukes (ddukes)" <ddukes@cisco.com>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
CC: "6man@ietf.org" <6man@ietf.org>, "spring@ietf.org" <spring@ietf.org>
Thread-Topic: SRv6 - SRH in encaps or base header - point 2
Thread-Index: AQHUampMSmaiE2sUnkOZwbcZBqOzaaUyIfaAgAAQcoCABlqwgIAAA0oAgASXqgA=
Date: Fri, 02 Nov 2018 17:50:26 +0000
Message-ID: <679B2EEF-4EE6-44BC-A9D7-17E70FF1133A@cisco.com>
References: <42663f06-8fcc-4ca4-5e3c-368adcaaef86@joelhalpern.com> <A4FF775A-213D-46C3-93E5-180854097926@cisco.com> <69085e36-f091-44d5-590b-3550983ac4d7@joelhalpern.com> <AB652159-99AB-46C8-87B6-7A1020C1F880@cisco.com> <3e51b691-ae71-31ce-a094-db2d75d80ae0@joelhalpern.com> <728DADEC-AC49-4F16-93FB-4B5A6905DF59@cisco.com> <11918c9b-f0bb-4182-cdbe-9ed720b0a800@joelhalpern.com>
In-Reply-To: <11918c9b-f0bb-4182-cdbe-9ed720b0a800@joelhalpern.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.76.77]
Content-Type: multipart/alternative; boundary="_000_679B2EEF4EE644BCA9D717E70FF1133Aciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.37.102.27, xch-rcd-017.cisco.com
X-Outbound-Node: alln-core-11.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/13BfOoQb1p9mRtSHUOko7VMyASM>
Subject: Re: [spring] SRv6 - SRH in encaps or base header - point 2
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Nov 2018 17:50:33 -0000

Joel, For our last remaining item in this thread, re: communication from 1 to 9 and 9 to 1.

Lets add the following since we don’t discuss traffic from a host within the SR Domain to a host outside the SR Domain.

<NEW TEXT>
5.3.3 Inter SR Domain Packet
Host 9 sends a packet to host 1 (outside the SR Domain) via an SR Policy <S6,S3>.
Host 9 encapsulates an inner packet from 9 to 1 in an outer IPv6 header and adds an SRH for the SR Policy.

   P7: (A9,S6)(S3,S6; SL=1)(A9,A1)

A host implementation MUST support addition of the outer IPv6 encapsulation to avoid leaking SIDs to nodes outside the SR Domain.

For return traffic to A9, an outer IPv6 header may be applied by the SR Domain ingress node.  This outer IPv6 header may terminate at node 9, therefore a host implementation MUST support decapsulation of an outer IPv6 header and processing of the inner header.
</NEW TEXT>

For traffic destined within the SR Domain it’s still up to the host or controller providing the SR Policy to determine whether or not they must encapsulate in an outer IPv6 header.

Darren

On Oct 30, 2018, at 3:42 PM, Joel M. Halpern <jmh@joelhalpern.com<mailto:jmh@joelhalpern.com>> wrote:

I am not sure I agree that the allowance for handling the HMAC elsewhere is straightforward.  For example, I think the range of implementation strategies for border nodes and the intersection of that with the range of operational and deployment strategies is going to actually make it harder to get multi-vendor deployments.  Having said that, the approach in the document will work.  And I can live with it.

On the choice of encaps or not encaps (from node 9 to external node 1) there are two issues.
The important issue is that node 9 needs to be able to encaps. Otherwise there is no decision availabe, and the nodes software is forcing the operator to disclose, even if there policy is not to do so. Thus, I think the minimum requirement is that the document needs to clearly state that node 9 needs to be able to handle incoming encaps and needs to be able to generate outgoing encaps.

The lesser issue is "why bother?"  Why not always encaps.  Given that the network has to have an MTU big enough to handle an encaps packet (due to incoming packets from out the SR domain), there is no MTU issue wiht the encaps.  As such, we are talking about reducing the security and robustness of the solution in exchange for saving a few bytes.  That almost never turns out well.

Yours,
Joel

On 10/30/18 3:30 PM, Darren Dukes (ddukes) wrote:
I think we’re almost concluded so once more inline at <dd></dd>
On Oct 26, 2018, at 2:28 PM, Joel Halpern <jmh@joelhalpern.com<mailto:jmh@joelhalpern.com>> wrote:

(resending, +spring as requested)

Thank you for the responses.  I will respond in line, marked <jmh></jmh>.  I fear it will shortly get too deep, but the context is important.

I will rephrase here an issue from another thread that I ahve not seen your comments on.  If Node 9 is sending traffic to Node 1 (for example, the reverse traffic for the traffic from 1 to 9 in the examples below), it presumably has an SR Policy to be applied. The issue I raised before is the leakage issue.  If 9 puts the SRH in its packet (as the document currently mandates), then it will not be possible for 3 to remove the SRH.  Thus, the SRH will leak.

Some have argued that is not a big deal.  It seems to matter to me.  But there is an additional problem.  A1 is not a SID.  Therefore, 9 can not put A1 into the SRH.  If it can not put A1 into the SRH, and it does not encapsulate the packet, where does it put A1.
<dd> Node 9 has a choice, encapsulate to node 3 or not.
If node 9 does not encapsulate, it will inform the destination of the segments in the SRH and possibly leak them to intermediate nodes.
If node 9 does encapsulate, node 3 removes the outer header and node 1 would not learn the segment list.
I think its choice should not be mandated in the draft. </dd>

Yours,
Joel

On 10/26/18 1:29 PM, Darren Dukes (ddukes) wrote:
Hi Joel, you’ve described sections titled “Intra SR Domain Packet”, “Transit Packet Through SR Domain”, and "SR Source Nodes Not Directly Connected”.
I’ve parsed them inline to the sections of the draft defining them and given more context where needed.
On Oct 22, 2018, at 8:49 PM, Joel M. Halpern <jmh@joelhalpern.com<mailto:jmh@joelhalpern.com>> wrote:

Rephrasing using the example from 5.2.  Assuming that 8 and 9 are SR Hosts (not just hosts within the domain, they are capable of and expect to deal with SRHs, and therefore have local SIDs, ...)

For traffic from 8 to 9 that needs an SRH, the SRH goes in the IPv6 header sent my 8 to 9.  When 9 processes the packet, it seems that it is the last SID, figures out that there is no encapsulation, and send the TCP / UDP / QUIC information to its internal protocols stacks.
Yes, this is Section 5.3.1 “Intra SR Domain Packet”.
<jmh>Agreed as far as it goes.  However,  the existence of S9 and A9 points to a problem.  Node 8 is trying to put on an SRH going through Sx, Sy, whatever for some reason.  It can't put A9 into the SRH, as AH is not a SID, it is an address.  I presume node 8 got S9 from whatever provided him the SR Policy that it is using.  Does it simply use S9 as the address for node 9, rather than A9 that it got from DNS?  And does the TCP stack know that this substitution is being made?  (This is another example of a problem that goes away if we always encapsulate.) </jmh>
<dd>Section 4.3.2 covers these questions, i.e. A9 can be placed in the SRH as the last segment, and this section describes how it’s handled.</dd>


For traffic from 1 to 9, where 3 adds an SRH, that SRH still presumably ends at 9.  9 Receives the IP packet.  Sees that it is addressed to itself.  Sees that the SRH is finished.  And then notices that the next-header is IPv6.  Unwraps the header, checks that the inner destination address is also itself, and passes the material carried by the inner header up to the appropriate stack.
So node 1 sends a packet to node 9 (A1,A9)
IF there is some steering into an SR Policy at node 3 to reach node 9, this is identical to section 5.3.2 “Transit packet through SR domain”, except for destination of A9 via node 9  instead of A2 via node 4.


Thus, 9 needs to be able to check for both cases.  We at least need to tell implementors that.
Well, 9 needs a SID S9 and Address A9.  That is shown in Section 5.1 SID and address representation.
<jmh>So, let us assume that 3 has an SR policy it wants to apply to the traffic from A1 to A9.  In this case, the S9 / A9 dichotomy is not a problem, I think.  Node 3 encapsualtes the packet from A1 to A9, uses S3 as the source address of the encapsulating header, and ends the SID list in the SRH with S9.  The unspecified part is that node 9 needs to be prepared to receive such packets and do the double processing.  It is reasonable double processing.  My only request here is that we tell folks they need to support it. </jmh>
<dd>Actually, node 3 uses A3 as its source address, but that’s minor.
The double processing (lookup, do end processing, do another lookup) is documented in Section 4.3.
Is there a need for more than what is currently specified? </dd>

There is a further complication.  9 seems to need to have an address that is a valid SID, so it can be the last entry in the SRH from 8 to 9.
As described in the draft, Section 5.1 a node k has an address Ak and SID Sk.  So node 9 has a valid SID.
For traffic from 8 to 9, A9 is used as the destination as shown in section 5.3.1, 5.4 and 5.5.
 However, if 1 were to send the packet to that SID for 9, router 3 would be required by the rules we discussed in the other thread to discard the packet as it is neither to prefix nor contains an HAMC.
 And somehow, 8 and 1 need to each pick the right address to use for 9. (split DNS maybe?)  And 3 needs to be able to derive teh SID-formn address for 9 from the non-SID form of the address so that it (3) can build a proper SRH to get the packet to 9.
<jmh>I have retained your answer below for context, but I think that answers the wrong question.  I believe what is itnended is that only A9 appears in DNS.  So Node 1 will see 9 as A9, and will use that.  S9 will appear in SR Policies about traffic to node 9, but not in DNS.  That is what we need.  I wish it were clearer in the text. </jmh>

<jmh>If node 20 is generating SRHs with HMACs, then this is largely the same as the case from 8 to 9, except that whomever creates the SR Policy that 20 is using needs to also make sure that whatever the first SID is in teh list, it processes HMACs and is recognizable to node 3 as doing such processing. I am guessing that the reason for allowing internal nodes to do the processing is to move the verification load off the edge nodes.  It does create significant additional configuration complexity. </jmh>
<dd>We didn’t see a reason to restrict the HMAC processing to only edge nodes when it was straight forward to define how they could be processed at non-edge nodes.</dd>

This is incorrect.
See Section 6.2.1 “SR Source Nodes Not Directly Connected” I will expand on the example from that section.
Node 20 sends a packet to A9 with SR Policy <H7> and an HMAC provided to node 20 by some yet to be defined method.  Resulting in packet sent from node 20
  P: (A20,H7)(A9;SL=1)(payload)
Recall Hk is a SID at node k requiring HMAC verification, and it is covered by Prefix-H.
Prefix-H is _not_ subject to ingress filtering at node 3.
Therefore the packet P destined to H7 is not subject to ingress filtering at node 3.
P is forwarded to node 7, where H7 is processed and the HMAC verified.
If the HMAC can not be verified the packet is dropped, else it is forwarded to the next segment and destination, A9.
Darren

Yours,
Joel

On 10/22/18 8:04 PM, Darren Dukes (ddukes) wrote:
inline.
On Oct 22, 2018, at 7:21 PM, Joel M. Halpern <jmh@joelhalpern.com<mailto:jmh@joelhalpern.com>> wrote:
..
2) Now let us look at packets arriving at and actually destined for an SR Host in the SR Domain where that packet has an SRH.  If the packet is coming from another SR Host, the SRH will be in the base header, and the host can simply check it for any violations, and continue.  But, if the packet came from outside the domain, then it will have an encapsulating SRv6 header.  So the host has to detect this case, check and then peal off the encapsulating header, and then process the received packet. Yes, it can do so.  But nothing in teh document tells implementors they have to deal with both cases.

Can you be more precise here.  Perhaps use the example from section 5.2 or 6.2.1?
..

v2.23.0 | Report a Bug | By Email