IETF Logo Mail Archive

Re: [spring] C-SIDs and upper layer checksums (draft-ietf-spring-srv6-srh-compression)

Francois Clad <fclad.ietf@gmail.com> Fri, 05 April 2024 16:16 UTC

Return-Path: <fclad.ietf@gmail.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84C05C169429 for <spring@ietfa.amsl.com>; Fri, 5 Apr 2024 09:16:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vS9NXoTFjGtG for <spring@ietfa.amsl.com>; Fri, 5 Apr 2024 09:16:53 -0700 (PDT)
Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com [IPv6:2a00:1450:4864:20::632]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDA91C16942A for <spring@ietf.org>; Fri, 5 Apr 2024 09:16:21 -0700 (PDT)
Received: by mail-ej1-x632.google.com with SMTP id a640c23a62f3a-a47385a4379so627519966b.0 for <spring@ietf.org>; Fri, 05 Apr 2024 09:16:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712333780; x=1712938580; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=2Od5zBdzV//dPUOzUVjHcozxT1EnyhtOnrVVQJsZC2A=; b=FG2U06DwDBNsSR5Rrf/WIAENSDU/aFzUD7ASIIqkD1M6x3Wz2Ar3x60Ym8Z3Rv2CfO Jon0cV3ute+jAS+4vHrjJjo8x8UyKkUYK5QEjtc0IYHlOP8r8H2R1JPpBRlEQpYKmH2c JlU+9vkuS/ToZx73l48Osx7m6RZsiQr71/1hYCYtWGW/1TmN1VTG+LOO/S5jL2X2xIkb p5UffoTBZU9PZjAbBgUnMbbRtOBP/YgGVP43N6uCATyVWtLh+zc0DAIamutNiofMgi9j VKwGCw0uyKnSKHgy6260/+UQxreOMyQi1d1ORstWgqCM/kOpcAlv0/dUb6HjdY8Bd8bM mAQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712333780; x=1712938580; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2Od5zBdzV//dPUOzUVjHcozxT1EnyhtOnrVVQJsZC2A=; b=sCGVxo4Jjcbgis5G75juBX+3UH9OdxPf+U53lOuRn18S595oiFr7j2jFVQsi+4Brmq fqBSHhI178a2KrrcXuRXiHiwLazM84lEPCCdu12qUU548W35cLGi4xE8VWu0hjbFlc+C i2+PKt5HMPgfWxuEG8LlLYgp5zpu4iYtvxc56Vn7MDsrRBXQnMY7OOSn6kwGLM3R+JMY EpT3bwDTNaSi/J/S5Yog599Mtb/9VhToAkJp9SGsQLbNsXwH6nibNcEXHeJbPAPbRYYI aARWxQx10N+wCgJuNAjJ1bcsWJtpJrJD17etJoa9YTvQ2apsrIbrlDM7/SipJXRMl/HS /1tg==
X-Gm-Message-State: AOJu0Yw8cYn3Bpd8TN39TdW/MgpdnN6Kl+4rl3RgdhWfvWw01J1OBzaF NMpEeThYQK/ynMlQzfn21souF4MiMUMIZHjM6ZDeGfPQDgtAVqCNxcWEjx7oiMOqq4Qf845sVIc OCc/NQlD19ddIEbklmxUDLYAgLg==
X-Google-Smtp-Source: AGHT+IFH/KFMK6Gtm8nEh17r0gMxC2cLOr9ockRct2RxNRfhIOQcsYidRshDorPD0vZAPY6PMEw/ZzJ5QoIv+f2aZAc=
X-Received: by 2002:a17:906:2c17:b0:a51:a7d5:50d8 with SMTP id e23-20020a1709062c1700b00a51a7d550d8mr1523986ejh.16.1712333780035; Fri, 05 Apr 2024 09:16:20 -0700 (PDT)
Received: from 1064022179695 named unknown by gmailapi.google.com with HTTPREST; Fri, 5 Apr 2024 16:16:19 +0000
Received: from 1064022179695 named unknown by gmailapi.google.com with HTTPREST; Fri, 5 Apr 2024 16:16:16 +0000
MIME-Version: 1.0 (Mimestream 1.2.6)
References: <CAMMESsyCYJwWP48=a9RWx3n8txS1eR4VLnUeE++VEdHKFeKOjw@mail.gmail.com> <CAOj+MMH9-F0nWG6zDZXxAGOQ7T8T9bUn74f4o=Fh2p0zah86Gg@mail.gmail.com> <e50b6a1b-08ae-4c8c-b3f0-0900fe8a9158@joelhalpern.com> <CAOj+MME5yL2S9Y8woVhLpkx8Xjq8g1+Ngw0RjH7o5u82p-38yg@mail.gmail.com> <71b6f07e-08d6-40a0-9436-e4acebf96c3b@joelhalpern.com> <CAOj+MMGNbYy=QZdptdKfYa-1pGfO0OeEbc_SsOVcvhgR+==sHQ@mail.gmail.com> <e9731f5f-f583-456f-b1a2-ba99e1b9dda8@joelhalpern.com> <CAHT6gR8+y0nn8TndTsB5=uJXCpLW-01F6s1o9ZRrBA9yxQiqwQ@mail.gmail.com> <DU2PR03MB8021725C40A8BFF037A97C8FFA3C2@DU2PR03MB8021.eurprd03.prod.outlook.com> <CAHT6gR-zJOngZrnugetKgJ+jzDVJ0LO6Ro9Cng=scRDzQFTo0w@mail.gmail.com> <DU2PR03MB80219D1BD8C9536824F8759CFA3C2@DU2PR03MB8021.eurprd03.prod.outlook.com> <CAHT6gR84es=4bSfdHookXRyTqzs5CyZScfrk4WzCtiWYBYVYVA@mail.gmail.com> <DU2PR03MB802151361E7D059673714737FA3C2@DU2PR03MB8021.eurprd03.prod.outlook.com>
In-Reply-To: <DU2PR03MB802151361E7D059673714737FA3C2@DU2PR03MB8021.eurprd03.prod.outlook.com>
From: Francois Clad <fclad.ietf@gmail.com>
Date: Fri, 05 Apr 2024 16:16:19 +0000
Message-ID: <CAHT6gR-EOBwHbXLFoRAVYaFt4btvswJ6BHP7ce=4Gg=yK8iexg@mail.gmail.com>
To: Andrew Alston - IETF <andrew-ietf@liquid.tech>
Cc: SPRING WG List <spring@ietf.org>, Robert Raszuk <robert@raszuk.net>, Joel Halpern <jmh.direct@joelhalpern.com>
Content-Type: multipart/alternative; boundary="000000000000b2322206155bc69c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/1AJKxc9cVvshVDwLO5icHTgYfg8>
Subject: Re: [spring] C-SIDs and upper layer checksums (draft-ietf-spring-srv6-srh-compression)
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2024 16:16:54 -0000

 Hi Andrew,

The originator of an IPv6 packet with a SID in its destination address is
an SR source node per RFC 8754. If this SID is one
of draft-ietf-spring-srv6-srh-compression, then the node must follow the SR
source node specification in section 6 of this document.

I am curious to know which Linux box would verify the upper-layer checksum
of transit packets by default (and drop them if unable to validate it). Can
you share any pointer (e.g., kernel version)?

In my testing on a Linux 5.15 node acting as a software router (default
config with only IPv6 forwarding enabled and a static route), those packets
were forwarded without any issue.

Thanks,
Francois


On 4 Apr 2024 at 16:27:51, Andrew Alston - IETF <andrew-ietf@liquid.tech>
wrote:

> Francois,
>
>
>
> Node A sends packet to a microsid – without an SRH
>
>
>
>    1. The system by default and in all current implementations will have
>    no way to know it’s a microsid – TX checksumming would therefore break and
>    the packet would be dropped – irrespective of if its on hardware offload to
>    every NIC in existence or if the kernel is doing it – the kernel cannot
>    differentiate between a microsid outbound and a normal ipv6 address
>    2. If you get around (a) then the checksum is invalid in flight until
>    the end node – if you have a software router that is doing RX validation on
>    received packets – which – most linux boxes will do by default – the packet
>    will get dropped
>    3. If you get around (a) and assume that the linux box in question is
>    doing RX HW checksumming – same thing applies – the checksum will be
>    invalid according to the DA – and without an SRH it cannot calculate it
>
>
>
>
>
> This makes this entire thing incompatible with existing deployments of any
> software based routers out there based on bsd, linux and other such kernels
> – and is therefore – a direct violation of the spring charter which says
> that compatibility with existing deployments cannot be affected.
>
>
>
> Andrew
>
>
>
>
>
> * Internal All Employees From: *Francois Clad <fclad.ietf@gmail.com>
> *Date: *Thursday, 4 April 2024 at 17:19
> *To: *Andrew Alston - IETF <andrew-ietf@liquid.tech>
> *Cc: *SPRING WG List <spring@ietf.org>, Robert Raszuk <robert@raszuk.net>,
> Joel Halpern <jmh.direct@joelhalpern.com>
> *Subject: *Re: [spring] C-SIDs and upper layer checksums
> (draft-ietf-spring-srv6-srh-compression)
>
> CAUTION: This email has originated from a free email service commonly used
> for personal email services, please be guided accordingly especially if
> this email is asking to click links or share information.
>
>
>
> Andrew,
>
>
>
> What do you mean “in the middle”? Is this software router the SR source
> node, transit node, an intermediate SR segment endpoint, or the last SR
> segment endpoint node by RFC 8754 terminology?
>
>
>
> Thanks,
>
> Francois
>
>
>
> On 4 Apr 2024 at 16:07:31, Andrew Alston - IETF <andrew-ietf@liquid.tech>
> wrote:
>
> Francois,
>
>
>
> So what happens with software routers in the middle that are doing rx
> offloading? The NIC’s will reject the packets.  And in a pure software
> router by default any software router will see an incorrect checksum – and
> reject the packet.  Because effectively in this case software routers are
> acting as middle boxes.
>
>
>
> Thanks
>
>
>
> Andrew
>
>
>
>
>
>
>
>
>
> Internal All Employees
>
> *From: *Francois Clad <fclad.ietf@gmail.com>
> *Date: *Thursday, 4 April 2024 at 16:59
> *To: *Andrew Alston - IETF <andrew-ietf@liquid.tech>
> *Cc: *SPRING WG List <spring@ietf.org>, Robert Raszuk <robert@raszuk.net>,
> Joel Halpern <jmh.direct@joelhalpern.com>
> *Subject: *Re: [spring] C-SIDs and upper layer checksums
> (draft-ietf-spring-srv6-srh-compression)
>
> CAUTION: This email has originated from a free email service commonly used
> for personal email services, please be guided accordingly especially if
> this email is asking to click links or share information.
>
>
>
> Hi Andrew,
>
>
>
> The originator (TX Linux box in your case) acting as an SR source node for
> C-SID must follow the entire Section 6 of
> draft-ietf-spring-srv6-srh-compression, including section 6.5 about the
> checksum calculation. One cannot expect it to work if it only implements
> half of it.
>
>
>
> On the receive side, there is nothing special to do. The DA in the
> received IPv6 header is the one that was used for the checksum calculation.
>
>
>
> I do not see anything broken.
>
>
>
> Cheers,
>
> Francois
>
>
>
> On 4 Apr 2024 at 15:32:12, Andrew Alston - IETF <andrew-ietf@liquid.tech>
> wrote:
>
> So in investgiating this further, there is a further problem.
>
>
>
> I’ve checked on 4 different linux boxes with 4 different network cards.
>
>
>
> Linux by default offloads TX checksumming on a lot of network cards.  If
> you originate a packet with a microsid and no SRH – and the linux box
> offloads the checksum generation – the checksum generated by the NIC will
> be incorrect – and when the packet arrives at the end host – if that end
> host is running RX checksumming – the checksum will fail and the packet
> will be dropped.
>
>
>
> If you disable TX checksumming – the kernel will have no way to tell if
> the packet is an Ipv6 or a microsid packet, it will therefore use the DA –
> and generate an incorrect checksum.  Again – if RX checksumming is enabled
> on the receiving end point – the packet will get dropped.
>
>
>
> Effectively this does NOT just affect middle boxes – it effects anything
> generating a packet directed to a microsid that either offloads the tx to
> hardware (whichi will have no clue this is a microsid) or in the
> alternative is generating tx checksums itself via kernel mechanisms that
> will treat these packets as standard Ipv6 packets.
>
>
>
> This is broken – severely broken.
>
>
>
> Andrew
>
>
>
>
>
> Internal All Employees
>
> *From: *spring <spring-bounces@ietf.org> on behalf of Francois Clad <
> fclad.ietf@gmail.com>
> *Date: *Thursday, 4 April 2024 at 14:49
> *To: *Joel Halpern <jmh.direct@joelhalpern.com>
> *Cc: *SPRING WG List <spring@ietf.org>, Robert Raszuk <robert@raszuk.net>
> *Subject: *Re: [spring] C-SIDs and upper layer checksums
> (draft-ietf-spring-srv6-srh-compression)
>
> Some people who received this message don't often get email from
> fclad.ietf@gmail.com. Learn why this is important
> <https://aka.ms/LearnAboutSenderIdentification>
>
> CAUTION: This email has originated from a free email service commonly used
> for personal email services, please be guided accordingly especially if
> this email is asking to click links or share information.
>
>
>
> Hi all,
>
>
>
> Section 6.5 of draft-ietf-spring-srv6-srh-compression specifies how an SR
> source node originating a packet with an upper layer checksum determines
> the Destination Address for use in the IPv6 pseudo-header.
>
>
>
> As a co-author, I’d say that the current text of 6.5 is good.
>
>
>
> This text is aligned with RFC 8200. It only indicates how the text in
> Section 8.1 of RFC 8200 applies to the SIDs of
> draft-ietf-spring-srv6-srh-compression. This is necessary since RFC 8200
> does not specify the format nor behavior of any source routing scheme.
>
>
>
> Thanks,
>
> Francois
>
>
>
>
>
> On 4 Apr 2024 at 00:10:55, Joel Halpern <jmh.direct@joelhalpern.com>
> wrote:
>
> I can not speak to the "norm" for other working groups.  The SPRING
> charter is very specific about what we have to do if we want to change an
> underlying protocol.  We have to go back to the WG which owns that
> protocol.
>
> 6man gets to decide if the change is acceptable, and if it is acceptable
> how it is to be represented.  SPRINGs job is to make sure we are asking the
> question we intend.
>
> Yours,
>
> Joel
>
> On 4/3/2024 6:05 PM, Robert Raszuk wrote:
>
> Ok Joel,
>
>
>
> Thank you for this clarification.
>
>
>
> To me the actual spirit of RFC8200 8.1 is to say that it is ok to
> compute the checksum by the src such that it comes out right at the final
> destination.
>
>
>
> But I guess we can have different opinions about that.
>
>
>
> But what I find specifically surprising here is that it is a norm in IETF
> to have new specifications defining protocol extensions and their behaviour
> and never go back to the original protocol RFC to check if this is ok or
> not. If that would not be a normal process I bet we would still be using
> classful IPv4 routing all over the place.
>
>
>
> Regards,
>
> Robert
>
>
>
>
>
> On Wed, Apr 3, 2024 at 11:28 PM Joel Halpern <jmh@joelhalpern.com> wrote:
>
> The concern with regard to the text that the chairs are asking about is
> not about intermediate nodes verifying the checksum.  The text does not
> talk aabout that, so we are not asking about that.
>
> But, the text in 8200 specifies how the originating node is to compute the
> upper layer checksum.  It doesn't say "do whatever you need to do to make
> the destination come out right".  It provides specific instructions.  Yes,
> it is understandable that those instructions do not cover the compressed
> container cases.  Which is why the compression document specifies changes
> to those procedures.
>
> Thus, we need to ask 6man how they want to handle the change in the
> instructions in 8200.
>
> the question we are asking SPRING is whether there is any clarification
> people want to the text in the compression draft before we send the
> question over to 6man.
>
> Yours,
>
> Joel
>
> On 4/3/2024 5:15 PM, Robert Raszuk wrote:
>
> Hi Joel,
>
>
>
> My interpretation of text from RFC8200 is that it allows discrepancy
> between the header and the upper layer checksum as long as final packet's
> destination sees the correct one.
>
>
>
> The last condition is met.
>
>
>
> So I see no issue.
>
>
>
> Sure RFC8200 does not talk about SRH nor cSIDs, but provides a hint on how
> to handle such future situations.
>
>
>
> With that being said I would like to still understand what real problem
> are we hitting here ...
>
>
>
> Kind regards,
>
> Robert
>
>
>
> On Wed, Apr 3, 2024 at 11:09 PM Joel Halpern <jmh@joelhalpern.com> wrote:
>
> There are two cases covered in section 6.5 of the compression draft that
> appear to be at variance with secton 8.1 of RFC 8200.
>
> First, if the final destination in the routing header is a compressed
> container, then the ultimate destination address will not be the same as
> the final destination shown in the routing header.
>
> Second, if a uSID container is used as the destination address and no SRH
> is present, then in addition to the above problem there is no routing
> header to trigger the behavior described.
>
> Yours,
>
> Joel
>
> On 4/3/2024 4:22 PM, Robert Raszuk wrote:
>
> Hi Alvaro,
>
>
>
> Section 6.5 of draft-ietf-spring-srv6-srh-compression describes the
> behavior when an originating node inside an SRv6 domain creates a
> packet with a C-SID as the final destination.
> *This description differs from the text in Section 8.1 of RFC8200.*
>
>
>
> I would like you to clarify the above statement - specifically of the last
> sentence.
>
>
>
> Reason for this that after looking at both drafts I find section 6.5 of
> the subject draft to be exactly in line with RFC8200 section 8.1 especially
> with the paragraf which says:
>
>
>
>
>
>
>
>
> *         If the IPv6 packet contains a Routing header, the Destination
>        Address used in the pseudo-header is that of the final
>  destination.  At the originating node, that address will be in
>  the last element of the Routing header; at the recipient(s),          that
> address will be in the Destination Address field of the          IPv6
> header.*
>
>
>
> So before we dive into solutions (as Andrew has already provided a few of)
> I think we should first agree on what precise problem are we solving here ?
>
>
>
> Many thx,
>
> Robert
>
>
>
> PS. As a side note I spoke with my hardware folks - just to check if
> validation of upper-layer checksum is even an option for transit nodes. The
> answer is NO as most data plane hardware can read at most 256 bytes of
> packets. So unless there is some specialized hardware processing up to 9K
> packets in hardware at line rates this entire discussion about checksum
> violations, fears of firing appeals is just smoke.
>
>
>
> _______________________________________________
> spring mailing list
> spring@ietf.org
> https://www.ietf.org/mailman/listinfo/spring
>
>

v2.23.0 | Report a Bug | By Email