IETF Logo Mail Archive

Re: [spring] C-SIDs and upper layer checksums (draft-ietf-spring-srv6-srh-compression)

Joel Halpern <jmh.direct@joelhalpern.com> Thu, 04 April 2024 14:10 UTC

Return-Path: <jmh.direct@joelhalpern.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E826C165518 for <spring@ietfa.amsl.com>; Thu, 4 Apr 2024 07:10:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.795
X-Spam-Level:
X-Spam-Status: No, score=-2.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F9WBh4FAONdm for <spring@ietfa.amsl.com>; Thu, 4 Apr 2024 07:10:18 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF285C14F60C for <spring@ietf.org>; Thu, 4 Apr 2024 07:10:18 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id 4V9Nmp1n7Cz1nsMR; Thu, 4 Apr 2024 07:10:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=2.tigertech; t=1712239818; bh=sxyMWRfY1bJqvqAvwBSWYMAOmhj4m+d8OxHObDoBPww=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=aaU+dArAJSPyCrN+lwWRkCFqT3md4IcRKGYsfIaUnjbgGiDSWCjlQOng3Z5R5CbMO OCoy3O1qbNNVDyMz8u9l0lujiUgBxOC6pXnyj+k4aLQb50MFdXx+zwb5z4uv3gCbNW /HzfyqC9lqt8t2Htb/2G9mQfFc6mrT6HM+kuN0+A=
X-Quarantine-ID: <EiYkapxq3dMb>
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from [192.168.22.20] (unknown [50.233.136.230]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id 4V9Nmj65wfz1nsMv; Thu, 4 Apr 2024 07:10:13 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------0ToJKUFi1SHXcI9aXgIhb35I"
Message-ID: <038b66c0-1f43-4167-8066-550addd2307a@joelhalpern.com>
Date: Thu, 04 Apr 2024 10:10:11 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Francois Clad <fclad.ietf@gmail.com>, Andrew Alston - IETF <andrew-ietf@liquid.tech>
Cc: SPRING WG List <spring@ietf.org>, Robert Raszuk <robert@raszuk.net>
References: <CAMMESsyCYJwWP48=a9RWx3n8txS1eR4VLnUeE++VEdHKFeKOjw@mail.gmail.com> <CAOj+MMH9-F0nWG6zDZXxAGOQ7T8T9bUn74f4o=Fh2p0zah86Gg@mail.gmail.com> <e50b6a1b-08ae-4c8c-b3f0-0900fe8a9158@joelhalpern.com> <CAOj+MME5yL2S9Y8woVhLpkx8Xjq8g1+Ngw0RjH7o5u82p-38yg@mail.gmail.com> <71b6f07e-08d6-40a0-9436-e4acebf96c3b@joelhalpern.com> <CAOj+MMGNbYy=QZdptdKfYa-1pGfO0OeEbc_SsOVcvhgR+==sHQ@mail.gmail.com> <e9731f5f-f583-456f-b1a2-ba99e1b9dda8@joelhalpern.com> <CAHT6gR8+y0nn8TndTsB5=uJXCpLW-01F6s1o9ZRrBA9yxQiqwQ@mail.gmail.com> <DU2PR03MB8021725C40A8BFF037A97C8FFA3C2@DU2PR03MB8021.eurprd03.prod.outlook.com> <CAHT6gR-zJOngZrnugetKgJ+jzDVJ0LO6Ro9Cng=scRDzQFTo0w@mail.gmail.com>
Content-Language: en-US
From: Joel Halpern <jmh.direct@joelhalpern.com>
In-Reply-To: <CAHT6gR-zJOngZrnugetKgJ+jzDVJ0LO6Ro9Cng=scRDzQFTo0w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/5T8hCvxwipN6th5wjuFviFvNBnc>
Subject: Re: [spring] C-SIDs and upper layer checksums (draft-ietf-spring-srv6-srh-compression)
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 14:10:23 -0000

<No Hat>

Does this mean that if I have a source and destiantion host inside an 
SRv6 domain, and I am trying to verify a uSID path between them, so I 
issue the command ping <usUD-DA>, it will fail?  Given that we have 
documents describing the use of ping and traceroute with SRv6, shouldn't 
the comrpession document say someething about this?

Your,s

Joel

On 4/4/2024 9:59 AM, Francois Clad wrote:
> Hi Andrew,
>
> The originator (TX Linux box in your case) acting as an SR source node 
> for C-SID must follow the entire Section 6 of 
> draft-ietf-spring-srv6-srh-compression, including section 6.5 about 
> the checksum calculation. One cannot expect it to work if it only 
> implements half of it.
>
> On the receive side, there is nothing special to do. The DA in the 
> received IPv6 header is the one that was used for the checksum 
> calculation.
>
> I do not see anything broken.
>
> Cheers,
> Francois
>
> On 4 Apr 2024 at 15:32:12, Andrew Alston - IETF 
> <andrew-ietf@liquid.tech> wrote:
>>
>> So in investgiating this further, there is a further problem.
>>
>> I’ve checked on 4 different linux boxes with 4 different network cards.
>>
>> Linux by default offloads TX checksumming on a lot of network cards.  
>> If you originate a packet with a microsid and no SRH – and the linux 
>> box offloads the checksum generation – the checksum generated by the 
>> NIC will be incorrect – and when the packet arrives at the end host – 
>> if that end host is running RX checksumming – the checksum will fail 
>> and the packet will be dropped.
>>
>> If you disable TX checksumming – the kernel will have no way to tell 
>> if the packet is an Ipv6 or a microsid packet, it will therefore use 
>> the DA – and generate an incorrect checksum.  Again – if RX 
>> checksumming is enabled on the receiving end point – the packet will 
>> get dropped.
>>
>> Effectively this does NOT just affect middle boxes – it effects 
>> anything generating a packet directed to a microsid that either 
>> offloads the tx to hardware (whichi will have no clue this is a 
>> microsid) or in the alternative is generating tx checksums itself via 
>> kernel mechanisms that will treat these packets as standard Ipv6 
>> packets.
>>
>> This is broken – severely broken.
>>
>> Andrew
>>
>> *
>> *
>>
>> *
>>
>> Internal All Employees
>>
>> From: *spring <spring-bounces@ietf.org> on behalf of Francois Clad 
>> <fclad.ietf@gmail.com>
>> *Date: *Thursday, 4 April 2024 at 14:49
>> *To: *Joel Halpern <jmh.direct@joelhalpern.com>
>> *Cc: *SPRING WG List <spring@ietf.org>, Robert Raszuk <robert@raszuk.net>
>> *Subject: *Re: [spring] C-SIDs and upper layer checksums 
>> (draft-ietf-spring-srv6-srh-compression)
>>
>> 	
>>
>> Some people who received this message don't often get email from 
>> fclad.ietf@gmail.com. Learn why this is important 
>> <https://aka.ms/LearnAboutSenderIdentification>
>>
>> 	
>>
>> CAUTION: This email has originated from a free email service commonly 
>> used for personal email services, please be guided accordingly 
>> especially if this email is asking to click links or share information.
>>
>> Hi all,
>>
>> Section 6.5 of draft-ietf-spring-srv6-srh-compression specifies how 
>> an SR source node originating a packet with an upper layer checksum 
>> determines the Destination Address for use in the IPv6 pseudo-header.
>>
>> As a co-author, I’d say that the current text of 6.5 is good.
>>
>> This text is aligned with RFC 8200. It only indicates how the text in 
>> Section 8.1 of RFC 8200 applies to the SIDs of 
>> draft-ietf-spring-srv6-srh-compression. This is necessary since RFC 
>> 8200 does not specify the format nor behavior of any source routing 
>> scheme.
>>
>> Thanks,
>>
>> Francois
>>
>> On 4 Apr 2024 at 00:10:55, Joel Halpern <jmh.direct@joelhalpern.com> 
>> wrote:
>>
>>     I can not speak to the "norm" for other working groups.  The
>>     SPRING charter is very specific about what we have to do if we
>>     want to change an underlying protocol.  We have to go back to the
>>     WG which owns that protocol.
>>
>>     6man gets to decide if the change is acceptable, and if it is
>>     acceptable how it is to be represented.  SPRINGs job is to make
>>     sure we are asking the question we intend.
>>
>>     Yours,
>>
>>     Joel
>>
>>     On 4/3/2024 6:05 PM, Robert Raszuk wrote:
>>
>>         Ok Joel,
>>
>>         Thank you for this clarification.
>>
>>         To me the actual spirit of RFC8200 8.1 is to say that it is
>>         ok to compute the checksum by the src such that it comes out
>>         right at the final destination.
>>
>>         But I guess we can have different opinions about that.
>>
>>         But what I find specifically surprising here is that it is a
>>         norm in IETF to have new specifications defining protocol
>>         extensions and their behaviour and never go back to the
>>         original protocol RFC to check if this is ok or not. If that
>>         would not be a normal process I bet we would still be using
>>         classful IPv4 routing all over the place.
>>
>>         Regards,
>>
>>         Robert
>>
>>         On Wed, Apr 3, 2024 at 11:28 PM Joel Halpern
>>         <jmh@joelhalpern.com> wrote:
>>
>>             The concern with regard to the text that the chairs are
>>             asking about is not about intermediate nodes verifying
>>             the checksum.  The text does not talk aabout that, so we
>>             are not asking about that.
>>
>>             But, the text in 8200 specifies how the originating node
>>             is to compute the upper layer checksum.  It doesn't say
>>             "do whatever you need to do to make the destination come
>>             out right".  It provides specific instructions.  Yes, it
>>             is understandable that those instructions do not cover
>>             the compressed container cases.  Which is why the
>>             compression document specifies changes to those procedures.
>>
>>             Thus, we need to ask 6man how they want to handle the
>>             change in the instructions in 8200.
>>
>>             the question we are asking SPRING is whether there is any
>>             clarification people want to the text in the compression
>>             draft before we send the question over to 6man.
>>
>>             Yours,
>>
>>             Joel
>>
>>             On 4/3/2024 5:15 PM, Robert Raszuk wrote:
>>
>>                 Hi Joel,
>>
>>                 My interpretation of text from RFC8200 is that it
>>                 allows discrepancy between the header and the upper
>>                 layer checksum as long as final packet's destination
>>                 sees the correct one.
>>
>>                 The last condition is met.
>>
>>                 So I see no issue.
>>
>>                 Sure RFC8200 does not talk about SRH nor cSIDs, but
>>                 provides a hint on how to handle such future situations.
>>
>>                 With that being said I would like to still understand
>>                 what real problem are we hitting here ...
>>
>>                 Kind regards,
>>
>>                 Robert
>>
>>                 On Wed, Apr 3, 2024 at 11:09 PM Joel Halpern
>>                 <jmh@joelhalpern.com> wrote:
>>
>>                     There are two cases covered in section 6.5 of the
>>                     compression draft that appear to be at variance
>>                     with secton 8.1 of RFC 8200.
>>
>>                     First, if the final destination in the routing
>>                     header is a compressed container, then the
>>                     ultimate destination address will not be the same
>>                     as the final destination shown in the routing header.
>>
>>                     Second, if a uSID container is used as the
>>                     destination address and no SRH is present, then
>>                     in addition to the above problem there is no
>>                     routing header to trigger the behavior described.
>>
>>                     Yours,
>>
>>                     Joel
>>
>>                     On 4/3/2024 4:22 PM, Robert Raszuk wrote:
>>
>>                         Hi Alvaro,
>>
>>                             Section 6.5 of
>>                             draft-ietf-spring-srv6-srh-compression
>>                             describes the
>>                             behavior when an originating node inside
>>                             an SRv6 domain creates a
>>                             packet with a C-SID as the final
>>                             destination. _This description differs
>>                             from the text in Section 8.1 of RFC8200._
>>
>>                         I would like you to clarify the above
>>                         statement - specifically of the last sentence.
>>
>>                         Reason for this that after looking at both
>>                         drafts I find section 6.5 of the subject
>>                         draft to be exactly in line with RFC8200
>>                         section 8.1 especially with the paragraf
>>                         which says:
>>
>>                         *         If the IPv6 packet contains a
>>                         Routing header, the Destination
>>                          Address used in the pseudo-header is that of
>>                         the final
>>                          destination. At the originating node, that
>>                         address will be in
>>                                  the last element of the Routing
>>                         header; at the recipient(s),
>>                                  that address will be in the
>>                         Destination Address field of the
>>                                  IPv6 header.*
>>
>>                         So before we dive into solutions (as Andrew
>>                         has already provided a few of) I think we
>>                         should first agree on what precise problem
>>                         are we solving here ?
>>
>>                         Many thx,
>>
>>                         Robert
>>
>>                         PS. As a side note I spoke with my hardware
>>                         folks - just to check if validation of
>>                         upper-layer checksum is even an option for
>>                         transit nodes. The answer is NO as most data
>>                         plane hardware can read at most 256 bytes of
>>                         packets. So unless there is some specialized
>>                         hardware processing up to 9K packets in
>>                         hardware at line rates this entire discussion
>>                         about checksum violations, fears of firing
>>                         appeals is just smoke.
>>
>>     _______________________________________________
>>     spring mailing list
>>     spring@ietf.org
>>     https://www.ietf.org/mailman/listinfo/spring
>>

v2.23.0 | Report a Bug | By Email