IETF Logo Mail Archive

Re: [spring] Request comments/feedback on https://datatracker.ietf.org/doc/draft-zzhang-spring-microtap-segment/01/

Robert Raszuk <robert@raszuk.net> Fri, 01 March 2024 17:14 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F92CC1654EC for <spring@ietfa.amsl.com>; Fri, 1 Mar 2024 09:14:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.006
X-Spam-Level:
X-Spam-Status: No, score=-2.006 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dk-pMXao-O-z for <spring@ietfa.amsl.com>; Fri, 1 Mar 2024 09:14:13 -0800 (PST)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7C35C13506C for <spring@ietf.org>; Fri, 1 Mar 2024 09:14:04 -0800 (PST)
Received: by mail-ed1-x529.google.com with SMTP id 4fb4d7f45d1cf-565c6cf4819so5773729a12.1 for <spring@ietf.org>; Fri, 01 Mar 2024 09:14:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; t=1709313243; x=1709918043; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3vVZiCRqZo1KZ9lzXZbh0oC1duQ8dSySigGfCUKu6j0=; b=GCX1HuQ93DFtnNiCXlBKImyEB/hd1diw36yFhfb5AipljlvXmpocKgZbotL06svkPM PBJ3A6xGfC42PbhufBJ1Onw3XcsRQ34NYQDpMHVqesPA4KmYesBHM6HqtRksrVQyfwT7 maeYBWXIKLtLk5w6B3aSXPD/1HkBjojY0IAiInG6Rk364vsb4KdTN1nFzK9KCip0f8aL 3csk+YCXvqAKz5LdpK6zyFpSqslEbCF5EkErQCU+SYNvxula6XgHY0SKXC1zzd2latvD 8MxoSu3SAcDbW/SsLg0TKkDL69RoB79Uekr8aGXz20o83LKzqFkiKsK5o77zdo/0Uqg+ MQug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709313243; x=1709918043; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3vVZiCRqZo1KZ9lzXZbh0oC1duQ8dSySigGfCUKu6j0=; b=GtNqsVZEqcgyMCCcavqFMjnuZycp5HD3eFOS7S0mrTfVbcMLLpKk57Uq6fd3DlhIKN bfNHUMtPab54ZDv42zbmqGSNQjJ7M7i6KB8e725i5L0l7usih9Q+trDRWbZ+01BLWlI9 CwdP5gvLXKDYNpepYZ6t5PzcOsOLEqZYh92b66fEXykx/sULfdEjcAJl1UfhrCRR07+m ZCZ2ghXZP+8LSRuxVccqPVooMMxaC4zNqpog6lCpcDKQQKKqYrrGPOzEXFa5BP4z3cGd XW11uGOlmxrAaM+C8hgZi21t65lT59EjyJvkWW8pFa4Lq18352svZrwe135t0U0v0JfL 6xuw==
X-Forwarded-Encrypted: i=1; AJvYcCVRL4HjnLMeV7Q2bB0fCCdP0A7fE967m3XSC3h1S/WxlycqeqhARMOnK7AG7XJdveoQXChgVPjKwHe0FbEIRwk=
X-Gm-Message-State: AOJu0Yz/r6YMm0QzWsHWCPsTVFLNKNXCof6QThw7FJu1UgoGUtsFW+R+ f0mFRAMRi9XKIcTkZaEdzqx+dFql0B8TvWXETxvmTpod8VmFkD3vVANmcshTR+q18zJn9R+qBh0 4rxlnX0coN6B7am6ETefG+HR1WPvqTZCsh9fxm7gObI3dLGfa
X-Google-Smtp-Source: AGHT+IFtd1P4OLPB0OZTOmy7hwnRFPnFoanuD2kas33mEy6Ad7eK7lJzc3lzwLR4q3JhxCG44mEJkzg4DHC0Q2QljbE=
X-Received: by 2002:a05:6402:312e:b0:566:a821:ae9 with SMTP id dd14-20020a056402312e00b00566a8210ae9mr1808169edb.9.1709313243048; Fri, 01 Mar 2024 09:14:03 -0800 (PST)
MIME-Version: 1.0
References: <CAKsJ_vjpjKC=9wDboxVK0UZFE=_SnogrwWKso-AaQ0eezq4WBw@mail.gmail.com> <3187342B-DA67-4857-A4E6-926CF54861D2@gmail.com> <CAG=3OHdWa_iVxJtB_VpdWDHdPqa3KgYsBstBnff1qxyHP-m=mw@mail.gmail.com> <IA1PR05MB9550E87D724EE6BF856122CFD45E2@IA1PR05MB9550.namprd05.prod.outlook.com>
In-Reply-To: <IA1PR05MB9550E87D724EE6BF856122CFD45E2@IA1PR05MB9550.namprd05.prod.outlook.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Fri, 01 Mar 2024 18:13:52 +0100
Message-ID: <CAOj+MMEnLH8aV-=XmDQqfMOerX08=BY1e50vTw_7GXYb3KR12A@mail.gmail.com>
To: "Jeffrey (Zhaohui) Zhang" <zzhang=40juniper.net@dmarc.ietf.org>
Cc: Eduard Metz <etmetz@gmail.com>, Jeff Tantsura <jefftant.ietf@gmail.com>, Ryan Hoffman <ryan.hoffman=40telus.com@dmarc.ietf.org>, "spring@ietf.org" <spring@ietf.org>, "draft-zzhang-spring-microtap-segment@ietf.org" <draft-zzhang-spring-microtap-segment@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a97eb006129c8002"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/G5dVAAgp_KASkQyUCa0lqusMHcM>
Subject: Re: [spring] Request comments/feedback on https://datatracker.ietf.org/doc/draft-zzhang-spring-microtap-segment/01/
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2024 17:14:17 -0000

Hi Jeffrey,

I have a question here ...

Are you completely dismissing the case where monitor itself may be microTAP
SR capable or that microTAP capable node may simply IP
encapsulate interesting traffic to monitor node which in turn would be just
reachable in the IGP and not connected directly to any SR/MicroTAP capable
node ?

You seems to be highlighting in both draft and below responses that monitor
must be directly connected to SR node ... which is surely possible but IMO
it limits the deployment options.

Many Thx,
Robert


On Fri, Mar 1, 2024 at 5:51 PM Jeffrey (Zhaohui) Zhang <zzhang=
40juniper.net@dmarc.ietf.org> wrote:

> Hi Ed, Jeff,
>
>
>
> Thanks for your comments.
>
> Please see zzh> below.
>
>
>
> Juniper Business Use Only
>
> *From:* Eduard Metz <etmetz@gmail.com>
> *Sent:* Friday, March 1, 2024 6:42 AM
> *To:* Jeff Tantsura <jefftant.ietf@gmail.com>
> *Cc:* Ryan Hoffman <ryan.hoffman=40telus.com@dmarc.ietf.org>; Jeffrey
> (Zhaohui) Zhang <zzhang@juniper.net>; spring@ietf.org;
> draft-zzhang-spring-microtap-segment@ietf.org
> *Subject:* Re: [spring] [WARNING: SUSPICIOUS SENDER] Request
> comments/feedback on
> https://datatracker.ietf.org/doc/draft-zzhang-spring-microtap-segment/01/
>
>
>
> *[External Email. Be cautious of content]*
>
>
>
>
>
> I think this is a relevant use-case / feature.
>
>
>
> Few comments after first read:
>
> - For SRv6 the procedure may be slightly different, ie steer traffic via
> MicroTAP capable node or have MicroTAP as integrated capability of
> "default" forwarding (of capable nodes) and indicate the parameter - this
> is the approach in the current draft if I understand correctly.
>
>
>
> Zzh> The microtap segment belongs to the node connected to the monitor,
> which is typically not in the path of most traffic. When a capable node in
> the normal traffic path encounters a microtap SID (which is not advertised
> by that node), it makes a copy and send the copy to the owner of the
> microtap SID (while continue to forward the original copy after removing
> the microtap SID).
>
> Zzh> Therefore, it is not an integrated capability of “default” forwarding
> (of capable nodes).
>
>
>
> - Section 2.3 describes that if a MicroTAP SID becomes the active on the a
> node not supporting the MicroTAP capability, the packet would be dropped. I
> wondered if this is correct? Wouldnt the packet be forwarded to the
> "monitor" node? This breaks the communication effectively, but not a drop
> at the node not supported MicroTAP.
>
>
>
> Zzh> A node not supporting MicroTAP will not advertise its capability or
> install the forwarding state for MicroTAP SIDs (advertised by the nodes
> connected to the monitors).
>
> Zzh> As a result, other nodes SHOULD NOT place a MicroTap SID after the
> node/adj SID for the incapable node. In the unlikely case if that happened,
> in the case of MPLS the packet will simply be dropped (there is no
> corresponding state). In the case of SRv6, there might not be a
> corresponding IPv6 route either and traffic will also be dropped. But if
> there is a less specific route covering that MicroTap SID, then it will be
> forwarded accordingly. We will add that clarification.
>
>
>
> - In general, or least for intercept, one would be interested in both
> directions of a traffic stream (e.g to / from a specific IP). To
> address this, the MicroTAP SID would need to inserted on all relevant
> ingresses. And the monitor may receive packets from different MicroTAP
> capable nodes. This may have implications for the use of IOM header (e.g.
> to avoid duplicate sequence ids)
>
>
>
> Zzh> A monitor is going to receive tapped packets from all over the places
> (it all depends on which packets carry the MicroTap SID and where in the
> SID list), but unless a MicroTap SID is repeated (in different places of
> the SID list) in the packet, the monitor will only receive one tapped copy
> for a particular packet. I also imagine that an ingress is likely
> coordinating with the monitor when it places the MicroTap SID, even though
> that’s outside the scope of this draft.
>
> Zzh> Can you explain the implications for the use of IOM header?
>
> Zzh> Thanks.
>
> Zzh> Jeffrey
>
>
>
> cheers,
>
>   Eduard
>
>
>
>
>
> On Wed, Feb 28, 2024 at 4:52 AM Jeff Tantsura <jefftant.ietf@gmail.com>
> wrote:
>
> Seems like a very useful feature indeed.
>
>
>
> Cheers,
>
> Jeff
>
>
>
> On Feb 27, 2024, at 07:15, Ryan Hoffman <ryan.hoffman=
> 40telus.com@dmarc.ietf.org> wrote:
>
> 
>
> TELUS intends to deploy this microTap segment feature once available in
> vendor NOS after thorough testing in our lab.  We'd expedite TELUS testing
> and deployment when available from vendors, as this is a much needed
> feature in our network.
>
>
>
> Thanks,
>
> Ryan Hoffman
>
>
>
> On Wed, Apr 5, 2023 at 3:28 PM Jeffrey (Zhaohui) Zhang <zzhang@juniper.net>
> wrote:
>
> Hi,
>
> The authors of this draft would like to get your feedback on this draft.
>
>    This document specifies a microTap segment that can be used to
>    instruct a transit node to make a copy of a segment-routed packet and
>    deliver it to a specified node for the purpose of network monitoring,
>    trouble shooting, or lawful intercept.
>
> Due to the limit of Spring WG session time we have not been able to
> present it but we submitted slides before:
> https://datatracker.ietf.org/meeting/115/materials/slides-115-spring-slides-115-spring-microtap-segment-00
> <https://urldefense.com/v3/__https:/datatracker.ietf.org/meeting/115/materials/slides-115-spring-slides-115-spring-microtap-segment-00__;!!NEt6yMaO-gk!EKhg-4oZEfTFYJNmgp8IGr1V5a4BR45VWyFGE1yjXKX5wyy_b1J1I5V1a1TwceJBWn4B_S11vdYmbIo$>
> .
>
> Thanks.
> Jeffrey
>
> Juniper Business Use Only
>
> _______________________________________________
> spring mailing list
> spring@ietf.org
> https://www.ietf.org/mailman/listinfo/spring
> <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spring__;!!NEt6yMaO-gk!EKhg-4oZEfTFYJNmgp8IGr1V5a4BR45VWyFGE1yjXKX5wyy_b1J1I5V1a1TwceJBWn4B_S11CmS-d-Q$>
>
> _______________________________________________
> spring mailing list
> spring@ietf.org
> https://www.ietf.org/mailman/listinfo/spring
> <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spring__;!!NEt6yMaO-gk!EKhg-4oZEfTFYJNmgp8IGr1V5a4BR45VWyFGE1yjXKX5wyy_b1J1I5V1a1TwceJBWn4B_S11CmS-d-Q$>
>
> _______________________________________________
> spring mailing list
> spring@ietf.org
> https://www.ietf.org/mailman/listinfo/spring
>

v2.23.0 | Report a Bug | By Email