Re: [spring] draft-ietf-spring-srv6-srh-compression
Nick Hilliard <nick@foobar.org> Tue, 06 February 2024 23:28 UTC
Return-Path: <nick@foobar.org>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1AE4C14F6AA for <spring@ietfa.amsl.com>; Tue, 6 Feb 2024 15:28:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.091, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LC6jm14KOEMQ for <spring@ietfa.amsl.com>; Tue, 6 Feb 2024 15:28:39 -0800 (PST)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BECAEC14F680 for <spring@ietf.org>; Tue, 6 Feb 2024 15:28:37 -0800 (PST)
Received: from crumpet.local (unknown [89.101.70.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netability.ie (Postfix) with ESMTPSA id D4651B070A; Tue, 6 Feb 2024 23:28:33 +0000 (GMT)
To: Robert Raszuk <robert@raszuk.net>
Cc: Nick Buraglio <buraglio@forwardingplane.net>, Francois Clad <fclad.ietf@gmail.com>, Andrew Alston - IETF <andrew-ietf=40liquid.tech@dmarc.ietf.org>, "spring@ietf.org" <spring@ietf.org>, Antoine FRESSANCOURT <antoine.fressancourt=40huawei.com@dmarc.ietf.org>, Ron Bonica <rbonica@juniper.net>
References: <DU2PR03MB8021764E2F17F0D527E3FA3CFA472@DU2PR03MB8021.eurprd03.prod.outlook.com> <BL0PR05MB53163A098023244520ADCEEBAE472@BL0PR05MB5316.namprd05.prod.outlook.com> <CAOj+MMEc1R8fZZwgOEF2-mK8S0+PE+zBR3Yz9vwXBh-umQPAjQ@mail.gmail.com> <DU2PR03MB8021CE3063F9E5B59B9A142FFA472@DU2PR03MB8021.eurprd03.prod.outlook.com> <6d32265d55cb4533b7da5d2d25e7c8d4@huawei.com> <DU2PR03MB8021F2F2194249158DE985B9FA462@DU2PR03MB8021.eurprd03.prod.outlook.com> <CAHT6gR9twG0Y8ZYF_c=UABC1g0=qM=MaDuqu8b5TY7VFRODqEg@mail.gmail.com> <b0c9e6d4-4fb3-3c55-a256-c58f2c4dec1d@foobar.org> <CACMsEX8xea-Z28JvVqpVh2+EEhDkhkDwcMnktphozUQcS9Y0uw@mail.gmail.com> <CAOj+MMH9RvukpJxPNRKQbLRnYNRidy_MPXerQZziSUX8zAmzuw@mail.gmail.com>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <787167f1-263b-9ce0-da20-727716438b93@foobar.org>
Date: Tue, 06 Feb 2024 23:28:32 +0000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:52.0) Gecko/20100101 PostboxApp/7.0.60
MIME-Version: 1.0
In-Reply-To: <CAOj+MMH9RvukpJxPNRKQbLRnYNRidy_MPXerQZziSUX8zAmzuw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------AD2184A2B94024A92E5D12A4"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/HcVEnZ8nvHx1lbqCCrw0eHodIx4>
Subject: Re: [spring] draft-ietf-spring-srv6-srh-compression
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2024 23:28:41 -0000
Robert, Usually (but not always) networks which deploy a strict edge + core architecture would avoid middleboxes in the core, but most networks are more heterogeneous than that, as Andrew pointed out further up this thread. Nick Robert Raszuk wrote on 06/02/2024 22:04: > Hey Nick, > > All I could perhaps add to this thread here is that from my > experience the "middleboxes" RFC3234 talks about are placed at the > edges or peripherals of the core networks (example DMZs). In those > parts of the network rarely anyone runs any form of SRv6 be it with or > without SRH. > > So while in theory you could put an IDS/IPS in the middle of the 400G > core transit in practice it is never the case. > > Kind regards, > Robert > > > > On Tue, Feb 6, 2024 at 10:49 PM Nick Buraglio > <buraglio@forwardingplane.net <mailto:buraglio@forwardingplane.net>> > wrote: > > On Tue, Feb 6, 2024 at 1:58 PM Nick Hilliard <nick@foobar.org > <mailto:nick@foobar.org>> wrote: > > > > Francois, > > > > Fairly sure Andrew was referring to middleboxes, as defined in > rfc3234. > > > > In terms of what rfc8200 does or doesn't say, if srv6 is going > to unearth problems with the well-established operational > practices of embedding middleboxes deeply inside networks, then > this will need to be addressed. Protocols have to work, and 30 > years of middleboxes aren't going to go away any time soon. > > Definitely agree with the middle box issue, middle boxes aren't going > away and are fairly pervasive. As I asked previously, and Tal more > eloquently requested, do we have examples we can reference for > failure? Do we have a working example of a middle box that can verify > a checksum with a SRH? That would imply that the middle box either > participates in an SRv6 domain or ignores / passes the RH4. My testing > of many core routing platforms has left me wanting in the "filtering > RH4" department, and middle boxes tend to lag a handful of years > behind carrier gear. > > > > > Nick > > > > Francois Clad wrote on 06/02/2024 16:58: > > > > Hi Andrew, > > > > The L4 checksum issue that you have brought up is from the point > of view of a “middleware” node. Is my understanding correct? This > is not from either the source or destination node point of view > which is covered by section 8.1 of RFC 8200. > > > > Can you please describe this “middleware” and perhaps point to > its IETF specification? > > > > Thanks, > > Francois > > > > On Feb 6, 2024 at 11:16:12, Andrew Alston - IETF > <andrew-ietf=40liquid.tech@dmarc.ietf.org > <mailto:40liquid.tech@dmarc.ietf.org>> wrote: > >> > >> I think it’s only fair to clarify my remarks – again – speaking > entirely as a contributor. > >> > >> > >> > >> Let’s be clear – the middlware boxes will work in most cases – > except when there is no SRH. > >> > >> > >> > >> The problem here is that if you apply a Micro-SID – which is > imposed by originating system – and have no SRH – the DA of the > packet is changing along the way – and the L4 checksum will be > broken. There is no way to actually calculate the correct L4 > checksum in flight – and in reality the originating system will > now need to impose a checksum that is invalid at the start for it > to be correct at the end – breaking end to end check summing. > This is a problem. > >> > >> > >> > >> Let’s look at what 8200 says: > >> > >> > >> > >> o If the IPv6 packet contains a Routing header, the > Destination > >> > >> Address used in the pseudo-header is that of the final > >> > >> destination. At the originating node, that address > will be in > >> > >> the last element of the Routing header; at the > recipient(s), > >> > >> that address will be in the Destination Address field > of the > >> > >> IPv6 header. > >> > >> > >> > >> Now, in the case of no SRH – the DA address placed by the > originating host – is *NOT* the final DA – because of the > manipulation in the middle. > >> > >> > >> > >> The reality is that middleware boxes are (unfortunately) common > – especially in this part of the world – they are used by state > and other entities for DPI and traffic control etc – and they are > used for IDS purposes etc – and breaking the L4 checksum in flight > with no way for these boxes to calculate the correct checksum – > will break existing deployments – that – is a problem and it needs > to be addressed. I would be quite fine if there was explicit text > detailing this that was explicitly approved by 6man as the > originators of 8200 (and a clear indication that this document > updates 8200) – or alternatively a -BIS to 8200. Either way – if > you break the checksum – this needs explanatory text and it needs > approval for 6man via a 6man Last call as far as I am concerned. > >> > >> > >> > >> Thanks > >> > >> > >> > >> Andrew > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> Internal All Employees > >> > >> From: Antoine FRESSANCOURT > <antoine.fressancourt=40huawei.com@dmarc.ietf.org > <mailto:40huawei.com@dmarc.ietf.org>> > >> Date: Tuesday, 6 February 2024 at 12:16 > >> To: Andrew Alston - IETF <andrew-ietf@liquid.tech>, Robert > Raszuk <robert@raszuk.net <mailto:robert@raszuk.net>>, Ron Bonica > <rbonica@juniper.net <mailto:rbonica@juniper.net>> > >> Cc: spring@ietf.org <mailto:spring@ietf.org> <spring@ietf.org > <mailto:spring@ietf.org>> > >> Subject: RE: [spring] draft-ietf-spring-srv6-srh-compression > >> > >> Hello, > >> > >> > >> > >> I tend to agree with Andrew that the fact that the verification > of a L4 checksum by a middlebox breaks is a problem. But I think > this is a huge problem with the middleboxes, not with SRv6. > >> > >> > >> > >> According to me, reading RFC 8200 gives rather clear guidelines > with regards to the computation of the L4 checksum. This checksum > should be computed using the destination address seen by the > destination verifying the checksum. As L4 protocols are end to end > protocols, the checksum verifier is the end point destination of > the packet, and not a middlebox on the path. If a middlebox breaks > the communication by looking at fields it should not look at, then > the problem is the intervention of the middlebox. > >> > >> > >> > >> Best, > >> > >> > >> > >> Antoine > >> > >> > >> > >> > >> > >> From: spring <spring-bounces@ietf.org > <mailto:spring-bounces@ietf.org>> On Behalf Of Andrew Alston - IETF > >> Sent: lundi 5 février 2024 20:32 > >> To: Robert Raszuk <robert@raszuk.net > <mailto:robert@raszuk.net>>; Ron Bonica <rbonica@juniper.net > <mailto:rbonica@juniper.net>> > >> Cc: spring@ietf.org <mailto:spring@ietf.org> > >> Subject: Re: [spring] draft-ietf-spring-srv6-srh-compression > >> > >> > >> > >> I call breaking any middleware that does checksum validation a > problem - and a big one > >> > >> > >> > >> > >> > >> Andrew Alston > >> > >> > >> > >> Internal All Employees > >> > >> ________________________________ > >> > >> From: Robert Raszuk <robert@raszuk.net <mailto:robert@raszuk.net>> > >> Sent: Monday, February 5, 2024 7:16:23 PM > >> To: Ron Bonica <rbonica@juniper.net <mailto:rbonica@juniper.net>> > >> Cc: Andrew Alston - IETF <andrew-ietf@liquid.tech>; > spring@ietf.org <mailto:spring@ietf.org> <spring@ietf.org > <mailto:spring@ietf.org>> > >> Subject: Re: [spring] draft-ietf-spring-srv6-srh-compression > >> > >> > >> > >> Hi Ron, > >> > >> > >> > >> Is there a problem ? > >> > >> > >> > >> If I read RFC8200 L4 checksum is computed by the packet > originator and validated by the packet's ultimate receiver. > >> > >> > >> > >> In all SPRING work to the best of my knowledge the vast > majority of packets are only encapsulated by transit nodes. > >> > >> > >> > >> Is there any formal mandate in any of the RFCs that an > encapsulating node must mangle the inner packet's L4 checksum ? I > don't think so but stand open to get my understanding corrected. > >> > >> > >> > >> Cheers, > >> > >> Robert > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> On Mon, Feb 5, 2024 at 5:04 PM Ron Bonica > <rbonica=40juniper.net@dmarc.ietf.org > <mailto:40juniper.net@dmarc.ietf.org>> wrote: > >> > >> Folks, > >> > >> > >> > >> Has anyone proposed a solution to the L4 checksum problem that > Andrew talks about? > >> > >> > >> > >> Ron > >> > >> > >> > >> Juniper Business Use Only > >> > >> ________________________________ > >> > >> From: spring <spring-bounces@ietf.org > <mailto:spring-bounces@ietf.org>> on behalf of Andrew Alston - > IETF <andrew-ietf=40liquid.tech@dmarc.ietf.org > <mailto:40liquid.tech@dmarc.ietf.org>> > >> Sent: Monday, February 5, 2024 5:21 AM > >> To: spring@ietf.org <mailto:spring@ietf.org> <spring@ietf.org > <mailto:spring@ietf.org>> > >> Subject: [spring] draft-ietf-spring-srv6-srh-compression > >> > >> > >> > >> [External Email. Be cautious of content] > >> > >> > >> > >> Hi All, > >> > >> > >> > >> (In capacity as a contributor and wearing no other hats) > >> > >> > >> > >> At this point I cannot support progression of this document > until the issues around the L4 Checksum have been resolved. It’s > been clearly stated in other emails on the list that in certain > circumstances the behavior described in this document break the L4 > checksum as defined in RFC8200. This requires an update to > RFC8200 to fix it – and I’m not sure that spring can update 8200 > absent the consent of 6man, which I’m not sure has been asked for, > nor am I sure that a spring document can update something like > 8200 in an area so fundamental as the checksum without a -BIS, > which would have to be done via 6man. The L4 checksum issue > though is real – and it cannot simply be ignored. > >> > >> > >> > >> I also have deep concerns that the compression document creates > something that (in a similar way to SRv6) creates something that > is completely non-conformant with RFC4291. There are multiple > references to this in draft-6man-sids, and should draft-6man-sids > become an RFC I would argue that it should probably be a normative > reference in this document – on the logic that this document > relies on similar RFC4291 violations that srv6 itself does (and > for the record, just because SRv6 itself violates RFC4291 as is > clearly documented in draft-6man-sids – does not make it > acceptable to do so in yet another draft without clear and > unambiguously stating the deviations and ideally updating RFC4291 > to allow for said deviations) > >> > >> > >> > >> I believe these two issues alone are sufficient that to pass > this document would create still further tensions about the > relationship between SRv6 and IPv6 and lead to confusion. As such > – I believe these issues need to be adequately dealt with – and > the solutions to them need to be approved by 6man as the working > group that holds responsibility for ipv6 maintenance. > >> > >> > >> > >> Thanks > >> > >> > >> > >> Andrew Alston > >> > >> > >> > >> > >> > >> > >> > >> Internal All Employees > >> > >> _______________________________________________ > >> spring mailing list > >> spring@ietf.org <mailto:spring@ietf.org> > >> https://www.ietf.org/mailman/listinfo/spring > >> > >> _______________________________________________ > >> spring mailing list > >> spring@ietf.org <mailto:spring@ietf.org> > >> https://www.ietf.org/mailman/listinfo/spring > > > > > > > > _______________________________________________ > > spring mailing list > > spring@ietf.org <mailto:spring@ietf.org> > > https://www.ietf.org/mailman/listinfo/spring > > > > > > _______________________________________________ > > spring mailing list > > spring@ietf.org <mailto:spring@ietf.org> > > https://www.ietf.org/mailman/listinfo/spring >
- [spring] draft-ietf-spring-srv6-srh-compression Andrew Alston - IETF
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Ron Bonica
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Robert Raszuk
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Andrew Alston - IETF
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Nick Buraglio
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Antoine FRESSANCOURT
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Andrew Alston - IETF
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Tal Mizrahi
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Eduard Metz
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Nick Hilliard
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Nick Buraglio
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Ron Bonica
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Nick Hilliard
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Andrew Alston - IETF
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Robert Raszuk
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Miya Kohno
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Francois Clad
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Robert Raszuk
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Nick Buraglio
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Robert Raszuk
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Gyan Mishra
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Francois Clad
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Robert Raszuk
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Robert Raszuk
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Greg Mirsky
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Eduard Metz
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Robert Raszuk
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Francois Clad
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Mark Smith
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Mark Smith
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Greg Mirsky
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Greg Mirsky