IETF Logo Mail Archive

Re: [spring] WGLC for draft-ietf-spring-sr-replication-segment

Rishabh Parekh <rishabhp@gmail.com> Fri, 16 December 2022 22:21 UTC

Return-Path: <rishabhp@gmail.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56E12C1522B0; Fri, 16 Dec 2022 14:21:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aunaekvcxSSD; Fri, 16 Dec 2022 14:21:33 -0800 (PST)
Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CA01C151713; Fri, 16 Dec 2022 14:21:33 -0800 (PST)
Received: by mail-ed1-x535.google.com with SMTP id d14so5485516edj.11; Fri, 16 Dec 2022 14:21:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=UsiNDX31cnOE0MNCq9gISOjPZXEaMqaKJ4hqhfOMIS0=; b=G6VV8HTxbvryNLrL12fP7hMXp4JVB658sYi18NlNeqFfQYUeatNNMxePUbnO7VHDNi pv14CF36RixoYa9le1BwN5ERVcIgjs1ul4UBfR42HbwIwRF4tk1U1wqOj38L4Nl0tXwF /YVT2s1G4DsOPp0GQiP/1gO6HQE+jBpDQHOB/SGSSBNVzJkIjZmby8svi6ZaqLIQEDBl 46/3N4DfDzVfqYBfUk3zeAJYGJhogXqM3DUJlQqEDmrpC8bxW5/hP8rCKkuPjIqhwOCm ouQvIosU6Ym35xxsHEq9KOBHpPFfu764LR40MwiPuRrGO2Xyw2shhRhs4OnWiUVJzd0L 7JKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=UsiNDX31cnOE0MNCq9gISOjPZXEaMqaKJ4hqhfOMIS0=; b=W1peiTqLvYmyGns+bSOFu2LQT/YSNEamaZdUDRPKtneH8n+7mITThqoNOqdCK2yfzY soHL5apb2JfYwPyB19haZ4JICysQVlGrYZUEcnVhsWlk72/lSvhBdpOB+vJmMmVZoktM Sk4Jow9OG7Yqw4MUaRX9RZTjg+Kj5R7ID/J956tNNNHHksTvq1lJAr3+PZbUoHHDkAPt vz4rDw5aPo5YMzDe6VAFa0Wk+7RPoPHXcH1J9sDzOsMjMj1UiX4zb4r45Gq9rBbHifd1 IsTUns8ZJbQzgiSz9v83IFKDaQgi9KjezvrT8v/XNuQ9ZUasXK4hZGAK93M4WCvpPmmj 0j3A==
X-Gm-Message-State: ANoB5pmk/5/zF87lw4ouFiJH9w5lL0f+2xB+nUsD8dgCANEnHrUU2N73 bK1+NTwpg2CN0fLkQSTF8XSwKKiVOvBatg7xZchi3oZR7d9+Ex+y
X-Google-Smtp-Source: AA0mqf4+I0R4HwuQjdyXtCzuVqSa09c9rUwxcCXW8+nbmvMkKDDicW5kqbXprDThKq3elaIiqQCtIf02eMLpxsFTNGo=
X-Received: by 2002:a05:6402:1943:b0:46a:e4cd:5204 with SMTP id f3-20020a056402194300b0046ae4cd5204mr37592898edz.402.1671229290489; Fri, 16 Dec 2022 14:21:30 -0800 (PST)
MIME-Version: 1.0
References: <MN2PR13MB4206165672BF331105525F8CD2139@MN2PR13MB4206.namprd13.prod.outlook.com> <f120be63ce0c4b4fbe3deede7f3e8343@huawei.com> <CABjMoXa_F3UGCMzh+FBvGBAXpYXyx9kTpaKP-7QKpTy9hGsYEQ@mail.gmail.com> <05668681202f4452a9d2423fec6c063f@huawei.com> <CABjMoXaa4uv1GLvKsYr5vszhOUy3adPOD6iMjEUqJZRM2-6pOQ@mail.gmail.com> <1d34ea5d5a794f3fa2c7e9502ffd7850@huawei.com>
In-Reply-To: <1d34ea5d5a794f3fa2c7e9502ffd7850@huawei.com>
From: Rishabh Parekh <rishabhp@gmail.com>
Date: Fri, 16 Dec 2022 14:21:17 -0800
Message-ID: <CABjMoXbfi1nHkmFN=R0tSZUNV_Q2=M2rkqfxGYmYbhBLsbKRZg@mail.gmail.com>
To: "Xiejingrong (Jingrong)" <xiejingrong=40huawei.com@dmarc.ietf.org>
Cc: SPRING WG <spring@ietf.org>, "spring-chairs@ietf.org" <spring-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000032aadd05eff96475"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/IwITs5FSSrwAmwmvr9FgGFyZQzg>
Subject: Re: [spring] WGLC for draft-ietf-spring-sr-replication-segment
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Dec 2022 22:21:34 -0000

Jingrong,
Replies @ [RP]

Thanks,
-Rishabh.

On Sat, Dec 10, 2022 at 5:22 PM Xiejingrong (Jingrong) <xiejingrong=
40huawei.com@dmarc.ietf.org> wrote:

> Hi WG and chairs,
>
>
>
> I would like to draw your attention that, the SRv6 Replication SID will
> break SRv6 architecture, scope and restrictions in many aspects.
>
>
>
> Though it is still not defined what is the scope of “context”, leaving a
> big “hole” to explain in the future.
>

 [RP] It is natural to extend the concept of Replication SID as SR-MPLS
label to a SRv6 Endpoint behavior represented by FUNCT bits of SRv6 SID. I
don’t think this “… break[s] SRv6 architecture, scope and restrictions in
many aspects”.

First of this document does *not* mandate the “context” SID following the
SRv6 Replication SID; it just lays down the purpose and restriction on SIDs
following the Replication SID. Second, this draft makes it clear that the
scope of this "context" SID is local to a Leaf node.


>
>
> But through the past discussions we have known a little about it, for
> example, used as a VPN identifier in multicast scenario.
>
>
>
[RP] VPN context has been specified in the BESS MVPN/EVPN  SR-P2MP draft
for quite some time now. And it is only required when a SR P2MP tree is
shared across MVPNs.


> However, I think the Upstream-assigned SID or “DCB” SID in SRv6 for
> “context” need to be carefully evaluated by the WG.
>
>
>
> Firstly, there is no definition of “Upstream-assigned SID” or “DCB” in
> SRv6.
>


[RP] Just because something has not been defined yet, does not mean it can
never be defined J. How does a PE assigning a SID and advertising to all
other PEs break SRv6 architecture?



> Secondly, suppose an Ingress PE allocated an “Upstream-assigned SID” from
> its locator, and put the SID into the SID list after the Replication SID,
> what is expected to behave on every replication node to this
> Upstream-assigned SID ? make it an active SID, and then take it as a
> context ? or send it back to the Ingress PE ?
>


[RP] This draft restricts a Leaf/Bud node using a “context” SID, if
present, just for local processing of a packet; the node MUST NOT forward
the packet as a result of using context SID.


>   3. Suppose a DCB SRv6 SID, what is the 128bit DCB SRv6 SID looks like ?
> ffff:ffff:x:x:x:x:x:x? ff00:x:x:x:x:x:x:x? fe08:x:x:x:x:x:x:x? ::127.x.x.x ?
>

[RP] The locator of "context" SID is not relevant since the packet will not
be re-forwarded. The FUNCT "context" bits are significant and the egress
PE/Leaf knows where this value is present in the SID based on SID structure
information from BGP Prefix SID attribute sent along with MVPN  A-D routes.


> Further, I think there are many other differences between SRv6 data plane
> and MPLS data plane for a “Replication SID” to work in its multicast
> scenario context. For example, how is the “host originating an IPv6 packet”
> scenario (RFC8754,8986)
>
supported ?
>

[RP] If a host originates a packet with a locator of Replication Node with
appropriate Replication SID, it will be replicated as long as security
allows it. This is no different that a host originating a SRv6 packet with
any other SRv6 Endpoint behavior SID.

How does the “ICMPv6 error message MUST NOT be originated as a result of
> receiving … a packet destined to an IPv6 multicast address” may be
> considered ?
>
1. “ICMPv6 error message MUST NOT be originated as a result of receiving …
> a packet destined to an IPv6 multicast address” is from RFC4443, to prevent
> a reflection amplification DDoS attack in my understanding.
>
>
>

[RP] Replication SID is not an IPv6 multicast address, but what is your
specific concern with ICMPv6 error messages? Note RFC 4443 does allow some
ICMPv6 error messages for IPv6 multicast packets (Section 2.4 (e.3)) and
acknowledges this exception can be used for DoS attack (Section 5.2 bullet
5).


>
> Also note that, the implementations disclosed in section 4.1 and 4.2 only
> include MPLS data plane. I assume they reflect the fact that Replication
> SID for SRv6 data plane is far from mature. Therefore I request the WG to
> first exclude SRv6 data plane of this draft from the WGLC scope. Then we
> can focus on the MPLS data plane part (Hopefully I can move from SRv6
> problems if they are noted already, and then I can provide some comments on
> MPLS soon).
>

[RP] SRv6 Replication SID is an essential part of this document. Section
2.2 and the corresponding example illustrated in Appendix A.2 illustrates
how SRv6 Replication SID operates within the overall framework of SRv6
architecture.


>
>
> Thanks,
>
> Jingrong
>
>
>
>
>
>
> 本邮件及其附件含有华为公司的保密信息,仅限于发送给上面地址中列出的个人或群组。禁止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制、或散发)本邮件中的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本邮件!
> This e-mail and its attachments contain confidential information from
> HUAWEI, which is intended only for the person or entity whose address is
> listed above. Any use of the information contained herein in any way
> (including, but not limited to, total or partial disclosure, reproduction,
> or dissemination) by persons other than the intended recipient(s) is
> prohibited. If you receive this e-mail in error, please notify the sender
> by phone or email immediately and delete it!
>
>
>
> *From:* Rishabh Parekh [mailto:rishabhp@gmail.com]
> *Sent:* Thursday, December 8, 2022 6:52 AM
> *To:* Xiejingrong (Jingrong) <xiejingrong@huawei.com>
> *Cc:* James Guichard <james.n.guichard@futurewei.com>; SPRING WG <
> spring@ietf.org>; spring-chairs@ietf.org
> *Subject:* Re: [spring] WGLC for draft-ietf-spring-sr-replication-segment
>
>
>
> Jingrong,
>
>
>
> For the second one regarding the SID after the replication SID, I still
> have some further question when considering it a “VPN SID”:
>
>
>
> In MPLS data plane, Is the SID an Upstream-assigned Label ? Or an SRGB
> label (though may be a more strictly unique number than SRGB that is a
> relatively unique index/offset ) ?
>
> In SRv6 data plane, is the SID an “Upstream-assigned SRv6 SID”, which is
> allocated on Ingress PE and put in the SID list after the replication SID ?
>
>
>
> The VPN SID is only required when SR P2MP trees are shared across VPNs. It
> can be upstream assigned or globally assigned (from DCB) as described in SR
> P2MP MVPN
> <https://datatracker.ietf.org/doc/draft-ietf-bess-mvpn-evpn-sr-p2mp/>
> draft. If present, the VPN SID is after the Replication SID. For SR-MPLS,
> the VPN SID SHOULD NOT be assigned from SRGB or SRLB since it is an overlay
> context,
>
>
>
> -Rishabh
> _______________________________________________
> spring mailing list
> spring@ietf.org
> https://www.ietf.org/mailman/listinfo/spring
>

v2.23.0 | Report a Bug | By Email