IETF Logo Mail Archive

Re: [spring] [IPv6] Requiring Tunneling - subject change

Bob Hinden <bob.hinden@gmail.com> Thu, 28 March 2024 16:03 UTC

Return-Path: <bob.hinden@gmail.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64CDBC151701; Thu, 28 Mar 2024 09:03:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.095
X-Spam-Level:
X-Spam-Status: No, score=-1.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rgRcQKymHj17; Thu, 28 Mar 2024 09:03:33 -0700 (PDT)
Received: from mail-yw1-x112f.google.com (mail-yw1-x112f.google.com [IPv6:2607:f8b0:4864:20::112f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCF39C151548; Thu, 28 Mar 2024 09:03:32 -0700 (PDT)
Received: by mail-yw1-x112f.google.com with SMTP id 00721157ae682-607c5679842so10178727b3.2; Thu, 28 Mar 2024 09:03:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711641811; x=1712246611; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=OlXuhcyWMPQz1sgLFWbtMj7JDKpJUZpsVKgLKIhUgHo=; b=Mgh5afUQMTJFgHo6yBNqNOQaQ2cXMai7B6IdEo8qhPZ1VPGmsq6HGc6ccLuIiCAsTT FqtCxBBkySE5j56JP1OOMHXZizkid6zMjaPSBmKrGz7hrBx4VKleVbC6hATrFg52DJgI evLfwPAyK+Ka4Xqmajt1XaF9Whk1ncDJt78PiL1LVxzX7C7I3lRS1quHGwoPUzmTyRp3 Wi0vsW0mbATawLzj/QmyXLEshWZG/Fb3D3G+1/844F7cig/VIdZzeYdw4171OYsOUide WWGdiL6JM8qM6QudVWG3jTVfTmu+teaJZ5hpklL1EwLjlmfcsVR/K9BvJ9GYbY4BpNN7 NhVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711641811; x=1712246611; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=OlXuhcyWMPQz1sgLFWbtMj7JDKpJUZpsVKgLKIhUgHo=; b=DLflcqxGWsWJgQWQ6JZoxym0gV7DpKz9JMC2ME2bMag/aG0UFWIyC7GL/lJBpIlou8 5YCsZ1UWhFKCxBKAC1IDPykOjerebzLX2nZEHJLH7po34baatLlVs/JV0XsLqf+Oa+2h hOWcEUmLCzW3NNOuzJuwFR+p570ujFYcBVqqtDyRNILXH0RbVwgT021FEdxGMfV6OjeV z7TiOCqtgrMO+qCHEdnALmdw20dNSQwGRP9guAYFSn4JYIopfsHi7FeK5vYC+i5xS4QL P9o7r4qExYsK3nM8NbeBSeVI5gtC7uYpyS6ZJkVHygC08AfotjGlajeUPI1/eGfLf2Fx nPkg==
X-Forwarded-Encrypted: i=1; AJvYcCXj4NWjHRhGcWAX0nd2YWNiC/mxKgg1NboQdOKLFa2GX5ZvdJrt+j6OQzsWjtPRoOLPUsr2ajPBi5QsZSV7z6b1kDU4JeJZW7RV4pCFjrs=
X-Gm-Message-State: AOJu0Yxtt9SXDK63GJLmGzweBBeCrBWzI61sQrExssMdlnQsR3ZMI8mk d3Nfm7jwgmzPqRIf7CEuXBbKsoLekvM7zO56sjGgABCoXYAwcoFzhgYZ9GN3
X-Google-Smtp-Source: AGHT+IHG4LLrKGlPCE8iQ602krJP4wSzLTlGqZgMJloxIDkA0alr/JNEtYvgfGsuPqL+dDcVTDVwyg==
X-Received: by 2002:a81:bd54:0:b0:614:934:3bfd with SMTP id n20-20020a81bd54000000b0061409343bfdmr2619802ywk.12.1711641811206; Thu, 28 Mar 2024 09:03:31 -0700 (PDT)
Received: from smtpclient.apple (99-31-208-116.lightspeed.sntcca.sbcglobal.net. [99.31.208.116]) by smtp.gmail.com with ESMTPSA id g6-20020a0ddd06000000b00607fc6858c3sm362478ywe.82.2024.03.28.09.03.30 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 28 Mar 2024 09:03:30 -0700 (PDT)
From: Bob Hinden <bob.hinden@gmail.com>
Message-Id: <D77C7606-4DAD-437A-BD75-5BF6EB2AD99D@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A12CEE91-27DE-4D34-B6FD-B275C0AED204"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.500.171.1.1\))
Date: Thu, 28 Mar 2024 09:03:09 -0700
In-Reply-To: <53e9e432-db61-4129-b766-b4c675b13012@joelhalpern.com>
Cc: Bob Hinden <bob.hinden@gmail.com>, Robert Raszuk <robert@raszuk.net>, Tom Herbert <tom@herbertland.com>, SPRING WG List <spring@ietf.org>, IPv6 List <ipv6@ietf.org>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
References: <CAMMESszUUdDw-xnDtZKqz75g6SXZ+7mXtZujBKwN+hxypC-Kuw@mail.gmail.com> <CAOj+MMFTpKdNtE2SGubsBKkwbgdX2G5qBxBCViCu-EFmUXjfHw@mail.gmail.com> <CALx6S37CK69EU+59r_M8caO4MNRQFC8fgo4+VyTSgSE0aNTVTQ@mail.gmail.com> <CAOj+MMFHC6vdUK3MQ8xU44=ESf-_mq=PCT=8W_jr5WiTp50hyQ@mail.gmail.com> <CALx6S35Dn03qt9ziMv3=xtYKpdgR88SU0HDYirXr1tm4-Nz-ng@mail.gmail.com> <CAOj+MMF6D+fsDY-8tt7R9MJRAf3x+bk13MXadSPT2ozOpq7zrg@mail.gmail.com> <53e9e432-db61-4129-b766-b4c675b13012@joelhalpern.com>
X-Mailer: Apple Mail (2.3774.500.171.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/JwH5tr6t-WSVgSEvOJ1QCt-anR0>
Subject: Re: [spring] [IPv6] Requiring Tunneling - subject change
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2024 16:03:37 -0000

Joel,

> On Mar 28, 2024, at 8:46 AM, Joel Halpern <jmh@joelhalpern.com> wrote:
> 
> Robert, as far as I can tell, you are asking for a different change than any of the other proposals.  If I understand, you are proposing that even end hosts inside an SRv6 domain should encapsulate the underlying IPv6 packet.  In order to help the chairs keep track, and tell if there are other folks who also support such a change, I have changed the subject line and ask that if there is more to say, people use this subject line.
> 
> I look forward to comments from folks beyond Tom and Robert on this subject.
> 

The text Robert quotes from RFC8200 is correct.  However, as it says, the use of zero checksum in encapsulated UDP must follow the recommendations in RFC6936.   I don’t know if what is being proposed does that or not.   It would be good to clarify that.

Bob


> Yours,
> 
> Joel M. Halpern
> 
> On 3/28/2024 11:40 AM, Robert Raszuk wrote:
>> Hi Tom,
>> 
>> Not really. 
>> 
>> RFC8200 defines an exception which is tunneling and says: 
>>          As an exception to the default behavior, protocols that use UDP
>>          as a tunnel encapsulation may enable zero-checksum mode for a
>>          specific port (or set of ports) for sending and/or receiving.
>>          Any node implementing zero-checksum mode must follow the
>>          requirements specified in "Applicability Statement for the Use
>>          of IPv6 UDP Datagrams with Zero Checksums" [RFC6936 <https://datatracker.ietf.org/doc/html/rfc6936>].
>> 
>> So in practice if we always tunnel SRv6 there is no issue. 
>> 
>> Even Andrew agreed with that :) 
>> 
>> Cheers,
>> Robert
>> 
>> On Thu, Mar 28, 2024 at 4:36 PM Tom Herbert <tom@herbertland.com <mailto:tom@herbertland.com>> wrote:
>>> On Thu, Mar 28, 2024 at 7:46 AM Robert Raszuk <robert@raszuk.net <mailto:robert@raszuk.net>> wrote:
>>> >
>>> > Hi Tom,
>>> >
>>> > > because of SRH
>>> >
>>> > Ok I buy this that there are devices which do check checksum and are not final destination of the packets  ... I was more talking about plain forwarding devices (aka P routers). Then I doubt firewalls would be sitting in the core of the networks.
>>> >
>>> > But let me come black to what I believe is the main disconnect.
>>> >
>>> > Why SRH would cause an issue ? I think there is claimed issue *ONLY* with SRv6 packets which are not encapsulated - call it raw - sent by the hosts which talk SRv6 and sent with more then one SID/uSID which may get swapped on the way.
>>> >
>>> > Because only in those cases the destination address will be changing while checksum of the tunnel header will not be zero.
>>> >
>>> > So what we should I think discuss are really B.1 and B.2.2 cases.
>>> 
>>> Robert,
>>> 
>>> The scenario that I'm talking about is really simple, and it's not
>>> specific to segment routing.  If someone sends a TCP in an IPv6 packet
>>> with no routing header then the convention is that the TCP checksum is
>>> valid end to end. So if the addresses are changed in flight, like in
>>> NAT, then we expect that some part of the packet covered by the
>>> checksum is adjusted to offset the change. If a packet is sent in
>>> segment routing without an SRH with EtherType 0x86DD then it IS an
>>> IPv6 packet to the network so all the conventions and requirements of
>>> IPv6 should be applied. IMO, if SRv6 can't maintain these conventions
>>> and requirements then it should fork from IPv6 and use a different
>>> EtherType.
>>> 
>>> Tom
>>> 
>>> >
>>> > Francois, Pablo - could you comment on this how often do we see those type of SRv6 deployments ? And also could you comment if operator who enables SRv6 in the first place sees those checksum errors how difficult is to address it ?
>>> >
>>> > Thx,
>>> > Robert
>>> >
>>> >
>>> > On Thu, Mar 28, 2024 at 3:29 PM Tom Herbert <tom@herbertland.com <mailto:tom@herbertland.com>> wrote:
>>> >>
>>> >> On Thu, Mar 28, 2024 at 6:26 AM Robert Raszuk <robert@raszuk.net <mailto:robert@raszuk.net>> wrote:
>>> >> >
>>> >> > Hi Alvaro,
>>> >> >
>>> >> > On this specific topic I think you have flatted it a bit too much.
>>> >> >
>>> >> > These are apparently the options on the table:
>>> >> >
>>> >> > A) Original packet get's encapsulated with IPv6 header
>>> >> >
>>> >> >       A.1 SHR is added to it
>>> >> >
>>> >> >              A.1.1. Regular SIDs are used
>>> >> >              A.1.2  Compresses SIDs are used
>>> >> >
>>> >> >       A.2 SRH is not added to it
>>> >> >
>>> >> >              A.2.1. Regular SID is used as destination
>>> >> >              A.2.2  Compresses SIDs are used in a container
>>> >> >              A.2.3  Compresses SID is used
>>> >> >
>>> >> > B) Original packet get's send from SRv6 host (without encapsulation)
>>> >> >
>>> >> >     B.1 SHR is added to it
>>> >> >
>>> >> >              B.1.1. Regular SIDs are used
>>> >> >              B.1.2  Compresses SIDs are used
>>> >> >
>>> >> >       B.2 SRH is not added to it
>>> >> >
>>> >> >              B.2.1. Regular SID is used as destination
>>> >> >              B.2.2  Compresses SIDs are used in a container
>>> >> >              B.2.3  Compresses SID is used
>>> >> >
>>> >> > So within all checksum related discussions so far it seems that the only concern is about B.2.2 and perhaps B.1 however folks did state that if there is SRH added there is no issue so I am not sure how the presence of SRH fixes it.
>>> >> >
>>> >> > Maybe there was some assumption that presence of SRH mandates encapsulation, but I do not believe this is the case for native SRv6 hosts.
>>> >> >
>>> >> > All in all I think it should be no business for transit nodes to verify packet's upper layer checksum. I do not know if there is any RFC which would describe what is an expected behavior for transit nodes or even say that they MAY do it.
>>> >>
>>> >> Robert,
>>> >>
>>> >> I can go further than that. I believe that intermediate nodes have no
>>> >> business parsing into the transport layer, and yet firewalls do that
>>> >> all the time even though there is no standard RFC on it (I've asked
>>> >> for someone to formalize the requirements of firewalls, but to no
>>> >> avail). Validating the checksum in flight is an instance of this, and
>>> >> there are devices that commonly do this in deployment. Protocol
>>> >> specific checksum offload in NICs is one example. Also, if someone is
>>> >> seeing checksum failures in their network, an obvious action is to
>>> >> sample packets from routers in the path and look at the traces. If the
>>> >> checksum is incorrect on the wire because of SRH then the operator
>>> >> sees a whole bunch of checksum errors at the router, but has no way to
>>> >> distinguish those packets that are actually good from those that are
>>> >> bad.
>>> >>
>>> >> It's a long established convention in IP that the transport checksum
>>> >> is maintained to be correct on the wire-- this is done in NAT by
>>> >> adjusting the checksum directly, there's also checksum neutral NAT
>>> >> that adjusts another part of the IPv6 header to keep the transport
>>> >> layer checksum correct. IMO, deviating from this convention is risky,
>>> >> not just to SRH packets but that can have collateral damage like
>>> >> breaking the user's ability to debug bad links as I described above.
>>> >>
>>> >> Tom
>>> >>
>>> >> >
>>> >> > Kind regards,
>>> >> > Robert
>>> >> >
>>> >> >
>>> >> >
>>> >> > On Thu, Mar 28, 2024 at 1:06 PM Alvaro Retana <aretana.ietf@gmail.com <mailto:aretana.ietf@gmail.com>> wrote:
>>> >> >>
>>> >> >> Focusing on the C-SID draft, some have suggested requiring the
>>> >> >> presence of the SRH whenever C-SIDs are used. Please discuss whether
>>> >> >> that is the desired behavior (or not) -- please be specific when
>>> >> >> debating the benefits or consequences of either behavior.
>>> >> >>
>>> >> >> Please keep the related (but independent) discussion of requiring the
>>> >> >> SRH whenever SRv6 is used separate. This larger topic may impact
>>> >> >> several documents and is better handled in a different thread (with
>>> >> >> 6man and spring included).
>>> >> >>
>>> >> >> Thanks!
>>> >> >>
>>> >> >> Alvaro
>>> >> >> -- for spring-chairs
>>> >> >>
>>> >> >> --------------------------------------------------------------------
>>> >> >> IETF IPv6 working group mailing list
>>> >> >> ipv6@ietf.org <mailto:ipv6@ietf.org>
>>> >> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> >> >> --------------------------------------------------------------------
>>> >> >
>>> >> > --------------------------------------------------------------------
>>> >> > IETF IPv6 working group mailing list
>>> >> > ipv6@ietf.org <mailto:ipv6@ietf.org>
>>> >> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> >> > --------------------------------------------------------------------
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email