IETF Logo Mail Archive

Re: [spring] [IPv6] Subject: Mandating SRH when using C-SIDs (draft-ietf-spring-srv6-srh-compression)

Robert Raszuk <robert@raszuk.net> Thu, 28 March 2024 14:46 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAA12C15108A for <spring@ietfa.amsl.com>; Thu, 28 Mar 2024 07:46:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mIS0d9Hh4vGU for <spring@ietfa.amsl.com>; Thu, 28 Mar 2024 07:46:15 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23DC0C151542 for <spring@ietf.org>; Thu, 28 Mar 2024 07:46:10 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-566e869f631so1176915a12.0 for <spring@ietf.org>; Thu, 28 Mar 2024 07:46:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; t=1711637169; x=1712241969; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8PSZSHv1Gc+OFlKbEPdeUhb2EqhklRrTsN/rnLJSH2A=; b=MByoplyimRQWt9+cEEMMlbvyaiyOkk0ssKQCFOukeCXOkjfHN0112VwrrFHBC4Shbe qKy0GKEZ6HwaTVxHGUebOpE/5g0Fzc7bqWB+SnE0dL2SI6osKqNfoFTdnj3wnEuDhdNF 8i/L+qOsb+SbWsiiA6Hg+zryiq8QuVYoUHjpDBg3bfeLHXrMAN9DPUPPPA46EQduPN+S Wl+nrjzSrvgDnoNQJXF7wkvoipNgK4ZJD7FbFsQ6Nr6rSbeaSfgQfQAYkvuk0Y6m6MYb qxGTzuQC3K7j7WftzHc3SKRgq0KqvKpvrV4YODvpgLq0YnJdKBZ6f9pLGRcnDEaKBY66 wIcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711637169; x=1712241969; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=8PSZSHv1Gc+OFlKbEPdeUhb2EqhklRrTsN/rnLJSH2A=; b=ZXWDO5eneTXt6wQ/br7r5nAIxIt6/+2l3EkTRSi+WCy70sn0Zjbpononu9SLNpp95C K6WtwKPGbEoRJh4WzcG5RyHWFQcuhgVI2a9TCRtoRyYvPFY4d8vPM7uoP4Cy0dpfPPDo /p66RSFcXhL6dadKrBuDrW5xakIQn67PWxfJmfm47R+WWcBG1AYf0m37dwOPojYW4qDS 6QL566FQm/TGKhhnf7xemhiWdLyPxS21Lj3aVRQ13r0EilRLMyhNdrHvGxPl8FPJB6h6 lGJNKO2PJ6qVlIVbmy4oYQI8EE2m94Tdh8oAS2YOL6Dsr06fjVSWhncRCG29gu6XKK0G u7tA==
X-Forwarded-Encrypted: i=1; AJvYcCXe92Fu+QYPiWnyAq+PGJayB1tdnOr1mCr3hPdbdBixrv9ajK3fjh5B+Ew32FdyaruCs6fSvaBNMoCqiXJSBWw=
X-Gm-Message-State: AOJu0YwG5R3DOYDsGZF1gDidHXMA/43tbe4BI4ZwHH52Gdhp2sgeWYDW pblJj4erF9FCmk+oVZZOjYL0f9kRHM3shLdIJ3/A32D1T5hkHdYJ9e0hnR37TMfXLHhYpDR01r2 LHOSjj5TgECitnAImZaHxiFr3VwScbTv/SqB4nQ==
X-Google-Smtp-Source: AGHT+IGHc1HCurkC5D44EtGMOuZZRFQaCzzrgGGr1i38tImMzX4lV8bYc3KmCTaGPLYF4x7sK6iIS3bCZ3hsm9Bnkao=
X-Received: by 2002:a50:8ace:0:b0:568:a420:7d80 with SMTP id k14-20020a508ace000000b00568a4207d80mr2576168edk.27.1711637168815; Thu, 28 Mar 2024 07:46:08 -0700 (PDT)
MIME-Version: 1.0
References: <CAMMESszUUdDw-xnDtZKqz75g6SXZ+7mXtZujBKwN+hxypC-Kuw@mail.gmail.com> <CAOj+MMFTpKdNtE2SGubsBKkwbgdX2G5qBxBCViCu-EFmUXjfHw@mail.gmail.com> <CALx6S37CK69EU+59r_M8caO4MNRQFC8fgo4+VyTSgSE0aNTVTQ@mail.gmail.com>
In-Reply-To: <CALx6S37CK69EU+59r_M8caO4MNRQFC8fgo4+VyTSgSE0aNTVTQ@mail.gmail.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Thu, 28 Mar 2024 15:45:57 +0100
Message-ID: <CAOj+MMFHC6vdUK3MQ8xU44=ESf-_mq=PCT=8W_jr5WiTp50hyQ@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>, Francois Clad <fclad.ietf@gmail.com>, "Pablo Camarillo (pcamaril)" <pcamaril@cisco.com>
Cc: Alvaro Retana <aretana.ietf@gmail.com>, SPRING WG List <spring@ietf.org>, 6man <ipv6@ietf.org>, "spring-chairs@ietf.org" <spring-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006e98ae0614b995d1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/YAaMp17yoJCBbwsBkXJgoi565K4>
Subject: Re: [spring] [IPv6] Subject: Mandating SRH when using C-SIDs (draft-ietf-spring-srv6-srh-compression)
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2024 14:46:20 -0000

Hi Tom,

> because of SRH

Ok I buy this that there are devices which do check checksum and are not
final destination of the packets  ... I was more talking about plain
forwarding devices (aka P routers). Then I doubt firewalls would be sitting
in the core of the networks.

But let me come black to what I believe is the main disconnect.

Why SRH would cause an issue ? I think there is claimed issue *ONLY* with
SRv6 packets which are not encapsulated - call it raw - sent by the hosts
which talk SRv6 and sent with more then one SID/uSID which may get swapped
on the way.

Because only in those cases the destination address will be changing while
checksum of the tunnel header will not be zero.

So what we should I think discuss are really B.1 and B.2.2 cases.

Francois, Pablo - could you comment on this how often do we see those type
of SRv6 deployments ? And also could you comment if operator who enables
SRv6 in the first place sees those checksum errors how difficult is to
address it ?

Thx,
Robert


On Thu, Mar 28, 2024 at 3:29 PM Tom Herbert <tom@herbertland.com> wrote:

> On Thu, Mar 28, 2024 at 6:26 AM Robert Raszuk <robert@raszuk.net> wrote:
> >
> > Hi Alvaro,
> >
> > On this specific topic I think you have flatted it a bit too much.
> >
> > These are apparently the options on the table:
> >
> > A) Original packet get's encapsulated with IPv6 header
> >
> >       A.1 SHR is added to it
> >
> >              A.1.1. Regular SIDs are used
> >              A.1.2  Compresses SIDs are used
> >
> >       A.2 SRH is not added to it
> >
> >              A.2.1. Regular SID is used as destination
> >              A.2.2  Compresses SIDs are used in a container
> >              A.2.3  Compresses SID is used
> >
> > B) Original packet get's send from SRv6 host (without encapsulation)
> >
> >     B.1 SHR is added to it
> >
> >              B.1.1. Regular SIDs are used
> >              B.1.2  Compresses SIDs are used
> >
> >       B.2 SRH is not added to it
> >
> >              B.2.1. Regular SID is used as destination
> >              B.2.2  Compresses SIDs are used in a container
> >              B.2.3  Compresses SID is used
> >
> > So within all checksum related discussions so far it seems that the only
> concern is about B.2.2 and perhaps B.1 however folks did state that if
> there is SRH added there is no issue so I am not sure how the presence of
> SRH fixes it.
> >
> > Maybe there was some assumption that presence of SRH mandates
> encapsulation, but I do not believe this is the case for native SRv6 hosts.
> >
> > All in all I think it should be no business for transit nodes to verify
> packet's upper layer checksum. I do not know if there is any RFC which
> would describe what is an expected behavior for transit nodes or even say
> that they MAY do it.
>
> Robert,
>
> I can go further than that. I believe that intermediate nodes have no
> business parsing into the transport layer, and yet firewalls do that
> all the time even though there is no standard RFC on it (I've asked
> for someone to formalize the requirements of firewalls, but to no
> avail). Validating the checksum in flight is an instance of this, and
> there are devices that commonly do this in deployment. Protocol
> specific checksum offload in NICs is one example. Also, if someone is
> seeing checksum failures in their network, an obvious action is to
> sample packets from routers in the path and look at the traces. If the
> checksum is incorrect on the wire because of SRH then the operator
> sees a whole bunch of checksum errors at the router, but has no way to
> distinguish those packets that are actually good from those that are
> bad.
>
> It's a long established convention in IP that the transport checksum
> is maintained to be correct on the wire-- this is done in NAT by
> adjusting the checksum directly, there's also checksum neutral NAT
> that adjusts another part of the IPv6 header to keep the transport
> layer checksum correct. IMO, deviating from this convention is risky,
> not just to SRH packets but that can have collateral damage like
> breaking the user's ability to debug bad links as I described above.
>
> Tom
>
> >
> > Kind regards,
> > Robert
> >
> >
> >
> > On Thu, Mar 28, 2024 at 1:06 PM Alvaro Retana <aretana.ietf@gmail.com>
> wrote:
> >>
> >> Focusing on the C-SID draft, some have suggested requiring the
> >> presence of the SRH whenever C-SIDs are used. Please discuss whether
> >> that is the desired behavior (or not) -- please be specific when
> >> debating the benefits or consequences of either behavior.
> >>
> >> Please keep the related (but independent) discussion of requiring the
> >> SRH whenever SRv6 is used separate. This larger topic may impact
> >> several documents and is better handled in a different thread (with
> >> 6man and spring included).
> >>
> >> Thanks!
> >>
> >> Alvaro
> >> -- for spring-chairs
> >>
> >> --------------------------------------------------------------------
> >> IETF IPv6 working group mailing list
> >> ipv6@ietf.org
> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >> --------------------------------------------------------------------
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email