IETF Logo Mail Archive

Re: [spring] [IPv6] Subject: Mandating SRH when using C-SIDs (draft-ietf-spring-srv6-srh-compression)

Robert Raszuk <robert@raszuk.net> Thu, 28 March 2024 15:40 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D96DEC151557 for <spring@ietfa.amsl.com>; Thu, 28 Mar 2024 08:40:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eWIbnWPl96MW for <spring@ietfa.amsl.com>; Thu, 28 Mar 2024 08:40:48 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1367CC151548 for <spring@ietf.org>; Thu, 28 Mar 2024 08:40:47 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id 4fb4d7f45d1cf-56890b533aaso1248179a12.3 for <spring@ietf.org>; Thu, 28 Mar 2024 08:40:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; t=1711640446; x=1712245246; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Ak09iIIB0RhdoLibsqmsa/7F77U4Fcd2EZtNFMLHB4Q=; b=LZIYag1tvklm4/eu2IdQ57BBtfgdyVXi1DTkQ6iEMzyS9+WzVhDJM57om2kiuBDMaT yJQfxP5LT5w3GkX9E+2mmRwQk48Rp4SekQ59RLFefSSpx8Km2OeHhM3SNHUlQ3TkaCrJ RA1/FDXIBsnAlPfMLDl35jSwdlHB3V94rePz62+eLgdXqz1AUkTxkcPXArhEUYkf15kq X6VoslB/4/SYR1ae18v1xVQArelHKuAv/r3j/Q5DcUNsyAPpXFieEG7P03DDBVe+tsDM r24NBHqj5cpUxAiHhs5vLG/u8IRfz4cibRPtN8OVHq7dUf+CaMaBGNq7mht6C2jm616Q BQ4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711640446; x=1712245246; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Ak09iIIB0RhdoLibsqmsa/7F77U4Fcd2EZtNFMLHB4Q=; b=bAcZEpMx2jSaGjbEVrWLzdFIrrRPb0s1UA/t/gl3bh1uP394rGzA1jTRKPInlXnHKu 2Rxv1dYKxxyLKUbpFCMTses2nOn7q02ev3stJ3bvGnTxm4E2dowNZodG2zwAZ9WVDUFa q0y0oFNeSxaCjK+ciLUUAviMxXfNjANcMaDLv+vqYuzbo9qRSHk5eoLYCVq0UyvxSVBj nJ/TYsDRYLtoG3wlWi8XqGum4dCCcJrrloeNDElic9rdzxS/LSUewGS87TPzl6Q/IZ3Q 1ImQHI1cYh172nVEYVyNUQTarnHIhgs8fDsq52rJaAHiuY0iDA4o1XxhrhELltqT0mCd QLng==
X-Forwarded-Encrypted: i=1; AJvYcCWJ3te/2/4KM5HT/EFO+wpHYhYx+6t/dmg1tKG2ix2V8uL6JdPw8wTwpRDKNK2Qh2p+BazOkNwtHtndUR0PqI4=
X-Gm-Message-State: AOJu0YycA1aQpJt/Jn6Vorh2U+oFKWn6R33p9UfeR2kG8weKsxs6IXmC 0k4JrQj3BZK5LmjojKdkxvA+78PK3tTaLkOAOShe0hMuGG/mQd3jafud7kvZY46Sf+rKx5QrUEO hMqiBYNmcTguk7kMnRaTRabnrTNKYJ3bFQugGLQ==
X-Google-Smtp-Source: AGHT+IGTaUOCDrLry1/k873HKY3P4A1+35Lbov2eEv4HbRTpcJvVdOQk+tbQcnPoboJUex3GkpBOiZGAd8Ai31RhO4g=
X-Received: by 2002:a50:8d53:0:b0:567:a2d8:ca92 with SMTP id t19-20020a508d53000000b00567a2d8ca92mr2505292edt.23.1711640445489; Thu, 28 Mar 2024 08:40:45 -0700 (PDT)
MIME-Version: 1.0
References: <CAMMESszUUdDw-xnDtZKqz75g6SXZ+7mXtZujBKwN+hxypC-Kuw@mail.gmail.com> <CAOj+MMFTpKdNtE2SGubsBKkwbgdX2G5qBxBCViCu-EFmUXjfHw@mail.gmail.com> <CALx6S37CK69EU+59r_M8caO4MNRQFC8fgo4+VyTSgSE0aNTVTQ@mail.gmail.com> <CAOj+MMFHC6vdUK3MQ8xU44=ESf-_mq=PCT=8W_jr5WiTp50hyQ@mail.gmail.com> <CALx6S35Dn03qt9ziMv3=xtYKpdgR88SU0HDYirXr1tm4-Nz-ng@mail.gmail.com>
In-Reply-To: <CALx6S35Dn03qt9ziMv3=xtYKpdgR88SU0HDYirXr1tm4-Nz-ng@mail.gmail.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Thu, 28 Mar 2024 16:40:34 +0100
Message-ID: <CAOj+MMF6D+fsDY-8tt7R9MJRAf3x+bk13MXadSPT2ozOpq7zrg@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
Cc: Francois Clad <fclad.ietf@gmail.com>, "Pablo Camarillo (pcamaril)" <pcamaril@cisco.com>, Alvaro Retana <aretana.ietf@gmail.com>, SPRING WG List <spring@ietf.org>, 6man <ipv6@ietf.org>, "spring-chairs@ietf.org" <spring-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bcafed0614ba5868"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/ZDaSiaxBbx5LX3XMDOvtoPIgbLc>
Subject: Re: [spring] [IPv6] Subject: Mandating SRH when using C-SIDs (draft-ietf-spring-srv6-srh-compression)
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2024 15:40:51 -0000

Hi Tom,

Not really.

RFC8200 defines an exception which is tunneling and says:

         As an exception to the default behavior, protocols that use UDP
         as a tunnel encapsulation may enable zero-checksum mode for a
         specific port (or set of ports) for sending and/or receiving.
         Any node implementing zero-checksum mode must follow the
         requirements specified in "Applicability Statement for the Use
         of IPv6 UDP Datagrams with Zero Checksums" [RFC6936
<https://datatracker.ietf.org/doc/html/rfc6936>].


So in practice if we always tunnel SRv6 there is no issue.

Even Andrew agreed with that :)

Cheers,
Robert

On Thu, Mar 28, 2024 at 4:36 PM Tom Herbert <tom@herbertland.com> wrote:

> On Thu, Mar 28, 2024 at 7:46 AM Robert Raszuk <robert@raszuk.net> wrote:
> >
> > Hi Tom,
> >
> > > because of SRH
> >
> > Ok I buy this that there are devices which do check checksum and are not
> final destination of the packets  ... I was more talking about plain
> forwarding devices (aka P routers). Then I doubt firewalls would be sitting
> in the core of the networks.
> >
> > But let me come black to what I believe is the main disconnect.
> >
> > Why SRH would cause an issue ? I think there is claimed issue *ONLY*
> with SRv6 packets which are not encapsulated - call it raw - sent by the
> hosts which talk SRv6 and sent with more then one SID/uSID which may get
> swapped on the way.
> >
> > Because only in those cases the destination address will be changing
> while checksum of the tunnel header will not be zero.
> >
> > So what we should I think discuss are really B.1 and B.2.2 cases.
>
> Robert,
>
> The scenario that I'm talking about is really simple, and it's not
> specific to segment routing.  If someone sends a TCP in an IPv6 packet
> with no routing header then the convention is that the TCP checksum is
> valid end to end. So if the addresses are changed in flight, like in
> NAT, then we expect that some part of the packet covered by the
> checksum is adjusted to offset the change. If a packet is sent in
> segment routing without an SRH with EtherType 0x86DD then it IS an
> IPv6 packet to the network so all the conventions and requirements of
> IPv6 should be applied. IMO, if SRv6 can't maintain these conventions
> and requirements then it should fork from IPv6 and use a different
> EtherType.
>
> Tom
>
> >
> > Francois, Pablo - could you comment on this how often do we see those
> type of SRv6 deployments ? And also could you comment if operator who
> enables SRv6 in the first place sees those checksum errors how difficult is
> to address it ?
> >
> > Thx,
> > Robert
> >
> >
> > On Thu, Mar 28, 2024 at 3:29 PM Tom Herbert <tom@herbertland.com> wrote:
> >>
> >> On Thu, Mar 28, 2024 at 6:26 AM Robert Raszuk <robert@raszuk.net>
> wrote:
> >> >
> >> > Hi Alvaro,
> >> >
> >> > On this specific topic I think you have flatted it a bit too much.
> >> >
> >> > These are apparently the options on the table:
> >> >
> >> > A) Original packet get's encapsulated with IPv6 header
> >> >
> >> >       A.1 SHR is added to it
> >> >
> >> >              A.1.1. Regular SIDs are used
> >> >              A.1.2  Compresses SIDs are used
> >> >
> >> >       A.2 SRH is not added to it
> >> >
> >> >              A.2.1. Regular SID is used as destination
> >> >              A.2.2  Compresses SIDs are used in a container
> >> >              A.2.3  Compresses SID is used
> >> >
> >> > B) Original packet get's send from SRv6 host (without encapsulation)
> >> >
> >> >     B.1 SHR is added to it
> >> >
> >> >              B.1.1. Regular SIDs are used
> >> >              B.1.2  Compresses SIDs are used
> >> >
> >> >       B.2 SRH is not added to it
> >> >
> >> >              B.2.1. Regular SID is used as destination
> >> >              B.2.2  Compresses SIDs are used in a container
> >> >              B.2.3  Compresses SID is used
> >> >
> >> > So within all checksum related discussions so far it seems that the
> only concern is about B.2.2 and perhaps B.1 however folks did state that if
> there is SRH added there is no issue so I am not sure how the presence of
> SRH fixes it.
> >> >
> >> > Maybe there was some assumption that presence of SRH mandates
> encapsulation, but I do not believe this is the case for native SRv6 hosts.
> >> >
> >> > All in all I think it should be no business for transit nodes to
> verify packet's upper layer checksum. I do not know if there is any RFC
> which would describe what is an expected behavior for transit nodes or even
> say that they MAY do it.
> >>
> >> Robert,
> >>
> >> I can go further than that. I believe that intermediate nodes have no
> >> business parsing into the transport layer, and yet firewalls do that
> >> all the time even though there is no standard RFC on it (I've asked
> >> for someone to formalize the requirements of firewalls, but to no
> >> avail). Validating the checksum in flight is an instance of this, and
> >> there are devices that commonly do this in deployment. Protocol
> >> specific checksum offload in NICs is one example. Also, if someone is
> >> seeing checksum failures in their network, an obvious action is to
> >> sample packets from routers in the path and look at the traces. If the
> >> checksum is incorrect on the wire because of SRH then the operator
> >> sees a whole bunch of checksum errors at the router, but has no way to
> >> distinguish those packets that are actually good from those that are
> >> bad.
> >>
> >> It's a long established convention in IP that the transport checksum
> >> is maintained to be correct on the wire-- this is done in NAT by
> >> adjusting the checksum directly, there's also checksum neutral NAT
> >> that adjusts another part of the IPv6 header to keep the transport
> >> layer checksum correct. IMO, deviating from this convention is risky,
> >> not just to SRH packets but that can have collateral damage like
> >> breaking the user's ability to debug bad links as I described above.
> >>
> >> Tom
> >>
> >> >
> >> > Kind regards,
> >> > Robert
> >> >
> >> >
> >> >
> >> > On Thu, Mar 28, 2024 at 1:06 PM Alvaro Retana <aretana.ietf@gmail.com>
> wrote:
> >> >>
> >> >> Focusing on the C-SID draft, some have suggested requiring the
> >> >> presence of the SRH whenever C-SIDs are used. Please discuss whether
> >> >> that is the desired behavior (or not) -- please be specific when
> >> >> debating the benefits or consequences of either behavior.
> >> >>
> >> >> Please keep the related (but independent) discussion of requiring the
> >> >> SRH whenever SRv6 is used separate. This larger topic may impact
> >> >> several documents and is better handled in a different thread (with
> >> >> 6man and spring included).
> >> >>
> >> >> Thanks!
> >> >>
> >> >> Alvaro
> >> >> -- for spring-chairs
> >> >>
> >> >> --------------------------------------------------------------------
> >> >> IETF IPv6 working group mailing list
> >> >> ipv6@ietf.org
> >> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >> >> --------------------------------------------------------------------
> >> >
> >> > --------------------------------------------------------------------
> >> > IETF IPv6 working group mailing list
> >> > ipv6@ietf.org
> >> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >> > --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email