Re: [spring] SRv6 - SRH in encaps or base header - point 2
"Joel M. Halpern" <jmh@joelhalpern.com> Sat, 03 November 2018 06:59 UTC
Return-Path: <jmh@joelhalpern.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EAD1127332; Fri, 2 Nov 2018 23:59:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IawE70lojqCr; Fri, 2 Nov 2018 23:59:55 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5F18124BE5; Fri, 2 Nov 2018 23:59:55 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id 5FA271C02F4; Fri, 2 Nov 2018 23:59:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=2.tigertech; t=1541228395; bh=J2JadqoZuUbAbkunoJTt+293b6w8Asu4W5wUZeJ+4+0=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=OhCIzeyb21ro7u34iUhn2e+muTBjMFPe9vsHLTPgscgAu4cDdVoAuWIQFTYEtS1ll EaeZjA9uRsZ993+o6WQFVYs5uPePbHaOmgM3bXQZYVbZvhZ/bmznJNeb8qXamemlNY 68mWUv82y+Q5NwhScon5g3u3HVDt/2XNPqRVd7VE=
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from Joels-MacBook-Pro.local (unknown [210.164.9.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id 4066B5A1706; Fri, 2 Nov 2018 23:59:54 -0700 (PDT)
To: "Darren Dukes (ddukes)" <ddukes@cisco.com>
Cc: "6man@ietf.org" <6man@ietf.org>, "spring@ietf.org" <spring@ietf.org>
References: <42663f06-8fcc-4ca4-5e3c-368adcaaef86@joelhalpern.com> <A4FF775A-213D-46C3-93E5-180854097926@cisco.com> <69085e36-f091-44d5-590b-3550983ac4d7@joelhalpern.com> <AB652159-99AB-46C8-87B6-7A1020C1F880@cisco.com> <3e51b691-ae71-31ce-a094-db2d75d80ae0@joelhalpern.com> <728DADEC-AC49-4F16-93FB-4B5A6905DF59@cisco.com> <11918c9b-f0bb-4182-cdbe-9ed720b0a800@joelhalpern.com> <679B2EEF-4EE6-44BC-A9D7-17E70FF1133A@cisco.com>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <d3ed256d-16a0-bf96-f19c-234074e5ebd9@joelhalpern.com>
Date: Sat, 03 Nov 2018 15:59:52 +0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <679B2EEF-4EE6-44BC-A9D7-17E70FF1133A@cisco.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/Zy6TDCbrLdbntp8C2jtoQRmSqJw>
Subject: Re: [spring] SRv6 - SRH in encaps or base header - point 2
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Nov 2018 06:59:59 -0000
Thank you. That does address my concern about those exchanges. Yours, Joel On 11/3/18 2:50 AM, Darren Dukes (ddukes) wrote: > Joel, For our last remaining item in this thread, *re: communication > from 1 to 9 and 9 to 1.* > > Lets add the following since we don’t discuss traffic from a host within > the SR Domain to a host outside the SR Domain. > > <NEW TEXT> > *5.3.3 Inter SR Domain Packet* > Host 9 sends a packet to host 1 (outside the SR Domain) via an SR Policy > <S6,S3>. > Host 9 encapsulates an inner packet from 9 to 1 in an outer IPv6 header > and adds an SRH for the SR Policy. > > P7: (A9,S6)(S3,S6; SL=1)(A9,A1) > > A host implementation MUST support addition of the outer IPv6 > encapsulation to avoid leaking SIDs to nodes outside the SR Domain. > > For return traffic to A9, an outer IPv6 header may be applied by the SR > Domain ingress node. This outer IPv6 header may terminate at node 9, > therefore a host implementation MUST support decapsulation of an outer > IPv6 header and processing of the inner header. > </NEW TEXT> > > For traffic destined within the SR Domain it’s still up to the host or > controller providing the SR Policy to determine whether or not they must > encapsulate in an outer IPv6 header. > > Darren > >> On Oct 30, 2018, at 3:42 PM, Joel M. Halpern <jmh@joelhalpern.com >> <mailto:jmh@joelhalpern.com>> wrote: >> >> I am not sure I agree that the allowance for handling the HMAC >> elsewhere is straightforward. For example, I think the range of >> implementation strategies for border nodes and the intersection of >> that with the range of operational and deployment strategies is going >> to actually make it harder to get multi-vendor deployments. Having >> said that, the approach in the document will work. And I can live >> with it. >> >> On the choice of encaps or not encaps (from node 9 to external node 1) >> there are two issues. >> The important issue is that node 9 needs to be able to encaps. >> Otherwise there is no decision availabe, and the nodes software is >> forcing the operator to disclose, even if there policy is not to do >> so. Thus, I think the minimum requirement is that the document needs >> to clearly state that node 9 needs to be able to handle incoming >> encaps and needs to be able to generate outgoing encaps. >> >> The lesser issue is "why bother?" Why not always encaps. Given that >> the network has to have an MTU big enough to handle an encaps packet >> (due to incoming packets from out the SR domain), there is no MTU >> issue wiht the encaps. As such, we are talking about reducing the >> security and robustness of the solution in exchange for saving a few >> bytes. That almost never turns out well. >> >> Yours, >> Joel >> >> On 10/30/18 3:30 PM, Darren Dukes (ddukes) wrote: >>> I think we’re almost concluded so once more inline at <dd></dd> >>>> On Oct 26, 2018, at 2:28 PM, Joel Halpern <jmh@joelhalpern.com >>>> <mailto:jmh@joelhalpern.com>> wrote: >>>> >>>> (resending, +spring as requested) >>>> >>>> Thank you for the responses. I will respond in line, marked >>>> <jmh></jmh>. I fear it will shortly get too deep, but the context >>>> is important. >>>> >>>> I will rephrase here an issue from another thread that I ahve not >>>> seen your comments on. If Node 9 is sending traffic to Node 1 (for >>>> example, the reverse traffic for the traffic from 1 to 9 in the >>>> examples below), it presumably has an SR Policy to be applied. The >>>> issue I raised before is the leakage issue. If 9 puts the SRH in >>>> its packet (as the document currently mandates), then it will not be >>>> possible for 3 to remove the SRH. Thus, the SRH will leak. >>>> >>>> Some have argued that is not a big deal. It seems to matter to me. >>>> But there is an additional problem. A1 is not a SID. Therefore, 9 >>>> can not put A1 into the SRH. If it can not put A1 into the SRH, and >>>> it does not encapsulate the packet, where does it put A1. >>> <dd> Node 9 has a choice, encapsulate to node 3 or not. >>> If node 9 does not encapsulate, it will inform the destination of the >>> segments in the SRH and possibly leak them to intermediate nodes. >>> If node 9 does encapsulate, node 3 removes the outer header and node >>> 1 would not learn the segment list. >>> I think its choice should not be mandated in the draft. </dd> >>>> >>>> Yours, >>>> Joel >>>> >>>> On 10/26/18 1:29 PM, Darren Dukes (ddukes) wrote: >>>>> Hi Joel, you’ve described sections titled “Intra SR Domain Packet”, >>>>> “Transit Packet Through SR Domain”, and "SR Source Nodes Not >>>>> Directly Connected”. >>>>> I’ve parsed them inline to the sections of the draft defining them >>>>> and given more context where needed. >>>>>> On Oct 22, 2018, at 8:49 PM, Joel M. Halpern <jmh@joelhalpern.com >>>>>> <mailto:jmh@joelhalpern.com>> wrote: >>>>>> >>>>>> Rephrasing using the example from 5.2. Assuming that 8 and 9 are >>>>>> SR Hosts (not just hosts within the domain, they are capable of >>>>>> and expect to deal with SRHs, and therefore have local SIDs, ...) >>>>>> >>>>>> For traffic from 8 to 9 that needs an SRH, the SRH goes in the >>>>>> IPv6 header sent my 8 to 9. When 9 processes the packet, it seems >>>>>> that it is the last SID, figures out that there is no >>>>>> encapsulation, and send the TCP / UDP / QUIC information to its >>>>>> internal protocols stacks. >>>>> Yes, this is Section 5.3.1 “Intra SR Domain Packet”. >>>> <jmh>Agreed as far as it goes. However, the existence of S9 and A9 >>>> points to a problem. Node 8 is trying to put on an SRH going >>>> through Sx, Sy, whatever for some reason. It can't put A9 into the >>>> SRH, as AH is not a SID, it is an address. I presume node 8 got S9 >>>> from whatever provided him the SR Policy that it is using. Does it >>>> simply use S9 as the address for node 9, rather than A9 that it got >>>> from DNS? And does the TCP stack know that this substitution is >>>> being made? (This is another example of a problem that goes away if >>>> we always encapsulate.) </jmh> >>> <dd>Section 4.3.2 covers these questions, i.e. A9 can be placed in >>> the SRH as the last segment, and this section describes how it’s >>> handled.</dd> >>>> >>>>>> >>>>>> For traffic from 1 to 9, where 3 adds an SRH, that SRH still >>>>>> presumably ends at 9. 9 Receives the IP packet. Sees that it is >>>>>> addressed to itself. Sees that the SRH is finished. And then >>>>>> notices that the next-header is IPv6. Unwraps the header, checks >>>>>> that the inner destination address is also itself, and passes the >>>>>> material carried by the inner header up to the appropriate stack. >>>>> So node 1 sends a packet to node 9 (A1,A9) >>>>> IF there is some steering into an SR Policy at node 3 to reach node >>>>> 9, this is identical to section 5.3.2 “Transit packet through SR >>>>> domain”, except for destination of A9 via node 9 instead of A2 via >>>>> node 4. >>>> >>>>>> >>>>>> Thus, 9 needs to be able to check for both cases. We at least >>>>>> need to tell implementors that. >>>>> Well, 9 needs a SID S9 and Address A9. That is shown in Section >>>>> 5.1 SID and address representation. >>>> <jmh>So, let us assume that 3 has an SR policy it wants to apply to >>>> the traffic from A1 to A9. In this case, the S9 / A9 dichotomy is >>>> not a problem, I think. Node 3 encapsualtes the packet from A1 to >>>> A9, uses S3 as the source address of the encapsulating header, and >>>> ends the SID list in the SRH with S9. The unspecified part is that >>>> node 9 needs to be prepared to receive such packets and do the >>>> double processing. It is reasonable double processing. My only >>>> request here is that we tell folks they need to support it. </jmh> >>> <dd>Actually, node 3 uses A3 as its source address, but that’s minor. >>> The double processing (lookup, do end processing, do another lookup) >>> is documented in Section 4.3. >>> Is there a need for more than what is currently specified? </dd> >>>>>> >>>>>> There is a further complication. 9 seems to need to have an >>>>>> address that is a valid SID, so it can be the last entry in the >>>>>> SRH from 8 to 9. >>>>> As described in the draft, Section 5.1 a node k has an address Ak >>>>> and SID Sk. So node 9 has a valid SID. >>>>> For traffic from 8 to 9, A9 is used as the destination as shown in >>>>> section 5.3.1, 5.4 and 5.5. >>>>>> However, if 1 were to send the packet to that SID for 9, router 3 >>>>>> would be required by the rules we discussed in the other thread to >>>>>> discard the packet as it is neither to prefix nor contains an HAMC. >>>>>> And somehow, 8 and 1 need to each pick the right address to use >>>>>> for 9. (split DNS maybe?) And 3 needs to be able to derive teh >>>>>> SID-formn address for 9 from the non-SID form of the address so >>>>>> that it (3) can build a proper SRH to get the packet to 9. >>>> <jmh>I have retained your answer below for context, but I think that >>>> answers the wrong question. I believe what is itnended is that only >>>> A9 appears in DNS. So Node 1 will see 9 as A9, and will use that. >>>> S9 will appear in SR Policies about traffic to node 9, but not in >>>> DNS. That is what we need. I wish it were clearer in the text. </jmh> >>>> >>>> <jmh>If node 20 is generating SRHs with HMACs, then this is largely >>>> the same as the case from 8 to 9, except that whomever creates the >>>> SR Policy that 20 is using needs to also make sure that whatever the >>>> first SID is in teh list, it processes HMACs and is recognizable to >>>> node 3 as doing such processing. I am guessing that the reason for >>>> allowing internal nodes to do the processing is to move the >>>> verification load off the edge nodes. It does create significant >>>> additional configuration complexity. </jmh> >>> <dd>We didn’t see a reason to restrict the HMAC processing to only >>> edge nodes when it was straight forward to define how they could be >>> processed at non-edge nodes.</dd> >>>> >>>>> This is incorrect. >>>>> See Section 6.2.1 “SR Source Nodes Not Directly Connected” I will >>>>> expand on the example from that section. >>>>> Node 20 sends a packet to A9 with SR Policy <H7> and an HMAC >>>>> provided to node 20 by some yet to be defined method. Resulting in >>>>> packet sent from node 20 >>>>> P: (A20,H7)(A9;SL=1)(payload) >>>>> Recall Hk is a SID at node k requiring HMAC verification, and it is >>>>> covered by Prefix-H. >>>>> Prefix-H is _not_ subject to ingress filtering at node 3. >>>>> Therefore the packet P destined to H7 is not subject to ingress >>>>> filtering at node 3. >>>>> P is forwarded to node 7, where H7 is processed and the HMAC verified. >>>>> If the HMAC can not be verified the packet is dropped, else it is >>>>> forwarded to the next segment and destination, A9. >>>>> Darren >>>>>> >>>>>> Yours, >>>>>> Joel >>>>>> >>>>>> On 10/22/18 8:04 PM, Darren Dukes (ddukes) wrote: >>>>>>> inline. >>>>>>>> On Oct 22, 2018, at 7:21 PM, Joel M. Halpern >>>>>>>> <jmh@joelhalpern.com <mailto:jmh@joelhalpern.com>> wrote: >>>>>> .. >>>>>>>> 2) Now let us look at packets arriving at and actually destined >>>>>>>> for an SR Host in the SR Domain where that packet has an SRH. >>>>>>>> If the packet is coming from another SR Host, the SRH will be >>>>>>>> in the base header, and the host can simply check it for any >>>>>>>> violations, and continue. But, if the packet came from outside >>>>>>>> the domain, then it will have an encapsulating SRv6 header. So >>>>>>>> the host has to detect this case, check and then peal off the >>>>>>>> encapsulating header, and then process the received packet. Yes, >>>>>>>> it can do so. But nothing in teh document tells implementors >>>>>>>> they have to deal with both cases. >>>>>>>> >>>>>>> Can you be more precise here. Perhaps use the example from >>>>>>> section 5.2 or 6.2.1? >>>>>> .. >
- Re: [spring] SRv6 - SRH in encaps or base header … Darren Dukes (ddukes)
- Re: [spring] SRv6 - SRH in encaps or base header … Joel Halpern
- Re: [spring] SRv6 - SRH in encaps or base header … Darren Dukes (ddukes)
- Re: [spring] SRv6 - SRH in encaps or base header … Joel M. Halpern
- Re: [spring] SRv6 - SRH in encaps or base header … Chengli (IP Technology Research)
- Re: [spring] SRv6 - SRH in encaps or base header … Darren Dukes (ddukes)
- Re: [spring] SRv6 - SRH in encaps or base header … Darren Dukes (ddukes)
- Re: [spring] SRv6 - SRH in encaps or base header … Joel M. Halpern
- [spring] 答复: SRv6 - SRH in encaps or base header … Chengli (Cheng Li)
- Re: [spring] SRv6 - SRH in encaps or base header … Darren Dukes (ddukes)
- Re: [spring] SRv6 - SRH in encaps or base header … Chengli (Cheng Li)