IETF Logo Mail Archive

Re: [spring] C-SIDs and upper layer checksums (draft-ietf-spring-srv6-srh-compression)

Francois Clad <fclad.ietf@gmail.com> Thu, 04 April 2024 17:11 UTC

Return-Path: <fclad.ietf@gmail.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23E82C14F5ED for <spring@ietfa.amsl.com>; Thu, 4 Apr 2024 10:11:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z5DsGaHvRM0K for <spring@ietfa.amsl.com>; Thu, 4 Apr 2024 10:11:33 -0700 (PDT)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDDC6C14F695 for <spring@ietf.org>; Thu, 4 Apr 2024 10:10:43 -0700 (PDT)
Received: by mail-ej1-x62e.google.com with SMTP id a640c23a62f3a-a44f2d894b7so172280466b.1 for <spring@ietf.org>; Thu, 04 Apr 2024 10:10:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712250642; x=1712855442; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=y4DfqTvlpSAMxttT7DnhSx9ByjykK/GRz/GkdTVN0ls=; b=GUS//dqRC5OcH+rPqZ/Tuyb3iGTotelGE89HEu4RsVa5pj9j+YbusqdVlgkGFbbW56 s8gfYYjzxMi/9xS/hMrf7/9xWboWz0XKAE7KXHlkYHMCIIWYwpzeC61960EXyfkAFLiJ uZULfoX4E/TdfBnndYHf9068HMxq6rMtM8Iom/y/dVPFQL9NeqaJHLrG30hDvpzFTe4F wznPCFWMQ4u/hZHHaLWn3m5Gfvqf2ER53vzPHjFrNJCiXgIdb++zmwN339dnHj0jRG3Z 2s3zvs2JeR+42K6KbYkhSlRqqUlK8iEw8uiLTR4DCBw82vP6pWmNTBKrHWruSpbBoQgW CDSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712250642; x=1712855442; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=y4DfqTvlpSAMxttT7DnhSx9ByjykK/GRz/GkdTVN0ls=; b=p/j1J50coP20S8TqmoiRJ1XVKlumknDlM1Vl5Yu4H0hQCXsRUVxAqzoiH1EVjqBUua 1ldX3Cm8+fy8RPA2WmFwcxY8QIJUc5qGMYUbl/OUzIJOvqXH3DE7yha1g3egMwUZFUKD CmWh50Q8O8nCkJxdg9hPbH+fCL81wYmYC9PwCAQgE3Wom1pxxJ2bPydUu5UkldILB3sa w0j7qs8iWwbNvpl0f6aLRRz+SgULI17rb5boag0R0GOArS6B9voCtlhTZrmzCpQZY5Fk xpn8uyNafzc1jqAOQZdFCv4K+dHPNQjHzXFOlcJynh+jYXxAhvXqF5cJazcQxS33/F9S JXcA==
X-Gm-Message-State: AOJu0Yx46HH/i9DvB3o089plVXPWjuDs4xMFs14SNfz/bWCgzglrR8s9 +uBaoUKZbvBPgIETIZGxuOWCKpWMdG/vMok2lEyiZoX8HUsSf2HK59NczhPAqChUUfCtTv+OxA+ 24B6P6WK8y/MB63eM+5t5FS/E7Q==
X-Google-Smtp-Source: AGHT+IHEJyFs6gV+30dE5cNdtZuxbPmPn8vDlIgmpggGbftd71zU+wu0+YMDK34rqsiHGs2dCE4ccEOM8TMg4b4cVHI=
X-Received: by 2002:a17:906:57c9:b0:a51:933e:c544 with SMTP id u9-20020a17090657c900b00a51933ec544mr1142650ejr.62.1712250641506; Thu, 04 Apr 2024 10:10:41 -0700 (PDT)
Received: from 1064022179695 named unknown by gmailapi.google.com with HTTPREST; Thu, 4 Apr 2024 17:10:40 +0000
Received: from 1064022179695 named unknown by gmailapi.google.com with HTTPREST; Thu, 4 Apr 2024 17:10:37 +0000
MIME-Version: 1.0 (Mimestream 1.2.6)
References: <CAMMESsyCYJwWP48=a9RWx3n8txS1eR4VLnUeE++VEdHKFeKOjw@mail.gmail.com> <CAOj+MMH9-F0nWG6zDZXxAGOQ7T8T9bUn74f4o=Fh2p0zah86Gg@mail.gmail.com> <e50b6a1b-08ae-4c8c-b3f0-0900fe8a9158@joelhalpern.com> <CAOj+MME5yL2S9Y8woVhLpkx8Xjq8g1+Ngw0RjH7o5u82p-38yg@mail.gmail.com> <71b6f07e-08d6-40a0-9436-e4acebf96c3b@joelhalpern.com> <CAOj+MMGNbYy=QZdptdKfYa-1pGfO0OeEbc_SsOVcvhgR+==sHQ@mail.gmail.com> <e9731f5f-f583-456f-b1a2-ba99e1b9dda8@joelhalpern.com> <CAHT6gR8+y0nn8TndTsB5=uJXCpLW-01F6s1o9ZRrBA9yxQiqwQ@mail.gmail.com> <DU2PR03MB8021725C40A8BFF037A97C8FFA3C2@DU2PR03MB8021.eurprd03.prod.outlook.com> <CAHT6gR-zJOngZrnugetKgJ+jzDVJ0LO6Ro9Cng=scRDzQFTo0w@mail.gmail.com> <038b66c0-1f43-4167-8066-550addd2307a@joelhalpern.com> <CAHT6gR93o5kCnsoMme3nZ=Ru_H=Ahj7nKJHK+e8v2w=TFySCag@mail.gmail.com> <93965f42-9980-4f7b-a5c8-e0ba5a6ef165@joelhalpern.com>
In-Reply-To: <93965f42-9980-4f7b-a5c8-e0ba5a6ef165@joelhalpern.com>
From: Francois Clad <fclad.ietf@gmail.com>
Date: Thu, 04 Apr 2024 17:10:40 +0000
Message-ID: <CAHT6gR84V9w5Htp7sQ67iu7+X8esohKOUE99gVbbZfZeLqyEGw@mail.gmail.com>
To: Joel Halpern <jmh.direct@joelhalpern.com>
Cc: SPRING WG List <spring@ietf.org>, Robert Raszuk <robert@raszuk.net>, Andrew Alston - IETF <andrew-ietf@liquid.tech>
Content-Type: multipart/alternative; boundary="00000000000040e8aa0615486be3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/aaDLlMTxEz8UDO4Txamo0xcBPMM>
Subject: Re: [spring] C-SIDs and upper layer checksums (draft-ietf-spring-srv6-srh-compression)
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 17:11:37 -0000

 Hi Joel,

One can ping a SID of this document without a segment list by simply
running the ping command with that SID as an argument (2nd paragraph of
section 9.1).

To ping a SID of this document via a SID list, one needs to configure the
originator node to impose that SID list, like any other SRv6 SID list.

Hope this helps.

Cheers,
Francois


On 4 Apr 2024 at 16:29:11, Joel Halpern <jmh.direct@joelhalpern.com> wrote:

> <No Hats>
>
> It seems that the text you quote requires that the ping code or kernel
> code know that the user has specified a uSID for the ping DA.   Maybe I am
> missing something, but it is not obvious to me how that would be achieved?
> And does seem to imply that an unmodified ping will get incompatible and
> unexpected results?
>
> Yours,
>
> Joel
> On 4/4/2024 10:23 AM, Francois Clad wrote:
>
> Hi Joel,
>
> The ping behavior is described in section 9.1 of the draft (
> https://www.ietf.org/archive/id/draft-ietf-spring-srv6-srh-compression-14.html#section-9.1
> ).
>
> Specifically,
> "When pinging a SID of this document via a segment list, the SR source
> node MUST construct the IPv6 packet as described in Section 6 and compute
> the ICMPv6 checksum as described in Section 6.5."
>
> Please let me know if anything in this text is not clear.
>
> Thanks,
> Francois
>
> On 4 Apr 2024 at 16:10:11, Joel Halpern <jmh.direct@joelhalpern.com>
> wrote:
>
>> <No Hat>
>>
>> Does this mean that if I have a source and destiantion host inside an
>> SRv6 domain, and I am trying to verify a uSID path between them, so I issue
>> the command ping <usUD-DA>, it will fail?  Given that we have documents
>> describing the use of ping and traceroute with SRv6, shouldn't the
>> comrpession document say someething about this?
>>
>> Your,s
>>
>> Joel
>> On 4/4/2024 9:59 AM, Francois Clad wrote:
>>
>> Hi Andrew,
>>
>> The originator (TX Linux box in your case) acting as an SR source node
>> for C-SID must follow the entire Section 6 of
>> draft-ietf-spring-srv6-srh-compression, including section 6.5 about the
>> checksum calculation. One cannot expect it to work if it only implements
>> half of it.
>>
>> On the receive side, there is nothing special to do. The DA in the
>> received IPv6 header is the one that was used for the checksum calculation.
>>
>> I do not see anything broken.
>>
>> Cheers,
>> Francois
>>
>> On 4 Apr 2024 at 15:32:12, Andrew Alston - IETF <andrew-ietf@liquid.tech>
>> <andrew-ietf@liquid.tech> wrote:
>>
>>> So in investgiating this further, there is a further problem.
>>>
>>>
>>>
>>> I’ve checked on 4 different linux boxes with 4 different network cards.
>>>
>>>
>>>
>>> Linux by default offloads TX checksumming on a lot of network cards.  If
>>> you originate a packet with a microsid and no SRH – and the linux box
>>> offloads the checksum generation – the checksum generated by the NIC will
>>> be incorrect – and when the packet arrives at the end host – if that end
>>> host is running RX checksumming – the checksum will fail and the packet
>>> will be dropped.
>>>
>>>
>>>
>>> If you disable TX checksumming – the kernel will have no way to tell if
>>> the packet is an Ipv6 or a microsid packet, it will therefore use the DA –
>>> and generate an incorrect checksum.  Again – if RX checksumming is enabled
>>> on the receiving end point – the packet will get dropped.
>>>
>>>
>>>
>>> Effectively this does NOT just affect middle boxes – it effects anything
>>> generating a packet directed to a microsid that either offloads the tx to
>>> hardware (whichi will have no clue this is a microsid) or in the
>>> alternative is generating tx checksums itself via kernel mechanisms that
>>> will treat these packets as standard Ipv6 packets.
>>>
>>>
>>>
>>> This is broken – severely broken.
>>>
>>>
>>>
>>> Andrew
>>>
>>>
>>>
>>>
>>>
>>> * Internal All Employees From: *spring <spring-bounces@ietf.org> on
>>> behalf of Francois Clad <fclad.ietf@gmail.com>
>>> *Date: *Thursday, 4 April 2024 at 14:49
>>> *To: *Joel Halpern <jmh.direct@joelhalpern.com>
>>> *Cc: *SPRING WG List <spring@ietf.org>, Robert Raszuk <robert@raszuk.net
>>> >
>>> *Subject: *Re: [spring] C-SIDs and upper layer checksums
>>> (draft-ietf-spring-srv6-srh-compression)
>>>
>>> Some people who received this message don't often get email from
>>> fclad.ietf@gmail.com. Learn why this is important
>>> <https://aka.ms/LearnAboutSenderIdentification>
>>>
>>> CAUTION: This email has originated from a free email service commonly
>>> used for personal email services, please be guided accordingly especially
>>> if this email is asking to click links or share information.
>>>
>>>
>>>
>>> Hi all,
>>>
>>>
>>>
>>> Section 6.5 of draft-ietf-spring-srv6-srh-compression specifies how an
>>> SR source node originating a packet with an upper layer checksum determines
>>> the Destination Address for use in the IPv6 pseudo-header.
>>>
>>>
>>>
>>> As a co-author, I’d say that the current text of 6.5 is good.
>>>
>>>
>>>
>>> This text is aligned with RFC 8200. It only indicates how the text in
>>> Section 8.1 of RFC 8200 applies to the SIDs of
>>> draft-ietf-spring-srv6-srh-compression. This is necessary since RFC 8200
>>> does not specify the format nor behavior of any source routing scheme.
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Francois
>>>
>>>
>>>
>>>
>>>
>>> On 4 Apr 2024 at 00:10:55, Joel Halpern <jmh.direct@joelhalpern.com>
>>> wrote:
>>>
>>> I can not speak to the "norm" for other working groups.  The SPRING
>>> charter is very specific about what we have to do if we want to change an
>>> underlying protocol.  We have to go back to the WG which owns that
>>> protocol.
>>>
>>> 6man gets to decide if the change is acceptable, and if it is acceptable
>>> how it is to be represented.  SPRINGs job is to make sure we are asking the
>>> question we intend.
>>>
>>> Yours,
>>>
>>> Joel
>>>
>>> On 4/3/2024 6:05 PM, Robert Raszuk wrote:
>>>
>>> Ok Joel,
>>>
>>>
>>>
>>> Thank you for this clarification.
>>>
>>>
>>>
>>> To me the actual spirit of RFC8200 8.1 is to say that it is ok to
>>> compute the checksum by the src such that it comes out right at the final
>>> destination.
>>>
>>>
>>>
>>> But I guess we can have different opinions about that.
>>>
>>>
>>>
>>> But what I find specifically surprising here is that it is a norm in
>>> IETF to have new specifications defining protocol extensions and their
>>> behaviour and never go back to the original protocol RFC to check if this
>>> is ok or not. If that would not be a normal process I bet we would still be
>>> using classful IPv4 routing all over the place.
>>>
>>>
>>>
>>> Regards,
>>>
>>> Robert
>>>
>>>
>>>
>>>
>>>
>>> On Wed, Apr 3, 2024 at 11:28 PM Joel Halpern <jmh@joelhalpern.com>
>>> wrote:
>>>
>>> The concern with regard to the text that the chairs are asking about is
>>> not about intermediate nodes verifying the checksum.  The text does not
>>> talk aabout that, so we are not asking about that.
>>>
>>> But, the text in 8200 specifies how the originating node is to compute
>>> the upper layer checksum.  It doesn't say "do whatever you need to do to
>>> make the destination come out right".  It provides specific instructions.
>>> Yes, it is understandable that those instructions do not cover the
>>> compressed container cases.  Which is why the compression document
>>> specifies changes to those procedures.
>>>
>>> Thus, we need to ask 6man how they want to handle the change in the
>>> instructions in 8200.
>>>
>>> the question we are asking SPRING is whether there is any clarification
>>> people want to the text in the compression draft before we send the
>>> question over to 6man.
>>>
>>> Yours,
>>>
>>> Joel
>>>
>>> On 4/3/2024 5:15 PM, Robert Raszuk wrote:
>>>
>>> Hi Joel,
>>>
>>>
>>>
>>> My interpretation of text from RFC8200 is that it allows discrepancy
>>> between the header and the upper layer checksum as long as final packet's
>>> destination sees the correct one.
>>>
>>>
>>>
>>> The last condition is met.
>>>
>>>
>>>
>>> So I see no issue.
>>>
>>>
>>>
>>> Sure RFC8200 does not talk about SRH nor cSIDs, but provides a hint on
>>> how to handle such future situations.
>>>
>>>
>>>
>>> With that being said I would like to still understand what real problem
>>> are we hitting here ...
>>>
>>>
>>>
>>> Kind regards,
>>>
>>> Robert
>>>
>>>
>>>
>>> On Wed, Apr 3, 2024 at 11:09 PM Joel Halpern <jmh@joelhalpern.com>
>>> wrote:
>>>
>>> There are two cases covered in section 6.5 of the compression draft that
>>> appear to be at variance with secton 8.1 of RFC 8200.
>>>
>>> First, if the final destination in the routing header is a compressed
>>> container, then the ultimate destination address will not be the same as
>>> the final destination shown in the routing header.
>>>
>>> Second, if a uSID container is used as the destination address and no
>>> SRH is present, then in addition to the above problem there is no routing
>>> header to trigger the behavior described.
>>>
>>> Yours,
>>>
>>> Joel
>>>
>>> On 4/3/2024 4:22 PM, Robert Raszuk wrote:
>>>
>>> Hi Alvaro,
>>>
>>>
>>>
>>> Section 6.5 of draft-ietf-spring-srv6-srh-compression describes the
>>> behavior when an originating node inside an SRv6 domain creates a
>>> packet with a C-SID as the final destination.
>>> *This description differs from the text in Section 8.1 of RFC8200.*
>>>
>>>
>>>
>>> I would like you to clarify the above statement - specifically of the
>>> last sentence.
>>>
>>>
>>>
>>> Reason for this that after looking at both drafts I find section 6.5 of
>>> the subject draft to be exactly in line with RFC8200 section 8.1 especially
>>> with the paragraf which says:
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *         If the IPv6 packet contains a Routing header, the Destination
>>>          Address used in the pseudo-header is that of the final
>>>  destination.  At the originating node, that address will be in
>>>  the last element of the Routing header; at the recipient(s),          that
>>> address will be in the Destination Address field of the          IPv6
>>> header.*
>>>
>>>
>>>
>>> So before we dive into solutions (as Andrew has already provided a few
>>> of) I think we should first agree on what precise problem are we solving
>>> here ?
>>>
>>>
>>>
>>> Many thx,
>>>
>>> Robert
>>>
>>>
>>>
>>> PS. As a side note I spoke with my hardware folks - just to check if
>>> validation of upper-layer checksum is even an option for transit nodes. The
>>> answer is NO as most data plane hardware can read at most 256 bytes of
>>> packets. So unless there is some specialized hardware processing up to 9K
>>> packets in hardware at line rates this entire discussion about checksum
>>> violations, fears of firing appeals is just smoke.
>>>
>>>
>>>
>>> _______________________________________________
>>> spring mailing list
>>> spring@ietf.org
>>> https://www.ietf.org/mailman/listinfo/spring
>>>
>>>

v2.23.0 | Report a Bug | By Email