IETF Logo Mail Archive

Re: [spring] A note on CRH and on going testing

Ron Bonica <rbonica@juniper.net> Sat, 21 September 2019 18:09 UTC

Return-Path: <rbonica@juniper.net>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F2871200B8 for <spring@ietfa.amsl.com>; Sat, 21 Sep 2019 11:09:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NHKSZPvzIzMY for <spring@ietfa.amsl.com>; Sat, 21 Sep 2019 11:09:40 -0700 (PDT)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D112120024 for <spring@ietf.org>; Sat, 21 Sep 2019 11:09:40 -0700 (PDT)
Received: from pps.filterd (m0108158.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id x8LI9X3a002474; Sat, 21 Sep 2019 11:09:34 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=PPS1017; bh=fCgv4MZquoQpw5smf7wofE97Oz7mmsRtmumsDOnH9Tw=; b=GORD+MvjsNP5XH8ClmETMJOTuWjJ2ulBvMZzTc9y6CgmdvJDlYTJ2OB97ASFRPl1+Qa3 a93IgzdFnTjcgEEFfVBzs34Q0AxHoHcXh4gTrejvkFleP6tcBLBIpBANygtD2eHvoYbz vtA8/QVavgGgHseoiIu071ykEYNfPApYxg+Fbp3G75rQoe/otWP8ELnfq9LftZowYOvR RwloUsC0R2H//0tEfn7djfVrBH8vCZkufmq96+2BCTvovmb8kCEOSHZFxzlCoPXaQsvL ir/fEf0lUgw8hTw8THYvut+AneVvcQRsgsdPSGamckzq/ddDTSSMjaQ+Auxm/Cc3H6rH RA==
Received: from nam02-cy1-obe.outbound.protection.outlook.com (mail-cys01nam02lp2055.outbound.protection.outlook.com [104.47.37.55]) by mx0a-00273201.pphosted.com with ESMTP id 2v5fjr0t2g-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 21 Sep 2019 11:09:34 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lLtQ4kcm3lSktGs9SkFFxjNasjAbrFVe8/5v8DJ6mlGGBB6ySm9O4CHzoD4YgHJY9psM5hdJbmtspTOvILI65LfBR6mKopKkE8pWeDHa6t2qGo5jXmep7aCqF2eAU7TDY8d4oEPqWPKA4WO8qrTXNpxLEw1ctaBUuelQkUQFp+ZX9buuKyqud6w25AUElBfaCrq5mnXeW46ZQl+Yc6fiElVcRbgDYPkwZ0zT7m3bPB/6k1lL1aNE9wYLqV5jI1HiJ4ryIVgXhirWaeM8WTqKVfMKBl7PWGphuMpFg+A3U9vW+6WngDe7o3s7llMHGsn3O1dJgWE50nYWVlBp0GF3Gg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fCgv4MZquoQpw5smf7wofE97Oz7mmsRtmumsDOnH9Tw=; b=cQ1/nsy8sO3Vy3QDDlR6H9s77RSC4mLk1L+uGCAnzVsi8SgWZHGbZV00YweUsIuQWbUnMIy/8eawnusWvLpCZ5liq47Lp3jT2aGynb1hui2rvFypMcWB0m6WmMx5ivdYNJtdwEFNPkSIKIJeLnqH6SX369WcABveSya2a2fh9DbffXKVdIDvDCFUNdx8ywzSz7UfZ5+Y/0eOJUDAi42QS6vjL+wURvYg/Qkmp4ZOIt1wFrMF/ftD1meT/geW0kgYw9qyn/HiDMuGBwljeDx/RNC2qYF3N/kHu8F66ICWp+lve5JkCQ7b4G8PQxCogBnSY/jrW6CVmA+ET4IsW/GygA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
Received: from BYAPR05MB5463.namprd05.prod.outlook.com (20.177.185.144) by BYAPR05MB6536.namprd05.prod.outlook.com (20.178.234.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2284.12; Sat, 21 Sep 2019 18:09:30 +0000
Received: from BYAPR05MB5463.namprd05.prod.outlook.com ([fe80::f4f2:f284:d49a:890a]) by BYAPR05MB5463.namprd05.prod.outlook.com ([fe80::f4f2:f284:d49a:890a%4]) with mapi id 15.20.2284.009; Sat, 21 Sep 2019 18:09:30 +0000
From: Ron Bonica <rbonica@juniper.net>
To: SING Team <s.i.n.g.team.0810@gmail.com>
CC: Jeff Tantsura <jefftant.ietf@gmail.com>, "Chengli (Cheng Li)" <chengli13@huawei.com>, "EXT - daniel.bernier@bell.ca" <daniel.bernier@bell.ca>, SPRING WG List <spring@ietf.org>
Thread-Topic: [spring] A note on CRH and on going testing
Thread-Index: AQHVbv1ogIVJNBSa90i6Frx+YTTnzaczIfKAgAC8GgCAAAELAIAA/e3wgACjQQCAAOr5IA==
Content-Class:
Date: Sat, 21 Sep 2019 18:09:30 +0000
Message-ID: <BYAPR05MB5463D09B6FAB2F4E60103FAAAE8B0@BYAPR05MB5463.namprd05.prod.outlook.com>
References: <1568906072231.1bkuswxveutxvlrzmmzkgs2g@android.mail.163.com> <20625BDC-2D90-4E35-96E3-2BC4B723C06E@bell.ca> <C7C2E1C43D652C4E9E49FE7517C236CB026DDDBE@dggeml529-mbx.china.huawei.com> <FC493433-BCDD-4080-9400-61481E7ADEF8@gmail.com><BYAPR05MB546372D1E0559F75D7DA5F61AE880@BYAPR05MB5463.namprd05.prod.outlook.com> <1569035481440.mlhhmijcsgraco5tapifot4m@android.mail.163.com>
In-Reply-To: <1569035481440.mlhhmijcsgraco5tapifot4m@android.mail.163.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Enabled=True; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SiteId=bea78b3c-4cdb-4130-854a-1d193232e5f4; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Owner=rbonica@juniper.net; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SetDate=2019-09-21T18:09:24.5631172Z; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Name=Juniper Business Use Only; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Application=Microsoft Azure Information Protection; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_ActionId=1f99e35a-786e-4fa3-a760-94fc100f5dbb; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Extended_MSFT_Method=Automatic
dlp-product: dlpe-windows
dlp-version: 11.2.0.14
dlp-reaction: no-action
x-originating-ip: [108.28.233.91]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4f9ad7e1-f05a-4630-ead2-08d73ebed94f
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600167)(711020)(4605104)(1401327)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(49563074)(7193020); SRVR:BYAPR05MB6536;
x-ms-traffictypediagnostic: BYAPR05MB6536:
x-ms-exchange-purlcount: 3
x-ld-processed: bea78b3c-4cdb-4130-854a-1d193232e5f4,ExtAddr
x-microsoft-antispam-prvs: <BYAPR05MB6536B34AC102EDE5604E39F9AE8B0@BYAPR05MB6536.namprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:4125;
x-forefront-prvs: 0167DB5752
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(39860400002)(366004)(136003)(396003)(376002)(346002)(199004)(189003)(446003)(5660300002)(229853002)(7696005)(236005)(99286004)(316002)(9686003)(478600001)(256004)(11346002)(26005)(25786009)(966005)(54906003)(6436002)(33656002)(733005)(486006)(4326008)(14454004)(86362001)(53546011)(6916009)(71200400001)(6246003)(66066001)(66476007)(71190400001)(102836004)(3846002)(99936001)(7736002)(8936002)(52536014)(74316002)(66574012)(81156014)(6116002)(790700001)(81166006)(55016002)(76116006)(2906002)(14444005)(6506007)(66446008)(66946007)(186003)(64756008)(76176011)(66556008)(6306002)(66616009)(606006)(8676002)(476003)(54896002); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR05MB6536; H:BYAPR05MB5463.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: ryJU8whUArnLtgJhfRfL4NNmFMBieHdzp9SAz+OAeExTw78RkEQSoZWJedU7kzFoRSsdh0robft5TI8+Ig5q1lnMz9hzS3xTTtIKKYQP/GQ2MjEFDvMEY+kP5+K8FlVDF52pOiErO24Z9Ayq4TI37FnEszeftCCECxu7PKZw8AeH42MIWG4xo/DUWDZsuNmLFswg8laGdD9g5DUYQAjTZvcJKkF97XTtWWkSKW7urp0pG2CPBHi9bLPtF6QyrqoS4aWbMe3kr9LH3GzN3pul02DHA9WajZQfZ1Po1gk5bMr1luJ8S/8WSz+AIMHuwXZWwLp2dzEiwClLkIGAZThQJhKZ8FkUa/tQqR7vzY0MkRFGIrS0zL3CzNQlBHHRNm7JG+CHLnxtRBNLFgzfAN0UNcXk1VoLerGniypQkdjz0fE=
x-ms-exchange-transport-forked: True
Content-Type: multipart/related; boundary="_004_BYAPR05MB5463D09B6FAB2F4E60103FAAAE8B0BYAPR05MB5463namp_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 4f9ad7e1-f05a-4630-ead2-08d73ebed94f
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Sep 2019 18:09:30.4335 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kM4xvwHQE5ARDHQMLWAkN1+jeL9DCYKBYhOeC58H4U0YLh5ZtJFfDilIicRDBZRXQUupaJSWJVVaSHRsGT8/3w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB6536
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.70,1.0.8 definitions=2019-09-21_08:2019-09-20,2019-09-21 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 mlxscore=0 adultscore=0 phishscore=0 spamscore=0 suspectscore=0 malwarescore=0 bulkscore=0 clxscore=1015 priorityscore=1501 impostorscore=0 lowpriorityscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1908290000 definitions=main-1909210199
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/bsA3m3KhYBOuscn_PrFRoB33eXw>
Subject: Re: [spring] A note on CRH and on going testing
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Sep 2019 18:09:44 -0000

Hi S.I.N.G. Team,

Good to meet you! Let's address the issue in two parts....

First, we agree that it would be easy do define a binding SID in SRv6+. We would simply mimic the strategy used by SR-MPLS. That is:


  *   Define a new SID type
  *   Define a new SFIB type that contains all of the information required to compose the binding tunnel
  *   Add a few TLVs to the IGPs to distribute the above-mentioned information

Now, we explore whether it is possible achieve the same effect without defining a new SID type.....

We agree that when an SRv6+ ingress node receives a packet, it can expose that packet to policy. Policy contains match conditions and actions. If the packet satisfies a policy's match conditions, its actions will be executed and its actions may include encapsulating the packet in an IPv6 header.

Policy can be applied recursively. Assume that a packet traverses the following SRv6+ path:


  *   S1 -> S2 -> S3

As the packet enters or traverses Segment S1->S2, the outermost IPv6 address is 2001:db8::1. But somewhere along that path, either at the ingress node or at a transit node, the packet is exposed to policy. Policy matches on the destination address 2001:db8::1 and causes the packet to be encapsulated in yet another SRv6+ tunnel that traverses the following path:


  *   S2A -> S2B -> S2C

The IPv6 address 2001:db8::1 represents a real interface in S3. But it is also the object of a match condition.

                                                                                      Ron

BTW, What does S.I.N.G. stand for? I'm always happy to see students and researchers participating in the IETF !








Juniper Business Use Only
From: SING Team <s.i.n.g.team.0810@gmail.com>
Sent: Friday, September 20, 2019 11:46 PM
To: Ron Bonica <rbonica@juniper.net>
Cc: Jeff Tantsura <jefftant.ietf@gmail.com>; Chengli (Cheng Li) <chengli13@huawei.com>; EXT - daniel.bernier@bell.ca <daniel.bernier@bell.ca>; SPRING WG List <spring@ietf.org>
Subject: Re: [spring] A note on CRH and on going testing

Hi Ron,

Yes I believe both Binding SID is an important design for inter-domain signaling, and it is easy to add some mechanisms for SRv6+ to achieve similar function of Binding SID.  :)

But I'm not sure if it is feasible to bind one IPv6 address to 'BSID' in SRv6+, because as shown in draft(spring-srv6-plus):

"In SRv6+, an IPv6 address always represents a network interface", and not represents an instruction/function on a node as SRv6 does.

And, as the way you presented, interface IPv6 address 2001:db8::1 is mapped with SID 123, and bind to one SRv6+ tunnel.


So, does it mean if we need to advertise many tunnels outside at one border router, we need to initialize many virtual interfaces(e.g. loopback) in the router?

If does, I'm not sure this is a good idea to achieve inter-domain service tunnel signaling with security. Because in contrast to SRv6, it just need to simply add one route/sr-policy.

How do you think?  :)

Best regards,
SING Team

[Image removed by sender.]
Moonlight Thoughts
SING Team. Guangzhou, China

Signature is customized by Netease Mail Master<https://urldefense.com/v3/__https:/mail.163.com/dashi/dlpro.html?from=mail88__;!8WoA6RjC81c!WGBJP_h3_h-Z3srdMIVg-12_kYbDFVeulK8cLVC_ptBGpDcDP3zO11EVuONBRcme$>
On 09/21/2019 02:09, Ron Bonica<mailto:rbonica@juniper.net> wrote:
Hi Jeff,

It would be easy enough to add a binding SID to SRv6+. Given customer demand, I would not be averse to adding one.

However, there is another way to get exactly the same behavior on the forwarding plane without adding a new SID type.

Assume that on Node N, we have the following SFIB entry:


  *   SID: 123
  *   IPv6 address: 2001:db8::1
  *   SID type: prefix SID

Now assume that was also have the following route on Node N:

2001:db8::1 -> SRv6+ tunnel with specified destination address and CRH

This gives you the same forwarding behavior as a binding SID.

                                                           Ron




Juniper Business Use Only
From: spring <spring-bounces@ietf.org> On Behalf Of Jeff Tantsura
Sent: Thursday, September 19, 2019 10:53 PM
To: Chengli (Cheng Li) <chengli13@huawei.com>
Cc: SING Team <s.i.n.g.team.0810@gmail.com>; EXT - daniel.bernier@bell.ca <daniel.bernier@bell.ca>; SPRING WG List <spring@ietf.org>
Subject: Re: [spring] A note on CRH and on going testing

There's number of solutions on the market that extensively use BSID for multi-domain as well as multi-layer signaling.

Regards,
Jeff

On Sep 19, 2019, at 19:49, Chengli (Cheng Li) <chengli13@huawei.com<mailto:chengli13@huawei.com>> wrote:
+1.

As I mentioned before, Binding SID is not only for shortening SID list.
We should see the important part of binding SID in inter-domain routing,  since it hides the details of intra-domain. Security and Privacy are always important.

Since the EH insertion related text will be removed from SRv6 NP draft, I don't think anyone will still say we don't need binding SID.
Let's be honest, Encap mode Binding SID is very useful in inter-domain routing. It is not secure to share internal info outside a trusted network domain.

Cheng


From: spring [mailto:spring-bounces@ietf.org] On Behalf Of Bernier, Daniel
Sent: Thursday, September 19, 2019 11:36 PM
To: SING Team <s.i.n.g.team.0810@gmail.com<mailto:s.i.n.g.team.0810@gmail.com>>
Cc: 'SPRING WG List' <spring@ietf.org<mailto:spring@ietf.org>>
Subject: Re: [spring] A note on CRH and on going testing

+1

This is what we did on our multi-cloud trials.

Encap with Binding SID to avoid inter-domain mapping + I don't need to have some sort of inter-domain alignment of PSSIs

Dan

On 2019-09-19, 11:18 AM, "spring on behalf of SING Team" <spring-bounces@ietf.org<mailto:spring-bounces@ietf.org> on behalf of s.i.n.g.team.0810@gmail.com<mailto:s.i.n.g.team.0810@gmail.com>> wrote:

Hi Andrew,

Good to hear that reality experiment :)

But is it secure to share internal SID-IP mappings outside a trusted network domain?

Or is there an analogue like Binding SID of SRv6, in SRv6+?

Btw, PSSI and PPSI can not do that now, right?

Best regards,
Moonlight Thoughts


(mail failure, try to cc to spring again.)

On 09/19/2019 17:49, Andrew Alston<mailto:Andrew.Alston@liquidtelecom.com> wrote:
Hi Guys,

I thought this may be of interest in light of discussions around deployments and running code - because one of the things we've been testing is inter-domain traffic steering with CRH on both our DPDK implementation and another implementation.

So - the setup we used last night:

6 systems in a lab - one of which linked to the open internet.  Call these S1 -> S6
3 systems in a lab on the other side of the world - no peering between the networks in question.  Call these R1 -> R3

We applied a SID list on S1, that steered S1 -> S2 -> S3 -> S6 -> R1 -> R3, with the relevant mappings from the CRH SID's to the underlying addressing (S2 had a mapping for the SID for S3, S3 had a mapping for the SID corresponding to S6, S6 had a mapping for the SID corresponding to R1 etc)

Then we sent some packets - and the test was entirely successful.

What this effectively means is that if two providers agree to share the SID mappings - it is possible to steer across one network, out over an open path, and across a remote network.  Obviously this relies on the fact that EH's aren't being dropped by intermediate providers, but this isn't something we're seeing.

Combine this with the BGP signaling draft - and the SID's can then be signaled between the providers - work still going on with regards to this for testing purposes.  Just as a note - there would be no requirement to share the full SID mapping or topologies when doing this with BGP - the requirement would be only to share the relevant SID's necessary for the steering.

I can say from our side - with various other providers - this is something that we see *immense* use case for - for a whole host of reasons.

Thanks

Andrew


_______________________________________________
spring mailing list
spring@ietf..org<mailto:spring@ietf.org>
https://www.ietf.org/mailman/listinfo/Spring<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/Spring__;!8WoA6RjC81c!U4_s7somKP_KyQ3viBMIcXpk_pTMYlY11nTHMB2b-JTdTLKi9mnrF1wu_DoXwIdf$>
_______________________________________________
spring mailing list
spring@ietf.org<mailto:spring@ietf.org>
https://www.ietf.org/mailman/listinfo/spring<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spring__;!8WoA6RjC81c!U4_s7somKP_KyQ3viBMIcXpk_pTMYlY11nTHMB2b-JTdTLKi9mnrF1wu_Ll7ej5P$>

v2.23.0 | Report a Bug | By Email