IETF Logo Mail Archive

Re: [spring] [IPv6] Subject: Mandating SRH when using C-SIDs (draft-ietf-spring-srv6-srh-compression)

Tom Herbert <tom@herbertland.com> Thu, 04 April 2024 20:57 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A7BAC1840D2 for <spring@ietfa.amsl.com>; Thu, 4 Apr 2024 13:57:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3w2XQheKsuym for <spring@ietfa.amsl.com>; Thu, 4 Apr 2024 13:57:43 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 170E6C1D61F1 for <spring@ietf.org>; Thu, 4 Apr 2024 13:57:33 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id 4fb4d7f45d1cf-56bdf81706aso2018816a12.2 for <spring@ietf.org>; Thu, 04 Apr 2024 13:57:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1712264251; x=1712869051; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=6S0u6WEvBjYBXk5+x1xBBZXWozZi5nGnp8x66B9gCFM=; b=GtAuD1FxkAmS2SSS85DuMMCxDiWJAPKM68ThcBevoeVd8RSASHzPzo+x8qMpK7TCuX XqG+6kyQccPUMpHrXAcwPlwiXlmbhCpC8nLES1McSGc+p4Zj02LWok71m7txHEYBqo1I NsryXik1PTZjGhUIvIhaR2p2LtixcbYtGSh0to8t7YAFY0yeRCYwyXUCeR31NVNWfiXM WbF7t7uK+ZWzc5O6nAyTBwM+WkjHsYh0ot0m6Qo0fTX8S5U/m1W4BfE3mCQPw2XUvSJU MlkNGJJkHw5LQ2Ak6KnFDvyk6xPHG0EbFQV4nI4IuWw/OwPXkg1z4zQSZM9kE65G3XKG Wiew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712264251; x=1712869051; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=6S0u6WEvBjYBXk5+x1xBBZXWozZi5nGnp8x66B9gCFM=; b=Bh+uKmImFZqtzbb4qlH9NzZ9IvljpajFPFX824D/YpoRqki4x3Ro/bgjXLVimMtVaS qQayUipdhGG4D3DT5q7VycWm1jNfGpE92obFPSvufzgqc9HGfFkUv75zhG3FtS2hDtnr iKngwsowfCDHVc6wl21HloexJV/AsW8Jv2OZ4Qf/jbP98xbq9WILrqwMZSXiJXBkDV9j JO93GzRhIAu632Bm7GM2ficL3U0Yl1j9nntBmeJuUmq6yg7kwdtkL+qYQ7IYkhnqJ5yW RaCg729OTaRvPQ+nEmFqFYbyCYSV9ENEQz66ZJekeThZzYI1orotO9JI59h0AwlKou1n uG5Q==
X-Forwarded-Encrypted: i=1; AJvYcCX8+tujsE41Bk/8MlBKyVfD8s9hsaLQD9jXZ1BAFx1B+YXEuMOng6QIUu7lMC1u6UuQPvn72+b29xA07UfodQc=
X-Gm-Message-State: AOJu0YwuogjpO2S/iXRpDMb3Ghp6vlQ8bD5B3rNUBOe0GJls+/rPzlXC 9COJKM/tf1why7pApqi3kPx/I50iys4EqmbjPg9SrJOyyJek+n47JgWBJ2YX9l/1ehFhselZvZp J3QK9pKZyrF+ZrS0g5nK6ZxcweFoTdZkHB6jHIUVmgaWnHE0=
X-Google-Smtp-Source: AGHT+IFsT/i/3dj0GaTMRRksLG4zlPxwbIbo9odKR/JBhJjOFrKet3XyligABgGNApJies79Qb+0VsgC/3Fo1f2ni70=
X-Received: by 2002:a50:d6de:0:b0:56d:c91c:dfc2 with SMTP id l30-20020a50d6de000000b0056dc91cdfc2mr2026437edj.31.1712264251520; Thu, 04 Apr 2024 13:57:31 -0700 (PDT)
MIME-Version: 1.0
References: <CALx6S34WAJxqZzcOVFUw4-L36kBJOx7rowcKbvzJLGUykTmzTg@mail.gmail.com> <3D87E6A7-2487-4E18-9553-008AE4DB37C1@employees.org> <CALx6S35C3BARfQPn42yHb8a-MZF5hoei39z4ezOLDYAuN=o=fA@mail.gmail.com> <CAOj+MMHNOW1Yao8qTukNx3ykEALeco_4A=L78=O+VLH=Dgx7rg@mail.gmail.com>
In-Reply-To: <CAOj+MMHNOW1Yao8qTukNx3ykEALeco_4A=L78=O+VLH=Dgx7rg@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 04 Apr 2024 16:57:17 -0400
Message-ID: <CALx6S35oyyXpUwEMw0v0ToujhXHfKzg39TAkmpUjiG9rJQqfvQ@mail.gmail.com>
To: Robert Raszuk <robert@raszuk.net>
Cc: Ole Trøan <otroan=40employees.org@dmarc.ietf.org>, spring-chairs@ietf.org, SPRING WG List <spring@ietf.org>, 6man <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000079577606154b968c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/deaSwigi2BZmzfcLToS5m-GXREY>
Subject: Re: [spring] [IPv6] Subject: Mandating SRH when using C-SIDs (draft-ietf-spring-srv6-srh-compression)
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 20:57:48 -0000

On Thu, Apr 4, 2024, 4:00 PM Robert Raszuk <robert@raszuk.net> wrote:

> Tom,
>
> I have full sympathy for your points.
>
> But I can not understand how suddenly SR uSID is the issue and normal IPv6
> vanilla Routing Headers are ok as defined checksum wise in RFC8200.
>
> Maybe someone could elaborate a bit on that ?
>

Robert,

Because, when a routing header is present we know that the final address in
the list is the one to used as the destination address in the pseudo
header. If the last address is uncompressed or can be decompressed without
additional state then we can calculate the checksum based on that (also,
that allows us to track flows in the network which is another useful thing
in a data center).

Tom


> Thx,
> R.
>
> PS. And of course in spite of all effort from Alvaro to sort the topics
> the threads again got completely mangled and everyone is describing their
> perceived issue in random thread. My gently hint for the chairs would be to
> log issues in github and have more structured processing them there.
>
>
>
> On Thu, Apr 4, 2024 at 9:50 PM Tom Herbert <tom@herbertland.com> wrote:
>
>>
>>
>> On Thu, Apr 4, 2024, 3:37 PM Ole Trøan <otroan=
>> 40employees.org@dmarc.ietf.org> wrote:
>>
>>> Tom,
>>>
>>> Can you point to any IETF specification requiring that middle boxes
>>> should be able to validate a l4 checksum? IPsec be damn.  It just seems
>>> like a path we should not go down.
>>>
>>
>> Ole,
>>
>> No, but neither can I point to an RFC that says firewalls have to parse
>> deep into packets. The point is that we know people can and do such things
>> (packet traces and checksum offload are deployed use cases for this).
>>
>> The transport checksum has been maintained to be correct on the wire in
>> plain UDP,TCP/IPv6 for thirty years even in NAT. Breaking that convention
>> without considering the ramifications could very well lead to some
>> unhappiness. And my concern is that problems would not just be confined to
>> SR packets, but could affect non-SR (like how we debug checksum problems in
>> non-SR traffic).
>>
>> Tom
>>
>>
>>> O.
>>>
>>>
>>>
>>> On 4 Apr 2024, at 21:22, Tom Herbert <tom=
>>> 40herbertland.com@dmarc.ietf.org> wrote:
>>>
>>> 
>>>
>>>
>>> On Thu, Apr 4, 2024, 3:12 PM Robert Raszuk <robert@raszuk.net> wrote:
>>>
>>>> Tom,
>>>>
>>>> >  SR aware routers to update L4 checksum
>>>>
>>>> That is completely unrealistic.
>>>>
>>>> Show me the box which can forward all interfaces at 800 Gb/s and read
>>>> entire each packet and compute upper layer checksum on it.
>>>>
>>>
>>> Robert,
>>>
>>> It's not necessary to calculate the whole checksum, only the L4 checksum
>>> needs to be updated by adding in the delta checksum. With IPv6 we can also
>>> do a checksum neutral mapping. Basically, this uses the low order 16 bits
>>> in the DA address as the checksum adjustment value. For instance, if we can
>>> use the low order bits in a SID block then that would be simplest to
>>> implement.
>>>
>>> Tom
>>>
>>>
>>>> If anything just do encap and move on.
>>>>
>>>> Thx,
>>>> R.
>>>>
>>>>
>>>> On Thu, Apr 4, 2024 at 7:06 PM Tom Herbert <tom@herbertland.com> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Thu, Apr 4, 2024, 12:30 PM Robert Raszuk <robert@raszuk.net> wrote:
>>>>>
>>>>>> Hi Tom,
>>>>>>
>>>>>> Yes I am with you here.
>>>>>>
>>>>>> However let's observe that this is pretty common best practice to
>>>>>> disable any hardware offload on the box when running tcpdump or wireshark.
>>>>>>
>>>>>> In fact some implementations (F5) do it for you automagically :)
>>>>>>
>>>>>> And as it has been said based on the fact that hardware offload does
>>>>>> not understand any Routing Headers it really does not matter if it is there
>>>>>> or not :)
>>>>>>
>>>>>
>>>>> Robert,
>>>>>
>>>>> tcpdump is independent of hardware offload. If the checksum is
>>>>> incorrect per the packet contents we'll see bad checksums reported if we
>>>>> snoop packets, but like I said, we can't differentiate the bad from the
>>>>> good.
>>>>>
>>>>> Offload becomes an issue for NICs that do protocol specific checksum
>>>>> offload. We lose the capability on RX which is an inconvenience, on TX we'd
>>>>> need to change the implementation to ensure the checksum is not computed by
>>>>> HW.
>>>>>
>>>>> If SR without SRH is needed, then I believe the best answer is for SR
>>>>> aware routers to update L4 checksum when they change DA per NAT
>>>>> requirements. This solves tcpdump as well as offloads.
>>>>>
>>>>> Tom
>>>>>
>>>>>
>>>>>> Cheers,
>>>>>> R.
>>>>>>
>>>>>>
>>>>>> On Thu, Apr 4, 2024 at 6:11 PM Tom Herbert <tom=
>>>>>> 40herbertland.com@dmarc.ietf.org> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Apr 4, 2024, 11:48 AM Francois Clad <fclad.ietf@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Tom,
>>>>>>>>
>>>>>>>> Tcpdump can determine that this packet is steered onto an SRv6 path
>>>>>>>> by checking if the DA matches the SRv6 SID block.
>>>>>>>>
>>>>>>>
>>>>>>> Francois,
>>>>>>>
>>>>>>> That would require introducing external state to tcpdump for correct
>>>>>>> operation. This would be a major divergence in both implementation and ops
>>>>>>> compared to how things work today.
>>>>>>>
>>>>>>> Tom
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Francois
>>>>>>>>
>>>>>>>> On 4 Apr 2024 at 16:59:59, Tom Herbert <tom@herbertland.com> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Apr 4, 2024, 9:39 AM Francois Clad <fclad.ietf@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Mark,
>>>>>>>>>>
>>>>>>>>>> Tcpdump/wireshark decodes the IPv6 header just fine. I do not see
>>>>>>>>>> any issue here.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Francois,
>>>>>>>>>
>>>>>>>>> The problem is that tcpdump can't tell that a packet is an SR
>>>>>>>>> packet if there's no SRH. For instance, if the checksum is not maintained
>>>>>>>>> to be correct in the wire then tcpdump will show that the packet has a bad
>>>>>>>>> L4 checksum, but there's no way to tell if that is an SR packet or if the
>>>>>>>>> checksum is actually bad. This will make debugging checksum failures in the
>>>>>>>>> network much more difficult, and this affects our ability to debug all
>>>>>>>>> traffic not just SR packets.
>>>>>>>>>
>>>>>>>>> Tom
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>> Francois
>>>>>>>>>>
>>>>>>>>>> On 4 Apr 2024 at 14:09:43, Mark Smith <markzzzsmith@gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Thu, 4 Apr 2024, 22:50 Francois Clad, <fclad.ietf@gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Alvaro, all,
>>>>>>>>>>>>
>>>>>>>>>>>> RFC 8754 allows the SR source node to omit the SRH when it
>>>>>>>>>>>> contains redundant information with what is already carried in the base
>>>>>>>>>>>> IPv6 header. Mandating its presence for C-SID does not resolve any problem
>>>>>>>>>>>> because it will not provide any extra information to the nodes along the
>>>>>>>>>>>> packet path.
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> How are troubleshooting tools like 'tcpdump' going to know how
>>>>>>>>>>> to automatically decode these packets as SRv6 packets if there is no SRH?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> Specifically for the case of middleboxes attempting to verify
>>>>>>>>>>>> the upper-layer checksum,
>>>>>>>>>>>>
>>>>>>>>>>>>    - An SRv6-unaware middlebox will not be able to verify the
>>>>>>>>>>>>    upper-layer checksum of SRv6 packets in flight, regardless of whether an
>>>>>>>>>>>>    SRH is present or not.
>>>>>>>>>>>>    - An SRv6 and C-SID aware middlebox will be able to find
>>>>>>>>>>>>    the ultimate DA and verify the upper-layer checksum in flight, regardless
>>>>>>>>>>>>    of whether an SRH is present or not.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Furthermore, transit nodes (e.g., middleboxes) should not
>>>>>>>>>>>> attempt to identify SRv6 traffic based on the presence of the SRH, because
>>>>>>>>>>>> they will miss a significant portion of it: all the best-effort or
>>>>>>>>>>>> Flex-Algo traffic steered with a single segment may not include an SRH,
>>>>>>>>>>>> even without C-SID. Instead, RFC 8402, 8754, and 8986 define identification
>>>>>>>>>>>> rules based on the SRv6 SID block.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Francois
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 2 Apr 2024 at 19:44:51, Alvaro Retana <
>>>>>>>>>>>> aretana.ietf@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> [Moving this conversation up on your mailbox. :-) ]
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Thanks, Robert and Tom for your input!]
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> We want to hear from more of you, including the authors. Even
>>>>>>>>>>>>> if you already expressed your opinion in a different thread, please chime
>>>>>>>>>>>>> in here.
>>>>>>>>>>>>>
>>>>>>>>>>>>> We will collect feedback until the end of this week.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Alvaro.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On March 28, 2024 at 8:06:18 AM, Alvaro Retana (
>>>>>>>>>>>>> aretana.ietf@gmail.com) wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Focusing on the C-SID draft, some have suggested requiring the
>>>>>>>>>>>>> presence of the SRH whenever C-SIDs are used. Please discuss whether that
>>>>>>>>>>>>> is the desired behavior (or not) -- please be specific when debating the
>>>>>>>>>>>>> benefits or consequences of either behavior.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Please keep the related (but independent) discussion of
>>>>>>>>>>>>> requiring the SRH whenever SRv6 is used separate. This larger topic may
>>>>>>>>>>>>> impact several documents and is better handled in a different thread (with
>>>>>>>>>>>>> 6man and spring included).
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Alvaro
>>>>>>>>>>>>> -- for spring-chairs
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>>>>>> ipv6@ietf.org
>>>>>>>>>>>>> Administrative Requests:
>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>>>>>>
>>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>>>>> ipv6@ietf.org
>>>>>>>>>>>> Administrative Requests:
>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>>>>>
>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>>> ipv6@ietf.org
>>>>>>>>>> Administrative Requests:
>>>>>>>>>> https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>>>
>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>>
>>>>>>> --------------------------------------------------------------------
>>>>>>> IETF IPv6 working group mailing list
>>>>>>> ipv6@ietf.org
>>>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>> --------------------------------------------------------------------
>>>>>>>
>>>>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> ipv6@ietf.org
>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------
>>>
>>>

v2.23.0 | Report a Bug | By Email