IETF Logo Mail Archive

Re: [spring] How CRH support SFC/Segment Endpoint option?

"Chengli (Cheng Li)" <c.l@huawei.com> Sat, 23 May 2020 17:27 UTC

Return-Path: <c.l@huawei.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30DB43A0D1C; Sat, 23 May 2020 10:27:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZwujR3UFeSTK; Sat, 23 May 2020 10:27:38 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9786E3A0CB7; Sat, 23 May 2020 10:27:38 -0700 (PDT)
Received: from lhreml701-chm.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 51AAA8F81620ABAF8253; Sat, 23 May 2020 18:27:37 +0100 (IST)
Received: from lhreml701-chm.china.huawei.com (10.201.108.50) by lhreml701-chm.china.huawei.com (10.201.108.50) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1913.5; Sat, 23 May 2020 18:27:36 +0100
Received: from DGGEML402-HUB.china.huawei.com (10.3.17.38) by lhreml701-chm.china.huawei.com (10.201.108.50) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256) id 15.1.1913.5 via Frontend Transport; Sat, 23 May 2020 18:27:36 +0100
Received: from DGGEML509-MBS.china.huawei.com ([169.254.4.143]) by DGGEML402-HUB.china.huawei.com ([fe80::fca6:7568:4ee3:c776%31]) with mapi id 14.03.0487.000; Sun, 24 May 2020 01:27:30 +0800
From: "Chengli (Cheng Li)" <c.l@huawei.com>
To: "Joel M. Halpern" <jmh@joelhalpern.com>, 6man <6man@ietf.org>, "spring@ietf.org" <spring@ietf.org>
Thread-Topic: How CRH support SFC/Segment Endpoint option?
Thread-Index: AdYwBYkgTau2vInrR6WP+x+iqlpN9gAPJDmwADf+cOD//3/VgP//eYTg
Date: Sat, 23 May 2020 17:27:29 +0000
Message-ID: <C7C2E1C43D652C4E9E49FE7517C236CB02A37EA8@dggeml509-mbs.china.huawei.com>
References: <C7C2E1C43D652C4E9E49FE7517C236CB02A2CD12@dggeml529-mbx.china.huawei.com> <DM6PR05MB63482CFA4D5AB938D5A4B818AEB40@DM6PR05MB6348.namprd05.prod.outlook.com> <C7C2E1C43D652C4E9E49FE7517C236CB02A37DC6@dggeml509-mbs.china.huawei.com> <2a1737d1-bc5d-3aa5-8865-b916952cc0ed@joelhalpern.com>
In-Reply-To: <2a1737d1-bc5d-3aa5-8865-b916952cc0ed@joelhalpern.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.45.234.160]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/j62p_8LzlA-DQOLCocknBiCMcoU>
Subject: Re: [spring] How CRH support SFC/Segment Endpoint option?
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 May 2020 17:27:44 -0000

Hi Joel,

Sure, you are right, we can use CRH and NSH, but personally, I don't think this is a good idea. 

CRH introduce the mapping table to the nodes, and NSH introduce per-SFC/flow mapping state again, it is not we want in source routing. 
We want to maintain the states on the edge nodes only instead of all the nodes. Not intent to say bad words to NSH, it is a good solution, but we just like sourcing routing more, because of the simplicity. 
Using CRH and NSH is too complicated. Why not use SRv6 for SFC?[1], a single SRH can solve the problem. Less states on nodes, even less overhead, and simpler processing for sure.

But my point is not about NSH, my point is about the second option proposed by Ron, how to use the first DOH to support SFC?

or how to support to trigger the specific (service/function) behavior on a specific node?

For example, I need to expose the packet to a firewall policy at node 3 ( 5 nodes for this path, 1,2,3,4,5), so I put a PSSI :expose a packet to a firewall policy into the first DOH.
According to RFC8200, all the segment endpoint nodes 1,2,3,4,5 will expose the packet to a firewall policy, correct?

Thanks,
Cheng


[1]. https://tools.ietf.org/html/draft-ietf-spring-sr-service-programming-02
[2]. https://tools.ietf.org/html/draft-bonica-spring-sr-mapped-six-01#section-4.1

======================
4.1.  PSSI

   The PSSI, if present, is executed on the segment egress node.
   Because the path egress node is also a segment egress node, it can
   execute a PSSI.

   The following are examples of PSSIs:

   o  Expose a packet to a firewall policy.

   o  Expose a packet to a sampling policy.

===============

-----Original Message-----
From: Joel M. Halpern [mailto:jmh@joelhalpern.com] 
Sent: Sunday, May 24, 2020 1:10 AM
To: Chengli (Cheng Li) <c.l@huawei.com>; 6man <6man@ietf.org>; spring@ietf.org
Subject: Re: How CRH support SFC/Segment Endpoint option?

there are a number of Internet Drafts describing a range of ways of using SFC NSH with MPLS.  The same choices appear to be available with CRH.  If folks are interested, once CRH progresses, it should be a simple task to document that.

Yours,
Joel

On 5/23/2020 12:59 PM, Chengli (Cheng Li) wrote:
> Hi Ron,
> 
> Thanks for your reply.
> 
> Regarding NSH, are you saying to use CRH as a tunnel transport 
> encapsulation between two SFF nodes?
> 
> Or we can use a single CRH for steering packet through all the SFF 
> nodes that the NSH packet should visit?
> 
> Regarding using the first DOH, how to do that without the container 
> design by your draft[1]?
> 
> Or the same option TLV will bind to different behaviors on different 
> nodes according to the node local configuration?
> 
> Best,
> 
> Cheng
> 
> [1]. 
> https://tools.ietf.org/rfcdiff?url2=draft-bonica-6man-seg-end-opt-04.t
> xt 
> <https://urldefense.com/v3/__https:/tools.ietf.org/rfcdiff?url2=draft-bonica-6man-seg-end-opt-04.txt__;!!NEt6yMaO-gk!UD4vf0darQ9cskFhH1fJ9jwZJ-nIciQxgVnf1219YuyyaNcgvNdRUdkjwNmXwyHT$>.
> 
> *From:*Ron Bonica [mailto:rbonica@juniper.net]
> *Sent:* Friday, May 22, 2020 10:17 PM
> *To:* Chengli (Cheng Li) <c.l@huawei.com>; 6man <6man@ietf.org>; 
> spring@ietf.org
> *Cc:* spring@ietf.org
> *Subject:* RE: How CRH support SFC/Segment Endpoint option?
> 
> Cheng,
> 
> The sole purpose of a Routing header is to steer a packet along a 
> specified path to its destination. It shouldn't attempt to do any more 
> than that.
> 
> The CRH does not attempt to deliver service function information to 
> service function instances. However, it is compatible with:
> 
> -The Network Service Header (NSH)
> 
> -The Destination Options header that precedes the Routing header
> 
> Both of these can be used to deliver service function information to 
> service function instances.
> 
>                                                                                                                       
> Ron
> 
> Juniper Business Use Only
> 
> *From:*Chengli (Cheng Li) <c.l@huawei.com <mailto:c.l@huawei.com>>
> *Sent:* Friday, May 22, 2020 2:56 AM
> *To:* 6man <6man@ietf.org <mailto:6man@ietf.org>>; spring@ietf.org 
> <mailto:spring@ietf.org>; Ron Bonica <rbonica@juniper.net 
> <mailto:rbonica@juniper.net>>
> *Cc:* spring@ietf.org <mailto:spring@ietf.org>
> *Subject:* How CRH support SFC/Segment Endpoint option?
> 
> *[External Email. Be cautious of content]*
> 
> Hi Ron,
> 
> When reading the CRH draft, I have a question about how CRH support SFC?
> 
> For example, we have a SID List [S1, S2, S3, S4, S5], and S3 is a SFC 
> related SID, how to indicate that? By PSSI? [1]
> 
> But how to know which segment endpoint node/egress node should process 
> this PSSI? At the beginning of the SRm6 design, this is described in 
> [2]. But you deleted the containers [2].
> 
> Without that, I don't really understand how SFC can be supported.
> 
> Best,
> 
> Cheng
> 
> [1]. 
> https://tools.ietf.org/html/draft-bonica-spring-sr-mapped-six-01#secti
> on-4.1 
> <https://urldefense.com/v3/__https:/tools.ietf.org/html/draft-bonica-s
> pring-sr-mapped-six-01*section-4.1__;Iw!!NEt6yMaO-gk!UD4vf0darQ9cskFhH
> 1fJ9jwZJ-nIciQxgVnf1219YuyyaNcgvNdRUdkjwP15i-Xa$>
> 
> [2]. 
> https://tools.ietf.org/rfcdiff?url2=draft-bonica-6man-seg-end-opt-04.t
> xt 
> <https://urldefense.com/v3/__https:/tools.ietf.org/rfcdiff?url2=draft-bonica-6man-seg-end-opt-04.txt__;!!NEt6yMaO-gk!UD4vf0darQ9cskFhH1fJ9jwZJ-nIciQxgVnf1219YuyyaNcgvNdRUdkjwNmXwyHT$>.
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email