Re: [spring] SRv6 - SRH in encaps or base header - point 2
"Darren Dukes (ddukes)" <ddukes@cisco.com> Fri, 26 October 2018 18:22 UTC
Return-Path: <ddukes@cisco.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 100A8126CB6; Fri, 26 Oct 2018 11:22:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.97
X-Spam-Level:
X-Spam-Status: No, score=-14.97 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BdvTH1tmecLd; Fri, 26 Oct 2018 11:22:20 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0757E130DDE; Fri, 26 Oct 2018 11:22:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=29052; q=dns/txt; s=iport; t=1540578140; x=1541787740; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=zaFXxHww3s59G2OztesmuDTTQtCNAHH9bpx4ObEpe30=; b=cj3zlk/Loiuz2gtxf7DV571BHbCPHqtYFsWqpBPJS7bN69FXP8KUgyTB 7yvVMo5bXiUcrPdz1b7v8BBXcb51/3CMCADRbzxs1pXPEK7dG/PYu8JXe qDGa1hMn3r6VEm6mBl/w91HZ7EQZPP8e2kEtUq7ALdduqGMrDZBouKucU Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ADAADqWtNb/5hdJa1jGQEBAQEBAQEBAQEBAQcBAQEBAQGBUQQBAQEBAQsBgQ13Zn8oCoNriBiMGIFol0KBegsBARgBCgmEQAIXgwEhNA0NAQMBAQIBAQJtHAyFOwIEAQEhRAcLEAIBCDgHAwICAiULFBECBA4FgyEBgR1kD6ZKgS6FO4ReBYtnF4FBP4ERJwwTgkyDGwEBghmCTDGCJgKIeIVOhiCKGQkCkH0YkEWCaJQDAhEUgSYdOIFVcBU7KgGCQYImF4hchT5vgSiJSQeBJwGBHgEB
X-IronPort-AV: E=Sophos;i="5.54,428,1534809600"; d="scan'208,217";a="475259062"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Oct 2018 18:22:18 +0000
Received: from XCH-RCD-016.cisco.com (xch-rcd-016.cisco.com [173.37.102.26]) by rcdn-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id w9QIMIro016441 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 26 Oct 2018 18:22:18 GMT
Received: from xch-aln-017.cisco.com (173.36.7.27) by XCH-RCD-016.cisco.com (173.37.102.26) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 26 Oct 2018 13:22:17 -0500
Received: from xch-aln-017.cisco.com ([173.36.7.27]) by XCH-ALN-017.cisco.com ([173.36.7.27]) with mapi id 15.00.1395.000; Fri, 26 Oct 2018 13:22:17 -0500
From: "Darren Dukes (ddukes)" <ddukes@cisco.com>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
CC: "6man@ietf.org" <6man@ietf.org>, "spring@ietf.org" <spring@ietf.org>
Thread-Topic: SRv6 - SRH in encaps or base header - point 2
Thread-Index: AQHUampMSmaiE2sUnkOZwbcZBqOzaaUyIfaAgAAOrAA=
Date: Fri, 26 Oct 2018 18:22:17 +0000
Message-ID: <BAB7BDF9-2699-4B83-8E88-E3BE36606314@cisco.com>
References: <42663f06-8fcc-4ca4-5e3c-368adcaaef86@joelhalpern.com> <A4FF775A-213D-46C3-93E5-180854097926@cisco.com> <69085e36-f091-44d5-590b-3550983ac4d7@joelhalpern.com> <AB652159-99AB-46C8-87B6-7A1020C1F880@cisco.com>
In-Reply-To: <AB652159-99AB-46C8-87B6-7A1020C1F880@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [161.44.213.34]
Content-Type: multipart/alternative; boundary="_000_BAB7BDF926994B838E88E3BE36606314ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.37.102.26, xch-rcd-016.cisco.com
X-Outbound-Node: rcdn-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/sVnAjbUf9X6CcqrMTHeHmSCoArE>
Subject: Re: [spring] SRv6 - SRH in encaps or base header - point 2
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Oct 2018 18:22:23 -0000
+spring Hi Joel, you’ve described sections titled “Intra SR Domain Packet”, “Transit Packet Through SR Domain”, and "SR Source Nodes Not Directly Connected”. I’ve parsed them inline to the sections of the draft defining them and given more context where needed. On Oct 22, 2018, at 8:49 PM, Joel M. Halpern <jmh@joelhalpern.com<mailto:jmh@joelhalpern.com>> wrote: Rephrasing using the example from 5.2. Assuming that 8 and 9 are SR Hosts (not just hosts within the domain, they are capable of and expect to deal with SRHs, and therefore have local SIDs, ...) For traffic from 8 to 9 that needs an SRH, the SRH goes in the IPv6 header sent my 8 to 9. When 9 processes the packet, it seems that it is the last SID, figures out that there is no encapsulation, and send the TCP / UDP / QUIC information to its internal protocols stacks. Yes, this is Section 5.3.1 “Intra SR Domain Packet”. For traffic from 1 to 9, where 3 adds an SRH, that SRH still presumably ends at 9. 9 Receives the IP packet. Sees that it is addressed to itself. Sees that the SRH is finished. And then notices that the next-header is IPv6. Unwraps the header, checks that the inner destination address is also itself, and passes the material carried by the inner header up to the appropriate stack. So node 1 sends a packet to node 9 (A1,A9) IF there is some steering into an SR Policy at node 3 to reach node 9, this is identical to section 5.3.2 “Transit packet through SR domain”, except for destination of A9 via node 9 instead of A2 via node 4. Thus, 9 needs to be able to check for both cases. We at least need to tell implementors that. Well, 9 needs a SID S9 and Address A9. That is shown in Section 5.1 SID and address representation. There is a further complication. 9 seems to need to have an address that is a valid SID, so it can be the last entry in the SRH from 8 to 9. As described in the draft, Section 5.1 a node k has an address Ak and SID Sk. So node 9 has a valid SID. For traffic from 8 to 9, A9 is used as the destination as shown in section 5.3.1, 5.4 and 5.5. However, if 1 were to send the packet to that SID for 9, router 3 would be required by the rules we discussed in the other thread to discard the packet as it is neither to prefix nor contains an HAMC. And somehow, 8 and 1 need to each pick the right address to use for 9. (split DNS maybe?) And 3 needs to be able to derive teh SID-formn address for 9 from the non-SID form of the address so that it (3) can build a proper SRH to get the packet to 9. This is incorrect. See Section 6.2.1 “SR Source Nodes Not Directly Connected” I will expand on the example from that section. Node 20 sends a packet to A9 with SR Policy <H7> and an HMAC provided to node 20 by some yet to be defined method. Resulting in packet sent from node 20 P: (A20,H7)(A9;SL=1)(payload) Recall Hk is a SID at node k requiring HMAC verification, and it is covered by Prefix-H. Prefix-H is _not_ subject to ingress filtering at node 3. Therefore the packet P destined to H7 is not subject to ingress filtering at node 3. P is forwarded to node 7, where H7 is processed and the HMAC verified. If the HMAC can not be verified the packet is dropped, else it is forwarded to the next segment and destination, A9. Darren Yours, Joel On 10/22/18 8:04 PM, Darren Dukes (ddukes) wrote: inline. On Oct 22, 2018, at 7:21 PM, Joel M. Halpern <jmh@joelhalpern.com<mailto:jmh@joelhalpern.com>> wrote: .. 2) Now let us look at packets arriving at and actually destined for an SR Host in the SR Domain where that packet has an SRH. If the packet is coming from another SR Host, the SRH will be in the base header, and the host can simply check it for any violations, and continue. But, if the packet came from outside the domain, then it will have an encapsulating SRv6 header. So the host has to detect this case, check and then peal off the encapsulating header, and then process the received packet. Yes, it can do so. But nothing in teh document tells implementors they have to deal with both cases. Can you be more precise here. Perhaps use the example from section 5.2 or 6.2.1? .. -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org<mailto:ipv6@ietf.org> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- Re: [spring] SRv6 - SRH in encaps or base header … Darren Dukes (ddukes)
- Re: [spring] SRv6 - SRH in encaps or base header … Joel Halpern
- Re: [spring] SRv6 - SRH in encaps or base header … Darren Dukes (ddukes)
- Re: [spring] SRv6 - SRH in encaps or base header … Joel M. Halpern
- Re: [spring] SRv6 - SRH in encaps or base header … Chengli (IP Technology Research)
- Re: [spring] SRv6 - SRH in encaps or base header … Darren Dukes (ddukes)
- Re: [spring] SRv6 - SRH in encaps or base header … Darren Dukes (ddukes)
- Re: [spring] SRv6 - SRH in encaps or base header … Joel M. Halpern
- [spring] 答复: SRv6 - SRH in encaps or base header … Chengli (Cheng Li)
- Re: [spring] SRv6 - SRH in encaps or base header … Darren Dukes (ddukes)
- Re: [spring] SRv6 - SRH in encaps or base header … Chengli (Cheng Li)