IETF Logo Mail Archive

Re: [tcpm] [v6ops] Flow Label Load Balancing

Tom Herbert <tom@herbertland.com> Thu, 03 December 2020 17:31 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BA0B3A0A1C for <tcpm@ietfa.amsl.com>; Thu, 3 Dec 2020 09:31:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hloNCCsEfcsh for <tcpm@ietfa.amsl.com>; Thu, 3 Dec 2020 09:30:59 -0800 (PST)
Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF0323A09C9 for <tcpm@ietf.org>; Thu, 3 Dec 2020 09:30:58 -0800 (PST)
Received: by mail-ej1-x634.google.com with SMTP id qw4so4622444ejb.12 for <tcpm@ietf.org>; Thu, 03 Dec 2020 09:30:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5t9/bnLlHge8qv6Cj3rUOp3tZdHHx9aErFK3U8IONFI=; b=JsyTgtjwWqbesx9WmpkjHKhgm+A20C2FRZrslv20jOhSfGD9v2vSiM5ssw7IH+btCi BPOVnEe9AAD5Lq6MY5xysJrmWPNGfsaKZWTlVL2wdN0tU6K+f+M0iLyihjBy+6NlxcmI r3Ahhp118YqZzr1HZV803K/jvSvmTJVykGIwrrDluiQuIAXRty3iZnwfsI03SywftN23 DnQqzGVhlFfAVZRd3fuv4lXwotdDeOeLjrwNZajhWVhgih0XWGAydaJil7KPDXlrpgQ4 Y84qtHGNptq5hE9dn++XdVONsHAPIW+mgtFvPaxD9xv4zPVc5ZVjTrMptXvw0NZzHvzt aHWg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5t9/bnLlHge8qv6Cj3rUOp3tZdHHx9aErFK3U8IONFI=; b=RsHVcmpru377WIohyjcxISXt/ve1A2yVdIj11HRyALxI4tNkRCLNWXMoSMtt1gfLLg QFTT35A69yvfkt0VlaYr1+nHvsHJeYtm+4MYTB66wjoRRy6jjmLP8WcAZXN06cKw+Wv7 ECSUnwQ0RvBqN8HkTn5/WpYhCr3wBl43jIbUBQoJLTuR7MMaEqdeWGuroq1JSaRg7vt2 D51IFn4oUp4rmbR3ZZrhlUBFA0lTCrAh4H0IVWgV9ZHsy27SbWFqq6cWcocyJ4f/9CNk HFulZ0kM1wHJ9hieow+MMSd1V+DYTOFnVjmCzmZ/6OKwhX2MQArDkvjCKgM2EkPpsBiC PFvA==
X-Gm-Message-State: AOAM532EEhs5n4UxeYNUxwtitrc4exZ9nFZcnfXIhmJqWVTpdHL+iGZI 1t2Vt/+7oPcMW/TjLjgqTrGEIm7EJnNR3a9JxG5eLA==
X-Google-Smtp-Source: ABdhPJyQO3nqK6zp3jU+YFnu28S5HOMBcOTffN700tu6Btr61fvvq3fnPN22roqyXMbpJ59WDubFfLf7xkrU4VCYgjA=
X-Received: by 2002:a17:906:26cc:: with SMTP id u12mr3590035ejc.295.1607016656907; Thu, 03 Dec 2020 09:30:56 -0800 (PST)
MIME-Version: 1.0
References: <CAEGSd=DY8t8Skor+b6LSopzecoUUzUZhti9s0kdooLZGxPEt+w@mail.gmail.com> <d29042a7-742b-a445-cf60-2773e5515ae5@gont.com.ar> <CALx6S37+1duoNGR3dZWesHsZvx15kX9wCWufPMh=esvMaSMF_g@mail.gmail.com> <63e7aad3-7094-7492-dbe4-3eefb5236de3@gont.com.ar> <CALx6S37t4jump6S-R5_xdo5DF+RnHtT4rU5-RuiC-2GQ0PXxkQ@mail.gmail.com> <96b6d04b-e5bb-ba79-0281-e9599109be95@gont.com.ar> <CALx6S34uCrA1QdvLV8fpRKaJGLWMgtCmBCnrsBjU3TS+kXUs3Q@mail.gmail.com> <CAO42Z2xn_+7EVpjGyEU3aAdBmt1h=a4MPXFjjoTi_JeM2w9pkg@mail.gmail.com> <f66cbccd-55ed-375b-743b-7fc6c48a50c2@gont.com.ar> <CAO42Z2xqU4gs9iP=u_0Z16Qk+U24_YH0h5vTmJRJ5XZXZ0nweQ@mail.gmail.com> <0d38980a-f1c5-fac5-a9b1-0711d61353d1@gont.com.ar> <CAEGSd=A_e-db8m2VN+2wEuXj9e+GTq7brYfY_fwW7tysUr19Ng@mail.gmail.com> <CALx6S34xQF-PHQRqom_O8=amoRFmVrzHL-qh8765mtr1XnF2Wg@mail.gmail.com> <d59e1785-672d-8cc7-f844-51c64a440a57@gont.com.ar> <CALx6S373yLJwHigv4Yo-xdtRkZ9YsB0J9cwXqy0BWpwXSiHCPg@mail.gmail.com> <42b6e327-08b5-292b-be65-28f1a8508a69@si6networks.com> <CAMGpriUb3WQqFhtDULy=Avbf8dWh1LsO=LBfvGUf3ozBAg7myA@mail.gmail.com>
In-Reply-To: <CAMGpriUb3WQqFhtDULy=Avbf8dWh1LsO=LBfvGUf3ozBAg7myA@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 03 Dec 2020 10:30:45 -0700
Message-ID: <CALx6S373gk+GweWm=ph8fHgSk7rDPGQCXjdC++G6Jk2NGo1x-A@mail.gmail.com>
To: Erik Kline <ek.ietf@gmail.com>
Cc: Fernando Gont <fgont@si6networks.com>, Fernando Gont <fernando@gont.com.ar>, IPv6 Operations <v6ops@ietf.org>, tcpm <tcpm@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/6Ehcvs5vrH_DomQbpFjxsh3uOk4>
Subject: Re: [tcpm] [v6ops] Flow Label Load Balancing
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 17:31:00 -0000

On Thu, Dec 3, 2020 at 8:43 AM Erik Kline <ek.ietf@gmail.com> wrote:
>
> > > Please include requirements for both hosts and network nodes. If there
> > > is going to the be a requirement that hosts MUST make a 1:1 mapping to
> > > a transport connection and the flow label MUST be consistent for the
> > > life of connection, then I would expect there to also be a requirement
> > > that the flow label MUST be immutable by all devices in the path-- in
> > > particular the requirement of RFC6437 would need to be updated: "A
> > > forwarding node MUST either leave a non-zero flow label value
> > > unchanged or change it only for compelling operational security
> > > reasons..."-- if hosts are not allowed to change a field they are
> > > primarily responsible for setting, then the network should not be
> > > allowed to modify it either.
> >
> > I don't recall _(of the top of my head) why we ended up making the field
> > mutable ("SHOULD NOT  be modified" rather than "MUST NOT.."). IIRC, it
> > had to do with allowing middle-boxes to mitigate FL-based covert
> > channels.  If that's the case (Brian CC'ed) then, in retrospective, that
> > seems to have been a bad idea.  -- I was part of the discussion, so I
> > take my share of blame. :-)
>
> My understanding/recollection is that since there were never any
> restrictions on modification of the flow label from the very beginning
> it wasn't super meaningful to try to close the barn door after all
> these years.

Erik,

There are two apropos statements in RFC6437:

"There is no way to verify whether a flow label has been modified en
route or whether it belongs to a uniform distribution.  Therefore, no
Internet-wide mechanism can depend mathematically on unmodified and
uniformly distributed flow labels; they have a "best effort" quality."

"From an upper-layer viewpoint, a flow could consist of all packets in
one direction of a specific transport connection or media stream.
However, a flow is not necessarily 1:1 mapped to a transport
connection."

So building a load balancer, or any other intermediate network device,
that *depends* on the flow label to be consistent for the life of a
transport connection and 1:1 mapped to a transport connection is
contrary to this guidance. The ship has already sailed on this in
deployment, and even if the protocol requirements were to be
sufficiently tightened that would take years to reach full effect and
that would preclude other use cases where modifying the flow label is
useful. If a stable 1:1 mapped identifier for transport ports is
needed in the network layer, it might make sense to create a new HBH
option for that. Personally, if I were building a load balancer I'd
use neither the flow label nor transport ports for entropy, I'd look
at using the destination address since 128 bits allows plenty of bits
of entropy, it's consistent per transport flow and always set in an
IPv6 packet.

Tom



Tom

v2.23.0 | Report a Bug | By Email