Re: [rbridge] a stronger RPF check for TRILL
Sam Aldrin <aldrin.ietf@gmail.com> Thu, 15 March 2012 22:29 UTC
Return-Path: <rbridge-bounces@postel.org>
X-Original-To: ietfarch-trill-archive-Osh9cae4@ietfa.amsl.com
Delivered-To: ietfarch-trill-archive-Osh9cae4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 0C0E121F8603 for
<ietfarch-trill-archive-Osh9cae4@ietfa.amsl.com>;
Thu, 15 Mar 2012 15:29:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.377
X-Spam-Level:
X-Spam-Status: No, score=-4.377 tagged_above=-999 required=5 tests=[AWL=0.224,
BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_55=0.6,
MIME_HTML_MOSTLY=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LUOmKBEiYLtv for
<ietfarch-trill-archive-Osh9cae4@ietfa.amsl.com>;
Thu, 15 Mar 2012 15:29:01 -0700 (PDT)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by
ietfa.amsl.com (Postfix) with ESMTP id 448D521F8602 for
<trill-archive-Osh9cae4@lists.ietf.org>; Thu, 15 Mar 2012 15:29:01 -0700 (PDT)
Received: from boreas.isi.edu (localhost [127.0.0.1]) by boreas.isi.edu
(8.13.8/8.13.8) with ESMTP id q2FLsfcf024526;
Thu, 15 Mar 2012 14:54:43 -0700 (PDT)
Received: from mail-yw0-f52.google.com (mail-yw0-f52.google.com
[209.85.213.52]) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id
q2FLsAG6024459 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT);
Thu, 15 Mar 2012 14:54:19 -0700 (PDT)
Received: by yhpp61 with SMTP id p61so5244375yhp.39 for <multiple recipients>;
Thu, 15 Mar 2012 14:54:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=references:in-reply-to:mime-version:content-transfer-encoding
:content-type:message-id:cc:x-mailer:from:subject:date:to;
bh=I5XRc1gDGs7vve9G8umAHoD9G4qpno5c5xNQkrEx4yQ=;
b=Uc9An9IxOzReJaey8a7J0FdgdvmdDD0Fjj6+KVLDohLqbwa+orBb+et+8Nz8eZ4Gtw
IWhCYZyc8MJuCnIGNcE5nggx8FTkpZSTKDNXgHh69KEhjrGeR1fImJhTiep8IP8GP4lN
NxGQ6OXvxPDOJJ7bSx62cdeFF5ifJkypZZ8nUEDc9YMSgmVgRMjG4/S5uFs3vQQUxvyw
e8NsGufroN2FMTvBuIM5eMQ2Ob/041zKgGpr0sfZPjGrPKII7iI227gdBIaQA/ulxtCY
puTE5wqQN50T8xIG7c3mRYK19w+Yz4ZoX+uzzJptCgrAoP2alshChfHce8gIeLR6JNLx iVVg==
Received: by 10.182.114.3 with SMTP id jc3mr368654obb.18.1331848449911;
Thu, 15 Mar 2012 14:54:09 -0700 (PDT)
Received: from [192.168.0.173] ([12.207.18.42]) by mx.google.com with ESMTPS
id v10sm2995725obb.4.2012.03.15.14.54.08 (version=TLSv1/SSLv3 cipher=OTHER);
Thu, 15 Mar 2012 14:54:08 -0700 (PDT)
References: <1C4D6949-3235-4BB0-B148-C88791DD5CC0@gmail.com>
<CB86BBEA.7438%letracy@cisco.com>
<OF9CD56F5C.AD41ACAC-ON872579C2.00744680-882579C2.007606FB@us.ibm.com>
In-Reply-To: <OF9CD56F5C.AD41ACAC-ON872579C2.00744680-882579C2.007606FB@us.ibm.com>
Mime-Version: 1.0 (1.0)
Message-Id: <F88EF32D-1C13-44F2-8BD2-D6AFCF4C9871@gmail.com>
X-Mailer: iPhone Mail (9B176)
From: Sam Aldrin <aldrin.ietf@gmail.com>
Date: Thu, 15 Mar 2012 14:54:04 -0700
To: Santosh Rajagopalan <sunny.rajagopalan@us.ibm.com>
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: aldrin.ietf@gmail.com
Cc: "rbridge@postel.org" <rbridge@postel.org>,
Anoop Ghanwani <anoop@alumni.duke.edu>, Radia Perlman <radiaperlman@gmail.com>,
Donald Eastlake <d3e3e3@gmail.com>,
"rbridge-bounces@postel.org" <rbridge-bounces@postel.org>,
letracy <letracy@cisco.com>, Jon Hudson <jon.hudson@gmail.com>
Subject: Re: [rbridge] a stronger RPF check for TRILL
X-BeenThere: rbridge@postel.org
X-Mailman-Version: 2.1.6
Precedence: list
List-Id: "Developing a hybrid router/bridge." <rbridge.postel.org>
List-Unsubscribe: <http://mailman.postel.org/mailman/listinfo/rbridge>,
<mailto:rbridge-request@postel.org?subject=unsubscribe>
List-Archive: <http://mailman.postel.org/pipermail/rbridge>
List-Post: <mailto:rbridge@postel.org>
List-Help: <mailto:rbridge-request@postel.org?subject=help>
List-Subscribe: <http://mailman.postel.org/mailman/listinfo/rbridge>,
<mailto:rbridge-request@postel.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1656561337=="
Sender: rbridge-bounces@postel.org
Errors-To: rbridge-bounces@postel.org
Having read both sides of the story, two points I hear are 1. There is a scenario or corner case, where existing rpf check doesn't satisfy the needs. 2. Because the new proposal requires SMAC to be maintained, the size of tables exponentially increases. IMO, weight given to 1and 2 could vary depending on vendor and whom you talk to. If stronger rpf check is needed, a solution without increasing the complexity in table size etc should be proposed. If that is something not going to be achieved, it should be left optional, till something is identified. My 2 cents Sam Sent from my iPhone On Mar 15, 2012, at 2:28 PM, Santosh Rajagopalan <sunny.rajagopalan@us.ibm.com> wrote: > I think that a similar argument can be made for the current RPF check as well - it costs us table space and helps us in rare, transient cases. If you decide that the RPF check is worthwhile having in its current form, I think you can make the case that it's worthwhile having in the expanded form as well. > > Because really, the new form of the RPF check says the same thing as the current form - it's just that in multi-access links you need to qualify the "allowed link" a little more strongly. Also, I'm not sure if its absence could lead to loops - duplicates were just the first case I thought of. > > Note that in the case you illustrated below (where rbridges have multiple links to the CE network) you would need to have multiple RPF entries anyway, even without the new expanded check. For example, the rbridge W would need "allow (A, link_1)" in addition to "allow (A, link_2)". Of course, there's no denying that adding the mac address there will bring in additional memory costs. > > -- > Sunny Rajagopalan > > > > > From: letracy <letracy@cisco.com> > To: Jon Hudson <jon.hudson@gmail.com>om>, Radia Perlman <radiaperlman@gmail.com>om>, Santosh Rajagopalan/Santa Clara/IBM@IBMUS > Cc: Donald Eastlake <d3e3e3@gmail.com>om>, "rbridge@postel.org" <rbridge@postel.org>rg>, Anoop Ghanwani <anoop@alumni.duke.edu> > Date: 03/14/2012 09:37 PM > Subject: Re: [rbridge] a stronger RPF check for TRILL > Sent by: rbridge-bounces@postel.org > > > > > > I think one drawback to the stronger RPF check is that Rbridges will be > required to maintain more state. In the best cases, Rbridges will be > required to maintain a 6 byte source MAC address per RPF. In some other > cases, the stronger check will require additional RPF checks as well. > > Consider a case such as: > > A - B - C > | > U - V - W = o - X - Y - Z > > Where o is a LAN link and W has two parallel links into the LAN o with > unique MAC addresses on each link. > > In this case, W is allowed to loadsplit among the two links and Rbridges > A and X are required by RFC6325 to accept traffic coming from either of > W's ports. This will mean bridges X and A are required to maintain two > RPF entries each for Rbridges U, V and W (One RPF check accepting (W, SMAC1) > and one accepting (W, SMAC2), etc...). Thus, the number of RPF checks > required in the network becomes proportional to the number of Rbridge ports > connected to LAN links as well as to the number of Rbridges in the network. > In larger networks this could explode in terms of scale and complexity. > > Considering that the problem case is transient, rare, and only results in > duplicate packets (as opposed to loops) - I'd like to suggest that the > stronger check be made optional. > > Thanks, > Leonard Tracy > > > On 3/9/12 1:55 PM, "Jon Hudson" <jon.hudson@gmail.com> wrote: > > > > > I agree! Both stronger & easier to read/understand. > > > > Very nice Santosh! > > > > On Mar 9, 2012, at 7:57 AM, Radia Perlman <radiaperlman@gmail.com> wrote: > > > >> Ah. Yes, thank you for that explanation, Donald. Santosh is indeed > >> correct, and it also makes the spec easier to read, which is an > >> additional plus. > >> > >> Radia > >> > >> On Fri, Mar 9, 2012 at 6:44 AM, Donald Eastlake <d3e3e3@gmail.com> wrote: > >>> Hi Anoop, > >>> > >>> On Fri, Mar 9, 2012 at 7:51 AM, Anoop Ghanwani <anoop@alumni.duke.edu> > >>> wrote: > >>>> The tree adjacency check already accounts for this. > >>>> http://tools.ietf.org/html/rfc6325#section-4.6.2.5 > >>>> > >>>>>> > >>>> The Outer.MacSA is checked and the frame discarded if it is not a > >>>> tree adjacency for the tree indicated by the egress RBridge nickname > >>>> on the port where the frame was received. > >>>>>> > >>>> > >>>> This is done in addition to the port-based RPF check. > >>> > >>> Ahhh, but this is not quite a strong as what Santosh is suggesting. > >>> The subtle weakness is that "adjacency" has no directionality. > >>> > >>> RFC 6325 currently specifies this part of the RPFC as two separate checks: > >>> 1. Is ( tree, Outer.MacSA, arrival port) an allowed triplet according > >>> to the current topology and tree? > >>> 2. Is ( tree, ingress, arrival port ) an allowed triplet according to > >>> the current topology and tree? > >>> > >>> What Santosh is suggesting, which would be just a little stronger and > >>> arguably simpler, is equivalent to replacing this with one test: > >>> -- Is ( tree, Outer.MacSA, ingress, arrival port ) an allowed quadruplet? > >>> > >>> This is stronger because, on a multi-access link, one Outer.MacSA may > >>> only be allowed on frames from the ingress and other Outer.MacSA may > >>> only only be allowed on frames ingressed elsewhere. > >>> > >>> I think some existing silicon may already use this combined RPFC test... > >>> > >>> Thanks, > >>> Donald > >>> ============================= > >>> Donald E. Eastlake 3rd +1-508-333-2270 (cell) > >>> 155 Beaver Street, Milford, MA 01757 USA > >>> d3e3e3@gmail.com > >>> > >>>> Anoop > >>>> > >>>> On Thu, Mar 8, 2012 at 9:43 AM, Santosh Rajagopalan > >>>> <sunny.rajagopalan@us.ibm.com> wrote: > >>>>> It appears the the multidestination frame checks present in TRILL may not > >>>>> be > >>>>> strong enough to cover some cases of packet duplicates during network > >>>>> transition scenarios. In this email, I'm going to suggest a modification > >>>>> of > >>>>> the TRILL RPF check to cover these cases. > >>>>> > >>>>> The root problem is that there's a notion of directionality built into the > >>>>> RPF concept ("accept packets from X along this vector"). In a p2p link, > >>>>> specifying the port alone uniquely qualifies that vector. However, in a > >>>>> multiaccess link, there are many "links/adjacencies" overlaid on the > >>>>> physical link. To identify one of them, you need to specify both the > >>>>> outer_smac *and* the port. So the RPF check should actually be "accept > >>>>> packets from X along (outer_smac, port)". > >>>>> > >>>>> Consider this network: > >>>>> > >>>>> F--A--B--C--o--D > >>>>> All the links except the link between C and D are p2p links. C and D are > >>>>> connected over a classical ethernet network (represented by the pseudonode > >>>>> "o"). Let's say D gets picked as the root for a multidestination tree (the > >>>>> choice of root is unimportant here). > >>>>> The resulting tree looks like: > >>>>> > >>>>> F--A--B--C--o--D > >>>>> > >>>>> Now lets say that a link comes up from A to the same classical ethernet > >>>>> network. So the network looks like this: > >>>>> ________ > >>>>> | | > >>>>> F--A--B--C--o--D > >>>>> > >>>>> Let's say the resulting tree in steady state includes all links except the > >>>>> B-C link. After the network has converged, a packet that starts out from F > >>>>> will go F->A, where A will send one copy to the A-B link and another copy > >>>>> into the CE network, from where it will be received by C and D. > >>>>> > >>>>> However, lets consider a transition stage where A and D have acted on > >>>>> their > >>>>> LSPs and programmed their forwarding plane, while B and C have not yet > >>>>> done > >>>>> so. > >>>>> This means that B and C both consider the link between them to still be > >>>>> part > >>>>> of the tree. > >>>>> > >>>>> So a packet that starts out from F and reaches A will be copied by A into > >>>>> the A-B link and the A-o link. D's RPF check says to accept packets on > >>>>> this > >>>>> tree coming from F over its link to the CE network, so it gets accepted. D > >>>>> is also adjacent to A on the tree, so the tree adjacency check also > >>>>> passes. > >>>>> > >>>>> However, the packet that gets to B gets sent out by B to C. C's RPF check > >>>>> still has the old state, and it thinks the packet is ok. C sends the > >>>>> packet > >>>>> along the old tree, which is towards the CE network. D receives one more > >>>>> packet, but the tree adjacency check passes because C is adjacent to D in > >>>>> the new tree as well. The RPF check also passes because D's link to the CE > >>>>> network is ok for receiving packets from A. > >>>>> > >>>>> So now D gets duplicates of every packet until B and C act on their LSPs > >>>>> and > >>>>> program their hardware tables. The AF state is (I believe) irrelevant here > >>>>> because we're talking about TRILL encapsulated packets, not native CE > >>>>> frames. > >>>>> > >>>>> In the example above, the adjacency check alone doesn't help, because the > >>>>> rbridge D has adjacencies to both A & C on the tree. A check on (port, > >>>>> smac) > >>>>> will pass for packets from both A and C. > >>>>> > >>>>> The only check which can stop this from happening, I believe, is if you > >>>>> replace the current RPF check which looks like this: > >>>>> {tree_id, source_rbridge}->{allowed_port} > >>>>> > >>>>> with a modified check which looks like this: > >>>>> > >>>>> {tree_id, rbridge}->{allowed_port, allowed_outer_smac} > >>>>> > >>>>> This will make sure that packets will be accepted by D only if they were > >>>>> sent by A. This combined check can be a replacement for the currently > >>>>> separate adjacency and RPF checks. > >>>>> > >>>>> Thoughts? > >>>>> -- > >>>>> Sunny Rajagopalan > >>>>> > >>>>> > >>>>> _______________________________________________ > >>>>> rbridge mailing list > >>>>> rbridge@postel.org > >>>>> http://mailman.postel.org/mailman/listinfo/rbridge > >>>>> > >>>> _______________________________________________ > >>>> rbridge mailing list > >>>> rbridge@postel.org > >>>> http://mailman.postel.org/mailman/listinfo/rbridge > >>> > >>> _______________________________________________ > >>> rbridge mailing list > >>> rbridge@postel.org > >>> http://mailman.postel.org/mailman/listinfo/rbridge > >> > >> _______________________________________________ > >> rbridge mailing list > >> rbridge@postel.org > >> http://mailman.postel.org/mailman/listinfo/rbridge > > > > _______________________________________________ > > rbridge mailing list > > rbridge@postel.org > > http://mailman.postel.org/mailman/listinfo/rbridge > > _______________________________________________ > rbridge mailing list > rbridge@postel.org > http://mailman.postel.org/mailman/listinfo/rbridge > > > _______________________________________________ > rbridge mailing list > rbridge@postel.org > http://mailman.postel.org/mailman/listinfo/rbridge
_______________________________________________ rbridge mailing list rbridge@postel.org http://mailman.postel.org/mailman/listinfo/rbridge
- [rbridge] a stronger RPF check for TRILL Santosh Rajagopalan
- Re: [rbridge] a stronger RPF check for TRILL Anoop Ghanwani
- Re: [rbridge] a stronger RPF check for TRILL Donald Eastlake
- Re: [rbridge] a stronger RPF check for TRILL Radia Perlman
- Re: [rbridge] a stronger RPF check for TRILL Jon Hudson
- Re: [rbridge] a stronger RPF check for TRILL letracy
- Re: [rbridge] a stronger RPF check for TRILL Santosh Rajagopalan
- Re: [rbridge] a stronger RPF check for TRILL Sam Aldrin
- Re: [rbridge] a stronger RPF check for TRILL letracy
- Re: [rbridge] a stronger RPF check for TRILL Donald Eastlake
- Re: [rbridge] a stronger RPF check for TRILL Santosh Rajagopalan