IETF Logo Mail Archive

Re: [tsvwg] David Black's WGLC review of draft-ietf-tsvwg-rfc6040update-shim-08

"Black, David" <David.Black@dell.com> Mon, 20 May 2019 14:39 UTC

Return-Path: <David.Black@dell.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F7BA120096 for <tsvwg@ietfa.amsl.com>; Mon, 20 May 2019 07:39:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dell.com header.b=o/fTa2/L; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=emc.com header.b=d9sw+vqZ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zNSl23wKfUJo for <tsvwg@ietfa.amsl.com>; Mon, 20 May 2019 07:39:29 -0700 (PDT)
Received: from mx0b-00154904.pphosted.com (mx0b-00154904.pphosted.com [148.163.137.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27C77120089 for <tsvwg@ietf.org>; Mon, 20 May 2019 07:39:29 -0700 (PDT)
Received: from pps.filterd (m0170395.ppops.net [127.0.0.1]) by mx0b-00154904.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x4KEUAL7026562; Mon, 20 May 2019 10:38:39 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dell.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=smtpout1; bh=iLityKzjMpT0J8nRPeJ0FELkdquAyNMCSr6L/f1DVuU=; b=o/fTa2/LGENpujqZ68cyFlkcWcinCA6dV8HL8TjB40xZT35TDoSk2kuYo3jhLxSFTAvO Lh1e5HDu01jaqyBT7JHgHTQmenC6+d7b/2r5HjBul9vTIeylXz8N0IrdQ5DCeIXdL9Sm Eux54Sm7y9pjavHDZtVyBUwfqgVm43utu4zhUBA4W6x4aU44bYmtTJvAUDT6zaXWTHnT J9xb2CQ0oCAtwrGglH3KzTnw8boJ1GApkVvjn/lh4hOgDAth+tCJ1gwrosUlFel4JgKL sKZkZPrk+e1PV3J8LOqe2BxkFaOU+sCVKQk0Wu3p942o22M3OLOMdrtV3XiEedQi0Zei fA==
Received: from mx0a-00154901.pphosted.com (mx0a-00154901.pphosted.com [67.231.149.39]) by mx0b-00154904.pphosted.com with ESMTP id 2sjeqnm9bm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 20 May 2019 10:38:39 -0400
Received: from pps.filterd (m0142693.ppops.net [127.0.0.1]) by mx0a-00154901.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x4KESiFF152932; Mon, 20 May 2019 10:38:38 -0400
Received: from mailuogwhop.emc.com (mailuogwhop.emc.com [168.159.213.141]) by mx0a-00154901.pphosted.com with ESMTP id 2skv4ujbrn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 20 May 2019 10:38:38 -0400
Received: from maildlpprd06.lss.emc.com (maildlpprd06.lss.emc.com [10.253.24.38]) by mailuogwprd02.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id x4KEcTCq018417 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 20 May 2019 10:38:35 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd02.lss.emc.com x4KEcTCq018417
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1558363116; bh=wfYWiqaTnRnRf0P2vzOJm25ZyL4=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=d9sw+vqZZ+2ZJPFdvK15uS1Jej9XvfIDLsTc0KTQ0rwzARkqStIf92WEe1Km7MhA0 2i17cnYZ+KI1DHezWVzcfgVmQfkQx4/KLn7Igv/u2u6XTNn4Vc3v3K1HI0s8yUIxTr vevT6eBXMk3wUWFV5x96IxIUZK1QKwwHB6PglfM4=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd02.lss.emc.com x4KEcTCq018417
Received: from mailusrhubprd02.lss.emc.com (mailusrhubprd02.lss.emc.com [10.253.24.20]) by maildlpprd06.lss.emc.com (RSA Interceptor); Mon, 20 May 2019 10:37:55 -0400
Received: from MXHUB301.corp.emc.com (MXHUB301.corp.emc.com [10.146.3.27]) by mailusrhubprd02.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id x4KEc6MC008483 (version=TLSv1.2 cipher=AES128-SHA256 bits=128 verify=FAIL); Mon, 20 May 2019 10:38:14 -0400
Received: from MX307CL04.corp.emc.com ([fe80::849f:5da2:11b:4385]) by MXHUB301.corp.emc.com ([10.146.3.27]) with mapi id 14.03.0439.000; Mon, 20 May 2019 10:37:27 -0400
From: "Black, David" <David.Black@dell.com>
To: Bob Briscoe <ietf@bobbriscoe.net>, "gorry@erg.abdn.ac.uk" <gorry@erg.abdn.ac.uk>
CC: "tsvwg@ietf.org" <tsvwg@ietf.org>
Thread-Topic: [tsvwg] David Black's WGLC review of draft-ietf-tsvwg-rfc6040update-shim-08
Thread-Index: AdUGAGT4Th8zbG5rQXClmZ/2hSiF0gAAs+7gAZfidQAAGJaicAArho6AAGkwCgAAAF9XUA==
Date: Mon, 20 May 2019 14:37:27 +0000
Message-ID: <CE03DB3D7B45C245BCA0D243277949363057266B@MX307CL04.corp.emc.com>
References: <CE03DB3D7B45C245BCA0D243277949363055BC3F@MX307CL04.corp.emc.com> <CE03DB3D7B45C245BCA0D243277949363055BDDC@MX307CL04.corp.emc.com> <89e67cfc-9574-c7a7-b837-c909c2180595@bobbriscoe.net> <CE03DB3D7B45C245BCA0D243277949363056D070@MX307CL04.corp.emc.com> <5CDFBED3.7070207@erg.abdn.ac.uk> <dd907bc5-56bc-3c4d-8e3c-6e131e208074@bobbriscoe.net>
In-Reply-To: <dd907bc5-56bc-3c4d-8e3c-6e131e208074@bobbriscoe.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.238.21.130]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd02.lss.emc.com
X-RSA-Classifications: public
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-05-20_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1905200096
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1905200096
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/1_gKH8GM0GjlaRn2dhjlkgfHe4w>
Subject: Re: [tsvwg] David Black's WGLC review of draft-ietf-tsvwg-rfc6040update-shim-08
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 May 2019 14:39:33 -0000

+1 on Bob's comments - both the "MUST" and "SHOULD" statements in this discussion apply to the tunnel ingress.

Thanks, --David

> -----Original Message-----
> From: Bob Briscoe <ietf@bobbriscoe.net>
> Sent: Monday, May 20, 2019 6:26 AM
> To: gorry@erg.abdn.ac.uk; Black, David
> Cc: tsvwg@ietf.org
> Subject: Re: [tsvwg] David Black's WGLC review of draft-ietf-tsvwg-
> rfc6040update-shim-08
> 
> 
> [EXTERNAL EMAIL]
> 
> 
> 
> On 18/05/2019 09:14, Gorry Fairhurst wrote:
> > Just one check below:
> >
> > On 17/05/2019, 16:34, Black, David wrote:
> >>
> >> Before going further down the compliance rathole, let me suggest an
> >> alternative that might resolve this quickly.
> >>
> >> The crucial text (whose technical correctness is not in question) is:
> >> In order that the network operator can comply with the above
> >> safety rules, even if an implementation of a tunnel ingress does
> >> not claim to support RFC 6040, RFC 4301 or the full functionality
> >> mode of RFC 3168:
> >>
> >> * it MUST make propagation of the ECN field between inner and
> >> outer IP headers independent of any configuration of Diffserv
> >> codepoint propagation;
> >>
> >> * it SHOULD be able to be configured to zero the outer ECN field.
> >>
> >> The headaches are being caused by treating that text as an update to
> >> RFC 6040, but looking at it now,
> >>
> >> it reads like a best current practice recommendation, so .
> >>
> >> Would it be reasonable to move that text into the ecn-encapsulation
> >> draft (which is intended to become
> >> a BCP)? Doing that would sidestep the entire discussion of
> >> consequences of the consequences of
> >> updating RFC 6040 with that text.
> >>
> >> If that sounds plausible, we should take a look at whether any of the
> >> other RFC 6040 update text in section
> >> 4 should likewise be moved to the ECN encapsulation draft.
> >>
> > I had to read this several times, and wasn't quite sure:
> >
> > * it SHOULD be able to be configured to zero the outer ECN field.
> > Was the intention that:
> >
> > * the configuration SHOULD allow a sender to zero the ECN field in the
> > outer header.
> 
> I'm not sure whether you're using 'sender' to mean 'tunnel ingress' or
> the original sender. I've repeated the sentence with explanations in [],
> 'cos I'm not quite sure what problem you're having with it.
> 
> * it [the tunnel ingress] SHOULD be able to be configured to zero the
> outer ECN field [the ECN field in the outer header].
> 
> 
> For instance, if a tunnel ingress with no specific ECN logic had a
> configuration capability to refer to the last 2 bits of the old ToS Byte
> of the outer (e.g. with a 0x3 mask) and set them to zero, while also
> being able to allow the DSCP to be mapped or set to something, that
> would be sufficient to satisfy both the implementation requirements.
> 
> In fact, I think I'll add that as an example.
> 
> 
> Bob
> 
> >
> >
> > Gorry
> >
> >> Thanks, --David
> >>
> >> *From:*Bob Briscoe <ietf@bobbriscoe.net>
> >> *Sent:* Thursday, May 16, 2019 7:44 PM
> >> *To:* Black, David; tsvwg@ietf.org
> >> *Subject:* Re: [tsvwg] David Black's WGLC review of
> >> draft-ietf-tsvwg-rfc6040update-shim-08
> >>
> >> [EXTERNAL EMAIL]
> >>
> >> David,
> >>
> >> I'll split your email in two and solely deal with the major issue
> >> first. See inline.
> >>
> >> On 09/05/2019 02:08, Black, David wrote:
> >>
> >>     idnits found a couple of minor things:
> >>
> >>       * Current reference for IKEv2 is RFC 7296 instead of RFC 5996
> >>       * If any text was copied from pre-5378 RFCs, an additional
> >>         boilerplate disclaimer is required.
> >>
> >>     Thanks, --David
> >>
> >>     *From:* Black, David
> >>     *Sent:* Wednesday, May 8, 2019 8:50 PM
> >>     *To:* tsvwg@ietf.org <mailto:tsvwg@ietf.org>
> >>     *Subject:* David Black's WGLC review of
> >>     draft-ietf-tsvwg-rfc6040update-shim-08
> >>
> >>     This is a solidly written draft on updating tunnel protocols that
> >>     use shim headers to propagate ECN according to RFC 6040.
> >>
> >>     Unfortunately, I found a major issue with the updates [1] along
> >>     with a few minor issues (easily dealt with) and a bunch of
> >>     editorial items.
> >>
> >>     The major issue [1] on updates creating non-compliant
> >>     implementations looks like it will need WG discussion on what
> >>     should be done, as the "right thing to do" appears to be in
> >>     potential conflict with deployed "running code".
> >>
> >>     --- Major ---
> >>
> >>     [1] Compliance with RFC 6040 update
> >>
> >>     Section 3.1 says:
> >>
> >>     However, an RFC has no jurisdiction over implementations that choose
> >>
> >>     not to comply with it or cannot comply with it, including all those
> >>
> >>     implementations that pre-dated the RFC. Therefore it would have been
> >>
> >>     unreasonable to add such a requirement to RFC 6040.
> >>
> >>     But then Section 4 goes on to do exactly that by updating RFC
> >> 6040 to
> >>
> >>     add this text:
> >>
> >>     In order that the network operator can comply with the above
> >>
> >>     safety rules, even if an implementation of a tunnel ingress does
> >>
> >>     not claim to support RFC 6040, RFC 4301 or the full functionality
> >>
> >>     mode of RFC 3168:
> >>
> >>     * it MUST make propagation of the ECN field between inner and
> >>
> >>     outer IP headers independent of any configuration of Diffserv
> >>
> >>     codepoint propagation;
> >>
> >>     * it SHOULD be able to be configured to zero the outer ECN field.
> >>
> >>     followed by this attempt to excuse the result:
> >>
> >>     There might be concern that the above "MUST" makes compliant
> >>
> >>     equipment non-compliant at a stroke. However, any equipment that is
> >>
> >>     still treating the former ToS octet (IPv4) or the former Traffic
> >>
> >>     Class octet (IPv6) as a single 8-bit field is already non-compliant,
> >>
> >>     and has been since 1998 when the upper 6 bits were separated off for
> >>
> >>     the Diffserv field [RFC2474], [RFC3260]. For instance, copying the
> >>
> >>     ECN field as a side-effect of copying the DSCP is a seriously unsafe
> >>
> >>     bug that risks breaking the feedback loops that regulate load on a
> >>
> >>     tunnel.
> >>
> >>     These three chunks of text need to be aligned.. I'm not sure what
> >>     should
> >>
> >>     be done here, as the concern about updating RFC 6040 to cause
> >>     non-compliance
> >>
> >>     is an important concern.
> >>
> >> [BB] This draft proposes to update RFC6040, which in turn updated
> >> RFC3168, which in turn updated RFC2474 (there were other RFCs in the
> >> tree of updates ending at RFC6040, but those updates were not with
> >> respect to the Diffserv/ECN fields).
> >>
> >> I fully agree that we have to be careful not to make any equipment
> >> that already complies with any of these RFCs non-compliant. And we
> >> don't...
> >>
> >> If any equipment does not satisfy the proposed 'MUST' statement
> >> above, it will not be treating the DSCP and the ECN fields
> >> independently. Such equipment would not have complied with RFC2474,
> >> which separated out the last 2 bits of the ToS byte, which made it
> >> possible to specify ECN in the first place.
> >>
> >> So the proposed 'MUST' statement does not make any equipment that
> >> complied with any of these RFCs non-compliant, unless it was already
> >> non-compliant with RFC2474. And RFC2474 grandfathered all these RFCs.
> >> So the equipment would already be non-compliant with all these RFCs.
> >>
> >> Now, check the detailed wording:
> >>
> >> even if an implementation of a tunnel ingress does
> >>
> >> not claim to support RFC 6040, RFC 4301 or the full functionality
> >>
> >> mode of RFC 3168:
> >>
> >> * it MUST make propagation of the ECN field between inner and
> >>
> >> outer IP headers independent of any configuration of Diffserv
> >>
> >> codepoint propagation;
> >>
> >>
> >> You'll notice RFC2474 is not in the list of RFCs that an
> >> implementation might even not claim to support. That's because the
> >> MUST is about Diffserv configuration. If equipment offers any
> >> Diffserv configuration, it already has to comply with RFC2474.
> >> However, if it doesn't already comply with this MUST, it already
> >> doesn't comply with RFC2474.
> >>
> >> So again, this MUST does not make any equipment that complied with
> >> any of the chain of RFCs non-compliant, unless they were already
> >> non-compliant with RFC2474, and therefore non-compliant with all the
> >> RFCs in the chain of updates up to RFC6040, because RFC2474
> >> grandfathered the chain.
> >>
> >>
> >>
> >>     Analogous non-compliance concerns apply to the updates to other
> >>     RFCs in
> >>
> >>     Section 5 to varying degrees.
> >>
> >> If you accept my arguments above, but can still find other
> >> non-compliance concerns, please do point them out.
> >>
> >> Nonetheless, I'm pretty sure I've been similarly careful to avoid
> >> introducing any non-compliance surprises.
> >>
> >>
> >>
> >> Bob
> >>
> >>
> >>
> >>
> >> --
> >>
> __________________________________________________________
> ______
> >> Bob Briscoehttp://bobbriscoe.net/ <http://bobbriscoe..net/>
> >
> 
> --
> __________________________________________________________
> ______
> Bob Briscoe                               http://bobbriscoe.net/

v2.23.0 | Report a Bug | By Email