[v6ops] Fwd: [Rtg-dt-encap-considerations] overlay encapsulation group
"Fred Baker (fred)" <fred@cisco.com> Mon, 28 September 2015 20:11 UTC
Return-Path: <fred@cisco.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 735201B2C7D for <v6ops@ietfa.amsl.com>; Mon, 28 Sep 2015 13:11:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -114.511
X-Spam-Level:
X-Spam-Status: No, score=-114.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y4fiXGVf_hXP for <v6ops@ietfa.amsl.com>; Mon, 28 Sep 2015 13:11:37 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41C3E1B2C7F for <v6ops@ietf.org>; Mon, 28 Sep 2015 13:11:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7422; q=dns/txt; s=iport; t=1443471097; x=1444680697; h=from:to:cc:subject:date:message-id:references: mime-version; bh=k6l4KWdMOqCIIDZu6Xr7EGaMt6NTaAND+nicFS4T4CI=; b=NeM1HYQUKJgDONjh1hIlmb/OYpgukJ9gM9fvuMz3INTEbDDZp4BGkgvD RM79RuIAsIXQYHzVzzTAvn9swufqSFygQwBviyzPcDoZCfJG8xKKYifdF WC0PyW6054f6jZNWK+nK6FSm5CBDUk/m6tvqgUV5lDMNrCaIIWlfKUn7c 4=;
X-Files: signature.asc : 833
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0C0AgC8nQlW/5tdJa1egyRUaQaDJKtbjjoOgXEKhXkCgU04FAEBAQEBAQGBCoQkAQEBAwEjVgULAgEZAwECASoCAjIbAggCBA4FDhGIBwgNtn2UTgEBAQEBAQEBAQEBAQEBAQEBAQEBARMEiQKCboQqEQFAEQ2CKDsSHYEUBYV8gTqOOgGCSoFgBWWHeoFPkS6EVYNsAR8BQ4IQARyBVHGHYjqBBQEBAQ
X-IronPort-AV: E=Sophos;i="5.17,604,1437436800"; d="asc'?scan'208";a="192020451"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by alln-iport-4.cisco.com with ESMTP; 28 Sep 2015 20:11:36 +0000
Received: from XCH-RCD-013.cisco.com (xch-rcd-013.cisco.com [173.37.102.23]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id t8SKBZ9v027178 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 28 Sep 2015 20:11:36 GMT
Received: from xch-aln-013.cisco.com (173.36.7.23) by XCH-RCD-013.cisco.com (173.37.102.23) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Mon, 28 Sep 2015 15:11:34 -0500
Received: from xch-aln-013.cisco.com ([173.36.7.23]) by XCH-ALN-013.cisco.com ([173.36.7.23]) with mapi id 15.00.1104.000; Mon, 28 Sep 2015 15:11:34 -0500
From: "Fred Baker (fred)" <fred@cisco.com>
To: v6ops list <v6ops@ietf.org>
Thread-Topic: [Rtg-dt-encap-considerations] overlay encapsulation group
Thread-Index: AQHQ9wLa6QJAXiB3eEW5Bf0xE00y7A==
Date: Mon, 28 Sep 2015 20:11:34 +0000
Message-ID: <C3DEA004-2D81-453B-B795-FD75C3F119B7@cisco.com>
References: <CALx6S36SCWv3nu9r-tRXvKe-26MHzrbahk1UVeUJXcLdC1xQdw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.154.248.39]
Content-Type: multipart/signed; boundary="Apple-Mail=_A7D82A90-E0F5-484A-9214-B68F5D7A2D11"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/6-n3X0fi11oqkAaVnTdKqNRIWKE>
Subject: [v6ops] Fwd: [Rtg-dt-encap-considerations] overlay encapsulation group
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Sep 2015 20:11:39 -0000
Running a question by the list. Tom and I got to talking about this because I proposed an approach to IPv6 networking for OpenStack (https://tools.ietf.org/html/draft-baker-openstack-ipv6-model), and Tom proposed a similar but different model in nvo3 (draft-herbert-nvo3-ila). From what he says, I gather that Facebook is looking at trial deployment of a modified version of his approach that takes an important step in the direction of mine. What I wonder is whether the WG would be interested in an operational discussion of draft-herbert-nvo3-ila and Facebook's IPv6 deployment at IETF 94? And specifically, do folks have comments on his updated draft when he posts it? On Sep 25, 2015, at 2:12 PM, Tom Herbert <tom@herbertland.com> wrote: > Thanks Fred. > > The ILA draft is https://datatracker.ietf.org/doc/draft-herbert-nvo3-ila/. > > Tom > From: Tom Herbert <tom@herbertland.com> > Subject: Re: [Rtg-dt-encap-considerations] overlay encapsulation group > Date: September 24, 2015 at 12:54:41 PM PDT > To: "Fred Baker (fred)" <fred@cisco.com> > > Hi Fred, > > I'd like to give you an update on ILA. > > We pushed an initial implementation to upstream > https://lwn.net/Articles/654540/. I have a couple of more patches to > get in, but this will get us to a pretty performant data path (much > better than what we'll get from traditional encapsulation). > > Internally (@FB), we are commencing canary deployments. There was an > interesting debate on whether to use ULA or get a larger address > allocation (the latter won), but so far this approach seems feasible. > > One design change, which I think may be along the lines of you were > asking, is that we will allow untranslated addresses to be routable. > Untranslated packets would be routed to some intermediate device in > the network which perform the translation and forward packet to the > location of the virtual node. We'll have these nodes be able to send > something like an ICMP redirect to the source to eliminate the > triangular routing for future packets. > > I'm planning on updating the ILA draft for IETF. I can present that > work at nvo3, but do you think there would be any interest or reason > to take this to an IPv6 WG? > > Thanks, > Tom > > On Mon, Apr 27, 2015 at 1:41 PM, Fred Baker (fred) <fred@cisco.com> wrote: >> >>> On Apr 27, 2015, at 1:31 PM, Tom Herbert <tom@herbertland.com> wrote: >>> In ILA the translation is always symmetric between sender and receiver, and the translation is transparent to the user in the same way that NV encapsulation would be. Applications at both endpoints see the same addresses for the connection (SIR addresses in the draft), and these are what is put into DNS. Many of the communication scenarios showing this are in section 4 of the ILA draft. On the wire intermediate devices would see the translated addresses. >> >> In the data plane, at the network layer. The redirect is in an application message and might well be encrypted. But the sender of the redirect has to get it to the receiver, and give an address for the third party that the receiver can use. >> >>> The problem we are trying to solve in virtualizing data center tasks is how to allow task A on physical host X to communicate with task B on physical host Y; and then how to continue communications when task B moves to physical host Z. I guess this could be considered a reachability, connectivity, routability, or authorization problem depending on how you want to look at it. >> >> Yes. It’s one of the first three after it moves and before it is renumbered. Before moving and after renumbering, it is just an authorization problem, IMHO. >> >>> In multi-tenancy, we have a requirement for isolation between tenants. If traffic crosses between tenant networks without authorization this is fundamentally bad, so we need strong guarantees (maybe this is what you mean by authorization problem?). >> >> Yes >> >>> The VNID is a mechanism of isolation, but not typically self-authenticated. >> >> If it’s in the IPv6 IID, it’s assigned by the orchestrator, and the BCP 38 filter in the vSwitch enforces its use. That’s the same way VLAN numbers or whatever are used. Which is to say that it’s at least as secure as using a VLAN, given tat the orchestrator installs the correct ACLs. >> >>> In GUE, we added a security option that allows shared cookie, secure hash, etc. Unfortunately, I haven't figured out how to add that in ILA and without security it makes large scale deployment for the multi tenant use case problematic (the lack of a secured VNID made VLXAN and NV-GRE non starters for us). I considered flow label for security bits in ILA, but maybe this could be something in the header options similar to what you describe in section B.2 (although I am leery of using any sort of IP options due to lack of middlebox support). >> >> I think I’m telling you how to do that... >> >>>> So, redraw my section B.5 in ILNP terms. Suppose we put the VNID (which I call a tenant number) in the IID, and treat the prefix as a locator as ILNP does. Did we accomplish your goal? I think we did, and we made it be without the coupling, and we made the ACL configuration (which is the authorization verification) consistent whether in one chassis, two data centers, or a hybrid cloud with multiple operators. >>> >>> The VNID (tenant number) is already in the identifier (IID part) in ILA. I don't see any reason why ACLs can't be created for that. Only the locator part is translated on the wire, so the VNID is also visible to intermediate devices. >> >> BUT THE LOCATOR IS TRANSLATED, which brings me back to my pervious email. In an ILNP system, it doesn’t need to be. Why not just use the ILNP address? A long list of issues go away. >>
- [v6ops] Fwd: [Rtg-dt-encap-considerations] overla… Fred Baker (fred)
- Re: [v6ops] Fwd: [Rtg-dt-encap-considerations] ov… Hemant Singh (shemant)
- Re: [v6ops] Fwd: [Rtg-dt-encap-considerations] ov… Hemant Singh (shemant)
- Re: [v6ops] Fwd: [Rtg-dt-encap-considerations] ov… Tom Herbert