On 10/10/2012 09:59, Magnus Westerlund wrote:
On 2012-10-09 20:57, Ronald Bonica wrote:
Ronald Bonica has entered the following ballot position for
draft-ietf-6man-udpzero-06: Discuss
When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)
Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.
----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------
This is a two-part DISCUSS-DISCUSS. Both parts relate to bullet points in
Section 5.1.
Bullet 5
======
"Tunnels that encapsulate IP may rely on the inner packet
integrity checks provided that the tunnel will not significantly
increase the rate of corruption of the inner IP packet."
- What does it mean to *significantly* increase the rate of corruption of
the inner IP packet?
That is a good question. And the answer is it depends. If you are
considering a tunnel protocols which target deployment area is one where
you have very low rates of corruption, lets say below 10^-6 then a
factor of 2 or even 10 might be fine as the resulting end-to-end basic
IP service may still be fine. But if that same tunnel is supposed to
support something that requires a packet loss rate below 10^-6 then any
increase in corruption might be to high.
A useful and relevant question, which is worth asking the user to consider
is what exactly are those loss rates. A lot of systems do much better than
10^-6. At 10Gb/s that is 10^4 errors/sec, so you can see they have to
do better that that. I am not sure what state of the art is, but the
range 10^-12 is often quoted as a working number.
Maybe we need to text of the form where the underlying IPv6 network is
considered to have an acceptably low error rate, that may indicate that
it is safe to operate without a UDP checksum, without further analysis
consideration of the protocols to be carried over the UDP tunnel.
- Shouldn't we also be concerned about corruption of the UDP header and
any additional encapsulation that comes between the UDP header and the
inner IP packet?
I think the formulation actually is considering that. If the
IPv6/UDP/FOO tunnel protocol carries IP and FOO is senesitive to
corruption then isn't the payload of the tunnel, i.e. the inner IP going
to suffer an increased corruption rate.
- How does a tunnel ingress node know whether the tunnel will
significantly increase the rate of corruption of the inner IP packet?
That is something you have to statistically analyze when designing the
protocol and deciding on using zero-checksum.
My concern is that is impractical, the tunnel payload is opaque.
Remember the UDP tunnel will in many cases be the functional
equivalent of GRE, and we neither have the ability to include
a c/s for IPv6/GRE, nor the ability to predict the payload type.
BTW, you need to realize that it's going to be very difficult
to do the do the c/s checking in a fast tunnel router and will
often need h/w changes. Unlike a common transport protocol
stack implementation a fast tunneling router does not
have access to all the packet data to run the c/s check.
For that reason alone, I predict that most of these routers
will neither impose or verify the UDP c/s in the tunnel case.
Bullet 7
=====-
" UDP applications that support use of a zero-checksum, should not
rely upon correct reception of the IP and UDP protocol
information (including the length of the packet) when decoding
and processing the packet payload. In particular, the
application must be designed so that corruption of this
information does not result in accumulated state or incorrect
processing of a tunneled payload."
- How could any application achieve this goal? Possibly by analyzing the
consequences if any field in the IPv6 or UDP header were corrupted?
(draft-ietf-6man-udpchecksums begins this analysis.) Again, wouldn't the
analysis have to include any additional encapsulation that comes between
the UDP header and the inner IP header?
Yes, this is a design analysis which includes the tunnel protocols headers.
- Wouldn't the analysis, mentioned above, have to include assurances
regarding the case when the destination port is corrupted? Specifically,
would it have to include a guarantee that if the encapsulated inner
packet were delivered to any randomly chosen port, it would not cause any
harm to the application listening on that port?
Clearly it can't include a guarantee that it will not harm what ever is
at the randomly chosen port. But one part we try to get across in this
document is that this is the reason we want to ensure that default
remains to have the UDP checksum enabled to avoid having applications
not having considered this in their design or at least been analyzed to
be safe enough to get zero checksummed packets.
The next step is the question of potential harm is a statistics game.
And the more traffic that are transported over the network with
zero-checksum the higher the probability that you will get a packet not
intended for your context. Thus you will have to deal with it. Here I
think most tunnel egresses are reasonably simple to analyze what
happens. You attempt to decapsulate it according to whats in the packet.
If that is not a mismatch you try to do the next step for the inner
packet, switching or forwarding that based on whats there. That either
matches or not the context and are thus sent further or discarded. If
there is a checksum on that level it can help discarding packets that
completely misses the context.
Let me take another cut on this. We accept that IPv6/GRE is safe, since
we did not update GRE for IPv6, and we have not deprecated it.
Why are we not simply saying :
"It will commonly be the case that the use of a UDP tunnel is
functionally equivalent to GRE, and consequently when the
UDP c/s is not used, there may be some level of undetected
data corruption in the tunnel which is propagated to the recipient
of the tunnel payload. Thus, where the UDP c/s is not used
in a tunnel application, the same consideration of data integrity
apply to both UDP tunnels as apply to GRE tunnels, and must
be taken into consideration by the tunnel provider."
That is probably the necessary and sufficient text for the the
reader to understand the context and the design considerations.
- Stewart
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
