Hi Tom, Not really.
RFC8200 defines an exception which is tunneling and says: As an exception to the default behavior, protocols that use UDP as a tunnel encapsulation may enable zero-checksum mode for a specific port (or set of ports) for sending and/or receiving. Any node implementing zero-checksum mode must follow the requirements specified in "Applicability Statement for the Use of IPv6 UDP Datagrams with Zero Checksums" [RFC6936 <https://datatracker.ietf.org/doc/html/rfc6936>]. So in practice if we always tunnel SRv6 there is no issue. Even Andrew agreed with that :) Cheers, Robert On Thu, Mar 28, 2024 at 4:36 PM Tom Herbert <t...@herbertland.com> wrote: > On Thu, Mar 28, 2024 at 7:46 AM Robert Raszuk <rob...@raszuk.net> wrote: > > > > Hi Tom, > > > > > because of SRH > > > > Ok I buy this that there are devices which do check checksum and are not > final destination of the packets ... I was more talking about plain > forwarding devices (aka P routers). Then I doubt firewalls would be sitting > in the core of the networks. > > > > But let me come black to what I believe is the main disconnect. > > > > Why SRH would cause an issue ? I think there is claimed issue *ONLY* > with SRv6 packets which are not encapsulated - call it raw - sent by the > hosts which talk SRv6 and sent with more then one SID/uSID which may get > swapped on the way. > > > > Because only in those cases the destination address will be changing > while checksum of the tunnel header will not be zero. > > > > So what we should I think discuss are really B.1 and B.2.2 cases. > > Robert, > > The scenario that I'm talking about is really simple, and it's not > specific to segment routing. If someone sends a TCP in an IPv6 packet > with no routing header then the convention is that the TCP checksum is > valid end to end. So if the addresses are changed in flight, like in > NAT, then we expect that some part of the packet covered by the > checksum is adjusted to offset the change. If a packet is sent in > segment routing without an SRH with EtherType 0x86DD then it IS an > IPv6 packet to the network so all the conventions and requirements of > IPv6 should be applied. IMO, if SRv6 can't maintain these conventions > and requirements then it should fork from IPv6 and use a different > EtherType. > > Tom > > > > > Francois, Pablo - could you comment on this how often do we see those > type of SRv6 deployments ? And also could you comment if operator who > enables SRv6 in the first place sees those checksum errors how difficult is > to address it ? > > > > Thx, > > Robert > > > > > > On Thu, Mar 28, 2024 at 3:29 PM Tom Herbert <t...@herbertland.com> wrote: > >> > >> On Thu, Mar 28, 2024 at 6:26 AM Robert Raszuk <rob...@raszuk.net> > wrote: > >> > > >> > Hi Alvaro, > >> > > >> > On this specific topic I think you have flatted it a bit too much. > >> > > >> > These are apparently the options on the table: > >> > > >> > A) Original packet get's encapsulated with IPv6 header > >> > > >> > A.1 SHR is added to it > >> > > >> > A.1.1. Regular SIDs are used > >> > A.1.2 Compresses SIDs are used > >> > > >> > A.2 SRH is not added to it > >> > > >> > A.2.1. Regular SID is used as destination > >> > A.2.2 Compresses SIDs are used in a container > >> > A.2.3 Compresses SID is used > >> > > >> > B) Original packet get's send from SRv6 host (without encapsulation) > >> > > >> > B.1 SHR is added to it > >> > > >> > B.1.1. Regular SIDs are used > >> > B.1.2 Compresses SIDs are used > >> > > >> > B.2 SRH is not added to it > >> > > >> > B.2.1. Regular SID is used as destination > >> > B.2.2 Compresses SIDs are used in a container > >> > B.2.3 Compresses SID is used > >> > > >> > So within all checksum related discussions so far it seems that the > only concern is about B.2.2 and perhaps B.1 however folks did state that if > there is SRH added there is no issue so I am not sure how the presence of > SRH fixes it. > >> > > >> > Maybe there was some assumption that presence of SRH mandates > encapsulation, but I do not believe this is the case for native SRv6 hosts. > >> > > >> > All in all I think it should be no business for transit nodes to > verify packet's upper layer checksum. I do not know if there is any RFC > which would describe what is an expected behavior for transit nodes or even > say that they MAY do it. > >> > >> Robert, > >> > >> I can go further than that. I believe that intermediate nodes have no > >> business parsing into the transport layer, and yet firewalls do that > >> all the time even though there is no standard RFC on it (I've asked > >> for someone to formalize the requirements of firewalls, but to no > >> avail). Validating the checksum in flight is an instance of this, and > >> there are devices that commonly do this in deployment. Protocol > >> specific checksum offload in NICs is one example. Also, if someone is > >> seeing checksum failures in their network, an obvious action is to > >> sample packets from routers in the path and look at the traces. If the > >> checksum is incorrect on the wire because of SRH then the operator > >> sees a whole bunch of checksum errors at the router, but has no way to > >> distinguish those packets that are actually good from those that are > >> bad. > >> > >> It's a long established convention in IP that the transport checksum > >> is maintained to be correct on the wire-- this is done in NAT by > >> adjusting the checksum directly, there's also checksum neutral NAT > >> that adjusts another part of the IPv6 header to keep the transport > >> layer checksum correct. IMO, deviating from this convention is risky, > >> not just to SRH packets but that can have collateral damage like > >> breaking the user's ability to debug bad links as I described above. > >> > >> Tom > >> > >> > > >> > Kind regards, > >> > Robert > >> > > >> > > >> > > >> > On Thu, Mar 28, 2024 at 1:06 PM Alvaro Retana <aretana.i...@gmail.com> > wrote: > >> >> > >> >> Focusing on the C-SID draft, some have suggested requiring the > >> >> presence of the SRH whenever C-SIDs are used. Please discuss whether > >> >> that is the desired behavior (or not) -- please be specific when > >> >> debating the benefits or consequences of either behavior. > >> >> > >> >> Please keep the related (but independent) discussion of requiring the > >> >> SRH whenever SRv6 is used separate. This larger topic may impact > >> >> several documents and is better handled in a different thread (with > >> >> 6man and spring included). > >> >> > >> >> Thanks! > >> >> > >> >> Alvaro > >> >> -- for spring-chairs > >> >> > >> >> -------------------------------------------------------------------- > >> >> IETF IPv6 working group mailing list > >> >> i...@ietf.org > >> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > >> >> -------------------------------------------------------------------- > >> > > >> > -------------------------------------------------------------------- > >> > IETF IPv6 working group mailing list > >> > i...@ietf.org > >> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > >> > -------------------------------------------------------------------- >
_______________________________________________ spring mailing list spring@ietf.org https://www.ietf.org/mailman/listinfo/spring