Hi Joel, Let me very clear here.
I am not really proposing any changes. What is already standardized is sufficient to address all issues raised. All I was doing in those threads is to clarify what problem are we talking about and how could it be fixed reasonably. And yes I did read RFC6936 and it does seems to very well fit the subject of concern few people are expressing. To restate - if end SRv6 hosts have issues to connect due to checksum then can encap the SRv6. Solved. If we want to automate such fallback is a different topic and folks who think such fallback should be automatic can start a separate thread. The crux of the matter is that for 99.99% of deployments using today uSID there are no issues. Kind regards, Robert On Thu, Mar 28, 2024 at 4:46 PM Joel Halpern <j...@joelhalpern.com> wrote: > Robert, as far as I can tell, you are asking for a different change than > any of the other proposals. If I understand, you are proposing that even > end hosts inside an SRv6 domain should encapsulate the underlying IPv6 > packet. In order to help the chairs keep track, and tell if there are > other folks who also support such a change, I have changed the subject line > and ask that if there is more to say, people use this subject line. > > I look forward to comments from folks beyond Tom and Robert on this > subject. > > Yours, > > Joel M. Halpern > On 3/28/2024 11:40 AM, Robert Raszuk wrote: > > Hi Tom, > > Not really. > > RFC8200 defines an exception which is tunneling and says: > > As an exception to the default behavior, protocols that use UDP > as a tunnel encapsulation may enable zero-checksum mode for a > specific port (or set of ports) for sending and/or receiving. > Any node implementing zero-checksum mode must follow the > requirements specified in "Applicability Statement for the Use > of IPv6 UDP Datagrams with Zero Checksums" [RFC6936 > <https://datatracker.ietf.org/doc/html/rfc6936>]. > > > So in practice if we always tunnel SRv6 there is no issue. > > Even Andrew agreed with that :) > > Cheers, > Robert > > On Thu, Mar 28, 2024 at 4:36 PM Tom Herbert <t...@herbertland.com> wrote: > >> On Thu, Mar 28, 2024 at 7:46 AM Robert Raszuk <rob...@raszuk.net> wrote: >> > >> > Hi Tom, >> > >> > > because of SRH >> > >> > Ok I buy this that there are devices which do check checksum and are >> not final destination of the packets ... I was more talking about plain >> forwarding devices (aka P routers). Then I doubt firewalls would be sitting >> in the core of the networks. >> > >> > But let me come black to what I believe is the main disconnect. >> > >> > Why SRH would cause an issue ? I think there is claimed issue *ONLY* >> with SRv6 packets which are not encapsulated - call it raw - sent by the >> hosts which talk SRv6 and sent with more then one SID/uSID which may get >> swapped on the way. >> > >> > Because only in those cases the destination address will be changing >> while checksum of the tunnel header will not be zero. >> > >> > So what we should I think discuss are really B.1 and B.2.2 cases. >> >> Robert, >> >> The scenario that I'm talking about is really simple, and it's not >> specific to segment routing. If someone sends a TCP in an IPv6 packet >> with no routing header then the convention is that the TCP checksum is >> valid end to end. So if the addresses are changed in flight, like in >> NAT, then we expect that some part of the packet covered by the >> checksum is adjusted to offset the change. If a packet is sent in >> segment routing without an SRH with EtherType 0x86DD then it IS an >> IPv6 packet to the network so all the conventions and requirements of >> IPv6 should be applied. IMO, if SRv6 can't maintain these conventions >> and requirements then it should fork from IPv6 and use a different >> EtherType. >> >> Tom >> >> > >> > Francois, Pablo - could you comment on this how often do we see those >> type of SRv6 deployments ? And also could you comment if operator who >> enables SRv6 in the first place sees those checksum errors how difficult is >> to address it ? >> > >> > Thx, >> > Robert >> > >> > >> > On Thu, Mar 28, 2024 at 3:29 PM Tom Herbert <t...@herbertland.com> >> wrote: >> >> >> >> On Thu, Mar 28, 2024 at 6:26 AM Robert Raszuk <rob...@raszuk.net> >> wrote: >> >> > >> >> > Hi Alvaro, >> >> > >> >> > On this specific topic I think you have flatted it a bit too much. >> >> > >> >> > These are apparently the options on the table: >> >> > >> >> > A) Original packet get's encapsulated with IPv6 header >> >> > >> >> > A.1 SHR is added to it >> >> > >> >> > A.1.1. Regular SIDs are used >> >> > A.1.2 Compresses SIDs are used >> >> > >> >> > A.2 SRH is not added to it >> >> > >> >> > A.2.1. Regular SID is used as destination >> >> > A.2.2 Compresses SIDs are used in a container >> >> > A.2.3 Compresses SID is used >> >> > >> >> > B) Original packet get's send from SRv6 host (without encapsulation) >> >> > >> >> > B.1 SHR is added to it >> >> > >> >> > B.1.1. Regular SIDs are used >> >> > B.1.2 Compresses SIDs are used >> >> > >> >> > B.2 SRH is not added to it >> >> > >> >> > B.2.1. Regular SID is used as destination >> >> > B.2.2 Compresses SIDs are used in a container >> >> > B.2.3 Compresses SID is used >> >> > >> >> > So within all checksum related discussions so far it seems that the >> only concern is about B.2.2 and perhaps B.1 however folks did state that if >> there is SRH added there is no issue so I am not sure how the presence of >> SRH fixes it. >> >> > >> >> > Maybe there was some assumption that presence of SRH mandates >> encapsulation, but I do not believe this is the case for native SRv6 hosts. >> >> > >> >> > All in all I think it should be no business for transit nodes to >> verify packet's upper layer checksum. I do not know if there is any RFC >> which would describe what is an expected behavior for transit nodes or even >> say that they MAY do it. >> >> >> >> Robert, >> >> >> >> I can go further than that. I believe that intermediate nodes have no >> >> business parsing into the transport layer, and yet firewalls do that >> >> all the time even though there is no standard RFC on it (I've asked >> >> for someone to formalize the requirements of firewalls, but to no >> >> avail). Validating the checksum in flight is an instance of this, and >> >> there are devices that commonly do this in deployment. Protocol >> >> specific checksum offload in NICs is one example. Also, if someone is >> >> seeing checksum failures in their network, an obvious action is to >> >> sample packets from routers in the path and look at the traces. If the >> >> checksum is incorrect on the wire because of SRH then the operator >> >> sees a whole bunch of checksum errors at the router, but has no way to >> >> distinguish those packets that are actually good from those that are >> >> bad. >> >> >> >> It's a long established convention in IP that the transport checksum >> >> is maintained to be correct on the wire-- this is done in NAT by >> >> adjusting the checksum directly, there's also checksum neutral NAT >> >> that adjusts another part of the IPv6 header to keep the transport >> >> layer checksum correct. IMO, deviating from this convention is risky, >> >> not just to SRH packets but that can have collateral damage like >> >> breaking the user's ability to debug bad links as I described above. >> >> >> >> Tom >> >> >> >> > >> >> > Kind regards, >> >> > Robert >> >> > >> >> > >> >> > >> >> > On Thu, Mar 28, 2024 at 1:06 PM Alvaro Retana < >> aretana.i...@gmail.com> wrote: >> >> >> >> >> >> Focusing on the C-SID draft, some have suggested requiring the >> >> >> presence of the SRH whenever C-SIDs are used. Please discuss whether >> >> >> that is the desired behavior (or not) -- please be specific when >> >> >> debating the benefits or consequences of either behavior. >> >> >> >> >> >> Please keep the related (but independent) discussion of requiring >> the >> >> >> SRH whenever SRv6 is used separate. This larger topic may impact >> >> >> several documents and is better handled in a different thread (with >> >> >> 6man and spring included). >> >> >> >> >> >> Thanks! >> >> >> >> >> >> Alvaro >> >> >> -- for spring-chairs >> >> >> >> >> >> -------------------------------------------------------------------- >> >> >> IETF IPv6 working group mailing list >> >> >> i...@ietf.org >> >> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 >> >> >> -------------------------------------------------------------------- >> >> > >> >> > -------------------------------------------------------------------- >> >> > IETF IPv6 working group mailing list >> >> > i...@ietf.org >> >> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 >> >> > -------------------------------------------------------------------- >> >
_______________________________________________ spring mailing list spring@ietf.org https://www.ietf.org/mailman/listinfo/spring
