On Thu, Apr 4, 2024, 4:59 PM Robert Raszuk <rob...@raszuk.net> wrote:

>
> Well software could know that but not NICs nor ASICs ...
>

Robert,

Sure they do. If a NIC or an ASIC wants to look at the transport layer then
they'd have to parse over the Routing Header. So they *know* it's there,
and the processing of routing headers is well specified. If they ignore the
RH and try to verify checksum based an intermediate address then it won't
work-- that's expected behavior. So when RH is present, everyone knows how
L4 checksum works.

Tom


> On Thu, Apr 4, 2024 at 10:57 PM Tom Herbert <t...@herbertland.com> wrote:
>
>>
>>
>> On Thu, Apr 4, 2024, 4:00 PM Robert Raszuk <rob...@raszuk.net> wrote:
>>
>>> Tom,
>>>
>>> I have full sympathy for your points.
>>>
>>> But I can not understand how suddenly SR uSID is the issue and normal
>>> IPv6 vanilla Routing Headers are ok as defined checksum wise in RFC8200.
>>>
>>> Maybe someone could elaborate a bit on that ?
>>>
>>
>> Robert,
>>
>> Because, when a routing header is present we know that the final address
>> in the list is the one to used as the destination address in the pseudo
>> header. If the last address is uncompressed or can be decompressed without
>> additional state then we can calculate the checksum based on that (also,
>> that allows us to track flows in the network which is another useful thing
>> in a data center).
>>
>> Tom
>>
>>
>>> Thx,
>>> R.
>>>
>>> PS. And of course in spite of all effort from Alvaro to sort the topics
>>> the threads again got completely mangled and everyone is describing their
>>> perceived issue in random thread. My gently hint for the chairs would be to
>>> log issues in github and have more structured processing them there.
>>>
>>>
>>>
>>> On Thu, Apr 4, 2024 at 9:50 PM Tom Herbert <t...@herbertland.com> wrote:
>>>
>>>>
>>>>
>>>> On Thu, Apr 4, 2024, 3:37 PM Ole Trøan <otroan=
>>>> 40employees....@dmarc.ietf.org> wrote:
>>>>
>>>>> Tom,
>>>>>
>>>>> Can you point to any IETF specification requiring that middle boxes
>>>>> should be able to validate a l4 checksum? IPsec be damn.  It just seems
>>>>> like a path we should not go down.
>>>>>
>>>>
>>>> Ole,
>>>>
>>>> No, but neither can I point to an RFC that says firewalls have to parse
>>>> deep into packets. The point is that we know people can and do such things
>>>> (packet traces and checksum offload are deployed use cases for this).
>>>>
>>>> The transport checksum has been maintained to be correct on the wire in
>>>> plain UDP,TCP/IPv6 for thirty years even in NAT. Breaking that convention
>>>> without considering the ramifications could very well lead to some
>>>> unhappiness. And my concern is that problems would not just be confined to
>>>> SR packets, but could affect non-SR (like how we debug checksum problems in
>>>> non-SR traffic).
>>>>
>>>> Tom
>>>>
>>>>
>>>>> O.
>>>>>
>>>>>
>>>>>
>>>>> On 4 Apr 2024, at 21:22, Tom Herbert <tom=
>>>>> 40herbertland....@dmarc.ietf.org> wrote:
>>>>>
>>>>> 
>>>>>
>>>>>
>>>>> On Thu, Apr 4, 2024, 3:12 PM Robert Raszuk <rob...@raszuk.net> wrote:
>>>>>
>>>>>> Tom,
>>>>>>
>>>>>> >  SR aware routers to update L4 checksum
>>>>>>
>>>>>> That is completely unrealistic.
>>>>>>
>>>>>> Show me the box which can forward all interfaces at 800 Gb/s and read
>>>>>> entire each packet and compute upper layer checksum on it.
>>>>>>
>>>>>
>>>>> Robert,
>>>>>
>>>>> It's not necessary to calculate the whole checksum, only the L4
>>>>> checksum needs to be updated by adding in the delta checksum. With IPv6 we
>>>>> can also do a checksum neutral mapping. Basically, this uses the low order
>>>>> 16 bits in the DA address as the checksum adjustment value. For instance,
>>>>> if we can use the low order bits in a SID block then that would be 
>>>>> simplest
>>>>> to implement.
>>>>>
>>>>> Tom
>>>>>
>>>>>
>>>>>> If anything just do encap and move on.
>>>>>>
>>>>>> Thx,
>>>>>> R.
>>>>>>
>>>>>>
>>>>>> On Thu, Apr 4, 2024 at 7:06 PM Tom Herbert <t...@herbertland.com>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Apr 4, 2024, 12:30 PM Robert Raszuk <rob...@raszuk.net>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Tom,
>>>>>>>>
>>>>>>>> Yes I am with you here.
>>>>>>>>
>>>>>>>> However let's observe that this is pretty common best practice to
>>>>>>>> disable any hardware offload on the box when running tcpdump or 
>>>>>>>> wireshark.
>>>>>>>>
>>>>>>>> In fact some implementations (F5) do it for you automagically :)
>>>>>>>>
>>>>>>>> And as it has been said based on the fact that hardware offload
>>>>>>>> does not understand any Routing Headers it really does not matter if 
>>>>>>>> it is
>>>>>>>> there or not :)
>>>>>>>>
>>>>>>>
>>>>>>> Robert,
>>>>>>>
>>>>>>> tcpdump is independent of hardware offload. If the checksum is
>>>>>>> incorrect per the packet contents we'll see bad checksums reported if we
>>>>>>> snoop packets, but like I said, we can't differentiate the bad from the
>>>>>>> good.
>>>>>>>
>>>>>>> Offload becomes an issue for NICs that do protocol specific checksum
>>>>>>> offload. We lose the capability on RX which is an inconvenience, on TX 
>>>>>>> we'd
>>>>>>> need to change the implementation to ensure the checksum is not 
>>>>>>> computed by
>>>>>>> HW.
>>>>>>>
>>>>>>> If SR without SRH is needed, then I believe the best answer is for
>>>>>>> SR aware routers to update L4 checksum when they change DA per NAT
>>>>>>> requirements. This solves tcpdump as well as offloads.
>>>>>>>
>>>>>>> Tom
>>>>>>>
>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> R.
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Apr 4, 2024 at 6:11 PM Tom Herbert <tom=
>>>>>>>> 40herbertland....@dmarc.ietf.org> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Apr 4, 2024, 11:48 AM Francois Clad <fclad.i...@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Tom,
>>>>>>>>>>
>>>>>>>>>> Tcpdump can determine that this packet is steered onto an SRv6
>>>>>>>>>> path by checking if the DA matches the SRv6 SID block.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Francois,
>>>>>>>>>
>>>>>>>>> That would require introducing external state to tcpdump for
>>>>>>>>> correct operation. This would be a major divergence in both 
>>>>>>>>> implementation
>>>>>>>>> and ops compared to how things work today.
>>>>>>>>>
>>>>>>>>> Tom
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Francois
>>>>>>>>>>
>>>>>>>>>> On 4 Apr 2024 at 16:59:59, Tom Herbert <t...@herbertland.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Apr 4, 2024, 9:39 AM Francois Clad <fclad.i...@gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Mark,
>>>>>>>>>>>>
>>>>>>>>>>>> Tcpdump/wireshark decodes the IPv6 header just fine. I do not
>>>>>>>>>>>> see any issue here.
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Francois,
>>>>>>>>>>>
>>>>>>>>>>> The problem is that tcpdump can't tell that a packet is an SR
>>>>>>>>>>> packet if there's no SRH. For instance, if the checksum is not 
>>>>>>>>>>> maintained
>>>>>>>>>>> to be correct in the wire then tcpdump will show that the packet 
>>>>>>>>>>> has a bad
>>>>>>>>>>> L4 checksum, but there's no way to tell if that is an SR packet or 
>>>>>>>>>>> if the
>>>>>>>>>>> checksum is actually bad. This will make debugging checksum 
>>>>>>>>>>> failures in the
>>>>>>>>>>> network much more difficult, and this affects our ability to debug 
>>>>>>>>>>> all
>>>>>>>>>>> traffic not just SR packets.
>>>>>>>>>>>
>>>>>>>>>>> Tom
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> Cheers,
>>>>>>>>>>>> Francois
>>>>>>>>>>>>
>>>>>>>>>>>> On 4 Apr 2024 at 14:09:43, Mark Smith <markzzzsm...@gmail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thu, 4 Apr 2024, 22:50 Francois Clad, <fclad.i...@gmail.com>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Alvaro, all,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> RFC 8754 allows the SR source node to omit the SRH when it
>>>>>>>>>>>>>> contains redundant information with what is already carried in 
>>>>>>>>>>>>>> the base
>>>>>>>>>>>>>> IPv6 header. Mandating its presence for C-SID does not resolve 
>>>>>>>>>>>>>> any problem
>>>>>>>>>>>>>> because it will not provide any extra information to the nodes 
>>>>>>>>>>>>>> along the
>>>>>>>>>>>>>> packet path.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> How are troubleshooting tools like 'tcpdump' going to know how
>>>>>>>>>>>>> to automatically decode these packets as SRv6 packets if there is 
>>>>>>>>>>>>> no SRH?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Specifically for the case of middleboxes attempting to verify
>>>>>>>>>>>>>> the upper-layer checksum,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>    - An SRv6-unaware middlebox will not be able to verify
>>>>>>>>>>>>>>    the upper-layer checksum of SRv6 packets in flight, 
>>>>>>>>>>>>>> regardless of whether
>>>>>>>>>>>>>>    an SRH is present or not.
>>>>>>>>>>>>>>    - An SRv6 and C-SID aware middlebox will be able to find
>>>>>>>>>>>>>>    the ultimate DA and verify the upper-layer checksum in 
>>>>>>>>>>>>>> flight, regardless
>>>>>>>>>>>>>>    of whether an SRH is present or not.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Furthermore, transit nodes (e.g., middleboxes) should not
>>>>>>>>>>>>>> attempt to identify SRv6 traffic based on the presence of the 
>>>>>>>>>>>>>> SRH, because
>>>>>>>>>>>>>> they will miss a significant portion of it: all the best-effort 
>>>>>>>>>>>>>> or
>>>>>>>>>>>>>> Flex-Algo traffic steered with a single segment may not include 
>>>>>>>>>>>>>> an SRH,
>>>>>>>>>>>>>> even without C-SID. Instead, RFC 8402, 8754, and 8986 define 
>>>>>>>>>>>>>> identification
>>>>>>>>>>>>>> rules based on the SRv6 SID block.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> Francois
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 2 Apr 2024 at 19:44:51, Alvaro Retana <
>>>>>>>>>>>>>> aretana.i...@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [Moving this conversation up on your mailbox. :-) ]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [Thanks, Robert and Tom for your input!]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We want to hear from more of you, including the authors.
>>>>>>>>>>>>>>> Even if you already expressed your opinion in a different 
>>>>>>>>>>>>>>> thread, please
>>>>>>>>>>>>>>> chime in here.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We will collect feedback until the end of this week.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Alvaro.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On March 28, 2024 at 8:06:18 AM, Alvaro Retana (
>>>>>>>>>>>>>>> aretana.i...@gmail.com) wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Focusing on the C-SID draft, some have suggested requiring
>>>>>>>>>>>>>>> the presence of the SRH whenever C-SIDs are used. Please 
>>>>>>>>>>>>>>> discuss whether
>>>>>>>>>>>>>>> that is the desired behavior (or not) -- please be specific 
>>>>>>>>>>>>>>> when debating
>>>>>>>>>>>>>>> the benefits or consequences of either behavior.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Please keep the related (but independent) discussion of
>>>>>>>>>>>>>>> requiring the SRH whenever SRv6 is used separate. This larger 
>>>>>>>>>>>>>>> topic may
>>>>>>>>>>>>>>> impact several documents and is better handled in a different 
>>>>>>>>>>>>>>> thread (with
>>>>>>>>>>>>>>> 6man and spring included).
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Alvaro
>>>>>>>>>>>>>>> -- for spring-chairs
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>>>>>>>> i...@ietf.org
>>>>>>>>>>>>>>> Administrative Requests:
>>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>>>>>>> i...@ietf.org
>>>>>>>>>>>>>> Administrative Requests:
>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>>>>> i...@ietf.org
>>>>>>>>>>>> Administrative Requests:
>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>>>>>
>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>> i...@ietf.org
>>>>>>>>> Administrative Requests:
>>>>>>>>> https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>>
>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>
>>>>>>>> --------------------------------------------------------------------
>>>>> IETF IPv6 working group mailing list
>>>>> i...@ietf.org
>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>> --------------------------------------------------------------------
>>>>>
>>>>>
_______________________________________________
spring mailing list
spring@ietf.org
https://www.ietf.org/mailman/listinfo/spring

Reply via email to