On Mon, Jun 3, 2024 at 5:00 AM Alvaro Retana <aretana.i...@gmail.com> wrote:
>
> Dear 6man WG:
>
> As you may be aware, the spring WG is in the process of advancing
> draft-ietf-spring-srv6-srh-compression [1]. The WGLC discussions have
> resulted in the need to ask you the following questions (see below)
> related to the use/operation of compressed SIDs (C-SIDs).
>
> Please provide any opinions by June 14, 2024.
>
> Thanks!
>
> spring-chairs
>
>
>
> §6.5 (Upper-Layer Checksums) explains how to calculate the Upper-Layer
> Checksum in the presence of C-SIDs. §9.3 (Upper Layer Checksum
> Considerations) discusses the related operational considerations.
> For convenience, both sections are reproduced here:
>
> ===== ===== draft-ietf-spring-srv6-srh-compression-17 ===== =====
>
> 6.5. Upper-Layer Checksums
>
>    The Destination Address used in the IPv6 pseudo-header (Section 8.1
>    of [RFC8200]) is that of the ultimate destination.
>
>    At the SR source node, that address will be the Destination Address
>    as it is expected to be received by the ultimate destination. When
>    the last element in the compressed SID list is a C-SID container,
>    this address can be obtained from the last element in the
>    uncompressed SID list or by repeatedly applying the segment behavior
>    as described in Section 9.2. This applies regardless of whether an
>    SRH is present in the IPv6 packet or omitted.
>
>    At the ultimate destination(s), that address will be in the
>    Destination Address field of the IPv6 header.
>
> ...
>
> 9.3. Upper Layer Checksum Considerations
>
>    Upper layer checksums are computed by the originator of an IPv6
>    packet and verified by the ultimate destination(s) as it processes
>    the upper layer protocol.
>
>    As specified in Section 6.5, SR source nodes originating TCP/UDP
>    packets ensure that the upper layer checksum is correctly calculated
>    based on the ultimate destination of the session, which may be
>    different from the address placed in the IPv6 destination address.
>    Such SR source nodes leveraging TCP/UDP offload engines may require
>    enhancements to convey the ultimate destination address. These
>    implementation enhancements are outside the scope of this document.
>
>    It was reported that some network node implementations, including
>    middleboxes such as packet sniffers and one software router
>    implementation, may attempt to verify the upper layer checksum of
>    transit IPv6 packets. These nodes, if deployed inside the SR domain,
>    may fail to verify the upper layer checksum of transit SRv6 traffic,
>    possibly resulting in dropped packets or in the inability to carry
>    out their function. Making these implementations SRv6 aware in
>    general or C-SID aware in particular is out of the scope of this
>    document.
>
> ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== =====
>
>
> Is this text aligned with §8.1/rfc8200 (Upper-Layer Checksums) [2]?
> Does anything need to be added, deleted, changed, or clarified?
>
> Is using C-SIDs in the above scenarios (§9.3) compatible with IPv6
> transit node deployments compliant with rfc8200?
>
> Does using C-SIDs as specified above represent a modification to the
> IPv6 dataplane? If so, is the modification considered acceptable to
> the WG?

Alvaro,

Yes, this has major impacts on host dataplanes particularly when the
SRH is not present. As the new text states, this potentially breaks
useful and deployed functionality in middleboxes and at end hosts (for
instance, this would break certain types of NIC offloads). The new
text suggests that we need to make middlebox implementations of SRv6
aware, but I think that's backwards-- it's the new protocol that's
breaking existing implementations so the problems should be addressed
in the protocol definition. Note the checksum problem can be fixed by
applying a variant of checksum-neutral mapping NAT (Section 2.6,
RFC6296).

IMO, the bigger issue here is that the idea of sending a compressed
SID list without a routing header is not well specified. In the draft,
the only statement I can find about it is:

"If the SR Policy results in a Segment List containing a single
segment, and there is no need to add information to the SRH flag or
add TLV; the DA is set to the single Segment List entry, and the SRH
MAY be omitted."

This needs a lot more elaboration and requirements and motivation.
AFAICT, in this mode segment routing degenerates to Network Address
Translation except that there's no requirement to maintain the correct
checksum. Why not explicitly say that? Also, do the benefits outweigh
the costs? We could put a minimum sized 8 byte SRH in packets to
ensure that the network won't try to interpret the packet as a plain
IPv6 packet. Is sending eight bytes to avoid ambiguity going to really
break any applications? Maybe the idea makes sense and can be
justified or maybe it really isn't worth doing, but either way clarity
in the draft on the requirements and motivations seems prudent.

Tom

>
>
> [1] https://datatracker.ietf.org/doc/html/draft-ietf-spring-srv6-srh-compression
>
> [2] https://datatracker.ietf.org/doc/html/rfc8200#autoid-17
>
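
Added example, not part of the thread or of the draft: it computes a UDP checksum over the RFC 8200 pseudo-header using the ultimate destination, as §6.5 of the draft specifies, then checks it the way a verifying transit node would, using the address actually on the wire. It also applies the arithmetic of RFC 6296 Section 2.6 to one address pair. The addresses, ports, 16-bit C-SID layout and the choice of the last 16-bit word to carry the adjustment are assumptions made for illustration; the draft does not define such an adjustment.

```python
import ipaddress
import struct

UDP = 17  # IPv6 Next Header value for UDP

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, upper_len: int) -> bytes:
    """RFC 8200 Section 8.1 pseudo-header: src, dst, length, 3 zero bytes, NH."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I3xB", upper_len, UDP))

def udp_segment(src: str, csum_dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP segment whose checksum covers csum_dst, as the SR source does."""
    length = 8 + len(payload)
    head = struct.pack("!HHHH", sport, dport, length, 0)
    csum = ~ones_sum(pseudo_header(src, csum_dst, length) + head + payload) & 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum or 0xFFFF) + payload

def verifies(src: str, dst: str, segment: bytes) -> bool:
    """Check as a verifying node would, using dst as the pseudo-header DA."""
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def checksum_neutral(wire_dst: str, ultimate_dst: str) -> ipaddress.IPv6Address:
    """Rewrite the last 16-bit word of wire_dst so its sum matches ultimate_dst."""
    wire = ipaddress.IPv6Address(wire_dst).packed
    target = ones_sum(ipaddress.IPv6Address(ultimate_dst).packed)
    adjust = (target - ones_sum(wire[:14])) % 0xFFFF  # one's-complement subtract
    return ipaddress.IPv6Address(wire[:14] + struct.pack("!H", adjust))

# Constructed sample values (documentation prefix, 16-bit C-SIDs assumed).
SRC = "2001:db8:a::1"
ULTIMATE_DA = "2001:db8:0:300::"      # DA as received by the ultimate destination
WIRE_DA = "2001:db8:0:100:200:300::"  # C-SID container in the DA, SRH omitted
SEGMENT = udp_segment(SRC, ULTIMATE_DA, 40000, 53, b"constructed payload")

if __name__ == "__main__":
    print("ultimate destination verifies:", verifies(SRC, ULTIMATE_DA, SEGMENT))
    print("transit node on wire DA      :", verifies(SRC, WIRE_DA, SEGMENT))
    neutral = checksum_neutral(WIRE_DA, ULTIMATE_DA)
    print("checksum-neutral DA", neutral, verifies(SRC, str(neutral), SEGMENT))
```

The adjusted address only holds for this one on-wire value: any later rewrite of the Destination Address changes its sum again.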
