Pascal,
I think the root of this discussion is the distinction between IPPL and
multi-link subnets, which are similar but not they same.
Thus I'm planning to add this paragraph to the end of section 1:
The cases covered in this document are where the link has been
intentionally partitioned, which is different from the cases where a
collection of links are joined to have a common IP subnet prefix. An
example of the differences is the expected behavior for packets sent
to link-local IP addresses. The issues for such multi-link subnets
are described in [RFC4903].
I don't know if we should add more text to further clarify this distinction.
please see more inline.
On 03/02/2017 06:29 AM, Pascal Thubert (pthubert) wrote:
Erik wrote:
Do you know of any existing document/protocol which describes such
intentionally partitioned tunnel setups?
If so there would be something we could reference, and there would be a
reason to clarify the scope in this document.
[Pascal] I'm thinking of the cases described in IPv6 ND proxies, RFC
4389; the case above would be scenario 2, and the desire would be to
avoid copying the L2 broadcasts over the possibly slow PPP link. ND
proxy can indeed be useful in subnet configurations where people want to
isolate portions of the layer 2 network, not necessarily for security
reasons but also, say, to limit the broadcast domain and protect
wireless clients. The configurations proposed in the RFC force going
through L3 and appears to me as forms of IPPL. Would you agree?
The IPPL draft does mention RFC4389 not as a network topology but as a
potential solution. You might want to look at that text if you haven't
already.
So while in principle IPPL can be applied to a subnet split across
tunnels, I still don't have a document to reference which shows a IPPL
tunnel setup.
* Finally there's the multilink subnet whereby the router
interconnects the limited ports with the core at L3. In that case, the
router has multiple ports on the subnet, as opposed to the PVLAN where
it has only one, thus the risk of ARP loop. This case appears to be not
covered, though it makes the proxy ARP operation much more natural. Is
that correct?
For me to understand your case you have to separate out the L3
configuration and what it sees as L3 interfaces (whether those are L3
ports or SVIs); for IPPL it doesn't matter which mapping there is
between L3 interfaces and L2 ports.
So are the ports you refer to L2 ports with IP seeing an SVI? Or
something else?
[Pascal] No, I’m not talking about an SVI but about placing a router
where the IPPL draft places a switch.
But that would be out of scope of this draft.
IPPL is looking at cases where the layer2 is intentionally set up to
provide partial connectivity and what layer3 needs to do to correctly
handle such links i.e. coping with the L2 behavior.
If layer3 is doing something (like multi-link subnets) to gather
multiple links into a subnet prefix, then layer3 is fully in control.
Note that in a multi-link subnet case, packets sent to link-local
addresses (IPv4/v6 multicast and IPv6 unicast) would by definition stay
within the scope of the link. The subnet scope is larger than the link.
For IPPL the link itself is partitioned hence the expectation is that
packets addressed to link local destinations will be delivered. (Of
course, in some deployments there might be security policies resulting
blocking some particular 5-tuple
The router also has the effect of partitioning the L2 broadcast domain.
No, in that case the router is gluing things together, not coping with
some L2 behavior. The broadcast domain would be partitioned before the
router glues together the multiple links into one subnet.
I understand that IEEE Std 802.11 recommends the use of ND proxy to
protect the wireless edge, which is yet another form of topology, not
explicited by RFC 4389, but covered by draft-ietf-6lo-backbone-router
for the context of constrained power. Ccing Dorothy to make sure I’m not
mis-representing the IEEE position.
That sounds like a combined L2 and L3 solution, which is different than
IPPL.
My question is really about the scope of the IPPL document, considering
that the term IPPL seems a lot larger in scope than private vlans…
The document has three examples (DSL, Cable, and private VLANs) where
the L2 forwarding of frames on the link is not transitive yet the link
is seen as a single link by IP, and where IP has to cope with the
implications of the L2 behavior. Private VLANs has the richest behavior
of those, hence requires the most care.
Intentionally joining multiple links into a multi-link IP subnet is
different and we already have that behavior specified in other RFCs.
[Pascal] I agree that the DAD that the Pvlan nodes see are issued by the
router, and that’s how the end device are kept unaware of each other,
and that’s part of the router being a proxy. My point was not about the
information being transported with the same packet, but about the loop
avoidance text in the proxy operation:
“
For the ARP proxy to be robust it MUST avoid loops where router1
attached to the link sends an ARP request which is received by
router2 (also attached to the link), resulting in an ARP request from
router2 to be received by router1.
“
Point is, the L3 switch makes a difference between what’s coming from an
access port that’s private and what’s coming from a port connected to
the primary vlan (the backbone) where the routers are sitting. In
particular, DAD requests coming from the primary are not proxied back to
the primary, so there is no loop. The proxy checks if it has a matching
state on a private port in which case it replies, otherwise it drops the
DAD packet.
Such a VLAN ID check is what that section suggests. Do you see something
missing?
" At a minimum, the reception of an ARP request MUST NOT result in sending an ARP request,
and..." The "and" seems to read like this is a rule and there is more. But this is
not required to obtain the intented loop avoidance, for instance the suggestion that
the routers do not forward ARPs coming from other routers known by MAC@
but forward the others, and it appears to kill the design above. I'd
suggest to remove that quoted text, or say that this in one way of
achieving the recommendation to avoid loops that is already there.
If router1 has sent out an ARP request using the promiscuous VLAN ID,
then the bridges will deliver it to all the ports. Hence there is no
purpose for router2 to send an ARP request for the same target as a
result of receiving the ARP request from router1.
[Pascal] I thought this discussion is about proxying the ARP. And I’m
saying that “the reception of an ARP request” may actually “ result in
sending an ARP request” as long as the flooding domain is controlled and
loops are avoided, as discussed just above. Probably le being confused
in the scope of the text I was reading.
Let's get together and draw the packet flow so we can understand the
case you have in mind.
"For that reason it is NOT RECOMMENDED to configure outbound multicast
forwarding from private VLANs." Not all protocols would be impacted in a same
manner. I think that the recommendation, which applies to ND more than to many others
because of DAD, could be
more specific, like that whatever is done to propagate a multicast
beyond the limited scope allowed by the PVLAN should ensure that the
multicast is either harmless to the protocol it is propagating, or not
echoed back to the source device at all. Then again, the latter is
something that can be done in a L3 switch and a ML subnet router.
>
ND packets are never forwarded in any useful way since forward (as
described in RFCs) is a an IP operation which includes decrementing the
ttl/hopcount and ND verifies that hopcount is 255 on receipt.
[Pascal] I was confused again. I though the forwarding term here was
describing the switch behavior, and I read this text as a recommendation
that the switch does not propagate the multicast..
I'll make this more clear by using "IP forward" and "L2 forward" instead
of the generic "forward".
Section 8 tries to explain that issue with
IP Multicast which spans across multiple IP links and that have
senders that are on community or isolated ports require additional
forwarding mechanisms in the routers that are attached to the
promiscuous ports, since the routers need to forward such packets out
to any allowed receivers in the private VLAN without resulting in
packet duplication. For multicast senders on isolated ports such
forwarding would result in the sender potentially receiving the
packet it transmitted. For multicast senders on community ports, any
receivers in the same community VLAN are subject to receiving
duplicate packets; one copy directly from layer 2 from the sender and
a second copy forwarded by the multicast router.
[Pascal] I must admit I do not fully understand what this text. Maybe a
picture with the routers and the switches showing the packet duplication
at work?
Let me see what I can do.
Erik
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
