Hi David, I do not agree with the position: “Let’s specify a standard for the software platform, the guys developing specialized ASICs should solve their problem themselves”. Tunneling is done now much often in these specialized ASICs, not in PCs. Eduard From: Black, David [mailto:[email protected]] Sent: Thursday, March 25, 2021 7:46 PM To: Vasilenko Eduard <[email protected]>; Joseph Touch <[email protected]> Cc: [email protected]; int-area <[email protected]>; Black, David <[email protected]> Subject: RE: Proxy function for PTB messages on the tunnel end
Inline … Thanks, --David From: Vasilenko Eduard <[email protected]<mailto:[email protected]>> Sent: Thursday, March 25, 2021 5:52 AM To: Black, David; Joseph Touch Cc: [email protected]<mailto:[email protected]>; int-area Subject: RE: Proxy function for PTB messages on the tunnel end [EXTERNAL EMAIL] Hi David, 1. Any real tunneling implementation does check the incoming packet against virtual link MTU, not against any buffer. Because buffers are “big enough” for tunneling that does support fragmentation/reassembly or buffer does not exist at all for tunneling that does not support fragmentation. [David>] We agree on this. The check against the virtual link MTU (which is EMTU_R in the draft) is what causes generation of the ICMP PTB. 1. Why you are talking about “NIC”, “driver”, “EMTU_R”? All these abstractions do not exist in hardware that is doing tunneling for us. [David>] That is entirely about "the link-attached-to-host case, where an ICMP PTB may be counterproductive" which also needs to be covered, in addition to the router case that you're focused on. It is the Data Plane ASIC, right? It deals with traffic flow (Verilog), not with control flow (RTC == Run to Completion, “C”). [David>] That would be in a router, actual hosts that don't have data plane ASICs also have to be covered. It does not have LINUX on board. No one would be capable to emulate “host” on this ASIC, at least not to degree that this draft demands. [David>] The draft specifies abstractions – implementations optimize across them. It was originally a very bad idea to unify tunnel end point with host – they are running on principally different hardware. The difference is much bigger than between RISC and CISC. [David>] I disagree - tunnel encap/decap software absolutely also runs on actual hosts. Remote access VPN clients are an obvious example. Eduard From: Black, David [mailto:[email protected]] Sent: Thursday, March 25, 2021 12:10 AM To: Vasilenko Eduard <[email protected]<mailto:[email protected]>>; Joseph Touch <[email protected]<mailto:[email protected]>> Cc: [email protected]<mailto:[email protected]>; int-area <[email protected]<mailto:[email protected]>>; Black, David <[email protected]<mailto:[email protected]>> Subject: RE: Proxy function for PTB messages on the tunnel end Hi Eduard, >> - links NEVER *generate* ICMPs >> - routers and hosts *generate* ICMPs > Why virtual link could not send ICMP PTB (like on a physical link)? The short answer (IMHO) is "yes, but the host or router generates the ICMP PTB." There's a subtle distinction here that better supports the link-attached-to-host case, where an ICMP PTB may be counterproductive. Starting with a router case, suppose that a large packet arrives at a router whose forwarding table determines that the next hop is a virtual link that encapsulates the packet to send in a tunnel. The router checks the MTU for that virtual link (tunnel EMTU_R), determines that the packet is too large to send, and the router generates an ICMP PTB to report that. This works the same way for a physical link that just sends the packet (MTU that is checked is that of the physical link) – in both cases the router generates an ICMP PTB based on link (interface) information before attempting to send the packet on that link. The host case enables a host device driver or network stack to deal with this situation without forcing an ICMP PTB to be generated and parsed. Starting with the physical link case – attempting to send a packet that's too large for the NIC to send generates an error that propagates back up the host network stack – forcing generation of an ICMP PTB in this case may be counterproductive. Exactly where that error is generated may depend on how the network stack and NIC are implemented – the error could originate from the NIC itself, the NIC device driver, or a higher layer of the network stack that checks the link MTU before the packet is handed off to the NIC device driver. For a software encapsulation implementation of a virtual link, the MTU (tunnel EMTU_R) gets checked at or above the network stack layer that does the encapsulation. If there's a software router embedded in the host (e.g., virtual switch with IP forwarding functionality), that router could generate an ICMP PTB based on the error or on directly checking the link MTU. Thanks, --David From: Int-area <[email protected]<mailto:[email protected]>> On Behalf Of Vasilenko Eduard Sent: Wednesday, March 24, 2021 4:05 PM To: Joseph Touch Cc: [email protected]<mailto:[email protected]>; int-area Subject: Re: [Int-area] Proxy function for PTB messages on the tunnel end [EXTERNAL EMAIL] Hi Joseph, You have presented below (and in many other messages) a long list of policies (extensive usage of “SHOULD”, “NEVER”, “MUST”) That are new – would change how current tunnels operate And are not justified by any reasoning. It is religion, not technology. Why virtual link could not send ICMP PTB (like on a physical link)? Just because… it is “unsolicited”. But one moment – any other PTB is unsolicited too - It is an event. You have not answered any of my questions – you continue to promote the solution from the draft-ietf-intarea-tunnels putting some excerpts in a different order. PS: I am especially sorry that draft-ietf-intarea-tunnels would scrape the best tunneling RFC that we have for IPv6. RFC 2473 was really good. Eduard From: Joseph Touch [mailto:[email protected]] Sent: Wednesday, March 24, 2021 10:01 PM To: Vasilenko Eduard <[email protected]<mailto:[email protected]>> Cc: [email protected]<mailto:[email protected]>; int-area <[email protected]<mailto:[email protected]>> Subject: Re: Proxy function for PTB messages on the tunnel end Two points: On Mar 24, 2021, at 7:59 AM, Vasilenko Eduard <[email protected]<mailto:[email protected]>> wrote: It would invalidate all tunneling implementations. It is not compatible with any one of them. PMTUD is killed. Revolution. PMTUD is effectively dead, so if you’re worried about it, you’re 20+ years too late - as per the RFCs I’ve already cited. All complaints against RFC 2473 are minor (if right), Except this one that is definitely wrong: o Tunnel ingress issues ICMPs This is a violation of RFC792 and 8200; the ICMPs issued are that of routers, not links. If the ingress is at the source host, these ICMPs would come from a device that is not a router. ICMP PTB is very important to deliver to the traffic source. I’m saying something very specific: - tunnels are links - links NEVER *genenerate* ICMPs - routers and hosts *generate* ICMPs based on what happens inside them, e.g,, to their processes and links So the question is “under what conditions does a link cause a router/host to generate an ICMP?” There should be no unsolicited ICMPs, i.e., routers/hosts NEVER generate ICMPs unless in reaction to a packet being sent or received. PTB means “I cannot send the packet over this link”. Not path - link. There is no PTB for a path; the assumption is that one link of a path that fails will send the ICMPs back to the source. For a tunnel, when can it NOT send a packet? - only when that packet is larger than the tunnel EMTU_R (i.e., egress received max, reassembled if reassembly is supported) A packet that can be fragmented and traverse a tunnel is not too big. It’s “bigger than you might like” or “bigger than desired”, but there is no ICMP to indicate that sort of ‘soft’ (non failure) error. So what should happen: - tunnels ingress should know and update (if changing) the tunnel EMTU_R value - routers/hosts should use EMTU_R as the tunnel MTU again, because the tunnel path MTU is a preference; the tunnel EMTU_R is the actual strict limit - routers/hosts sending packets over a tunnel generate ICMP PTBs as needed again, the router/host generates the message, not the tunnel ingress this happens when the router/host tries to send a packet over out that tunnel interface that is larger than the tunnel MTU So this all works, as long as ICMPs are relayed. Draft-tunnels does not deprecate this behavior. It describes it and explains why this is the correct behavior. Tunnel ingresses that relay PTBs inside are broken; they fail in ways they do not need to. That is the true error. Joe
_______________________________________________ Int-area mailing list [email protected] https://www.ietf.org/mailman/listinfo/int-area
