Egress Validation in Label Switched Path Ping and Traceroute Mechanisms
draft-ietf-mpls-egress-tlv-for-nil-fec-15
Yes
Jim Guichard
No Objection
Erik Kline
Orie Steele
Paul Wouters
Note: This ballot was opened for revision 13 and is now closed.
Jim Guichard
Yes
Deb Cooley
No Objection
Comment
(2024-05-27 for -13)
Sent
This is a Nit: Section 7 states: "This document defines additional MPLS LSP ping TLVs and follows the mechanisms defined in [RFC8029]. All the security considerations defined in [RFC8287] will be applicable for this document..." When one looks at RFC 8287, it states that the Security Considerations are the same as RFC 8029. It would be my recommendation to just reference RFC 8029 directly.
Erik Kline
No Objection
Gunter Van de Velde
(was Discuss)
No Objection
Comment
(2024-06-11 for -14)
Sent for earlier
# Gunter Van de Velde, RTG AD, comments for draft-ietf-mpls-egress-tlv-for-nil-fec-13 Please find https://www.ietf.org/blog/handling-iesg-ballot-positions/ documenting the handling of ballots. I would like to extend my gratitude to Stewart Bryant, Sasha Vainshtein, and He Jia for their RTG-DIR reviews. The document still contains an inconsistent mixture of "NiL" and "Nil," despite this issue being flagged in earlier RTG-DIR reviews. The text can be challenging to read due to grammatical constructs. While I have attempted to address some of these issues in my detailed review, there are areas where improvements are still needed. Below, you will find no remaining blocking DISCUSS points and a series of non-blocking COMMENTS, which I hope the authors can use to enhance the document. #DISCUSS items #============= ##[resolved] DISCUSS1 The last paragraph of section 2 describes: 187 segments on any path without upgrading transit nodes. The code point 188 used for Egress TLV is from the range 32768-65535 and can can be 189 silently dropped if not recognised as per [RFC8029] and as per 190 clarifications from [RFC9041] However RFC9041 instructs the following: " * All TLVs and sub-TLVs in the range 32768-65535 can be silently dropped if they are not recognized. Alternatively, the receiver may step over the unrecognized TLV or send an error message. " What if the receiver send an error message instead of silently dropping it? How to handle this consistent with formal procedure? ##[resolved] DISCUSS2 In section 3 is written: 196 FEC-stack TLV in the MPLS Echo Request packet. This TLV can only be 197 used in LSP ping/traceroute requests generated by the head-end node 198 of an LSP or SR policy for which verification is performed. In case What if it is used in something else as LSP ping/traceroute? what happens? How will an intermediate node react? ##[resolved] DISCUSS3 Section 4 details that RFC8029 is extended. Should then this document not update RFC8029 accordingly? ##[resolved] DISCUSS4 Section "4.2. Receiving Egress TLV in MPLS Echo Request" provides input about additional processing for the Egress TLV on the receiver node. a) It is unclear what can be considered as a received node. Is it a node that receives a packet with Egress TLV or is it the final node intended as target for the flow? b) step 1, 2, 2a and 2b have no normative RFC2119 language. Is none of this required or is all best effort for an implementation to be compliant? #DETAILED COMMENTS #================= 16 Abstract 17 18 The MPLS ping and traceroute mechanism as described in RFC 8029 and 19 related extensions for Segment Routing(SR) as defined in RFC 8287 is 20 very useful to validate the control plane and data plane 21 synchronization. In some environments, only some intermediate or 22 transit nodes may have been upgraded to support these validation 23 procedures. A simple MPLS ping and traceroute mechanism allows 24 traversing any path without validating the control plane state. RFC 25 8029 supports this mechanism with Nil Forwarding Equivalence Class 26 (FEC). The procedures described in RFC 8029 mostly apply when the 27 Nil FEC is used as an intermediate FEC in the label stack. When all 28 labels in the label stack are represented using Nil FEC, it poses 29 some challenges. 30 31 This document introduces a new Type-Length-Value (TLV) as an 32 extension to exisiting Nil FEC. It describes MPLS ping and 33 traceroute procedures using Nil FEC with this extension to overcome 34 these challenges. The abstract can be improved for better readability flow and fixing typos. What about this proposal: "The MPLS ping and traceroute mechanisms, as described in RFC 8029 and the related extensions for Segment Routing (SR) defined in RFC 8287, are highly valuable for validating control plane and data plane synchronization. In certain environments, only some intermediate or transit nodes may have been upgraded to support these validation procedures. A straightforward MPLS ping and traceroute mechanism allows traversing any path without validating the control plane state. RFC 8029 supports this mechanism with the Nil Forwarding Equivalence Class (FEC). The procedures outlined in RFC 8029 are primarily applicable when the Nil FEC is used as an intermediate FEC in the label stack. However, challenges arise when all labels in the label stack are represented using the Nil FEC. This document introduces a new Type-Length-Value (TLV) as an extension to the existing Nil FEC. It describes MPLS ping and traceroute procedures using the Nil FEC with this extension to address and overcome these challenges. " 102 Segment routing supports the creation of explicit paths using Adj- 103 SIDs, Node-SIDs, and Anycast-SIDs defined in [RFC8402]. In certain These are documented (with a slightly different name) in RFC8402 as "Link-State IGP Segments". Any reason why BGP segments are not mentioned? Maybe the text should explicit indicate that this document is for IGP domains if it was intentional? 103 SIDs, Node-SIDs, and Anycast-SIDs defined in [RFC8402]. In certain 104 usecases, the TE paths are built using mechanisms described in 105 [RFC9256] by stacking the labels that represent the nodes and links 106 in the explicit path. Controllers are often deployed to construct RFC9256 speaks about ordered lists of segments. A segment is not necessary a label according RFC9256. This document is however about MPLS Nil fec. Maybe introduction should provide indicating that his is MPLS data plane only and not IPv6 SRv6. "The packets steered into an SR Policy carry an ordered list of segments associated with that SR Policy." 107 paths across multi-domain networks. In such deployments, the head- 108 end routers may have a database of its own domain and may not be 109 aware of the FEC associated with labels that are used by the 110 controller to build paths across multiple domains. A very useful What is 'a database'. What information is the router to expect to find in such database? 119 [RFC8287]. [RFC8029] provides mechanisms to primarily validate the 120 data plane and secondarily to verify the data plane against the 121 control plane. It also provides the ability to traverse Equal cost What about following rewrite proposal: "[RFC8029] primarily provides mechanisms to validate the data plane and, secondarily, to verify the consistency of the data plane with the control plane. " 122 Mutiple Paths (ECMP) and validate each of the ECMP paths. The use of 123 Target FEC requires all nodes in the network to have implemented the 124 validation procedures. All intermediate nodes may not have been s/Mutiple/Multiple/ Not being very well experienced with LSP ping i had to look up Target FEC in RFC8029. Maybe add reference to the description or add a Terminology section for easier readability 132 Generic IPv4 and IPv6 FECs are used when the protocol that is 133 advertising the label is unknown. The information that is carried in RFC8029 talks about Target FEC Stack is a list of sub-TLVs where some have subtype "Generic IPv4 prefix" and "Generic IPv6 prefix". The text should align with the wording used in RFC8029. 132 Generic IPv4 and IPv6 FECs are used when the protocol that is 133 advertising the label is unknown. The information that is carried in 134 Generic FEC is the IPv4 or IPv6 prefix and prefix length. Thus 135 Generic FEC types perform an additional control plane validation. 136 However, the details of Generic FEC and validation procedures are not 137 very detailed in the [RFC8029]. The use-case mostly specifies inter- 138 AS VPNs as the motivation. Certain aspects of SR such as anycast 139 SIDs require clear guidelines on how the validation procedure should 140 work. Also, Generic FEC may not be widely supported and if transit 141 routers are not upgraded to support validation of Generic FEC, 142 traceroute may fail. On other hand, Nil FEC consists of the label 143 and there is no other associated FEC information. Nil FEC is used to 144 traverse the path without validation for cases where the FEC is not 145 defined or routers are not upgraded to support the FECs. Thus, it 146 can be used to check any combination of segments on any data path. 147 The procedures described in [RFC8029] are mostly applicable when the 148 Nil FEC is used where the Nil FEC is an intermediate FEC in the label 149 stack. When all labels in the label-stack are represented using Nil 150 FEC, it poses some challenges. To me this complete section needs a rewrite. Its a very dense read touching many technologies and constraints and operational complications. This draft handles about Nil FEC, and hence the text about Generic IPv4/IPv6 prefix seems slightly confusing. Why is this even discussed here? 175 To avoid this problem, there is a need to add additional information 176 in the MPLS Echo Request message in ping and treaceroute mode along 177 with Nil FEC to do minimal validation on the egress/destination 178 router and send proper information on success and failure to the 179 ingress router. This additional information should help to report 180 transit router information to the ingress/initiator router that can 181 be used by an offline application to validate the traceroute path. With this formal procedure, would it not be needed to indicate that this draft updates RFC8029 because it fixes a bug/bad-behavior? 175 To avoid this problem, there is a need to add additional information 176 in the MPLS Echo Request message in ping and treaceroute mode along 177 with Nil FEC to do minimal validation on the egress/destination 178 router and send proper information on success and failure to the 179 ingress router. This additional information should help to report 180 transit router information to the ingress/initiator router that can 181 be used by an offline application to validate the traceroute path. 183 Thus the addition of egress information in the MPLS Echo Request 184 message in ping and traceroute mode will help in validating Nil-FEC 185 on each receiving router on the label-stack path to ensure the 186 correct destination. It can be used to check any combination of 187 segments on any path without upgrading transit nodes. The code point 188 used for Egress TLV is from the range 32768-65535 and can can be 189 silently dropped if not recognised as per [RFC8029] and as per 190 clarifications from [RFC9041] What about the following rephrasing of this text: "To mitigate this issue, it is necessary to include additional information in the MPLS Echo Request message in both ping and traceroute modes, along with the Nil FEC, to perform minimal validation on the egress/destination router. This will enable the router to send appropriate success and failure information to the ingress router. This supplementary information should assist in reporting transit router details to the ingress/initiator router, which can be utilized by an offline application to validate the traceroute path. Consequently, the inclusion of egress information in the MPLS Echo Request message in ping and traceroute modes will facilitate the validation of Nil FEC on each receiving router along the label stack path, ensuring the correct destination. It can be employed to verify any combination of segments on any path without requiring upgrades to transit nodes. The code point used for the Egress TLV falls within the range 32768-65535 and can be silently discarded if not recognized, in accordance with [RFC8029] and the clarifications provided in [RFC9041]. " 187 segments on any path without upgrading transit nodes. The code point 188 used for Egress TLV is from the range 32768-65535 and can can be 189 silently dropped if not recognised as per [RFC8029] and as per 190 clarifications from [RFC9041] RFC9041 instructs the following: " * All TLVs and sub-TLVs in the range 32768-65535 can be silently dropped if they are not recognized. Alternatively, the receiver may step over the unrecognized TLV or send an error message. " WHat if the received send an error message instead of silently dropping it? 194 The Egress TLV MAY be included in an MPLS Echo Request message. It 195 is an optional TLV and if it is present it MUST appear before the 196 FEC-stack TLV in the MPLS Echo Request packet. This TLV can only be 197 used in LSP ping/traceroute requests generated by the head-end node 198 of an LSP or SR policy for which verification is performed. In case 199 multiple Nil FECs are present in Target FEC Stack TLV, Egress TLV 200 MUST be added corresponding to the ultimate egress of the label- 201 stack. It can be used for any kind of path with Egress TLV added 202 corresponding to the endpoint of the path. Explicit Path can be 203 created using Node-SID, Adj-SID, Binding-SID etc. Prefix field of 204 Egress TLV MUST be derived from path egress/destination. The format 205 is as specified below This section is hard to follow. May i suggest following rewrite: "The Egress TLV MAY be included in an MPLS Echo Request message. It is an optional TLV and, if present, MUST appear before the FEC-stack TLV in the MPLS Echo Request packet. This TLV can only be used in LSP ping/traceroute requests generated by the head-end node of an LSP or SR policy for which verification is performed. In cases where multiple Nil FECs are present in the Target FEC Stack TLV, the Egress TLV must be added corresponding to the ultimate egress of the label stack. It can be used for any type of path with the Egress TLV added corresponding to the endpoint of the path. Explicit paths can be created using Node-SID, Adj-SID, Binding-SID, etc. The prefix field of the Egress TLV must be derived from the path egress/destination. The format is as specified below: " 235 As stated earlier, when the sender node builds an Echo Request with 236 target FEC Stack TLV, Egress TLV when present, MUST appear before 237 Target FEC-stack TLV in the MPLS Echo Request packet. Suggested rewrite: As previously mentioned, when the sender node constructs an Echo Request with a Target FEC Stack TLV, the Egress TLV, if present, MUST appear before the Target FEC Stack TLV in the MPLS Echo Request packet. 241 When sender node builds an Echo Request with target FEC Stack TLV 242 that contains a single NiL FEC corresponding to the last segment of s/NiL/Nil/ 241 When sender node builds an Echo Request with target FEC Stack TLV 242 that contains a single NiL FEC corresponding to the last segment of 243 the SR Policy path, the sender node MUST add an Egress TLV with the 244 prefix obtained from SR policy endpoint field Previously it was mentioned that the prefix could be obtained : "from the egress of Nil FEC corresponding to the last label in the label-stack or SR policy endpoint field [I.D-ietf-idr-sr-policy-safi]." This seems inconsistent with the text blob here. similar is with next few lines of the paragraph. IS SRTE the only ue-case for this? 257 b. If the last SID in the policy is a Binding SID, the prefix 258 represents the last node of the path represented by the Binding 259 SID. Could this not lead to situation where on a transit node there is absolutely no awareness where this last node is located outside the scope of the local domain? (intern=mediate node may not have a full routing table) 263 When sender node builds an Echo Request with target FEC Stack TLV 264 that contains NiL FEC corresponding to last segment of the segment- s/buids/constructs/ s/NiL/Nil/ 270 Although there is no requirement to do so, an implementation MAY send 271 multiple Nil FEC if that makes the it easier for the implementation. 272 In case the headend sends multiple Nil FECs the last one MUST 273 correspond to the Egress TLV. The Label value in the Nil FEC MAY be Please add more info hat is intended with "headend". I assume it is the SRTE headend, but maybe it refers to some other hierarchical tunnel constructs or technologies. 273 correspond to the Egress TLV. The Label value in the Nil FEC MAY be 274 set to zero for the last Nil FEC. In case the endpoint is not What happens, or should happen, if the Nil FEC is not set to zero? 274 set to zero for the last Nil FEC. In case the endpoint is not 275 specified or is equal to 0 ( as in case of color-only SR Policy),the 276 sender MUST use the the prefix corresponding to the last segment 277 endpoint of the SR Policy path i.e. ultimate egress as the prefix for 278 Egress TLV. is this color-only SR Policy suggesting "8.8.1. Color-Only BGP Destination Steering" from RFC9256? Maybe add reference. 317 Additional processing is done for the Egress TLV on the receiver node 318 as follows: Is a receiver node the final node in the path or is it a transit node that receives a packet enriched with an Egress TLV? Please clarify. 330 2a. If the Egress TLV prefix lookup succeeds, set Best-return-code 331 to 36 ("Replying router is an egress for the prefix in Egress TLV for 332 the FEC at stack depth RSC") (Section 6.2) egress ok in MPLS Echo 333 Reply message. This does not very well resonate with me. When removing the brackets () then the remainder of the text reads: 2a. If the Egress TLV prefix lookup succeeds, set Best-return-code to 36 egress ok in MPLS Echo Reply message. 339 3.In cases where multiple Nil FECs are sent from ingress, one each 340 corresponding to the labels in the label stack along with Egress 341 TLV,when the packet reaches egress, the number of labels in the Previously the term headend was used, and now it is ingress. Maybe consistent terminology should be used for best formal procedure 348 The extensions defined in this document is backward compatible with 349 procedures described in [RFC8029]. A Router that does not support 350 Egress TLV, will ignore it and use current the Nil-FEC procedures 351 described in [RFC8029]. RFC9041 indicate that an implementation could send a error message instead of silently ignoring. How would this impact the solution?
John Scudder
No Objection
Comment
(2024-05-29 for -13)
Sent
Thanks for this document. I have two comments. ### Section 3 and following, prefix The field you call prefix here, is really an address, not a prefix, since you constrain the value to be either an IPv4 /32 or an IPv6 /128, but nothing else. I suggest that you s/prefix/address/ in this section and all the following sections. (The occurrences in Section 1 appear to be correct as written.) I notice that Éric Vyncke raised a similar concern. ### Section 4.2, egress ok 2a. If the Egress TLV prefix lookup succeeds, set Best-return-code to 36 ("Replying router is an egress for the prefix in Egress TLV for the FEC at stack depth RSC") (Section 6.2) egress ok in MPLS Echo Reply message. What does "egress ok" in that paragraph mean? Is it an editing error, and should it be removed?
Mahesh Jethanandani
No Objection
Comment
(2024-05-24 for -13)
Sent
Paragraph 2 Although the document is short, it is hard to read in parts and could have done with some editing before being sent for publication. Section 4.1.2, paragraph 7 > In ping Echo Request, with target FEC Stack TLV that contains a > single NiL FEC corresponding to 1007, should add Egress TLV for > endpoint/destination prefix X with type as Egress TLV, length depends > on if X is IPv4 or IPv6 address and prefix as X. > > In traceroute Echo Request, with target FEC Stack TLV that contains a > single NiL FEC corresponding to the complete label-stack (1002, 1004, > 1007) or multiple Nil-FEC corresponding to each label in the label- > stack, should add single Egress TLV for endpoint/destination prefix X > with type as Egress TLV, length depends on if X is IPv4 or IPv6 > address and prefix as X. In case X is not present or is set to 0 ( > as in the case of color-only SR Policy), sender should use the > endpoint of segment 1007 as a prefix for Egress TLV. These two paragraphs were particularly hard to read with long sentences, and articles & prepositions missing. Can it be rewritten? ------------------------------------------------------------------------------- NIT ------------------------------------------------------------------------------- All comments below are about very minor potential issues that you may choose to address in some way - or ignore - as you see fit. Some were flagged by automated tools (via https://github.com/larseggert/ietf-reviewtool), so there will likely be some false positives. There is no need to let me know what you did with these suggestions. Section 4.1, paragraph 1 > As stated earlier, when the sender node builds an Echo Request with > target FEC Stack TLV, Egress TLV when present, MUST appear before > Target FEC-stack TLV in the MPLS Echo Request packet. Inconsistent use of the term Target FEC Stack TLV. Sometimes, Target is with a small t, sometimes there is a -, etc. Section 1, paragraph 2 > 4 or IPv6 prefix and prefix length. Thus Generic FEC types perform an additio > ^^^^ A comma may be missing after the conjunctive/linking adverb "Thus". Section 2, paragraph 2 > on to validate the traceroute path. Thus the addition of egress information i > ^^^^ A comma may be missing after the conjunctive/linking adverb "Thus". Section 4.1.1, paragraph 1 > end multiple Nil FEC if that makes the it easier for the implementation. In > ^^^^^^ Please verify. Did you mean "it" or "the IT" (= information technology)?
Murray Kucherawy
No Objection
Comment
(2024-05-29 for -13)
Not sent
The document shepherd's answer to question #11 is incomplete.
Orie Steele
No Objection
Paul Wouters
No Objection
Roman Danyliw
No Objection
Comment
(2024-05-28 for -13)
Not sent
Thank you to Linda Dunbar for the GENART review. I have no GEN Area feedback.
Warren Kumari
No Objection
Comment
(2024-05-29 for -13)
Sent
Thank you for writing this document. Also, *much* thanks to Yingzhen Qu for the OpsDir review -- https://datatracker.ietf.org/doc/review-ietf-mpls-egress-tlv-for-nil-fec-13-opsdir-lc-qu-2024-05-20/ I strongly suggest that the authors review this - Yingzhen has provided a much improved Abstract, in addition to some helpful nit fixes. (Gunter has also provided an option)
Zaheduzzaman Sarker
No Objection
Comment
(2024-05-30 for -13)
Not sent
Thanks for working on this specification. I have no issues here from transport protocol point of view.
Éric Vyncke
No Objection
Comment
(2024-05-27 for -13)
Sent for earlier
# Éric Vyncke, INT AD, comments for draft-ietf-mpls-egress-tlv-for-nil-fec-13 Thank you for the work put into this document. The text is sometimes convoluted (e.g., section 2). Please find below some non-blocking COMMENT points (but replies would be appreciated even if only for my own education), and some nits. Special thanks to Tarek Saad for the shepherd's detailed write-up including the WG consensus *BUT* it lacks the justification of the intended status. I hope that this review helps to improve the document, Regards, -éric # COMMENTS (non-blocking) ## Section 1 "domain" is used several times in this section, but is not qualified. Suggest to use "operator domain" or "controller domain" or... The same section also uses "nodes", should it rather be "routers" ? ## Section 3 Suggest to mention that the length is measured in octets. Possibly due to my ignorance of the use case but can the prefix be a multicast prefix ? can the prefix be shorter than 128 or 32 ? E.g., 2001:db8:cafe::/48 ? ## Section 4.1.1 Should [I.D-ietf-idr-sr-policy-safi] be a normative reference rather than an informative one ? ## Section 4.2 What is the expected behavior when receiving a Target FEC TLV whose length if neither 4 or 16 ? # NITS (non-blocking / cosmetic) ## Section 2 s/treaceroute/traceroute/