[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FW: Questions about tunneltrace

To: Ron Bonica <rbonica@MCI.NET>
Subject: Re: FW: Questions about tunneltrace
From: Eric Rosen <erosen@cisco.com>
Date: Tue, 13 Mar 2001 09:35:52 -0500
cc: yakov@juniper.net, ccamp@ops.ietf.org
Delivery-date: Tue, 13 Mar 2001 06:37:02 -0800
Envelope-to: ccamp-data@psg.com
Reply-To: erosen@cisco.com
User-Agent: EMH/1.10.0 WEMI/1.13.2 (Mochimune) FLIM/1.12.1(Nishinokyō) Emacs/20.6 (sparc-sun-solaris2.5.1)MULE/4.0 (HANANOEN)


Ron> We  are  trying  to  avoid  the trap  into  which  draft-ietf-mpls-icmp
Ron> fell. 

Political incorrectness?

Ron> The basic  problem with that  draft was that  it looked inside  an MPLS
Ron> payload,  found and  IP header,  and  assumed that  the source  address
Ron> specified by that IP header  was meaningful within the LSRs layer three
Ron> routing context.

Ron> For example, lets  say that the source address is  10.1.1.1 and the LSR
Ron> has a route to 10.1.1.1.  Is the  host to which the LSR has a route the
Ron> same one the originated the datagram?  If the LSR does not have a route
Ron> to 10.1.1.1, it sends the ICMP  message to the egress LSR.  Is the host
Ron> to which  the egress LSR  has a route  the same one the  originated the
Ron> datagram?

RFC3032 describes a pretty simple  procedure for getting the ICMP message to
the egress  of the outermost tunnel  before routing it back  to the original
source.  Chances  are rather high that  the address means the  same thing at
both ends of the outermost tunnel.

But there is an advantage of sending the response to the ingress rather than
the egress.  This has  to do with the fact that if  one of the inner tunnels
is broken, the RFC3032 procedure may  not get the response to the egress, in
which case  responses never get back  to the original source,  and the trace
doesn't tell  you anything that  you didn't already know  (i.e., something's
broken).  So having a procedure for  getting back to the tunnel ingress does
seem like a good idea.  

I  would  question  though  whether  it  is  really  necessary  to  get  the
traceresponse  back to  the OUTERMOST  tunnel ingress.   I think  that  if a
traceresponse comes from the middle of  a tunnel, it is probably good enough
to get it back to the  ingress of the immediately containing tunnel, even if
this is an interior tunnel.

True, this won't work if there is  no route between the enduser who is doing
the trace and the ingress of  the interior tunnel.  However, I think that if
there is no such route, that's  because the owner of the tunnel ingress does
not want  the enduser to  be able to  send packets to  it.  GTTP opens  up a
security hole here.  Yes, GTTP provides an authentication mechanism that can
be used to close the hole.  But  unless there is good reason to believe that
service providers will often want to  leave this hole open, we might as well
just nail  it closed; this would  result in a  significant simplification of
the protocol.

To trace a tunnel, the enduser would always have to direct the traceprobe to
the ingress of  THAT tunnel.  The traceprobe packet  which the ingress sends
through the  tunnel could itself carry  the address of the  ingress, so that
the traceresponse  could come  back.  Then  there would be  no need  for ANY
router to maintain ANY state for a traceprobe.

I would  also suggest that when a  traceresponse is generated by  a node, it
contain  ALL the  information that  the node  would have  used to  route the
arriving  probe, had  the probe's  TTL not  expired.  To  make sure  ALL the
necessary information is included,  we should probably include an identifier
for the probe's incoming  interface, as well as the full set  of MPLS and IP
headers.  Call this a "forwarding information object". 

The original traceprobe sent by an  enduser should also be able to contain a
forwarding information  object.  This would  enable you to trace,  e.g., the
path of a  packet which arrives on a particular  interface with a particular
label stack. 

Once  you've  received  a  traceresponse  from every  node  along  the  path
(excluding nodes within tunnels), you need  to send a new traceprobe to each
of those nodes.  The traceprobe sent to a particular node should contain the
forwarding information  object returned  in that node's  traceresponse.  The
semantics  would be "if  this is  the forwarding  information for  a packet,
would you put the packet in a tunnel?  if so, please initiate a trace of the
tunnel".   Since a particular  node may  be the  ingress to  multiple nested
tunnels, we  need include a tunnel depth  number, but I don't  think we need
anything as complicated as the hop object.

It's still  not clear  to me  though that this  produces something  which is
significantly  better  than  a  pseudo-trace procedure  which  examines  the
control plane exclusively.

Prev by Date: SDH/SONET concatenation signal types
Next by Date: Re: CCAMP agenda
Prev by thread: RE: FW: Questions about tunneltrace
Next by thread: [Fwd: I-D ACTION:draft-walker-ccamp-req-00.txt]
Index(es):
- Date
- Thread