1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
|
## IOAM for IPv6 {#ioam_ipv6_doc}
IOAM data is transported as options in an IPv6 hop-by-hop extension header.
### Export of IOAM data
IPv6 IOAM hop-by-hop data collected is exported as IPfix records.
#### Export data format and flow
- Capturing sections of selected packets: First few cachelines of packet starting at IP6 header is copied and appended into a MTU sized buffer.
- Encoding of the data captured: IPFIX is used with new template ID to indicate raw binary data export that is first 192 octets starting at IPv6 header, padded if the total length of packet is less than 192 octets. So no formatting of the data is required – we could call it “bulk transport of telemetry data over IPFIX”.
- Sections of captured packets are appended to the buffer – This buffer contains an homogenous ipfix data set so no additional formatting is needed. It is then up to the IPFIX collector to parse, filter, and transform the data into the desired format for a particular deployment or use-case
- Preparing the data for export: slapping the IP, UDP and IPfix header onto the captured set of buffer.
- Sending the data : When the buffers are full they are flushed out and replaced. When the packet rate is low then periodically ipfix packets are flushed from per thread buffers.
[https://gerrit.fd.io/r/#/c/2267] brings in this support.
Performance on a node where iOAM data is exported and removed:
Name State Calls Vectors Suspends Clocks Vectors/Call
ip6-export active 1145933 272387308 0 1.12e2 237.69
ip6-hop-by-hop active 1145933 272387308 0 4.25e1 237.69
ip6-pop-hop-by-hop active 1145933 272387308 0 4.41e1 237.69
## Configuration
Configuring IOAM involves:
- Selecting the packets for which IOAM data must be inserted, updated or removed
- Selection of packets for IOAM data insertion on IOAM encapsulating node.
Selection of packets is done by 5-tuple based classification
- Selection of packets for updating IOAM data is implicitly done on the
presence of IOAM options in the packet
- Selection of packets for removing the IOAM data is done on 5-tuple
based classification
- The kind of data to be collected
- Tracing data
- Proof of transit
- Edge-to-Edge sequence numbers
- Additional details for processing IOAM data to be collected
- For trace data - trace type, number of nodes to be recorded in the trace,
time stamp precision, etc.
- For POT data - configuration of POT profile required to process the POT data
- Enabling sequence numbers per classified flows
The CLI for configuring IOAM is explained here followed by detailed steps
and examples to deploy IOAM on VPP as an encapsulating, transit or
decapsulating IOAM node in the subsequent sub-sections.
VPP IOAM configuration for creating trace profile and enabling trace:
# set ioam-trace profile trace-type <0x1f|0x7|0x9|0x11|0x19>
trace-elts <number of trace elements> trace-tsp <0|1|2|3>
node-id <node ID in hex> app-data <application data in hex>
A description of each of the options of the CLI follows:
- trace-type : An entry in the "Node data List" array of the trace option
can have different formats, following the needs of the a deployment.
For example: Some deployments might only be interested
in recording the node identifiers, whereas others might be interested
in recording node identifier and timestamp.
The following types are currently supported:
- 0x1f : Node data to include hop limit (8 bits), node ID (24 bits),
ingress and egress interface IDs (16 bits each), timestamp (32 bits),
application data (32 bits)
- 0x7 : Node data to include hop limit (8 bits), node ID (24 bits),
ingress and egress interface IDs (16 bits each)
- 0x9 : Node data to include hop limit (8 bits), node ID (24 bits),
timestamp (32 bits)
- 0x11: Node data to include hop limit (8 bits), node ID (24 bits),
application data (32 bits)
- 0x19: Node data to include hop limit (8 bits), node ID (24 bits),
timestamp (32 bits), application data (32 bits)
- trace-elts : Defines the length of the node data array in the trace option.
- trace-tsp : Defines the timestamp precision to use with the enumerated value
for precision as follows:
- 0 : 32bits timestamp in seconds
- 1 : 32bits timestamp in milliseconds
- 2 : 32bits timestamp in microseconds
- 3 : 32bits timestamp in nanoseconds
- node-id : Unique identifier for the node, included in the node ID
field of the node data in trace option.
- app-data : The value configured here is included as is in
application data field of node data in trace option.
Enabling trace is done by setting "trace" in the following command:
# set ioam [trace] [pot] [seqno] [analyse]
### Trace configuration
#### On IOAM encapsulating node
- **Configure classifier and apply ACL** to select packets for
IOAM data insertion
- Example to enable IOAM data insertion for all the packets
towards IPv6 address db06::06:
vpp# classify table acl-miss-next ip6-node ip6-lookup mask l3 ip6 dst
vpp# classify session acl-hit-next ip6-node ip6-add-syn-hop-by-hop
table-index 0 match l3 ip6 dst db06::06 ioam-encap test-encap
vpp# set int input acl intfc GigabitEthernet0/0/0 ip6-table 0
- **Enable tracing** : Specify node ID, maximum number of nodes for which
trace data should be recorded, type of data to be included for recording,
optionally application data to be included
- Example to enable tracing with a maximum of 4 nodes recorded
and the data to be recorded to include - hop limit, node id,
ingress and egress interface IDs, timestamp (millisecond precision),
application data (0x1234):
vpp# set ioam-trace profile trace-type 0x1f trace-elts 4 trace-tsp 1
node-id 0x1 app-data 0x1234
vpp# set ioam rewrite trace
#### On IOAM transit node
- The transit node requires trace type, timestamp precision, node ID and
optionally application data to be configured,
to update its node data in the trace option.
Example:
vpp# set ioam-trace profile trace-type 0x1f trace-elts 4 trace-tsp 1
node-id 0x2 app-data 0x1234
#### On the IOAM decapsulating node
- The decapsulating node similar to encapsulating node requires
**classification** of the packets to remove IOAM data from.
- Example to decapsulate IOAM data for packets towards
db06::06, configure classifier and enable it as an ACL as follows:
vpp# classify table acl-miss-next ip6-node ip6-lookup mask l3 ip6 dst
vpp# classify session acl-hit-next ip6-node ip6-lookup table-index 0
match l3 ip6 dst db06::06 ioam-decap test-decap
vpp# set int input acl intfc GigabitEthernet0/0/0 ip6-table 0
- Decapsulating node requires trace type, timestamp precision,
node ID and optionally application data to be configured,
to update its node data in the trace option before it is decapsulated.
Example:
vpp# set ioam-trace profile trace-type 0x1f trace-elts 4
trace-tsp 1 node-id 0x3 app-data 0x1234
### Proof of Transit configuration
For details on proof-of-transit,
see the IETF draft [IOAM-ietf-proof-of-transit].
To enable Proof of Transit all the nodes that participate
and hence are verified for transit need a proof of transit profile.
A script to generate a proof of transit profile as per the mechanism
described in [IOAM-ietf-proof-of-transit] will be available at [IOAM-Devnet].
The Proof of transit mechanism implemented here is based on
Shamir's Secret Sharing algorithm.
The overall algorithm uses two polynomials
POLY-1 and POLY-2. The degree of polynomials depends on number of nodes
to be verified for transit.
POLY-1 is secret and constant. Each node gets a point on POLY-1
at setup-time and keeps it secret.
POLY-2 is public, random and per packet.
Each node is assigned a point on POLY-1 and POLY-2 with the same x index.
Each node derives its point on POLY-2 each time a packet arrives at it.
A node then contributes its points on POLY-1 and POLY-2 to construct
POLY-3 (POLY-3 = POLY-1 + POLY-2) using lagrange extrapolation and
forwards it towards the verifier by updating POT data in the packet.
The verifier constructs POLY-3 from the accumulated value from all the nodes
and its own points on POLY-1 and POLY-2 and verifies whether
POLY-3 = POLY-1 + POLY-2. Only the verifier knows POLY-1.
The solution leverages finite field arithmetic in a field of size "prime number"
for reasons explained in description of Shamir's secret sharing algorithm.
Here is an explanation of POT profile list and profile configuration CLI to
realize the above mechanism.
It is best to use the script provided at [IOAM-Devnet] to generate
this configuration.
- **Create POT profile** : set pot profile name <string> id [0-1]
[validator-key 0xu64] prime-number 0xu64 secret_share 0xu64
lpc 0xu64 polynomial2 0xu64 bits-in-random [0-64]
- name : Profile list name.
- id : Profile id, it can be 0 or 1.
A maximum of two profiles can be configured per profile list.
- validator-key : Secret key configured only on the
verifier/decapsulating node used to compare and verify proof of transit.
- prime-number : Prime number for finite field arithmetic as required by the
proof of transit mechanism.
- secret_share : Unique point for each node on the secret polynomial POLY-1.
- lpc : Lagrange Polynomial Constant(LPC) calculated per node based on
its point (x value used for evaluating the points on the polynomial)
on the polynomial used in lagrange extrapolation
for reconstructing polynomial (POLY-3).
- polynomial2 : Is the pre-evaluated value of the point on
2nd polynomial(POLY-2). This is unique for each node.
It is pre-evaluated for all the coefficients of POLY-2 except
for the constant part of the polynomial that changes per packet
and is received as part of the POT data in the packet.
- bits-in-random : To control the size of the random number to be
generated. This number has to match the other numbers generated and used
in the profile as per the algorithm.
- **Set a configured profile as active/in-use** :
set pot profile-active name <string> ID [0-1]
- name : Name of the profile list to be used for computing
POT data per packet.
- ID : Identifier of the profile within the list to be used.
- **Enable POT**:
set ioam rewrite pot
#### On IOAM encapsulating node
- Configure the classifier and apply ACL to select packets for IOAM data insertion.
- Example to enable IOAM data insertion for all the packet towards
IPv6 address db06::06 -
vpp# classify table miss-next ip6-node ip6-lookup mask l3 ip6 dst
vpp# classify session acl-hit-next ip6-node
ip6-add-hop-by-hop table-index 0 match l3 ip6 dst db06::06 ioam-encap test-encap
vpp# set int input acl intfc GigabitEthernet0/0/0 ip6-table 0
- Configure the proof of transit profile list with profiles.
Each profile list referred to by a name can contain 2 profiles,
only one is in use for updating proof of transit data at any time.
- Example profile list example with a profile generated from the
script to verify transit through 3 nodes is:
vpp# set pot profile name example id 0 prime-number 0x7fff0000fa884685
secret_share 0x6c22eff0f45ec56d lpc 0x7fff0000fa884682
polynomial2 0xffb543d4a9c bits-in-random 63
- Enable one of the profiles from the configured profile list as active
so that is will be used for calculating proof of transit
Example enable profile ID 0 from profile list example configured above:
vpp# set pot profile-active name example ID 0
- Enable POT option to be inserted
vpp# set ioam rewrite pot
#### On IOAM transit node
- Configure the proof of transit profile list with profiles for transit node.
Example:
vpp# set pot profile name example id 0 prime-number 0x7fff0000fa884685
secret_share 0x564cdbdec4eb625d lpc 0x1
polynomial2 0x23f3a227186a bits-in-random 63
#### On IOAM decapsulating node / verifier
- The decapsulating node, similar to the encapsulating node requires
classification of the packets to remove IOAM data from.
- Example to decapsulate IOAM data for packets towards db06::06
configure classifier and enable it as an ACL as follows:
vpp# classify table miss-next ip6-node ip6-lookup mask l3 ip6 dst
vpp# classify session acl-hit-next ip6-node ip6-lookup table-index 0
match l3 ip6 dst db06::06 ioam-decap test-decap
vpp# set int input acl intfc GigabitEthernet0/0/0 ip6-table 0 ioam-decap test-decap
- To update and verify the proof of transit, POT profile list should be configured.
- Example POT profile list configured as follows:
vpp# set pot profile name example id 0 validate-key 0x7fff0000fa88465d
prime-number 0x7fff0000fa884685 secret_share 0x7a08fbfc5b93116d lpc 0x3
polynomial2 0x3ff738597ce bits-in-random 63
### Configuration to enable sequence numbers
#### On IOAM encapsulating node
- Configure the classifier and apply ACL to select packets for IOAM data insertion.
- Example to enable IOAM data insertion for all the packet towards
IPv6 address db06::06 -
vpp# classify table miss-next ip6-node ip6-lookup mask l3 ip6 dst
vpp# classify session acl-hit-next ip6-node
ip6-add-hop-by-hop table-index 0 match l3 ip6 dst db06::06 ioam-encap test-encap
vpp# set int input acl intfc GigabitEthernet0/0/0 ip6-table 0
To enable insertion of sequence numbers on the IOAM encapsulation node do the following:
set ioam rewrite seqno
This will create and insert a unique sequence numbers for every flow matching a classify session.
On IOAM decapsulating node to analyze the sequence numbers do the following:
- Configure the classifier and apply ACL to select packets for IOAM data removal.
- Example to enable IOAM data insertion for all the packet towards
IPv6 address db06::06 -
vpp# classify table miss-next ip6-node ip6-lookup mask l3 ip6 dst
vpp# classify session acl-hit-next ip6-node
ip6-add-hop-by-hop table-index 0 match l3 ip6 dst db06::06 ioam-decap test-decap
vpp# set int input acl intfc GigabitEthernet0/0/0 ip6-table 0
Following command will analyze the sequence numbers received:
set ioam rewrite analyse
### Export configuration
On IOAM decapsulating node where trace is decap is configured add the following:
set ioam export ipfix collector <ip4-address> src <ip4-address>
## Operational data
Following CLIs are available to check IOAM operation:
- To check IOAM configuration that are effective use "show IOAM summary"
Example:
vpp# show ioam summary
REWRITE FLOW CONFIGS - Not configured
HOP BY HOP OPTIONS - TRACE CONFIG -
Trace Type : 0x1f (31)
Trace timestamp precision : 1 (Milliseconds)
Num of trace nodes : 4
Node-id : 0x2 (2)
App Data : 0x1234 (4660)
POT OPTION - 1 (Enabled)
Try 'show IOAM pot and show pot profile' for more information
- To find statistics about packets for which IOAM options were
added (encapsulating node) and removed (decapsulating node) execute
**show errors**
Example on encapsulating node:
vpp# show error
Count Node Reason
1208804706 ip6-inacl input ACL hits
1208804706 ip6-add-hop-by-hop Pkts w/ added ip6 hop-by-hop options
Example on decapsulating node:
vpp# show error
Count Node Reason
69508569 ip6-inacl input ACL hits
69508569 ip6-pop-hop-by-hop Pkts w/ removed ip6 hop-by-hop options
- To check the POT profiles use "show pot profile"
Example:
vpp# show pot profile
Profile list in use : example
POT Profile at index: 0
ID : 0
Validator : False (0)
Secret share : 0x564cdbdec4eb625d (6218586935324795485)
Prime number : 0x7fff0000fa884685 (9223090566081300101)
2nd polynomial(eval) : 0x23f3a227186a (39529304496234)
LPC : 0x1 (1)
Bit mask : 0x7fffffffffffffff (9223372036854775807)
Profile index in use: 0
Pkts passed : 0x36 (54)
- To get statistics of POT for packets use "show IOAM pot"
Example at encapsulating or transit node:
vpp# show ioam pot
Pkts with ip6 hop-by-hop POT options - 54
Pkts with ip6 hop-by-hop POT options but no profile set - 0
Pkts with POT in Policy - 0
Pkts with POT out of Policy - 0
Example at decapsulating/verification node:
vpp# show ioam pot
Pkts with ip6 hop-by-hop POT options - 54
Pkts with ip6 hop-by-hop POT options but no profile set - 0
Pkts with POT in Policy - 54
Pkts with POT out of Policy - 0
- For statistics on number of packets processed for trace execute **show ioam trace**
vpp# show ioam trace
Pkts with ip6 hop-by-hop trace options - 0
Pkts with ip6 hop-by-hop trace options but no profile set - 0
Pkts with trace updated - 0
Pkts with trace options but no space - 0
- For statistics and information on sequence number processing execute **show ioam e2e**
On IOAM encapsulating node:
vpp# show ioam e2e
IOAM E2E information:
Flow name: test-encap
SeqNo Data:
Current Seq. Number : 156790
On IOAM decapsulating node:
vpp# show ioam e2e
IOAM E2E information:
Flow name: test-decap
SeqNo Data:
Current Seq. Number : 156789
Highest Seq. Number : 156789
Packets received : 156789
Lost packets : 0
Reordered packets : 0
Duplicate packets : 0
Flow name: test-decap2
SeqNo Data:
Current Seq. Number : 0
Highest Seq. Number : 0
Packets received : 0
Lost packets : 0
Reordered packets : 0
Duplicate packets : 0
- Tracing - enable trace of IPv6 packets to view the data inserted and
collected.
Example when the nodes are receiving data over a DPDK interface:
Enable tracing using "trace add dpdk-input 20"
(or other interface xxx-input e.g. af-packet-input, tapcli-rx etc) and
execute "show trace" to view the IOAM data collected:
vpp# trace add dpdk-input 20
vpp# show trace
------------------- Start of thread 0 vpp_main -------------------
Packet 1
00:00:19:294697: dpdk-input
GigabitEthernetb/0/0 rx queue 0
buffer 0x10e6b: current data 0, length 214, free-list 0, totlen-nifb 0, trace 0x0
PKT MBUF: port 0, nb_segs 1, pkt_len 214
buf_len 2176, data_len 214, ol_flags 0x0, data_off 128, phys_addr 0xe9a35a00
packet_type 0x0
IP6: 00:50:56:9c:df:72 -> 00:50:56:9c:be:55
IP6_HOP_BY_HOP_OPTIONS: db05::2 -> db06::6
tos 0x00, flow label 0x0, hop limit 63, payload length 160
00:00:19:294737: ethernet-input
IP6: 00:50:56:9c:df:72 -> 00:50:56:9c:be:55
00:00:19:294753: ip6-input
IP6_HOP_BY_HOP_OPTIONS: db05::2 -> db06::6
tos 0x00, flow label 0x0, hop limit 63, payload length 160
00:00:19:294757: ip6-lookup
fib 0 adj-idx 15 : indirect via db05::2 flow hash: 0x00000000
IP6_HOP_BY_HOP_OPTIONS: db05::2 -> db06::6
tos 0x00, flow label 0x0, hop limit 63, payload length 160
00:00:19:294802: ip6-hop-by-hop
IP6_HOP_BY_HOP: next index 5 len 96 traced 96 Trace Type 0x1f , 1 elts left
[0] ttl 0x0 node ID 0x0 ingress 0x0 egress 0x0 ts 0x0
app 0x0
[1] ttl 0x3e node ID 0x3 ingress 0x1 egress 0x2 ts 0xb68c2213
app 0x1234
buffer 0x10e6b: current data 0, length 214, free-list 0, totlen-nifb 0, trace 0x0
PKT MBUF: port 0, nb_segs 1, pkt_len 214
buf_len 2176, data_len 214, ol_flags 0x0, data_off 128, phys_addr 0xe9a35a00
packet_type 0x0
IP6: 00:50:56:9c:df:72 -> 00:50:56:9c:be:55
IP6_HOP_BY_HOP_OPTIONS: db05::2 -> db06::6
tos 0x00, flow label 0x0, hop limit 63, payload length 160
00:00:19:294737: ethernet-input
IP6: 00:50:56:9c:df:72 -> 00:50:56:9c:be:55
00:00:19:294753: ip6-input
IP6_HOP_BY_HOP_OPTIONS: db05::2 -> db06::6
tos 0x00, flow label 0x0, hop limit 63, payload length 160
00:00:19:294757: ip6-lookup
fib 0 adj-idx 15 : indirect via db05::2 flow hash: 0x00000000
IP6_HOP_BY_HOP_OPTIONS: db05::2 -> db06::6
tos 0x00, flow label 0x0, hop limit 63, payload length 160
00:00:19:294802: ip6-hop-by-hop
IP6_HOP_BY_HOP: next index 5 len 96 traced 96 Trace Type 0x1f , 1 elts left
[0] ttl 0x0 node ID 0x0 ingress 0x0 egress 0x0 ts 0x0
app 0x0
[1] ttl 0x3e node ID 0x3 ingress 0x1 egress 0x2 ts 0xb68c2213
app 0x1234
[2] ttl 0x3f node ID 0x2 ingress 0x1 egress 0x2 ts 0xb68c2204
app 0x1234
[3] ttl 0x40 node ID 0x1 ingress 0x5 egress 0x6 ts 0xb68c2200
app 0x1234
POT opt present
random = 0x577a916946071950, Cumulative = 0x10b46e78a35a392d, Index = 0x0
00:00:19:294810: ip6-rewrite
tx_sw_if_index 1 adj-idx 14 : GigabitEthernetb/0/0
IP6: 00:50:56:9c:be:55 -> 00:50:56:9c:df:72 flow hash: 0x00000000
IP6: 00:50:56:9c:be:55 -> 00:50:56:9c:df:72
IP6_HOP_BY_HOP_OPTIONS: db05::2 -> db06::6
tos 0x00, flow label 0x0, hop limit 62, payload length 160
00:00:19:294814: GigabitEthernetb/0/0-output
GigabitEthernetb/0/0
IP6: 00:50:56:9c:be:55 -> 00:50:56:9c:df:72
IP6_HOP_BY_HOP_OPTIONS: db05::2 -> db06::6
tos 0x00, flow label 0x0, hop limit 62, payload length 160
00:00:19:294820: GigabitEthernetb/0/0-tx
GigabitEthernetb/0/0 tx queue 0
buffer 0x10e6b: current data 0, length 214, free-list 0, totlen-nifb 0, trace 0x0
IP6: 00:50:56:9c:be:55 -> 00:50:56:9c:df:72
IP6_HOP_BY_HOP_OPTIONS: db05::2 -> db06::6
tos 0x00, flow label 0x0, hop limit 62, payload length 160
|
