IETF Logo Mail Archive

Re: [Edm] Please review draft-iab-use-it-or-lose-it-01

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 19 July 2021 21:03 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: edm@ietfa.amsl.com
Delivered-To: edm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DD453A0978 for <edm@ietfa.amsl.com>; Mon, 19 Jul 2021 14:03:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZNG48_kuXLVv for <edm@ietfa.amsl.com>; Mon, 19 Jul 2021 14:03:31 -0700 (PDT)
Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com [IPv6:2607:f8b0:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 684F33A0976 for <edm@iab.org>; Mon, 19 Jul 2021 14:03:31 -0700 (PDT)
Received: by mail-pf1-x435.google.com with SMTP id 21so17707954pfp.3 for <edm@iab.org>; Mon, 19 Jul 2021 14:03:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=lizWgVSHzJAqjnUht1xZjjbamne68AC+6qQdNdehqkw=; b=XdAj37tjmgyZFv2q7377ZBvKyPV/OQQlQRKcm9E2b8OOhjiYkE9TVtHblaJ/4s4paa DR4jgxeDheHVP5y4Ol940zINNdbAwF61HFhOk+xgWfuEe+3vucgJudMDsTuYFTnQdJs9 ZWkovd/cv3ViQYgUKuEzUugbeDlTMneJUvYAVjoot8R/F5LTFrQBVsXn9N2IYIC/o/qm hnOW0+xmsvYzl2I63bau/S9zSkFDmNx0ybEwuq0kyQFHHUCn7eKcvLvA0EhkH2wGNMBS aAAw1ZU/KVt+9h5DYTGKR57Dr8MDCcr+UIpoSsWt8IuhhI6jHfl5ubRLliUdy+qjfZix x7nA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=lizWgVSHzJAqjnUht1xZjjbamne68AC+6qQdNdehqkw=; b=YHTTd/UvKZITEtBhsz5p1/OnmE7c/C+tCT5LPG6pdotPNlrwGM9j/2TLArmly1DalI eXLaupZd3eOXLCytlUCyppUgh6+YKUTXvBoxxHnUItIh93ghR4XW2LNSg+FT9em8Nf3v ybQbjryQlbKNLhYCU41CalUAc45IBNwOQBBAQFilo/J0GpVq+RLt/hY/mNgFDcmXJZsP H9Oyz6BS0roIqdu5z7QKA8A4d7WvIb5w+qKtQM6+pnJl2QCAyxHdA6CSy8UcZViKpq0p iQiZcu+VLLdfhYPB5SzYIYWjxDbampNqSgfO2ASbsLKAhrnL3o2rZ4BlnWc1L8yGEzk5 DWhQ==
X-Gm-Message-State: AOAM531p3cmNj6kkZVQp+xYenII1YAHEIr4P3QDJbceSFfRw0j3SLZL7 NRItWoIUvKNNJZLA9G10weKB8q+Y5OKnlQ==
X-Google-Smtp-Source: ABdhPJwn/xNPeZ3j5lejndVdQZgJ0jVyU8rFkLXXIHb76tD761yeppIVJBZvJm8a7AuJPchxG089vQ==
X-Received: by 2002:a63:1d47:: with SMTP id d7mr15639169pgm.44.1626728609881; Mon, 19 Jul 2021 14:03:29 -0700 (PDT)
Received: from ?IPv6:2406:e003:1188:5b01:80b2:5c79:2266:e431? ([2406:e003:1188:5b01:80b2:5c79:2266:e431]) by smtp.gmail.com with ESMTPSA id j6sm17581746pji.23.2021.07.19.14.03.27 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 19 Jul 2021 14:03:29 -0700 (PDT)
To: Martin Thomson <mt@lowentropy.net>, Toerless Eckert <tte@cs.fau.de>
Cc: edm@iab.org
References: <162626887655.14379.5438309391409890693@ietfa.amsl.com> <80F3F8A2-2C3C-4DE8-BD1D-07842F5B2F89@apple.com> <20210715154649.GD24216@faui48e.informatik.uni-erlangen.de> <5149e82e-4f98-411b-9e34-27f243352b95@www.fastmail.com> <a2a718ba-7231-449f-8a55-fcc6a7823d59@www.fastmail.com> <20210716231731.GR24216@faui48e.informatik.uni-erlangen.de> <01832870-dfe9-42c8-b10f-d22169b94096@www.fastmail.com> <9a5eec9d-90ae-ffd3-fc83-00e3800d7f9c@gmail.com> <5d0baa69-8634-49de-bed3-cc8467c5e34f@www.fastmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <28895b98-f412-e3bb-810f-c6aabb718619@gmail.com>
Date: Tue, 20 Jul 2021 09:03:24 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <5d0baa69-8634-49de-bed3-cc8467c5e34f@www.fastmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/edm/wopMgQBXvvA7qshxFUb_jDFGPac>
Subject: Re: [Edm] Please review draft-iab-use-it-or-lose-it-01
X-BeenThere: edm@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Evolvability, Deployability, & Maintainability \(Proposed\) Program" <edm.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/edm>, <mailto:edm-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/edm/>
List-Post: <mailto:edm@iab.org>
List-Help: <mailto:edm-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/edm>, <mailto:edm-request@iab.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Jul 2021 21:03:36 -0000

On 19-Jul-21 14:24, Martin Thomson wrote:
> On Mon, Jul 19, 2021, at 11:54, Brian E Carpenter wrote:
>>> The unexpected participation observation doesn't really apply to the IP version example as you have to expect that every router on path needs to participate.
>>
>> Not really. That's what Router Alert is all about. I'm saying it is 
>> much of a success, but it recognized from the start that not all 
>> routers are equal.
>>
>> The ineffectiveness of both RFC2113 and RFC2711 illustrates that there 
>> is fundamentally no difference between IPv4 Options and IPv6 Extension 
>> Headers in this respect. The network is equally ossified and opaque to 
>> new ones in both cases.
> 
> Oh, the options/header extension mess is multi-dimensional.  I didn't get the impression that misuse at the root of the problem, 

I don't think so. There is a 3-way tussle here between the realities of line-speed routing hardware, a tendency by protocol designers to assume that routers are general-purpose computers with lots of time to analyse packet headers, and the desire of firewall vendors to block anything suspicious, including anything new.

By way of anecdote, when my student a few years ago deployed the SHIM6 header extensions between the University of Auckland and a site in Ireland, we had to circumvent firewall rules at both sites in order to do so; traversing the wide-area Internet was no problem at all. But "greasing" those site firewalls simply isn't a meaningful concept; they *exist* to prevent unknown stuff getting through.

The generic issue is that any mechanism that requires an intermediate system to analyse a transport header (or, worse, a payload) at line speed is stymied by unexpected IPv6 extension headers. You can't say "don't do that" when doing so is a requirement, as it is for firewalls and server load balancing to name but two cases. (We tried to fix this problem for server load balancing with RFC7098, but I'm not sure we succeeded.)

> though your first reference implies that it might be.  I'm not following that work closely to say that it is the only problem here or even if it is the main problem.  
> 
> Do you think that it is worth talking about here?  A one paragraph contribution that talked about the Router Alert Option/EH might help.  if only to highlight how this is not always caused by bugs, but it can be interaction with policies that participants might choose to implement (that look like bugs).  To some extent, that's consistent with the SIP intermediation story, which is dominated by policy.

I certainly think the point is worth mentioning, if only as a case where greasing probably won't help.

    Brian

v2.23.0 | Report a Bug | By Email