IETF Logo Mail Archive

Re: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt> (Implications of Oversized IPv6 Header Chains) to Proposed Standard

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 09 October 2013 22:21 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9032321F9B90; Wed, 9 Oct 2013 15:21:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.547
X-Spam-Level:
X-Spam-Status: No, score=-102.547 tagged_above=-999 required=5 tests=[AWL=0.052, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WqQl7Y85ScDf; Wed, 9 Oct 2013 15:21:35 -0700 (PDT)
Received: from mail-pd0-x231.google.com (mail-pd0-x231.google.com [IPv6:2607:f8b0:400e:c02::231]) by ietfa.amsl.com (Postfix) with ESMTP id 40B5821E81C6; Wed, 9 Oct 2013 15:21:32 -0700 (PDT)
Received: by mail-pd0-f177.google.com with SMTP id y10so1607351pdj.8 for <multiple recipients>; Wed, 09 Oct 2013 15:21:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=UtIt7IW8dgroLa5U6prSejhIJGLl3dTBB1Vf3Gv5uSs=; b=oq/eHwqT/s1vH9KSq8dntWuNJAk95daRkCdIDXTi/pddV8U/GSov9qq1p1kEY1IJ2+ kVqYgBb++2dGYOBpFvWphSWyazZZ3aRDJGUeE0dU2pm0EsdCCaHpxEkEEFVCuQEsN4pk 0S35Y8yP9HGgV025FOezObrWmRJWok5Z7zEY15yixa6q/i5Hj3cvDNjLFGnEKXIEdKc+ TFt9YfId5uDGnuNTrA4jUGTrHbEHDpH7cPgt+LbGZk06QvQZWvjya38ikESAkqTcr+ZU BQ09RG1rkz3k4B8C37JWBGWJ93AHFwkKwRMR52VhgtKoBFvBVPVesBtMduKMjEeL9pby XVrg==
X-Received: by 10.67.5.132 with SMTP id cm4mr65764pad.186.1381357291923; Wed, 09 Oct 2013 15:21:31 -0700 (PDT)
Received: from [192.168.178.20] (103.197.69.111.dynamic.snap.net.nz. [111.69.197.103]) by mx.google.com with ESMTPSA id zq10sm57534522pab.6.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 09 Oct 2013 15:21:31 -0700 (PDT)
Message-ID: <5255D6EE.4050300@gmail.com>
Date: Thu, 10 Oct 2013 11:21:34 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Templin, Fred L" <Fred.L.Templin@boeing.com>
Subject: Re: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt> (Implications of Oversized IPv6 Header Chains) to Proposed Standard
References: <20131002185522.20697.96027.idtracker@ietfa.amsl.com> <2134F8430051B64F815C691A62D9831811AEFC@XCH-BLV-504.nw.nos.boeing.com> <2134F8430051B64F815C691A62D9831811BDD3@XCH-BLV-504.nw.nos.boeing.com> <9300F272-E282-41C3-9DA8-59134B975FC7@employees.org> <9e33a47bb2834c15ba4269ae8c79c46f@BLUPR05MB433.namprd05.prod.outlook.com> <2134F8430051B64F815C691A62D9831811EB23@XCH-BLV-504.nw.nos.boeing.com> <D1F5CE61-253E-4F07-AED1-4A4AB4C4AB68@employees.org> <2134F8430051B64F815C691A62D9831811EE66@XCH-BLV-504.nw.nos.boeing.com> <E29381FD-C839-4DBA-8711-3A4EBA83E379@employees.org> <2134F8430051B64F815C691A62D9831811EF1C@XCH-BLV-504.nw.nos.boeing.com>
In-Reply-To: <2134F8430051B64F815C691A62D9831811EF1C@XCH-BLV-504.nw.nos.boeing.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: "ipv6@ietf.org" <ipv6@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Oct 2013 22:21:35 -0000

Fred,

See below...

On 10/10/2013 06:42, Templin, Fred L wrote:
> Hi Ole,
> 
>> -----Original Message-----
>> From: Ole Troan [mailto:otroan@employees.org]
>> Sent: Wednesday, October 09, 2013 10:31 AM
>> To: Templin, Fred L
>> Cc: Ronald Bonica; ipv6@ietf.org; ietf@ietf.org
>> Subject: Re: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt>
>> (Implications of Oversized IPv6 Header Chains) to Proposed Standard
>>
>> Fred,
>>
>>>>>> -----Original Message-----
>>>>>> From: Ronald Bonica [mailto:rbonica@juniper.net]
>>>>>> Sent: Tuesday, October 08, 2013 5:46 PM
>>>>>> To: Ole Troan; Templin, Fred L
>>>>>> Cc: ipv6@ietf.org; ietf@ietf.org
>>>>>> Subject: RE: Last Call: <draft-ietf-6man-oversized-header-chain-
>>>> 08.txt>
>>>>>> (Implications of Oversized IPv6 Header Chains) to Proposed
>> Standard
>>>>>> I agree with Ole.
>>>>> How so? A tunnel that crosses a 1280 MTU link MUST fragment
>>>>> in order to satisfy the IPv6 minMTU. If it must fragment, then
>>>>> an MTU-length IPv6 header chain would not fit within the first
>>>>> fragment, and we have opened an attack vector against tunnels.
>>>>> This is not a matter to be agreed or disagreed with - it is
>>>>> a simple fact.
>>>> right, and RFC2460 has this to say about it:
>>>>
>>>>   IPv6 requires that every link in the internet have an MTU of 1280
>>>>   octets or greater.  On any link that cannot convey a 1280-octet
>>>>   packet in one piece, link-specific fragmentation and reassembly
>> must
>>>>   be provided at a layer below IPv6.
>>> Very true. In this case, the "link" is the tunnel and the "link-
>> specific
>>> fragmentation" is IPv6 fragmentation. Which places the first part of
>> an
>>> MTU-length IPv6 header chain in the first fragment and the remainder
>> of
>>> the header chain in the second fragment.
>> indeed. which would violate the MUST in oversized-header-chain.
>>
>> what do we do?
>> a) ignore this particular corner case
>> b) suggest the tunnel head end to drop the packet
>> c) develop a new tunnel segmentations scheme that doesn't depend on
>> IPv6 fragmentation. :-)
> 
> You know I have an interest in alternative c), but that does not
> address the issue of splitting the header chain across multiple
> fragments. So, my choice is:
> 
> d) limit the size of the IPv6 header chain so that the chain will
> fit within the first fragment by having the host limit the chain
> to the MTU size minus 256 bytes.
> 
> Actually, I would be even happier if we just asked the host to limit
> the size of the header chain to 1024 bytes regardless of the path MTU.

Since the problem recurses as we tunnel tunnels, I don't see how any
finite limit can solve the problem. 1280 itself is a pragmatic choice
of "a bit shorter than 1500".

The problem is that you are asserting that middleboxes that a tunnel
passes through are expected to examine the complete header chain of
the encapsulated packet even if the encapsulated packet is a fragment.
I think that's an unreasonable expectation. A reasonable expectation
is that middleboxes should identify the encapsulated packet as
a payload that they cannot analyse, and let it go (unless they
have a policy setting to drop tunnelled packets, which is a
different discussion).

I understood that to be the basis on which the WG reached consensus.

    Brian

v2.23.0 | Report a Bug | By Email