IETF Logo Mail Archive

Re: [Int-area] New Version Notification for draft-herbert-ipv4-udpencap-eh-00.txt

Joe Touch <touch@strayalpha.com> Thu, 07 March 2019 05:29 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6385130EA5 for <int-area@ietfa.amsl.com>; Wed, 6 Mar 2019 21:29:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.219
X-Spam-Level:
X-Spam-Status: No, score=-1.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6nBP6AGMOOHP for <int-area@ietfa.amsl.com>; Wed, 6 Mar 2019 21:29:30 -0800 (PST)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 229C7130EA1 for <int-area@ietf.org>; Wed, 6 Mar 2019 21:29:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=6n97CvWh8z29DCVqX6yz4pM2o5goJOD76MqbMIVYjg0=; b=CUHkq5eTGUki3FchY37Iaruiv Qe/34yyXLMK3iM3cTO2itwO5PW6UBHCt4sILSANomDj5WdNXieuJ4FOz0+IC+nunIKMlHlsieL42u tjT79cdJ3s7BU3sFp28k4oXjRbk/z0QkUus4McETL2LhAtGkwhtsaiT+Srojo5EYbUuW+TSQuenhr A31fNl86Ef+rRVs6KipSSwYBK3CEIPF7mH9mzO1UaMY29RMqskhDUuTty1Z29zKOR4UptPj6fpHau 8OhsaKc6tjLDbogzCIOSgzfA/zehyZPcUgcgtZQK1NqI3ApxyXcNevpPk1e4YOagy4jbPctQEBilW tmtaYozhA==;
Received: from cpe-172-250-240-132.socal.res.rr.com ([172.250.240.132]:54764 helo=[192.168.1.77]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <touch@strayalpha.com>) id 1h1law-002RNL-RT; Thu, 07 Mar 2019 00:29:28 -0500
Content-Type: multipart/alternative; boundary="Apple-Mail=_458CEE3D-9AD4-4E27-B873-7A19037C262A"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Joe Touch <touch@strayalpha.com>
In-Reply-To: <CALx6S34NDRCC0NeWJLxtzs=p+Q1m9EyidkkyPqqDurMoPgmxYQ@mail.gmail.com>
Date: Wed, 06 Mar 2019 21:29:25 -0800
Cc: Tom Herbert <tom@quantonium.net>, "Templin (US), Fred L" <Fred.L.Templin@boeing.com>, int-area <int-area@ietf.org>
Message-Id: <F59C4EDD-15A9-4052-B210-70A4196D0014@strayalpha.com>
References: <155129875579.13940.18077034152695268824.idtracker@ietfa.amsl.com> <CAPDqMeofwtqye_+55Yc_3rAkQqNLQ9Dw9TohJ7gcYCgUJrs-Jg@mail.gmail.com> <dbcef0c979f24aecb638babded309117@boeing.com> <CAPDqMeryKrE2t47kY1YXcpf80bJ8W3cx9m3UX+vfiYTy_kE6yA@mail.gmail.com> <7e858ddb-5372-b77b-1ebb-e9b0e297b479@strayalpha.com> <CALx6S34sRo1bzYZs3bEE4cWkhZb_vmomYE4F=vrpesNqG8SuXw@mail.gmail.com> <0f185c50-0450-aba7-c2cb-6f047fe08a28@strayalpha.com> <CAPDqMeqGt7-mdpnnr70Jjg3Zd_fyvva=5qkS1+zAD=XYVF214w@mail.gmail.com> <b06f8cc1ba0a931221bd1d76fe1961ff@strayalpha.com> <CALx6S34NDRCC0NeWJLxtzs=p+Q1m9EyidkkyPqqDurMoPgmxYQ@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/0mqUzd2LrhXLNRX5CqiTvVjGbyY>
Subject: Re: [Int-area] New Version Notification for draft-herbert-ipv4-udpencap-eh-00.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Mar 2019 05:29:32 -0000


> On Mar 6, 2019, at 2:38 PM, Tom Herbert <tom@herbertland.com> wrote:
> 
> On Wed, Mar 6, 2019 at 10:59 AM Joe Touch <touch@strayalpha.com <mailto:touch@strayalpha.com>> wrote:
>> 
>> 
>> 
>> 
>> 
>> On 2019-03-06 09:12, Tom Herbert wrote:
>> 
>> On Wed, Mar 6, 2019 at 9:03 AM Joe Touch <touch@strayalpha.com> wrote:
>> 
>> ...
>> 
>> And yes, we can build an Internet on the Internet - again, as I've noted
>> repeatedly throughout the IETF. Or we can use UDP fragmentation - which
>> ought to solve all these issues in one shot.
>> 
>> So what's the gain here?
>> 
>> 
>> Joe,
>> 
>> Please view the proposal in its entirety.
>> 
>> 
>> Here are the problems, which I already stated, but seem to need restating in the exact context of the proposal:
>> 
>> - IP options already cause routers to drop traffic
>>  this is true for both IPv4 and IPv6; making those options look like IPv6 just gives routers a different WAY to drop them
>> 
> Some routers drop extension headers, but not all of them.

See RFC 7126.

> If all of
> them drop extension headers, then a whole bunch of effort in 6man is
> pointless.

No argument there.

> 
>> - DPI looks for transport port numbers that are expected, either for service gating or even deeper DPI
>>  and GUE isn't one of them
>> 
> There's no requirement to support DPI into the transport layer.

Sure, but the current problem is that mechanisms that defeat DPI can result in traffic being blocked.

> In
> fact, encryption of the transport layer, like in QUIC, effectively
> renders DPI into the transport layer useless.

Yes, but not the transport ports.
> ...
> 
>> - pushing the actual UDP port numbers used inside a GUE header creates an "internet in an internet"
>>  as noted above, that's a losing battle we've repeatedly tried
> 
> I'm not sure what you mean by "actual UDP port numbers”.

The E2E transport being used, rather than the encapsulation layer that you need to create a place between IP and transport for these options as if they were protocols.

The issue is that DPI that allows port 443 (even encrypted) and a finite set of other ports would likely block the GUE port. And it wouldn’t dive in to the sequence of headers to find the “actual” transport port inside.

— 

What we know so far is that:
- for on-path signaling, routers don’t want to be signaled or interacted with; they’re too busy just forwarding packets
- the only other reason for these headers are endpoint features that can - and IMO should - be done at the transport layer

Joe

v2.23.0 | Report a Bug | By Email