Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05 (Tom Herbert)
Ron Bonica <rbonica@juniper.net> Wed, 16 January 2019 20:08 UTC
Return-Path: <rbonica@juniper.net>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEDC913111E for <int-area@ietfa.amsl.com>; Wed, 16 Jan 2019 12:08:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.253
X-Spam-Level:
X-Spam-Status: No, score=-5.253 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, KHOP_DYNAMIC=2, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pNvHFZFD9XD6 for <int-area@ietfa.amsl.com>; Wed, 16 Jan 2019 12:08:21 -0800 (PST)
Received: from mx0b-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 774C5130E5E for <int-area@ietf.org>; Wed, 16 Jan 2019 12:08:21 -0800 (PST)
Received: from pps.filterd (m0108157.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x0GK6kgf005807; Wed, 16 Jan 2019 12:08:20 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=PPS1017; bh=rMInqWZHyv2obSUM/GoAKaSZe6a1lxj3GOQoXOb68zA=; b=0qUeFnei+uoNvsb63z6UYX4lfvK7rR2WCVp5lh9vZV3sk8ESOb6YDjbFcXB4VN/crUlG i84ZgsMXxfd2Pt/D0P5mUCCrt8TFJWp9jP9qLy3ZQvVdCvwgFAjX4V/RfOezRiaPGxWn lv1lkgkCVgYhhAVPF0rcEWrdmNAfHvge+0PHAYzPj7yETNH2+NGujGx8bbkounFAlx+n xU9UIz3tzTKg7GlE5rB/04A809ZNpsq3OEQ2SWefBQiDBBYajQZKTgI2mA8/O/Wz3jpu FKsmHQGun+6auxU4eAmG/WM1f1gyE7evaop+eSMCSmVNWZ+Xp6Vj4FXQnvKJjfQsuZMT TQ==
Received: from nam03-by2-obe.outbound.protection.outlook.com (mail-by2nam03lp2052.outbound.protection.outlook.com [104.47.42.52]) by mx0a-00273201.pphosted.com with ESMTP id 2q24150rsj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 16 Jan 2019 12:08:20 -0800
Received: from BYAPR05MB4245.namprd05.prod.outlook.com (20.176.252.26) by BYAPR05MB5415.namprd05.prod.outlook.com (20.177.184.220) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1537.16; Wed, 16 Jan 2019 20:08:18 +0000
Received: from BYAPR05MB4245.namprd05.prod.outlook.com ([fe80::7598:d648:d84f:9304]) by BYAPR05MB4245.namprd05.prod.outlook.com ([fe80::7598:d648:d84f:9304%3]) with mapi id 15.20.1537.018; Wed, 16 Jan 2019 20:08:18 +0000
From: Ron Bonica <rbonica@juniper.net>
To: Tom Herbert <tom@herbertland.com>
CC: int-area <int-area@ietf.org>
Thread-Topic: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05 (Tom Herbert)
Thread-Index: AdStQYYXSZyE1bgJQxWWrsMjLI1zXgAj+ECAAAA9JIAAAQRtgAAALV0w
Date: Wed, 16 Jan 2019 20:08:18 +0000
Message-ID: <BYAPR05MB4245571B694F0F696400656BAE820@BYAPR05MB4245.namprd05.prod.outlook.com>
References: <BYAPR05MB4245CCEDF88CEB261D6B5D53AE820@BYAPR05MB4245.namprd05.prod.outlook.com> <CALx6S34f_uV=+d+y8_kgu57UYYwAZ3aJeJJ4e9m9arfo5h_Xow@mail.gmail.com> <BYAPR05MB4245F13F5E8A779332B1AD92AE820@BYAPR05MB4245.namprd05.prod.outlook.com> <CALx6S37JDx0kAqXiRCN7gSC_0cf_-LkWo42xV8sfB7Z7iucJ8w@mail.gmail.com>
In-Reply-To: <CALx6S37JDx0kAqXiRCN7gSC_0cf_-LkWo42xV8sfB7Z7iucJ8w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.1.0.61
dlp-reaction: no-action
x-originating-ip: [66.129.241.11]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR05MB5415; 6:vohbbqK8Nk1r6f2VCi0SgkPNv1enYe4s56TWoUELKv8xaiTA2x+HV7z2nhAqLw5atSuCxNdV0ZRxTNqHRjaGkUepTXTIjAhnlpH9ie/coghN6M3K2Ld26W2uPXRdpKMCCZ5O9r27QGWibMhHeuPDnlTDlJKpNd5BVgkdB92k19MY+F+T2mTQQfl3kSfSsUZ5eX8GpPvY4lxGtqdLSYLvFpc6LjR1xA0yMiyxwFbAAvEj7yj1xrH9lsr8pVV2zA1VW7vfblN6HdyB3VuX04Wgp7EgfnXqzUZXVIUMEEeHvEcopgrlPz9HFrkt3OgIRL6wxsr38If+VViDhQWldmgI1kfVyeJpU1VZnu0LMenXM2bBCp0q9CkFXrH8P4rYup4rewEhR+rAYuxIkcRFsCjxCA34TlD5Dny2bnUl10pR1XSB8klheo2ly1+SZwC969Obf2CU+J+jNrKDeFy7MreN9Q==; 5:FX5kT3tz0gBIJGEYKyb2kj6mwsUZ20woGK2OJ7KYzZOwL7oXPpOPeDiaO3RC8LTAnMmfMEgIl/Zv6KnCLoA9jdYM7d+YB9qQZQMCebQaTNe/BlJ+nDwjGg5Ys+tTD3/rKrZnN0mbVEZhrCiWp83ZXtJUCmf1TIVUuuxfyDKt7z4q0vRdFk6lCxtd2CcYjQ0MWDVAECszm411cGGT6uPTJQ==; 7:2ehghnjVHPDH3nuVG1y9zE48lCNcySLx6K69VfD5RJFmN0Og8VB6HlE3W4fGBVU2ZphEsyTWN5hHZYlprgga+iedbo91Em/XqdQynWptgx2eRP/hNzfKJAHyC73zZSBmZqdGFNAfu4VHXGu69DOcQA==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 8491725d-da20-40b8-ac11-08d67bee5b8b
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:BYAPR05MB5415;
x-ms-traffictypediagnostic: BYAPR05MB5415:
x-microsoft-antispam-prvs: <BYAPR05MB5415A1BAD4F47300544C527FAE820@BYAPR05MB5415.namprd05.prod.outlook.com>
x-forefront-prvs: 091949432C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(39860400002)(366004)(346002)(396003)(376002)(13464003)(189003)(199004)(53546011)(6306002)(7696005)(26005)(6506007)(93886005)(11346002)(76176011)(81156014)(71190400001)(2906002)(316002)(8676002)(446003)(55016002)(81166006)(5660300001)(74316002)(9686003)(86362001)(3846002)(6116002)(186003)(71200400001)(6436002)(97736004)(6346003)(476003)(68736007)(102836004)(33656002)(966005)(4326008)(6246003)(99286004)(53936002)(25786009)(478600001)(305945005)(229853002)(14454004)(256004)(106356001)(105586002)(486006)(8936002)(19627235002)(66066001)(6916009)(7736002); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR05MB5415; H:BYAPR05MB4245.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: f6AKhz36UGYGQKYLlZhbTDy0n9rAak+k2kcKpruhDpf+lIJaBzIlb3o1n1whdEsCuWw8vNhRiglJ6i4zuKYpp1o5M+O+p2wNr2d8kHnpsHD+u1zvYhUepyi6bwaC3UVoRvIn+3fOHIHzVd4vxGNeZl+Dt+tc8UJM816K5VSftmdlGylvt6Kk1XCg+SOO9lznMWQr9FruS4F6jEXfYJtXevlobINJQaaHUQhVbKHhefEcgK+eyj1T1cSJfO79WGjHL/SSFc0SCBxizd8RN7nh7XSY8qQVCtyanMS45GQJ6L+C/PYcRc7D6mv3eI8ERMIQp/W8sK60lgoSbVXz9/mrKG54f0IEJHxnvV6BdekOefeXQM1STlXm9JU0gzHbpcScgWVsWuRr1xMXbQluC/DDaqsqkG3KMmYVyg3O6NwHy50=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 8491725d-da20-40b8-ac11-08d67bee5b8b
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Jan 2019 20:08:18.6706 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB5415
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-01-16_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901160161
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/7Dhj77EvOy0JV0EkShXt6vMgzjE>
Subject: Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05 (Tom Herbert)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Jan 2019 20:08:24 -0000
Tom,
We seem to be talking past one another.
Would you objection be satisfied if I deleted the sentence?
Ron
> -----Original Message-----
> From: Tom Herbert <tom@herbertland.com>
> Sent: Wednesday, January 16, 2019 3:03 PM
> To: Ron Bonica <rbonica@juniper.net>
> Cc: int-area <int-area@ietf.org>
> Subject: Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05 (Tom
> Herbert)
>
> On Wed, Jan 16, 2019 at 11:40 AM Ron Bonica <rbonica@juniper.net> wrote:
> >
> > Inline…..
> >
> >
> >
> > From: Tom Herbert <tom@herbertland.com>
> > Sent: Wednesday, January 16, 2019 2:27 PM
> > To: Ron Bonica <rbonica@juniper.net>
> > Cc: int-area <int-area@ietf.org>
> > Subject: Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05
> > (Tom Herbert)
> >
> >
> >
> >
> >
> > On Tue, Jan 15, 2019, 6:17 PM Ron Bonica <rbonica@juniper.net wrote:
> >
> > Tom,
> >
> > Please take a look at Section 4.3 (Stateless Firewalls). How can the stateless
> firewall behave optimally without maintaining state?
> >
> >
> >
> > Ron,
> >
> >
> >
> > A stateless firewall that maintains state is no longer a stateless firewall.
> Introducing state requires memory and additional logic that are at odds with
> the goal of cheap low end devices.
> >
> >
> >
> > True, but orthogonal to the issue at hand. You asked why a middle box might
> need to maintain state to perform properly. I offered the example of a
> firewall. In the presence of fragments, only a stateful firewall can perform its
> intended task.
> >
> Ron,
>
> I don't follow. If the intended task is to drop packets based on some filter then
> dropping the first fragment meets the requirement. If the intent is something
> else then the requirements should be enumerated.
> Neither do I understand why a stateful firewall uniquely satisfies the
> requirements without breaking others. All we know from the description is
> that they're stateful, but we don't know how they should manage and using
> state nor the requirements they have followed. Think of it this way, if I were a
> manufacturer of a stateless device and I read the draft I might be convinced of
> the recommedation that I need to add state to my devices. But then what does
> that mean? Where is the specification and requirements that tells me how to
> do that?
>
> Tom
>
> >
> >
> >
> >
> > A stateless firewall could just drop the first fragment that contains the
> transport layer header and allow non first fragments to past. This achieves the
> filtering goal to prevent delivery of the reassmbled packet. It does mean
> fragments that can't possibly be reassembled make it to the destination.
> Whether or not that is a mere nuisance or causes real problems that creates a
> DOS vector depends on other factors in deployment.
> >
> >
> >
> > It is at least a nuisance and at worst a DOS vector.
> >
> >
> >
> > Also, if state is required then what is the algorithm that uses that state? in
> section 4.6 virtual reassembly is mentioned in passing, but they goes on to say
> that has problems. It's also true that stateful firewalls inevitably break multi-
> path but stateless firewalls don't which is a big advantage. It's not clear to me
> that making stateless firewalls stateful is an improvement.
> >
> >
> >
> > This is beyond the scope of this document.
> >
> >
> >
> > Ron
> >
> >
> >
> >
> >
> > Tom
> >
> >
> >
> >
> >
> >
> > While flow labels may help in the case of load balancers, the don't help at all
> in the case of stateless firewalls.
> >
> >
> > Ron
> >
> > > Secondly, the only specified interaction between fragmentation and
> > > intermediate nodes is that routers can fragment packets in IPv4.
> > > Other than that, a middlebox that complies with RFC791 and RFC8200
> > > does not process or consider fragmentation of packets. Given that,
> > > it's unclear to me why middle boxes would need to maintain state to
> > > be protocol compliant. It's possible that the implicit exception of
> > > the requirement is that middleboxes might perform "in-network
> reassembly"
> > > or "virtual reassemlby" which would require state. If that is indeed
> > > the case then the requirements for the mechanisms should be spelled out.
> > >
> > > For stateless load balancing (described in section 4.4), the IPv6
> > > flow label obviates the need for DPI. It is sufficient to hash over
> > > the three tuple <saddr, daddr, flow label> to get good load
> > > balancing. All major OSes have been updated to set flow labels, and there
> are devices that already support this.
> > > IMO, the draft should make using flow label for stateless load
> > > balancing a SHOULD.
> > >
> > > Tom
> >
> > _______________________________________________
> > Int-area mailing list
> > Int-area@ietf.org
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail
> > man_listinfo_int-2Darea&d=DwIFaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-
> ndb3voD
> > TXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
> AWF2EfpHcAwrDThKP8&m=9zVoUdr9_Qfuu
> > va6rZQ-CZAiv-
> hwpTgbMYOwTZQk5CY&s=cVqZEBCUgpPByE1PsvHyK7FzO1NuJmVuPdOCv
> > bfWfGs&e=
- [Int-area] WGLC on draft-ietf-intarea-frag-fragil… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Fernando Gont