IETF Logo Mail Archive

Re: [Int-area] New Version Notification for draft-herbert-ipv4-eh-03.txt

Tom Herbert <tom@herbertland.com> Fri, 22 March 2024 19:45 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B6F2C14F704 for <int-area@ietfa.amsl.com>; Fri, 22 Mar 2024 12:45:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.106
X-Spam-Level:
X-Spam-Status: No, score=-1.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_DOTEDU=1] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I7Zf3YiuumnO for <int-area@ietfa.amsl.com>; Fri, 22 Mar 2024 12:45:49 -0700 (PDT)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D88C6C14F6A0 for <int-area@ietf.org>; Fri, 22 Mar 2024 12:45:49 -0700 (PDT)
Received: by mail-lf1-x12e.google.com with SMTP id 2adb3069b0e04-513d3746950so3130224e87.1 for <int-area@ietf.org>; Fri, 22 Mar 2024 12:45:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1711136748; x=1711741548; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=3v34c5BkRiE/wCTQgPQEfWvEJRl/JK/LtpsyewuFY+8=; b=GCUfM1qBgJiDWgA98Qq4lbRg23RJubRp9jzhh5sDgohPMMjT5t0ROxJ6KjzqGGMvdw 4HX+j9KphKlvbhRTweS4gH4GENrzSAjxpIvMMKYDikvA7zHh05HWR8zM/xTW8FhLux36 VJYfbNeqj9zEwuo43AF3LZrTfv7lj5U1HmaUGXyyWZmXqIN4g03pVrwvO4DgUY2LaSqL +Yb8+y1bcnbrLjMt3pf7elFvKf4efgsfGqTaaEhLI98M4JkBQWfnOpZ/O/wlA8pzgHjA JwZsAQRL0+taT+dxN2Eswu75GeU8xBz23LS9cPP45vKPBhh39tEILsVnvZlCU2Jx0eyV 15fA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711136748; x=1711741548; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3v34c5BkRiE/wCTQgPQEfWvEJRl/JK/LtpsyewuFY+8=; b=fZXDm8TebwPkd2gJnE50iYzgJpmpIl6/ufuhNrDc3khu2HMReEDOY47h0EHITJcwzp kjTtjD5h8+pDOgC1uQb+LEduRZgOC1rt8RE9LMxDwh2+XCUVSz/7k32/w8kyDapL1wV6 25Q9p30B5UFCiEvpttuzHodJhZC7XEcg+ocqZX33URoG8SmLJs79gECyRdOoQwDdxfj7 G6hxRTJS2bn/pOSl8qC3UmXSe3FvCxdjNxjZQQHT1cAXVL6PPtzk8ziv8kp1wT7+WeJV mMqv1c1bhNuXwDCca5b3GbfRuTcxxjv5drgp2J+N6bBwU567KneNxa02xZOAzD0TaM7c wX5g==
X-Gm-Message-State: AOJu0YzNKnZ6hccucqRZByWmKMdHa0bcOjA6UDHendLu30gzw6Xjz+rs qMGoqi7S7uCU5COXUIxYYXTazZAOnm3vR8yC4VTdoS3ve6QBGlN1UfR0Tqk6/gyuB12E4FO2DVI YzH84pKMxaPUKn+E0gXf1vk1G3BdZJfFWGLPu9MhAqZ9yRlKwOV9u
X-Google-Smtp-Source: AGHT+IHsghOc309UusSLfskpJnLdg8PXCGlJQkT1Cbn3j1Ro5+XKlbajL+0UVVSXSQB24xcSxcIsXUJBRvQrApos/XM=
X-Received: by 2002:a19:e01a:0:b0:513:bc95:50c3 with SMTP id x26-20020a19e01a000000b00513bc9550c3mr297846lfg.12.1711136747679; Fri, 22 Mar 2024 12:45:47 -0700 (PDT)
MIME-Version: 1.0
References: <170865175505.14082.3856617737779580933@ietfa.amsl.com> <ZfurRK_oNVES2hVz@faui48e.informatik.uni-erlangen.de> <CALx6S36L57vPa5YkiV3khYbFpPPgPUVynWaRVno0BufvXcALeA@mail.gmail.com> <Zfu5GQ7101lMnHGs@faui48e.informatik.uni-erlangen.de> <DCE2D4E2-9C5D-40B7-952F-7424E7FCBAFE@strayalpha.com> <CALx6S37XnjWcpeGZUQWXFyE0jP=XyodmUBBh+69SonLw3ndvaQ@mail.gmail.com> <57C622DE-2C8E-4415-805D-7053309B0D01@strayalpha.com> <CALx6S36Dpn0qC9e0ZGaK-ckbT58hRkeLHDKkNqmmJn0vQ5ONUw@mail.gmail.com> <B1CC8B09-A701-4401-8BEA-C31DE0FD0FD3@strayalpha.com> <CALx6S354xQHqk4y+0dTkTQ524n5vrN01gJe57FBjbV1UuToWLA@mail.gmail.com> <FF84650B-6739-4D12-B390-977627A1296E@strayalpha.com> <CALx6S34ePRxNNqx1TOSon9=QgKvq0wJh7mMFRH7gr2OUjZ_zmw@mail.gmail.com> <E89DABED-3612-4B18-93FF-4FB31A072508@strayalpha.com> <CALx6S34F0FTyUhf8ew0tAuyaLJquRPdiOHVnT0OE7pFAQY+c_Q@mail.gmail.com> <0087c4475ce244848354c2755cb8e3f3@huawei.com> <SN6PR08MB392050BC6FEA009B4BDBDF16E6312@SN6PR08MB3920.namprd08.prod.outlook.com> <f24c7dc7-32f8-4fe9-b154-6335714c4a8d@gmail.com>
In-Reply-To: <f24c7dc7-32f8-4fe9-b154-6335714c4a8d@gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 22 Mar 2024 12:45:36 -0700
Message-ID: <CALx6S37wUsAko+K8-BtT0F6xzcyMQW7x-ZAg1=wjCisrfh0nwA@mail.gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: int-area@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/8BqewjeGdwdRDTsLVjSGrFBFcSw>
Subject: Re: [Int-area] New Version Notification for draft-herbert-ipv4-eh-03.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Internet Area WG Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2024 19:45:54 -0000

On Fri, Mar 22, 2024 at 12:17 PM Brian E Carpenter
<brian.e.carpenter@gmail.com> wrote:
>
> On 23-Mar-24 03:40, Robinson, Herbie wrote:
> > Legitimate reasons for a middle box to look at transport headers:
> >
> > Firewalls need to look at port numbers to perform their quite necessary job.
>
> Steve Bellovin pointed out in 1999 that such firewalls should be in the destination host**. That works very well, and in particular it scales perfectly in proportion to the number of hosts in the Internet, so doesn't need hardware assist.
>
> Firewall vendors don't agree and never have done.

Brian,

That functionality is certainly in Android and iOS I would imagine.

>
> Unfortunately for Tom's argument, firewalls at enterprise network boundaries are widespread and hosts without adequate self-protection are common. It's a sad state of affairs. It will be interesting to see whether QUIC manages to effect change.

There might be some argument for enterprise firewalls for the purpose
of protecting network resources. One example is the filtering packets
that contain Hop-by-Hop Options _might_ be reasonable in some
circumstances since they are directed towards routers and not just end
hosts, so filtering them conceptually protects the enterprise's
network resources from attack. Although, I'd prefer that they remove
HBH at the edge instead of dropping like in
draft-herbert-eh-inflight-removal (that's also in the ipv4eh draft).
Also, it probably never makes sense to accept packets with Routing
Headers from the Internet into a limited domain.

Tom
>
> ** https://www.cs.columbia.edu/~smb/papers/distfw.pdf
>
>     Brian
>
> >
> > Anything forwarding packets (including NICs) needs to make sure TCP packets for a given IP/port/IP/port go through the same path to avoid re-ordering.
> >
> > Note that firewalls usually have a hardware assisted fast path and a software based slow path.  Any new protocol features will kick packets into the slow path until the hardware gets updated (and that’s if the hardware gets updated).
> >
> > ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> >
> > Hello,
> >
> > Interestingly, there is a similar discussion going on in Spring around the C-SID draft, about whether people think it is legitimate for intermediate nodes to be able to parse / process / check information that are supposed to be used by end nodes or not. This goes with checksum, port numbers, segment IDs, etc.
> >
> > I think that acknowledging the possibility for middleboxes to look at and modify fields that are supposed to be looked at and checked by end nodes is an issue, and breaks fundamental end to end assumptions that are foundational in the Internet design. Thus, I think we should allow shim headers (you can name them IPv4 extension headers if you want) to be deployed between IPv4 header and Transport layer protocol, provided they get a proper protocol number. Of course, this will break the operation of middleboxes that try to look at information in transport headers, but they should not look at those information in the first place, or at least do it in a robust way.
> >
> > Best regards,
> >
> > Antoine
> >
> > *From:* Int-area <int-area-bounces@ietf.org <mailto:int-area-bounces@ietf.org>> *On Behalf Of *Tom Herbert
> > *Sent:* vendredi 22 mars 2024 04:49
> > *To:* Joe Touch <touch@strayalpha.com <mailto:touch@strayalpha.com>>
> > *Cc:* Toerless Eckert <tte@cs.fau.de <mailto:tte@cs.fau.de>>; int-area <int-area@ietf.org <mailto:int-area@ietf.org>>
> > *Subject:* Re: [Int-area] New Version Notification for draft-herbert-ipv4-eh-03.txt
> >
> > On Thu, Mar 21, 2024, 8:28 PM touch@strayalpha.com <mailto:touch@strayalpha.com> <touch@strayalpha.com <mailto:touch@strayalpha.com>> wrote:
> >
> >     <Joe>
> >
> >             You’ve just described a transport protocol that the intermediate nodes know.
> >
> >         Joe,
> >
> >         A transport protocol doesn't meet the requirements. They don't work with any transport protocol other than themselves,
> >
> >     They do when you define them that way, i.e., “here’s a transport protocol header A, after which you can use any transport protocol, as indicated in field X”.
> >
> >         and intermediate nodes cannot robustly parse transport headers
> >
> >     They can’t parse these either. But, if upgraded to do so for headers “A”, as per above.
> >
> >         This has to be L3 protocol.
> >
> >     It’s not. It’s L4, or at least that’s what it is* to IP.
> >
> > Joe,
> >
> > Please give one concrete example of a transport protocol explicitly designed to be processed and modified by intermediate nodes. If you say TCP as in modifying port numbers for NAT, I'll point out it that the TCP was never designed for this, it breaks TCP Auth option, and QUIC closed this architectural aberration by encrypting the transport layer so that intermediate nodes can't muck with it :-)
> >
> > IMO, network nodes have no business participating in transport layer, doing so has led to a lot of protocol ossification.
> >
> > Tom
> >
> >     IPv6 can call them extensions because all IPv6 nodes already know what to do with them, even for codepoints they’ve never seen. IPv4 implementations have no knowledge of this new transport protocol - only those who have been upgraded.
> >
> >     No different in principle - or implementation - than DCCP or SCTP.
> >
> >     No easier to deploy.
> >
> >     No more unique utility, IMO.
> >
> >     Joe
> >
> >     *All protocol layers are relative, so you COULD do the following:
> >
> >     IPa IPb UDPc UDPd
> >
> >     To IPa, its view of itself is layer 3, IPb is layer 4, not an extension to layer 3.
> >
> >     To IPb, its view of itself is layer 3, IPa is layer 2 and UDPc is layer 4.
> >
> >
> > _______________________________________________
> > Int-area mailing list
> > Int-area@ietf.org
> > https://www.ietf.org/mailman/listinfo/int-area
> _______________________________________________
> Int-area mailing list
> Int-area@ietf.org
> https://www.ietf.org/mailman/listinfo/int-area

v2.23.0 | Report a Bug | By Email