IETF Logo Mail Archive

Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt

Tom Herbert <tom@herbertland.com> Thu, 31 January 2019 00:56 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4CF2130EBF for <int-area@ietfa.amsl.com>; Wed, 30 Jan 2019 16:56:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.042
X-Spam-Level:
X-Spam-Status: No, score=-2.042 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wAmlIJXoGAjS for <int-area@ietfa.amsl.com>; Wed, 30 Jan 2019 16:56:39 -0800 (PST)
Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B72D1286D9 for <int-area@ietf.org>; Wed, 30 Jan 2019 16:56:38 -0800 (PST)
Received: by mail-qt1-x82f.google.com with SMTP id r14so1811967qtp.1 for <int-area@ietf.org>; Wed, 30 Jan 2019 16:56:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=iS2pO1luRXxAPJnp8AuvM3W+VLwKLGrlxjdtex9Lz3c=; b=t/lIN/eFM2v9CoinjO+kXmIwUTa8begJlqkIl6fX0Escdsf0ChO9HJtVnRnNo2Go44 QLgW4E6NQ3RaOXKoMkDjctIAfcu+36kRjodREDaWbEuROq8/uH/iRsJrNAj/LnoskUjM rn3Xxq+kr2MbSViNczodRQcxei7L0Yzzr6mINzNh/yaZiILaM0yBw3PY7UrkEg+U1an3 qHEo7542cWx2CFiVWO6BAsQHdAj5BPILSRKm7VoNzRwG3lfZP2P+VWMajUTK1qnOVU3c e1r8DqgX7fwT/8mEp8kpF7Fx4fu01fah10wqaAfSIOa5EHakkPxD1lX+RLcRvYY0BQv/ ZZhg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=iS2pO1luRXxAPJnp8AuvM3W+VLwKLGrlxjdtex9Lz3c=; b=CfeN/WCmg06oqAqXF3uvuU1Sq8eSXy5RRcdkdyFR+HvJTvOhIFbTApLowSCuyvP5Ly XsmQ6AT7/kAIfwXUWfhajW+mOQ6yzj9312TaXDS47CrUDucGCuOBc3+b01nGwBwzGbGh LfKkAWYBjS5FbXY33Mx5ibsjV7vXUe47Qblg59ad9gVVzj2mJEerbJUgBl3zHp1Y1jzo C+BhKHcijOWi5k1bIK3Yq18hPbCq2RFzWiJU7izgGun9weCamFMHtxZCWH0CIsQScfs6 mFf92Lq8IHo/ZmmN67sZrzEuqYTQEdoO9rz9BcIszLXXArTnjlvRw1Y/WUa69BTfXnIu WrIw==
X-Gm-Message-State: AJcUukcwonCW+31DsdB3K7mOewIQnwhE0Md1/5ARJmnxF5SceLCCAY9R sMfxwS7adr+nrHqu+LyKRZ2FhpRSDUy7zrArVR/oaA==
X-Google-Smtp-Source: ALg8bN7P59uzrj/Xy3+r1l6e5fm0d3ONFH54hWr1lwZ2U8E6yhsKapKd3sIYct/9r+UvuWrihKAOGQZiypiLuvRajYI=
X-Received: by 2002:a0c:ec92:: with SMTP id u18mr30835791qvo.168.1548896197395; Wed, 30 Jan 2019 16:56:37 -0800 (PST)
MIME-Version: 1.0
References: <BYAPR05MB424584AA4D0D11D7D0098B81AE900@BYAPR05MB4245.namprd05.prod.outlook.com>
In-Reply-To: <BYAPR05MB424584AA4D0D11D7D0098B81AE900@BYAPR05MB4245.namprd05.prod.outlook.com>
From: Tom Herbert <tom@herbertland.com>
Date: Wed, 30 Jan 2019 16:56:26 -0800
Message-ID: <CALx6S35-F_8L+QCcwN6--3TrrRdE5OG3vUACTEH03AmKYerLSw@mail.gmail.com>
To: Ron Bonica <rbonica@juniper.net>
Cc: "int-area@ietf.org" <int-area@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/8ZfuY2CygwwCsNQnwt5IwBMPTTw>
Subject: Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jan 2019 00:56:43 -0000

On Wed, Jan 30, 2019 at 12:57 PM Ron Bonica <rbonica@juniper.net> wrote:
>
> Inline......
>
> > Message: 3
> > Date: Tue, 29 Jan 2019 11:45:45 -0800
> > From: Tom Herbert <tom@herbertland.com>
> > To: int-area <int-area@ietf.org>
> > Subject: [Int-area] Comments on draft-ietf-intarea-frag-fragile-06
> > Message-ID:
> >       <CALx6S35kwvHL5iE4Ci10LQbPzun3k1C-
> > T4m5B55yAyL+nP4sdQ@mail.gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > Hello,
> >
> > I have suggested text for the draft to address some previous comments made
> > on the list.
> >
> > Last paragraph in section 4.3:
> >
> > "This problem does not occur in stateful firewalls or Network Address
> > Translation (NAT) devices. Such devices maintain state so that they can afford
> > identical treatment to each fragment that belongs to a packet. Note, however,
> > that stateful firewalls and NAT devices impose the external requirement that
> > all packets of a flow and fragments of a packets for a flow must traverse the
> > same stateful device; stateless devices do not force this requirement."
> >
>
> The first two sentence that you suggest already appear in version 06 of the document.
>
> I would prefer to omit the final sentence for the following reasons:
>
> - It isn't absolutely necessary
> - It opens another can of worms that I don't want to address. Specifically, some stateful firewalls perform virtual reassembly but don't maintain TCP session state. Some stateful firewalls perform virtual reassemble and maintain TCP state. You third sentence is true for one firewall type and false for the other.
>
Yes, but as Fred mentioned, the current text is a blanket statement
that stateful firewalls don't have this problem. Some firewalls may
have implemented virtual reassembly, but others may not and might not
do anything we'd consider reasonable for handling fragments. So
similarly the statement in the draft may be "true for one firewall
type and false for the other". Also, any implication that people
should swap out their stateless devices for stateful ones because they
solve one problem without mentioning that they introduce other
problems would be a disservice IMO.

To avoid the can of worms, I suggest the whole paragraph and any
discussion about stateful devices could be removed from the draft
without loss of content.

Tom

> > Section 4.5:
> > "IP fragmentation causes problems for some routers that support Equal Cost
> > Multipath (ECMP). Many routers that support ECMP execute the algorithm
> > described in Section 4.4 in order to perform flow based forwarding; therefore,
> > the exhibit they same problematic behaviors described in Section 4.4. In IPv6,
> > the flow label may alternatively used as input to the algorithm as opposed to
> > parsing the transport layer of packets to discern port numbers. The flow label
> > should be consistently set for a packets of flow including fragments, such that
> > a device does not need to parse packets beyond the IP header for the
> > purposes of ECMP."
>
> This comment is almost identical to one made by Brian Carpenter. I have addressed his comment in Section 4.4. Rather than repeating the same text in Section 4.5, I have merged the two sections.
>
> >
> > Add to section 7.3:
> >
> > "Routers SHOULD use IPv6 flow label for ECMP routing as described in
> > [RFC6438]."
>
> Brian suggested similar text, but in a new section. Look for the new section in version 07
>
>

v2.23.0 | Report a Bug | By Email