IETF Logo Mail Archive

Re: [Int-area] Comment on draft-ietf-intarea-frag-fragile-02

Joe Touch <touch@strayalpha.com> Mon, 12 November 2018 16:13 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A02D6130E4B for <int-area@ietfa.amsl.com>; Mon, 12 Nov 2018 08:13:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2QpAjg0zkw5z for <int-area@ietfa.amsl.com>; Mon, 12 Nov 2018 08:13:01 -0800 (PST)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB2BD12F1AC for <int-area@ietf.org>; Mon, 12 Nov 2018 08:13:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=7JLFdWHEiCheV/NKlJbpdRlkX7S5o+gQ/zVJiUJHlMQ=; b=Dh7lzwouqVdUeIy8bTldFYRJa yhOgOgV4k9XKUFqW5+LQFjorQXecSHah+gSvxjR67n8Yf7AWbkGeLdDj7fuFG9UiQvOfI9B6bCSxf GWIuJKhGze5mthyeoAewc6FjJiEPVlNh+u6jCf547H1cX9PSSTkcogE/gjD6UZFZmWSp8ou1pZCiM NcrBddRHLFm+9Cy76cuWStrc57SjK6u4TNO86W+Loq09KcR6ZXWCF+M7bCKJxU3uUWPNwoXUcPi3h tc+eG73d3PTDVyyQJNg/X9D6mrSWbjcuCa1EvSGrpBk55w4LUs17ggzlXGwKRJohbGYjweX/nk9LZ /cDFtTBiQ==;
Received: from cpe-172-250-240-132.socal.res.rr.com ([172.250.240.132]:58537 helo=[192.168.1.77]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <touch@strayalpha.com>) id 1gMEpd-003WeH-06; Mon, 12 Nov 2018 11:13:00 -0500
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Joe Touch <touch@strayalpha.com>
In-Reply-To: <CAFU7BASZFCZFtHDtt=0x9pkJUpXb1V8fuo--H4bGktjEqmyZyw@mail.gmail.com>
Date: Mon, 12 Nov 2018 08:12:57 -0800
Cc: int-area@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <C29D9C45-A6C2-438D-B738-A1455A581B92@strayalpha.com>
References: <CAFU7BARv90VcSaLsGOkxaSX+epix4Jz6ON2NShTO_fs=utKs0w@mail.gmail.com> <022EB775-2A35-43B9-9981-DEBAFF331370@strayalpha.com> <CAFU7BASZFCZFtHDtt=0x9pkJUpXb1V8fuo--H4bGktjEqmyZyw@mail.gmail.com>
To: Jen Linkova <furry13@gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-OutGoing-Spam-Status: No, score=-0.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/HCMIt3osLhcK0pov2ttl9_xYsP4>
Subject: Re: [Int-area] Comment on draft-ietf-intarea-frag-fragile-02
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Nov 2018 16:13:04 -0000


> On Nov 11, 2018, at 4:02 PM, Jen Linkova <furry13@gmail.com> wrote:
> 
> On Fri, Nov 9, 2018 at 2:32 AM Joe Touch <touch@strayalpha.com> wrote:
>>> (https://tools.ietf.org/html/draft-ietf-intarea-frag-fragile-02#section-7.4)
>>> 
>>> recommends that operators do not filter ICMPv6 PTB. I believe it would
>>> be beneficial to make an explicit recommendation to permit fragmented
>>> packets to/from operator's DNS servers.
>> 
>> Fragment forwarding is a MUST in our standards.
> 
> I believe you are talking about routers supporting forwarding
> fragmented packets, not about policy decisions. While the
> recommendations in the draft (not to filter ICMP PTB messages) are
> about policies.
> So just another policy-related recommendation makes sense, IMHO.

So first, what is the *policy* reason for doing this? The policy of “Rocket” (Guardians of the Galaxy movie)? “Because I really want to”?

There are some ICMP messages you could argue might be useful to block or throttle, though RFC1812 and its updates already lists those. But the blanket blocking of ICMPs by routers for “policy” reasons has itself caused problems - in the name of “protecting the endpoints”, operators end up creating damage to those endpoints themselves.

However, let’s just look at fragments - who are you trying to protect by blocking them?
	- endpoints can already drop whatever they can’t reassemble 
	- an endpoint that lets fragments interfere with complete packets isn’t implementing reassembly correctly

Let’s please not dance around the issue - the only policy at play here is “vendors want to make money lying about what they sell”.

> 
>> This document is BCP and cannot update a standard. It cannot relax that requirement, so the middlebox needs to be updated accordingly.
> 
> If we already have a document which is saying 'operators MUST NOT
> filter any fragmented packets' then
> it would be nice to reference it in the draft.

We don’t have a document saying they MAY. 

> 
>> *Additionally*, it’s bad practice to indicate “SHOULD” unless the text also explains why it isn’t a MUST, i.e., under what conditions it is OK to not forward fragments.
> 
> Sorry, I'm a bit confused. Which standard would need to be updated if
> the proposed recommendation is made?

If you’re going to systematically drop fragments:
	RFC791 - which creates them for a reason; you need to show that reason as invalid/risky for operators to allow at all OR provide an alternative
	RFC8200 - see RFC791
	RFC1812 - revise the forwarding rules to explain how dropping all fragments is needed for policy reasons

Joe

v2.23.0 | Report a Bug | By Email