IETF Logo Mail Archive

Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05

Tom Herbert <tom@herbertland.com> Thu, 17 January 2019 21:10 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96467130ED4 for <int-area@ietfa.amsl.com>; Thu, 17 Jan 2019 13:10:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.042
X-Spam-Level:
X-Spam-Status: No, score=-2.042 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FcOxcRmO2Dpk for <int-area@ietfa.amsl.com>; Thu, 17 Jan 2019 13:10:17 -0800 (PST)
Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2BB3130EF7 for <int-area@ietf.org>; Thu, 17 Jan 2019 13:10:11 -0800 (PST)
Received: by mail-qt1-x832.google.com with SMTP id l11so13050624qtp.0 for <int-area@ietf.org>; Thu, 17 Jan 2019 13:10:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Ht+OLTg4BNYcYnOutFqRsFwjaVvvQc8VHtxW3b65q0Y=; b=wJ+OKB+GY/+9x94+WBeOS8D7wWpGr7nh8XhAbllVd67KNAptAVxrI31T27PjSPT79w 8naVU9Ni+aSjqL7JuARYNFOC/DdUmF5ORrDK1KCE39MLfjvOCObQcbbEqoBGKiTJaSZ5 /Wk2AH2+Jwnw7lAQ4LPhudDrfKIVIseYZ1Uqr1X8bq6BqMOK6gIHmWvDTcWdrp7WcXOU U7uXu1JW8E6dGtg5lcWnrcrbm1MEnOqkrgwklrDXIVz5YnXwBIBlR2A9cKFakN0y0fyE 8TDLEbml1zZwPfUa/QtFIjt/nMg4ID2J6cWJ7KPt1uPukSOb1C50UM/yhShlruqgmwYP jhog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Ht+OLTg4BNYcYnOutFqRsFwjaVvvQc8VHtxW3b65q0Y=; b=icUCs+I5oQmrF7ylCkBxZu24p8wjQwXcp4v7P8jpqWfsER+thOCm7v1o+eRNBFjV00 OJdgHxsb4Pu+dubeBiH2Iay0t57n+w6vAAYsiIau3wGYSBkuGUfmoHBvttTteTKEPsiY Tx+GCiAjRVD70qbyEXgzV286uMZefJscCXJ2H06z4i96uUSUL7qUu1ZOOqsJxmuPDJjl JtDrE3h366zeC0ulfxL6/oM0FMW72mAC9TNBBJQFGPaEYdnhnMl2UoXpBX5gnpdCs5EW tQSo9VDBMbO1r7ZQuWyY6s9Dgyz/Lbmig4b87gyH+29EZMnNDh58LYr5cibQaK91FCHW YtRQ==
X-Gm-Message-State: AJcUukfM9UT1SvcALtW1uO54TSQr69FzOe/2YCqGUZ7iRfZDweoXX+uw 8vilw2tPQxIijmlXxQl2UQXjmme2oqTQQ1B8LgA1FZKC
X-Google-Smtp-Source: ALg8bN5nroqyghRiAypZPAtwZJB1M3gja0khYUTJGXfAXipjxaOCf71qsXRwTjBr9me4rEWq4mZ7D4UOxCqEuNpW/Ds=
X-Received: by 2002:ac8:274a:: with SMTP id h10mr13021614qth.189.1547759410471; Thu, 17 Jan 2019 13:10:10 -0800 (PST)
MIME-Version: 1.0
References: <D060DC26-15C7-4D3F-A3C5-641072C75CC5@ericsson.com> <4a283194-98f5-8f38-211a-29cfbc4c9c3e@joelhalpern.com> <CALx6S36btHxs0UTjahSMXEmOgfnQMAD+xYVFam=vKvQQfvOVdQ@mail.gmail.com> <984bfc0f-8e48-ca87-8f5c-064ae290bb0e@strayalpha.com> <CALx6S36bvohww=X8T_Yc7MmVWnD04hFmgvfW2VEEa-F-kTPERQ@mail.gmail.com> <31109D45-3F4A-45A5-99B9-386B045CF81B@strayalpha.com> <CALx6S35jigE3YapYN8uPg7bP_FPfA71iyDApF8D_AJZK_jAu_w@mail.gmail.com> <90788fb5f4ab20c1c262a40baf1db11d@strayalpha.com> <CALx6S373eVDkwfZfbBT7wcOi4H-iV7a7eRA4Oe+WjVw7UDdDtA@mail.gmail.com> <27de569f15754d1c6844b0a019c7810b@strayalpha.com>
In-Reply-To: <27de569f15754d1c6844b0a019c7810b@strayalpha.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 17 Jan 2019 13:09:59 -0800
Message-ID: <CALx6S37LMrUPZC8sdWkQmZivQ=19WTEQEUWKSDgdeKnqhtCO=g@mail.gmail.com>
To: Joe Touch <touch@strayalpha.com>
Cc: "Joel M. Halpern" <jmh@joelhalpern.com>, "internet-area@ietf.org" <int-area@ietf.org>, intarea-chairs@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/Ha5oaSIMoK0xDxWamb1Pdk1YY_I>
Subject: Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2019 21:10:21 -0000

On Thu, Jan 17, 2019 at 12:48 PM Joe Touch <touch@strayalpha.com> wrote:
>
> Hi, Tom,
>
>
>
>
> On 2019-01-17 08:58, Tom Herbert wrote:
>
> On Thu, Jan 17, 2019 at 8:24 AM Joe Touch <touch@strayalpha.com> wrote:
>
>
> ...
> Hint - if a packet arrives on your interface with your IP address, you ARE a host.
>
> Joe,
>
> Conversley, if a packet arrives on your interface that isn't destined
> to your IP address, you ARE NOT a host.
>
>
> Correct. Note that the association of host with traffic counts for both transmission and reception, though.
>
>
>
> I suspects that
> implementations of in-network reassembly commonly make two incorrect
> assumptions:
>
>
> The first one is above...
>
>
> 1) All fragments of a packet traverse the network device performing reassembly
> 2) The first fragment is always received first
>
> Neither of these assumptions are valid for IP.
>
>
> Agreed, but again, there are three incorrect assumptions. The first is that a NAT isn't a host, and too often that's the one that causes the above two to actually cause pain.
>
> If NAT is a host, then it is only a host in the return path. Packets
> sent from the client behind a NAT have destinations addresses that are
> not those of the the NAT device. If a device is performing host
> procedures on such packets, like reassembly, then it is being done
> outside the auspices of the standard.
>
>
>
> Not quite. The return path is certainly easier to see, but the forward path doesn't *relay* the incoming packets; it consumes them. Which is what a host does.
>
> The outgoing packets are emitted with the source IP of the NAT. So in the forward direction, strictly, only the *content* is relayed.
>
> If that content is modified (i.e., address/port rewriting) or inspected, then that device is acting as a host.
> If the outgoing HOST packets depend on something of the incoming ones, then that device is also acting as a host.
>
>
>
> In any case, this isn't a NAT specific issue. Stateful firewalls
> regularly process packets for which they aren't the destination.
>
>
> And they are similarly bound by the rules of being a host *when they do*.
>
> Joe,
>
> That's impossible. The first rule is that a host is defined as a node
> to which packets are addressed.
>
>
> A second rule - per RFC 1812 - is that forwarding devices modify only the opcount and certain IP options.
>
>
>
> Intermediate nodes performing host
> processing on packets that don't have their address have already
> violated rule #1.
>
>
> They consume those packets, they are acting as if they think all outgoing dest addresses are theirs and assigned to their interface. I.e., from the outside, they act exactly as if their interface has ALL those addresses.
>
>
> If they're keeping flow state in the network
> (connection state or reassembly), then that inevitably forces the
> requirement that packets have to be routed through a particular node
> in order for state to be maintained.
>
>
> Agreed. And because they act as host, they fail badly when they're not deployed under host assumptions and requirements.
>
>
>
> This is not a problem hosts have,
>
>
> It is - that's implicit in the function of their reassembly mechanism and a reason why it's hard to deploy "virtual" hosts that live in multipe places on the network (e.g., for single-IP load balancing server farms, for virtual deployment of copies of a single IP in multiple places, etc.)
>
>
> and it's not required in IP that packets of a flow have to always take
> the same path to a destination.
>
>
>
> Path, no - agreed. But *destination*, yes. Again, the host *is* the destination.
>
>
>
> Without additional requirements on
> deployment, stateful devices break multi-path.
>
>
> Other way around; multipath breaks stateful devices (they don't work as desired) when they're not deployed *as the hosts they actually are and always have been* (at least when they perform certain functions we're talking about there).
>
>
>
> So if these devices need to *emulate* host behaviors then there really
> should be a specification to that effect.
>
>
> When you act as a host, you have to follow the rules of being a host.
>
>
>
> It's not enough to simply
> say they have to follow host requirements.
>
> They can't and they clearly
> impose additional requirements.
>
>
> I agree they don't; it's clear they CAN (it would be costly).
>
> They don't impose any new requirements beyond being the host they are, though.
>
Joe,

When they attempt to do host processing on packets that don't belong
to them they're not hosts. And when they do this, they impose a new
requirement that hosts do not have which is that packets for some flow
must consistently the traverse the same intermediate node.

In any case, as I said previously, reassembly is only specified as an
operations at destination hosts. It seems like there might be a need
for in-network reassmbly, or some nodes might be doing it already.
But, in that case we really need the specification of the protocol to
have a meaning discussion about it.

Tom

> Joe

v2.23.0 | Report a Bug | By Email