Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05 (Tom Herbert)
Tom Herbert <tom@herbertland.com> Wed, 16 January 2019 19:26 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7976130EF2 for <int-area@ietfa.amsl.com>; Wed, 16 Jan 2019 11:26:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.04
X-Spam-Level:
X-Spam-Status: No, score=-2.04 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pi3IhuIGjDVU for <int-area@ietfa.amsl.com>; Wed, 16 Jan 2019 11:26:52 -0800 (PST)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D76E5130EDB for <int-area@ietf.org>; Wed, 16 Jan 2019 11:26:51 -0800 (PST)
Received: by mail-qt1-x82e.google.com with SMTP id u47so8557286qtj.6 for <int-area@ietf.org>; Wed, 16 Jan 2019 11:26:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iK2jCuVo+FPFNgbfIUtP2hjcVOfYm9PAFRQr+6kqo5I=; b=vmdbKHV4rzqkdoIXwK/JhRPeCaKiIQAEzruQXiNl7ejeZM9WoNu6KvS3YiVjpA3MhK hOkRFQtBVlT/waJS/UCke0f6ArRuBUfpIpd9DLtq4yzXTJ1kx6MLfypv+imcmS3SxFzW iaSthEQt/BHzq+7hESvW+//cZT21PDXg5+k8xFbweIwLpcDZker8jVb0pe+r//JK5JNk IybxSntjY0yl6OIhoFS0eH3Zreu41M2G7vsjjf0tLR6V/YPDRsniO4HS5eGzsGi7ExcD bQjmmKXIj1flwclGqfmm2AcNAWSFqXDoGGkW8Z8QbVUInuYd6BOKmjZTwMISoB0PXr1+ abJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iK2jCuVo+FPFNgbfIUtP2hjcVOfYm9PAFRQr+6kqo5I=; b=Srkk5Tt/w1AQ33I5HmEEKsmlFWubNM4tnwIEYW0S0S1wqG8QviOZ1Eh1FYayt2Fd+8 jPMly/+x4qOV2p/JMgD/dQLGSx6szuI+KVOYhtoD41Y67zC+uSRV/6/EQTQYd6f+P+n9 m/BsomVVU3MAh3J+taAp7r83jjiILNprJUEbSO4OClUmknR0hwG/CQFYO/4mOCFiZWvp Fs9zurI0xPdpPds3HUOPVC1uPNxS2STAufJr6ZM7X3p424GAuPjZlnNb1/f1MhOu3K0X JlKnDTmdxVrmwat1XNjve4DUQJS6bLfWenipz8ecScJULj9RWZhGjMCilyTt69k7omKo 5oYA==
X-Gm-Message-State: AJcUukdBnZ7FjX1yoYeNfV/vr6iH0+BxwFVFQeOVQsd1HELACVEC3CzR stvgkVsm6rjG3yB88xAw1WHZ6AjrfLuvvhwVkL8gmQ==
X-Google-Smtp-Source: ALg8bN4waRaWqjriWARAO3p6Q1inDDdQ5nToV4DsmTgm0YIreEK2QdpZhabKLUO2OLSfiyKis6y/rtMYgzEZg2kiBVs=
X-Received: by 2002:aed:38c6:: with SMTP id k64mr7951722qte.97.1547666810811; Wed, 16 Jan 2019 11:26:50 -0800 (PST)
MIME-Version: 1.0
References: <BYAPR05MB4245CCEDF88CEB261D6B5D53AE820@BYAPR05MB4245.namprd05.prod.outlook.com>
In-Reply-To: <BYAPR05MB4245CCEDF88CEB261D6B5D53AE820@BYAPR05MB4245.namprd05.prod.outlook.com>
From: Tom Herbert <tom@herbertland.com>
Date: Wed, 16 Jan 2019 11:26:39 -0800
Message-ID: <CALx6S34f_uV=+d+y8_kgu57UYYwAZ3aJeJJ4e9m9arfo5h_Xow@mail.gmail.com>
To: Ronald Bonica <rbonica@juniper.net>
Cc: int-area <int-area@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007d4a22057f984240"
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/LPjl8BdevV3RXRDgcwPMro9a59E>
Subject: Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05 (Tom Herbert)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Jan 2019 19:26:55 -0000
On Tue, Jan 15, 2019, 6:17 PM Ron Bonica <rbonica@juniper.net wrote: > Tom, > > Please take a look at Section 4.3 (Stateless Firewalls). How can the > stateless firewall behave optimally without maintaining state? > Ron, A stateless firewall that maintains state is no longer a stateless firewall. Introducing state requires memory and additional logic that are at odds with the goal of cheap low end devices. A stateless firewall could just drop the first fragment that contains the transport layer header and allow non first fragments to past. This achieves the filtering goal to prevent delivery of the reassmbled packet. It does mean fragments that can't possibly be reassembled make it to the destination. Whether or not that is a mere nuisance or causes real problems that creates a DOS vector depends on other factors in deployment. Also, if state is required then what is the algorithm that uses that state? in section 4.6 virtual reassembly is mentioned in passing, but they goes on to say that has problems. It's also true that stateful firewalls inevitably break multi-path but stateless firewalls don't which is a big advantage. It's not clear to me that making stateless firewalls stateful is an improvement. Tom > While flow labels may help in the case of load balancers, the don't help > at all in the case of stateless firewalls. > Ron > > > Secondly, the only specified interaction between fragmentation and > > intermediate nodes is that routers can fragment packets in IPv4. Other > than > > that, a middlebox that complies with RFC791 and RFC8200 does not process > > or consider fragmentation of packets. Given that, it's unclear to me why > > middle boxes would need to maintain state to be protocol compliant. It's > > possible that the implicit exception of the requirement is that > middleboxes > > might perform "in-network reassembly" > > or "virtual reassemlby" which would require state. If that is indeed the > case > > then the requirements for the mechanisms should be spelled out. > > > > For stateless load balancing (described in section 4.4), the IPv6 flow > label > > obviates the need for DPI. It is sufficient to hash over the three tuple > <saddr, > > daddr, flow label> to get good load balancing. All major OSes have been > > updated to set flow labels, and there are devices that already support > this. > > IMO, the draft should make using flow label for stateless load balancing > a > > SHOULD. > > > > Tom > > _______________________________________________ > Int-area mailing list > Int-area@ietf.org > https://www.ietf.org/mailman/listinfo/int-area >
- [Int-area] WGLC on draft-ietf-intarea-frag-fragil… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Fernando Gont