Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05
Joe Touch <touch@strayalpha.com> Thu, 17 January 2019 15:06 UTC
Return-Path: <touch@strayalpha.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 580C11295D8; Thu, 17 Jan 2019 07:06:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.221
X-Spam-Level:
X-Spam-Status: No, score=-1.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z6A5lFKhdTvL; Thu, 17 Jan 2019 07:06:20 -0800 (PST)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A63691294FA; Thu, 17 Jan 2019 07:06:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=MBehWILanYjyOLVBxn6SP5h8qsRtBRDflGPF/ymZB/I=; b=LFf6UCSH1eIGZcoLE1rwvrjA/ iKOje5NPNIwir2Y8LHkZ0JDOECzo3ywxSIZ0sC5xXFH+pvsqzVuaGDf4UQPiRB4X1mzDxgR4LtiMT Zsk6cMatQL1p8rLuxyiSPmZJfO17dBZvvwpMkJd9xeBKzOC0cqL+vm9wSFUTMTD4goF1MdtpRFcFz mAT5NFs/xuoIlQaEpcYO0TKMi+hAYDNZ45kghGKS4aemcgZo261s6t+WiKzCTkOufVb6Qr0axWfqf ALINEuqv008b+u3N2tR+53ZCgHqBlCQcA4BsMoEVIotgfBV806WK1HaAiPGFSyKIwq0eNXeKWCIf+ 7KCswYEoQ==;
Received: from cpe-172-250-240-132.socal.res.rr.com ([172.250.240.132]:60458 helo=[192.168.1.16]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <touch@strayalpha.com>) id 1gk9FH-002LYn-9o; Thu, 17 Jan 2019 10:06:18 -0500
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Joe Touch <touch@strayalpha.com>
X-Mailer: iPad Mail (16C50)
In-Reply-To: <CALx6S36bvohww=X8T_Yc7MmVWnD04hFmgvfW2VEEa-F-kTPERQ@mail.gmail.com>
Date: Thu, 17 Jan 2019 07:06:14 -0800
Cc: "Joel M. Halpern" <jmh@joelhalpern.com>, "internet-area@ietf.org" <int-area@ietf.org>, "intarea-chairs@ietf.org" <intarea-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <31109D45-3F4A-45A5-99B9-386B045CF81B@strayalpha.com>
References: <D060DC26-15C7-4D3F-A3C5-641072C75CC5@ericsson.com> <4a283194-98f5-8f38-211a-29cfbc4c9c3e@joelhalpern.com> <CALx6S36btHxs0UTjahSMXEmOgfnQMAD+xYVFam=vKvQQfvOVdQ@mail.gmail.com> <984bfc0f-8e48-ca87-8f5c-064ae290bb0e@strayalpha.com> <CALx6S36bvohww=X8T_Yc7MmVWnD04hFmgvfW2VEEa-F-kTPERQ@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
X-OutGoing-Spam-Status: No, score=-0.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/LoOqc2H1PgOSbFiLSdam0exztf4>
Subject: Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2019 15:06:22 -0000
Hi Tom, > On Jan 17, 2019, at 6:55 AM, Tom Herbert <tom@herbertland.com> wrote: > >> On Wed, Jan 16, 2019 at 10:20 PM Joe Touch <touch@strayalpha.com> wrote: >> >> Tom, >> >> On 1/14/2019 2:04 PM, Tom Herbert wrote: >> >> Hello. I have a couple of comments: >> >>> From the draft: >> "Middle boxes SHOULD process IP fragments in a manner that is >> compliant with RFC 791 and RFC 8200. In many cases, middle boxes must >> maintain state in order to achieve this goal." >> >> This requirement is confusing to me on several accounts. First of all, >> there are a lot of requirements about fragmentation in both RFC791 and >> RFC8200, including some MUSTs. This requirement seems to be updating >> and possibly relaxing some of those requirements, but is not specific. >> >> I disagree; being compliant with existing RFCs neither updates nor relaxes those RFCs. >> >> This seems ambiguous as a normative requirement. >> >> Perhaps vague, agreed. >> >> Secondly, the only specified interaction between fragmentation and >> intermediate nodes is that routers can fragment packets in IPv4. >> >> Agreed. However, nodes that *create* packets with their own IP addresses act as hosts; in that regard, middleboxes act both as intermediate (from the private side to public) and hosts (from the public side). As hosts, packets entering them, destined to *their* IP addresses, need to be reassembled, just as with any other host. >> >> This is addressed in detail here: >> >> Touch, J,. "Middlebox Models Compatible with the Internet," Technical Report, USC/ISI (ISI-TR-711), 2016. >> >> https://www.strayalpha.com/pubs/isi-tr-711.pdf >> >> Other >> than that, a middlebox that complies with RFC791 and RFC8200 does not >> process or consider fragmentation of packets. Given that, it's unclear >> to me why middle boxes would need to maintain state to be protocol >> compliant. >> >> If they process only IP headers, they don't. If they further consume the packet's contents - as would a *host*, they need to reassemble that content (even if virtually) to be able to interpret it. That includes associating transport headers with all the content as well as inspecting that content. >> > Joe, > > As I mentioned, in-network reassembly has not been specified, only > reassembly at end destinations has been. Hint - if a packet arrives on your interface with your IP address, you ARE a host. > I suspects that > implementations of in-network reassembly commonly make two incorrect > assumptions: The first one is above... > > 1) All fragments of a packet traverse the network device performing reassembly > 2) The first fragment is always received first > > Neither of these assumptions are valid for IP. Agreed, but again, there are three incorrect assumptions. The first is that a NAT isn’t a host, and too often that’s the one that causes the above two to actually cause pain. > >> It's possible that the implicit exception of the >> requirement is that middleboxes might perform "in-network reassembly" >> or "virtual reassemlby" which would require state. If that is indeed >> the case then the requirements for the mechanisms should be spelled >> out. >> >> As with Ron, I agree that seems out of scope for this doc. >> >> For stateless load balancing (described in section 4.4), the IPv6 flow >> label obviates the need for DPI. >> >> Only for flow-based routing; not for DPI processing involving content beyond the transport header, e.g., content-based routing. I.e., it depends on how far into the packet the DPI is going... >> > TLS and payload encryption have largely eliminated the ability for > intermediate devices to perform DPI into content. Transport layer > header encryption, like done in QUIC, will further reduce the value of > doing DPI. Yes and no; there are still devices that do DPI on content - especially devices that spoof the initial splash page for Internet access when at hotspots. Some of them won’t even open a splash page unless customers first access a non-TLS website. Joe
- [Int-area] WGLC on draft-ietf-intarea-frag-fragil… Wassim Haddad
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joel M. Halpern
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Brian E Carpenter
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Fred Baker
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Mikael Abrahamsson
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch