Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt
Joe Touch <touch@strayalpha.com> Fri, 01 February 2019 16:23 UTC
Return-Path: <touch@strayalpha.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0FFE130F4D for <int-area@ietfa.amsl.com>; Fri, 1 Feb 2019 08:23:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.22
X-Spam-Level:
X-Spam-Status: No, score=-1.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yKmy12eNEtSc for <int-area@ietfa.amsl.com>; Fri, 1 Feb 2019 08:23:12 -0800 (PST)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B32E130F4F for <int-area@ietf.org>; Fri, 1 Feb 2019 08:23:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=g8XGg2fuhe7qJBCjw2xjBeo5K3zmRlGWpIlycNtFXzs=; b=Eh9ltdnh3wtZ9V/zbE+FkzsSD gfxgdUL86jK6Mwu5tFSUUIOER1DYmCZFWmm0Bh0Fhuud8mQR2hHbveFPhekjJUfeCJHFBMFoKYL9K GSGowLfxgFfSGujjYJKMbW9fbjwiiMSsxgLUvUyHdf+OKBFg+to6fHpKafn4IuKVUBhSfw1IZcc0r 6iAUmjoROcgMul3dxKF8MXquvX1gXhUbhZ7uSbtddqAmcNH+10zX+rijnnWKOW4JfE9ZN8LCh05wt HYWA4tuVZH7+bsOuTr+0oGJezP/9gZlwepi7a0qA3amk9uekjQNYiM2Ld0I3sDoLpyw8ODDPefshO +8YQ3Lr1w==;
Received: from cpe-172-250-240-132.socal.res.rr.com ([172.250.240.132]:50323 helo=[192.168.1.16]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <touch@strayalpha.com>) id 1gpban-001uR2-MX; Fri, 01 Feb 2019 11:23:04 -0500
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Joe Touch <touch@strayalpha.com>
X-Mailer: iPad Mail (16C50)
In-Reply-To: <CALx6S35x89FjRVAq1HOMRiLXLZMnv0ZOgwtvyN1c+N2GF5SoTA@mail.gmail.com>
Date: Fri, 01 Feb 2019 08:23:00 -0800
Cc: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>, Ron Bonica <rbonica@juniper.net>, int-area <int-area@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2CCE72FC-5B53-467E-985B-102BF7705C79@strayalpha.com>
References: <BYAPR05MB424584AA4D0D11D7D0098B81AE900@BYAPR05MB4245.namprd05.prod.outlook.com> <CALx6S35-F_8L+QCcwN6--3TrrRdE5OG3vUACTEH03AmKYerLSw@mail.gmail.com> <BYAPR05MB4245604C8E234D72F42E0D8CAE910@BYAPR05MB4245.namprd05.prod.outlook.com> <10861CAC-3650-4B69-A8B0-437C2A3494CA@strayalpha.com> <CALx6S35XMV+7uXoGatsFEg7Bh+ueuHGVDZrXa8o4cSQKdON7iA@mail.gmail.com> <eb0cd9a4bd898310122ea77e0fade3f9@strayalpha.com> <CALx6S3708uQN2cey8ZDWUKsRR0KUH_uEPk6JwUu4eY4h0Op6xA@mail.gmail.com> <75e840b19c2e439ab3ff13d7c105ce8f@boeing.com> <CALx6S35tKRUDuMQmpiA7dVJV7D9ijXAWD-exGe7-3xZT-k9XVw@mail.gmail.com> <65c1231056cf4eb68abb2d3af7b2ba5d@boeing.com> <CALx6S35x89FjRVAq1HOMRiLXLZMnv0ZOgwtvyN1c+N2GF5SoTA@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/_h46iYUZYKm-It5sFJ8OjJPQS8M>
Subject: Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Feb 2019 16:23:16 -0000
This isn’t a formal protocol spec and there is no equivalent detailed specification for stateful firewalls or load balancers. > On Feb 1, 2019, at 8:15 AM, Tom Herbert <tom@herbertland.com> wrote: > > On Fri, Feb 1, 2019 at 7:39 AM Templin (US), Fred L > <Fred.L.Templin@boeing.com> wrote: >> >> Hi Tom, >> >>> -----Original Message----- >>> From: Tom Herbert [mailto:tom@herbertland.com] >>> Sent: Thursday, January 31, 2019 5:17 PM >>> To: Templin (US), Fred L <Fred.L.Templin@boeing.com> >>> Cc: Joe Touch <touch@strayalpha.com>; Ron Bonica <rbonica@juniper.net>; int-area <int-area@ietf.org> >>> Subject: Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt >>> >>> On Thu, Jan 31, 2019 at 5:03 PM Templin (US), Fred L >>> <Fred.L.Templin@boeing.com> wrote: >>>> >>>> >>>> >>>>> -----Original Message----- >>>>> From: Int-area [mailto:int-area-bounces@ietf.org] On Behalf Of Tom Herbert >>>>> Sent: Thursday, January 31, 2019 4:40 PM >>>>> To: Joe Touch <touch@strayalpha.com> >>>>> Cc: Ron Bonica <rbonica@juniper.net>; int-area <int-area@ietf.org> >>>>> Subject: Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt >>>>> >>>>>> On Thu, Jan 31, 2019 at 3:10 PM Joe Touch <touch@strayalpha.com> wrote: >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On 2019-01-31 13:56, Tom Herbert wrote: >>>>>> >>>>>> On Thu, Jan 31, 2019 at 7:59 AM Joe Touch <touch@strayalpha.com> wrote: >>>>>> >>>>>> >>>>>> The problem with dropping the entire paragraph is the section title - talking about stateless firewalls begs the question of >>> stateful >>>>> ones. This is reinforced later in the recommendations. The sentences you remove were the only thing that tied the two together, >>>>> which IMO is important. >>>>>> >>>>>> >>>>>> Joe, >>>>>> >>>>>> The term "Stateless firewalls" is unambiguous in this context. In a >>>>>> stateless firewall, each packet is inspected and judge based solely on >>>>>> it's content. >>>>>> >>>>>> >>>>>> My statement above has no relation to any potential ambiguity in the term. >>>>>> >>>>>> --- >>>>>> >>>>>> However, the term stateless is inaccurate in a few places: >>>>>> >>>>>> (Sec 4.6) NAT is a stateful procedure for an otherwise stateless protocol as well. The same could be argued for load balancers >>> that >>>>> retain similar state through a connection for a flow (i.e., not just hashing the flow or tuple, but doing round-robin per-flow/tuple >>>>> 'sticky' routing) >>>>>> >>>>>> (Sec 7.3) The problem is not just stateless middle boxes, but also certain stateful ones (e.g., NATs, some load balancers, etc.) >>>>>> >>>>>> --- >>>>>> >>>>>> Thus "stateful" actually is both ambiguous and inaccurate here. >>>>>> >>>>>> You appear to want to distinguish between the state needed for virtual reassembly and the state needed to maintain NAT >>>>> translations or sticky round-robin load balancing, but there's no simple term that differentiates them. They're both content- >>>>> dependent, context-dependent, and stateful. >>>>>> >>>>>> >>>>>> Further, as you note there are no *specified* algorithms for virtual reassembly, nor are there any *specified* for NAT >>> translation >>>>> table maintenance or sticky load balancing. Everyone comes up with their own and the basic concept is well enough defined as to >>> not >>>>> need a specification. >>>>>> >>>>> In that case, if it's so obvious and well defined then there shouldn't >>>>> be any issue in either providing a reference to a description or >>>>> specifying it in the draft (if authors do choose discuss virtual >>>>> reassembly in the draft). >>>> >>>> I have been telling everyone about virtual fragmentation reassembly for >>>> years. You will find it in many of my docs. Here is what cisco says about it: >>>> >>>> >>> https://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/12_4/sec_data_plane_12_4_book/sec_virt_frag_ >>> reassm.html >>> >>> Hi Fred, >>> >>> It does seem that Cisco configuration manuals and marketing materials >>> are the best source of information on virtual reassembly. >>> >>> https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_frre/configuration/xe-3s/frre-xe-3s-book/virt-frag-reassembly.html >>> is a little more interesting in that it provides a few more details. >>> In particular the requirement that all fragments must traverse the >>> same intermediate device is mentioned: >>> >>> "The reassembly process requires all fragments within an IP datagram. >>> If fragments within an IP datagram are sent to different devices due >>> to load balancing VFR may fail and fragments may be dropped." >> >> Yes, of course the fragments all need to go through the same destination where >> VFR is caching the fragments. That is assured due to the IP destination address >> for unicast, but not necessarily for anycast. But, for anycast, the considerations >> are no different for middleboxes than they are for anycast final destinations. >> >> An analogy for VFR is that the middlebox receives the pieces of a puzzle from >> the network. It checks each piece to make sure it is OK and holds them until >> all pieces have arrived, but then instead of assembling the puzzle it forwards >> the pieces on to the next hop destination, with the realization that there could >> be NATs-within-NATs. Then, when the final destination receives all pieces it >> assembles the puzzle. >> >> I don' t think there needs to be a spec for this because the behavior is >> inherently understood from the title (*Virtual* Fragment Reassembly). >> > Fred, > > I don't see this. It is not at all clear from three words that > everyone could draw the same conclusions on what the protocol is and > how it works. Your description above about the interaction between > multicast and unicast is not obvious from the title. Neither is it > obvious there is on only compliant way to implement the protocol > (there are at least three variants that have been implemented with > varying degrees of interoperability problems). I still maintain that > if virtual reassembly were to be used in a normative context, it needs > a normative definition. If nothing else, that ensures there is no > ambiguity in what the protocol is, how it works, and what > implementations need to do to be interoperable-- after all that is the > goal of formal protocol specifications. > > Tom > >> Thanks - Fred >> >>> Tom >>> >>>> >>>> Fred >>>>> >>>>> Tom >>>>> >>>>>> Joe >>>>> >>>>> _______________________________________________ >>>>> Int-area mailing list >>>>> Int-area@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/int-area
- [Int-area] I-D Action: draft-ietf-intarea-frag-fr… internet-drafts
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Brian E Carpenter
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Ron Bonica
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Ron Bonica
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Brian E Carpenter
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Tom Herbert
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Ron Bonica
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Joe Touch
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Tom Herbert
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Joe Touch
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Tom Herbert
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Joe Touch
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Tom Herbert
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Templin (US), Fred L
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Tom Herbert
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Ole Troan
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Templin (US), Fred L
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Joe Touch
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Joe Touch
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Tom Herbert
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Joe Touch
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Templin (US), Fred L
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Tom Herbert
- Re: [Int-area] I-D Action: draft-ietf-intarea-fra… Templin (US), Fred L