IETF Logo Mail Archive

Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt

Joe Touch <touch@strayalpha.com> Fri, 01 February 2019 16:23 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0FFE130F4D for <int-area@ietfa.amsl.com>; Fri, 1 Feb 2019 08:23:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.22
X-Spam-Level:
X-Spam-Status: No, score=-1.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yKmy12eNEtSc for <int-area@ietfa.amsl.com>; Fri, 1 Feb 2019 08:23:12 -0800 (PST)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B32E130F4F for <int-area@ietf.org>; Fri, 1 Feb 2019 08:23:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=g8XGg2fuhe7qJBCjw2xjBeo5K3zmRlGWpIlycNtFXzs=; b=Eh9ltdnh3wtZ9V/zbE+FkzsSD gfxgdUL86jK6Mwu5tFSUUIOER1DYmCZFWmm0Bh0Fhuud8mQR2hHbveFPhekjJUfeCJHFBMFoKYL9K GSGowLfxgFfSGujjYJKMbW9fbjwiiMSsxgLUvUyHdf+OKBFg+to6fHpKafn4IuKVUBhSfw1IZcc0r 6iAUmjoROcgMul3dxKF8MXquvX1gXhUbhZ7uSbtddqAmcNH+10zX+rijnnWKOW4JfE9ZN8LCh05wt HYWA4tuVZH7+bsOuTr+0oGJezP/9gZlwepi7a0qA3amk9uekjQNYiM2Ld0I3sDoLpyw8ODDPefshO +8YQ3Lr1w==;
Received: from cpe-172-250-240-132.socal.res.rr.com ([172.250.240.132]:50323 helo=[192.168.1.16]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <touch@strayalpha.com>) id 1gpban-001uR2-MX; Fri, 01 Feb 2019 11:23:04 -0500
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Joe Touch <touch@strayalpha.com>
X-Mailer: iPad Mail (16C50)
In-Reply-To: <CALx6S35x89FjRVAq1HOMRiLXLZMnv0ZOgwtvyN1c+N2GF5SoTA@mail.gmail.com>
Date: Fri, 01 Feb 2019 08:23:00 -0800
Cc: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>, Ron Bonica <rbonica@juniper.net>, int-area <int-area@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2CCE72FC-5B53-467E-985B-102BF7705C79@strayalpha.com>
References: <BYAPR05MB424584AA4D0D11D7D0098B81AE900@BYAPR05MB4245.namprd05.prod.outlook.com> <CALx6S35-F_8L+QCcwN6--3TrrRdE5OG3vUACTEH03AmKYerLSw@mail.gmail.com> <BYAPR05MB4245604C8E234D72F42E0D8CAE910@BYAPR05MB4245.namprd05.prod.outlook.com> <10861CAC-3650-4B69-A8B0-437C2A3494CA@strayalpha.com> <CALx6S35XMV+7uXoGatsFEg7Bh+ueuHGVDZrXa8o4cSQKdON7iA@mail.gmail.com> <eb0cd9a4bd898310122ea77e0fade3f9@strayalpha.com> <CALx6S3708uQN2cey8ZDWUKsRR0KUH_uEPk6JwUu4eY4h0Op6xA@mail.gmail.com> <75e840b19c2e439ab3ff13d7c105ce8f@boeing.com> <CALx6S35tKRUDuMQmpiA7dVJV7D9ijXAWD-exGe7-3xZT-k9XVw@mail.gmail.com> <65c1231056cf4eb68abb2d3af7b2ba5d@boeing.com> <CALx6S35x89FjRVAq1HOMRiLXLZMnv0ZOgwtvyN1c+N2GF5SoTA@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/_h46iYUZYKm-It5sFJ8OjJPQS8M>
Subject: Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Feb 2019 16:23:16 -0000

This isn’t a formal protocol spec and there is no equivalent detailed specification for stateful firewalls or load balancers. 

> On Feb 1, 2019, at 8:15 AM, Tom Herbert <tom@herbertland.com> wrote:
> 
> On Fri, Feb 1, 2019 at 7:39 AM Templin (US), Fred L
> <Fred.L.Templin@boeing.com> wrote:
>> 
>> Hi Tom,
>> 
>>> -----Original Message-----
>>> From: Tom Herbert [mailto:tom@herbertland.com]
>>> Sent: Thursday, January 31, 2019 5:17 PM
>>> To: Templin (US), Fred L <Fred.L.Templin@boeing.com>
>>> Cc: Joe Touch <touch@strayalpha.com>; Ron Bonica <rbonica@juniper.net>; int-area <int-area@ietf.org>
>>> Subject: Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt
>>> 
>>> On Thu, Jan 31, 2019 at 5:03 PM Templin (US), Fred L
>>> <Fred.L.Templin@boeing.com> wrote:
>>>> 
>>>> 
>>>> 
>>>>> -----Original Message-----
>>>>> From: Int-area [mailto:int-area-bounces@ietf.org] On Behalf Of Tom Herbert
>>>>> Sent: Thursday, January 31, 2019 4:40 PM
>>>>> To: Joe Touch <touch@strayalpha.com>
>>>>> Cc: Ron Bonica <rbonica@juniper.net>; int-area <int-area@ietf.org>
>>>>> Subject: Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt
>>>>> 
>>>>>> On Thu, Jan 31, 2019 at 3:10 PM Joe Touch <touch@strayalpha.com> wrote:
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On 2019-01-31 13:56, Tom Herbert wrote:
>>>>>> 
>>>>>> On Thu, Jan 31, 2019 at 7:59 AM Joe Touch <touch@strayalpha.com> wrote:
>>>>>> 
>>>>>> 
>>>>>> The problem with dropping the entire paragraph is the section title - talking about stateless firewalls begs the question of
>>> stateful
>>>>> ones. This is reinforced later in the recommendations. The sentences you remove were the only thing that tied the two together,
>>>>> which IMO is important.
>>>>>> 
>>>>>> 
>>>>>> Joe,
>>>>>> 
>>>>>> The term "Stateless firewalls" is unambiguous in this context. In a
>>>>>> stateless firewall, each packet is inspected and judge based solely on
>>>>>> it's content.
>>>>>> 
>>>>>> 
>>>>>> My statement above has no relation to any potential ambiguity in the term.
>>>>>> 
>>>>>> ---
>>>>>> 
>>>>>> However, the term stateless is inaccurate in a few places:
>>>>>> 
>>>>>> (Sec 4.6) NAT is a stateful procedure for an otherwise stateless protocol as well. The same could be argued for load balancers
>>> that
>>>>> retain similar state through a connection for a flow (i.e., not just hashing the flow or tuple, but doing round-robin per-flow/tuple
>>>>> 'sticky' routing)
>>>>>> 
>>>>>> (Sec 7.3) The problem is not just stateless middle boxes, but also certain stateful ones (e.g., NATs, some load balancers, etc.)
>>>>>> 
>>>>>> ---
>>>>>> 
>>>>>> Thus "stateful" actually is both ambiguous and inaccurate here.
>>>>>> 
>>>>>> You appear to want to distinguish between the state needed for virtual reassembly and the state needed to maintain NAT
>>>>> translations or sticky round-robin load balancing, but there's no simple term that differentiates them. They're both content-
>>>>> dependent, context-dependent, and stateful.
>>>>>> 
>>>>>> 
>>>>>> Further, as you note there are no *specified* algorithms for virtual reassembly, nor are there any *specified* for NAT
>>> translation
>>>>> table maintenance or sticky load balancing. Everyone comes up with their own and the basic concept is well enough defined as to
>>> not
>>>>> need a specification.
>>>>>> 
>>>>> In that case, if it's so obvious and well defined then there shouldn't
>>>>> be any issue in either providing a reference to a description or
>>>>> specifying it in the draft (if authors do choose discuss virtual
>>>>> reassembly in the draft).
>>>> 
>>>> I have been telling everyone about virtual fragmentation reassembly for
>>>> years. You will find it in many of my docs. Here is what cisco says about it:
>>>> 
>>>> 
>>> https://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/12_4/sec_data_plane_12_4_book/sec_virt_frag_
>>> reassm.html
>>> 
>>> Hi Fred,
>>> 
>>> It does seem that Cisco configuration manuals and marketing materials
>>> are the best source of information on virtual reassembly.
>>> 
>>> https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_frre/configuration/xe-3s/frre-xe-3s-book/virt-frag-reassembly.html
>>> is a little more interesting in that it provides a few more details.
>>> In particular the requirement that all fragments must traverse the
>>> same intermediate device is mentioned:
>>> 
>>> "The reassembly process requires all fragments within an IP datagram.
>>> If fragments within an IP datagram are sent to different devices due
>>> to load balancing VFR may fail and fragments may be dropped."
>> 
>> Yes, of course the fragments all need to go through the same destination where
>> VFR is caching the fragments. That is assured due to the IP destination address
>> for unicast, but not necessarily for anycast. But, for anycast, the considerations
>> are no different for middleboxes than they are for anycast final destinations.
>> 
>> An analogy for VFR is that the middlebox receives the pieces of a puzzle from
>> the network. It checks each piece to make sure it is OK and holds them until
>> all pieces have arrived, but then instead of assembling the puzzle it forwards
>> the pieces on to the next hop destination, with the realization that there could
>> be NATs-within-NATs. Then, when the final destination receives all pieces it
>> assembles the puzzle.
>> 
>> I don' t think there needs to be a spec for this because the behavior is
>> inherently understood from the title (*Virtual* Fragment Reassembly).
>> 
> Fred,
> 
> I don't see this. It is not at all clear from three words that
> everyone could draw the same conclusions on what the protocol is and
> how it works. Your description above about the interaction between
> multicast and unicast is not obvious from the title. Neither is it
> obvious there is on only compliant way to implement the protocol
> (there are at least three variants that have been implemented with
> varying degrees of interoperability problems). I still maintain that
> if virtual reassembly were to be used in a normative context, it needs
> a normative definition. If nothing else, that ensures there is no
> ambiguity in what the protocol is, how it works, and what
> implementations need to do to be interoperable-- after all that is the
> goal of formal protocol specifications.
> 
> Tom
> 
>> Thanks - Fred
>> 
>>> Tom
>>> 
>>>> 
>>>> Fred
>>>>> 
>>>>> Tom
>>>>> 
>>>>>> Joe
>>>>> 
>>>>> _______________________________________________
>>>>> Int-area mailing list
>>>>> Int-area@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/int-area

v2.23.0 | Report a Bug | By Email