IETF Logo Mail Archive

Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt

Tom Herbert <tom@herbertland.com> Fri, 01 February 2019 17:07 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6084A131041 for <int-area@ietfa.amsl.com>; Fri, 1 Feb 2019 09:07:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level:
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lnd7f4O3CvQz for <int-area@ietfa.amsl.com>; Fri, 1 Feb 2019 09:07:32 -0800 (PST)
Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 947E0130934 for <int-area@ietf.org>; Fri, 1 Feb 2019 09:07:32 -0800 (PST)
Received: by mail-qt1-x82f.google.com with SMTP id l11so8382567qtp.0 for <int-area@ietf.org>; Fri, 01 Feb 2019 09:07:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ziaNYcYISlsTE+0rxqS1vNNFAAaLCg12X0K4GkzXcnA=; b=dcsxL1vAhxh0/R30zKoF1Ceuw33mNjHA61EMA/TlVHagUExNYccOveB5XetvLuM+s4 RPHnnaYpIqY86qj+Mun+MySbvhevHL/78iPHYqMvRyhC/CBfpj1yXStfTjBiRuuPcYNv BocmdNlHKO2GUoRU3Wv2ZY/0QZTfpxHlAdtLbEos4p2HfnW+5VlKUc9TMuAQ9nbP5+Cr J3jHvf5WsB8RKnAI0xQ0hVuJurJSgAH+oJGPYDc57x/3lAHZGgaxR4R0j7FjmoTLS042 tbJ1ojLIsFhVmRi9B490eLbMkLFLrUxCrQaL6oo7KsHcFT1WrqACWpkgeF4e9yYMGUMv Rckw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ziaNYcYISlsTE+0rxqS1vNNFAAaLCg12X0K4GkzXcnA=; b=qmc3z0lFHUuRD4HXhNR6i7NxMiJCbyiQc6b3uwW1uibZ+bRLiN5TIuE2WTSwUylmIF Zvq7p3fU371pJvDB22yOFCW2U8/bHJmOsYXXmSApcEgQK1MF+frs7yihlXvkxdhbLj8o QodVVn6I94RztGWrr7JXAKyKxRVrNKHU+ER4FrJbRkEDJvfx8tkBBCL2B6Ez9fctfZtV Ra9nUqq2COjplRaIVy7SYr+r8YvWvRFLtBqo2/nGldep0/SlYvhBeOFSm0MgO7xgyU2l /B+t4H8N2lFUkEHBo05/iFphZNq+j3vzcfVyqeYksjB6/OQxtG/2NYyT1rih8mt9vs6w ABQg==
X-Gm-Message-State: AJcUukdPzw/TJNSDC6sXDzdRrTnnxjGCDGvxWOxVke3BW+k8S95ftkh2 GhgR/4YvyPotuY+0cxfY9DGqPcC++gNH+h86PhLc62e3+bg=
X-Google-Smtp-Source: ALg8bN4HnbLh6mUMadjw8fSp23ugkSF/DXOss4Tlh2SG9ecHuhmyb96dB+736IpiGujdocqu/cibxg7AJyNbepJ2Cgc=
X-Received: by 2002:aed:38c6:: with SMTP id k64mr37001149qte.97.1549040851295; Fri, 01 Feb 2019 09:07:31 -0800 (PST)
MIME-Version: 1.0
References: <BYAPR05MB424584AA4D0D11D7D0098B81AE900@BYAPR05MB4245.namprd05.prod.outlook.com> <CALx6S35-F_8L+QCcwN6--3TrrRdE5OG3vUACTEH03AmKYerLSw@mail.gmail.com> <BYAPR05MB4245604C8E234D72F42E0D8CAE910@BYAPR05MB4245.namprd05.prod.outlook.com> <10861CAC-3650-4B69-A8B0-437C2A3494CA@strayalpha.com> <CALx6S35XMV+7uXoGatsFEg7Bh+ueuHGVDZrXa8o4cSQKdON7iA@mail.gmail.com> <eb0cd9a4bd898310122ea77e0fade3f9@strayalpha.com> <CALx6S3708uQN2cey8ZDWUKsRR0KUH_uEPk6JwUu4eY4h0Op6xA@mail.gmail.com> <75e840b19c2e439ab3ff13d7c105ce8f@boeing.com> <CALx6S35tKRUDuMQmpiA7dVJV7D9ijXAWD-exGe7-3xZT-k9XVw@mail.gmail.com> <65c1231056cf4eb68abb2d3af7b2ba5d@boeing.com> <CALx6S35x89FjRVAq1HOMRiLXLZMnv0ZOgwtvyN1c+N2GF5SoTA@mail.gmail.com> <4dc8e447ec594453afe289850cfd818e@boeing.com>
In-Reply-To: <4dc8e447ec594453afe289850cfd818e@boeing.com>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 01 Feb 2019 09:07:19 -0800
Message-ID: <CALx6S36qSabo9e3tYimoXyyu6m3QgQjPnVvHKbw8T5U6GeYLKQ@mail.gmail.com>
To: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
Cc: Joe Touch <touch@strayalpha.com>, Ron Bonica <rbonica@juniper.net>, int-area <int-area@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/aK6OYi-g-y9SsWxrTxPOmTFo41E>
Subject: Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Feb 2019 17:07:35 -0000

On Fri, Feb 1, 2019 at 8:25 AM Templin (US), Fred L
<Fred.L.Templin@boeing.com> wrote:
>
> Hi Tom,
>
> > -----Original Message-----
> > From: Tom Herbert [mailto:tom@herbertland.com]
> > Sent: Friday, February 01, 2019 8:15 AM
> > To: Templin (US), Fred L <Fred.L.Templin@boeing.com>
> > Cc: Joe Touch <touch@strayalpha.com>; Ron Bonica <rbonica@juniper.net>; int-area <int-area@ietf.org>
> > Subject: Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt
> >
> > On Fri, Feb 1, 2019 at 7:39 AM Templin (US), Fred L
> > <Fred.L.Templin@boeing.com> wrote:
> > >
> > > Hi Tom,
> > >
> > > > -----Original Message-----
> > > > From: Tom Herbert [mailto:tom@herbertland.com]
> > > > Sent: Thursday, January 31, 2019 5:17 PM
> > > > To: Templin (US), Fred L <Fred.L.Templin@boeing.com>
> > > > Cc: Joe Touch <touch@strayalpha.com>; Ron Bonica <rbonica@juniper.net>; int-area <int-area@ietf.org>
> > > > Subject: Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt
> > > >
> > > > On Thu, Jan 31, 2019 at 5:03 PM Templin (US), Fred L
> > > > <Fred.L.Templin@boeing.com> wrote:
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Int-area [mailto:int-area-bounces@ietf.org] On Behalf Of Tom Herbert
> > > > > > Sent: Thursday, January 31, 2019 4:40 PM
> > > > > > To: Joe Touch <touch@strayalpha.com>
> > > > > > Cc: Ron Bonica <rbonica@juniper.net>; int-area <int-area@ietf.org>
> > > > > > Subject: Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt
> > > > > >
> > > > > > On Thu, Jan 31, 2019 at 3:10 PM Joe Touch <touch@strayalpha.com> wrote:
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On 2019-01-31 13:56, Tom Herbert wrote:
> > > > > > >
> > > > > > > On Thu, Jan 31, 2019 at 7:59 AM Joe Touch <touch@strayalpha.com> wrote:
> > > > > > >
> > > > > > >
> > > > > > > The problem with dropping the entire paragraph is the section title - talking about stateless firewalls begs the question of
> > > > stateful
> > > > > > ones. This is reinforced later in the recommendations. The sentences you remove were the only thing that tied the two
> > together,
> > > > > > which IMO is important.
> > > > > > >
> > > > > > >
> > > > > > > Joe,
> > > > > > >
> > > > > > > The term "Stateless firewalls" is unambiguous in this context. In a
> > > > > > > stateless firewall, each packet is inspected and judge based solely on
> > > > > > > it's content.
> > > > > > >
> > > > > > >
> > > > > > > My statement above has no relation to any potential ambiguity in the term.
> > > > > > >
> > > > > > > ---
> > > > > > >
> > > > > > > However, the term stateless is inaccurate in a few places:
> > > > > > >
> > > > > > > (Sec 4.6) NAT is a stateful procedure for an otherwise stateless protocol as well. The same could be argued for load balancers
> > > > that
> > > > > > retain similar state through a connection for a flow (i.e., not just hashing the flow or tuple, but doing round-robin per-
> > flow/tuple
> > > > > > 'sticky' routing)
> > > > > > >
> > > > > > > (Sec 7.3) The problem is not just stateless middle boxes, but also certain stateful ones (e.g., NATs, some load balancers, etc.)
> > > > > > >
> > > > > > > ---
> > > > > > >
> > > > > > > Thus "stateful" actually is both ambiguous and inaccurate here.
> > > > > > >
> > > > > > > You appear to want to distinguish between the state needed for virtual reassembly and the state needed to maintain NAT
> > > > > > translations or sticky round-robin load balancing, but there's no simple term that differentiates them. They're both content-
> > > > > > dependent, context-dependent, and stateful.
> > > > > > >
> > > > > > >
> > > > > > > Further, as you note there are no *specified* algorithms for virtual reassembly, nor are there any *specified* for NAT
> > > > translation
> > > > > > table maintenance or sticky load balancing. Everyone comes up with their own and the basic concept is well enough defined as
> > to
> > > > not
> > > > > > need a specification.
> > > > > > >
> > > > > > In that case, if it's so obvious and well defined then there shouldn't
> > > > > > be any issue in either providing a reference to a description or
> > > > > > specifying it in the draft (if authors do choose discuss virtual
> > > > > > reassembly in the draft).
> > > > >
> > > > > I have been telling everyone about virtual fragmentation reassembly for
> > > > > years. You will find it in many of my docs. Here is what cisco says about it:
> > > > >
> > > > >
> > > >
> > https://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/12_4/sec_data_plane_12_4_book/sec_virt_frag_
> > > > reassm.html
> > > >
> > > > Hi Fred,
> > > >
> > > > It does seem that Cisco configuration manuals and marketing materials
> > > > are the best source of information on virtual reassembly.
> > > >
> > > > https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_frre/configuration/xe-3s/frre-xe-3s-book/virt-frag-reassembly.html
> > > > is a little more interesting in that it provides a few more details.
> > > > In particular the requirement that all fragments must traverse the
> > > > same intermediate device is mentioned:
> > > >
> > > > "The reassembly process requires all fragments within an IP datagram.
> > > > If fragments within an IP datagram are sent to different devices due
> > > > to load balancing VFR may fail and fragments may be dropped."
> > >
> > > Yes, of course the fragments all need to go through the same destination where
> > > VFR is caching the fragments. That is assured due to the IP destination address
> > > for unicast, but not necessarily for anycast. But, for anycast, the considerations
> > > are no different for middleboxes than they are for anycast final destinations.
> > >
> > > An analogy for VFR is that the middlebox receives the pieces of a puzzle from
> > > the network. It checks each piece to make sure it is OK and holds them until
> > > all pieces have arrived, but then instead of assembling the puzzle it forwards
> > > the pieces on to the next hop destination, with the realization that there could
> > > be NATs-within-NATs. Then, when the final destination receives all pieces it
> > > assembles the puzzle.
> > >
> > > I don' t think there needs to be a spec for this because the behavior is
> > > inherently understood from the title (*Virtual* Fragment Reassembly).
> > >
> > Fred,
> >
> > I don't see this. It is not at all clear from three words that
> > everyone could draw the same conclusions on what the protocol is and
> > how it works. Your description above about the interaction between
> > multicast and unicast is not obvious from the title. Neither is it
>
> I said "anycast"; not multicast. Multicast is different in that all nodes that
> are members of the group will receive all fragments. With anycast, only
> one node out of potentially many gets the fragments, and it may not
> always be the same node for all fragments.
>
> > obvious there is on only compliant way to implement the protocol
> > (there are at least three variants that have been implemented with
> > varying degrees of interoperability problems). I still maintain that
> > if virtual reassembly were to be used in a normative context, it needs
> > a normative definition. If nothing else, that ensures there is no
> > ambiguity in what the protocol is, how it works, and what
> > implementations need to do to be interoperable-- after all that is the
> > goal of formal protocol specifications.
>
> The only requirement is that the node receiving the fragments and doing
> VFR internally has to emit them looking just like they did originally - albeit
> with a potentially different IP destination address. What goes on inside the
> box in terms of VFR is completely implementation-dependent, and not a
> topic for standardization.
>
Fred,
i
That is only true if the implementation is standards conformant and
doesn't break interoperability. We've already identified one instance
of non-conformance with virtual routing that breaks interoperability
(namely the aforementioned requirement that packets of flow must
traverse the same device). There is another variant of virtual routing
that has been deployed in which the implementation only tracks
reassembly state, but does not actually queue fragments. As long as
the first fragment is received by the device first, this works. This
probably works probably 99.9% of the time, and represents a huge cost
savings in terms of memory. There is even a simpler variant of that in
which an implementation just creates a state for <src, dst, id>,
allows non-first fragments to pass, and then destroys the state when
MF is not set in a fragment. This is even more savings in memory,
substantially reduces CPU overhead, and probably works 99.8% of the
time. Of course, IP does not require in order delivery, so like the
requirement above, such implementations are technically non-conformant
and inevitably will break interoperability for someone.

Tom

> Thanks - Fred
>
> > Tom
> >
> > > Thanks - Fred
> > >
> > > > Tom
> > > >
> > > > >
> > > > > Fred
> > > > > >
> > > > > > Tom
> > > > > >
> > > > > > > Joe
> > > > > >
> > > > > > _______________________________________________
> > > > > > Int-area mailing list
> > > > > > Int-area@ietf.org
> > > > > > https://www.ietf.org/mailman/listinfo/int-area

v2.23.0 | Report a Bug | By Email