Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile
Toerless Eckert <tte@cs.fau.de> Tue, 28 August 2018 22:09 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0046B130F44; Tue, 28 Aug 2018 15:09:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VOQZI78EF3ik; Tue, 28 Aug 2018 15:09:20 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 218B012D7F8; Tue, 28 Aug 2018 15:09:19 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id C55DB58C513; Wed, 29 Aug 2018 00:09:15 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id B6BE9440054; Wed, 29 Aug 2018 00:09:15 +0200 (CEST)
Date: Wed, 29 Aug 2018 00:09:15 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Joe Touch <touch@strayalpha.com>
Cc: Christian Huitema <huitema@huitema.net>, Tom Herbert <tom@herbertland.com>, int-area <int-area@ietf.org>, intarea-chairs@ietf.org
Message-ID: <20180828220915.fpx5hi7nhl46ou6r@faui48f.informatik.uni-erlangen.de>
References: <20180825032457.ol5rlrr7h2kqi6px@faui48f.informatik.uni-erlangen.de> <CALx6S35-n_ROEZv0NReVEWTUhnyc25SNJb5DaeqtnxPAPk6QjQ@mail.gmail.com> <CAF493D3-37A2-4A89-BA88-81567E5B88F1@huitema.net> <538A6193-2BD7-4E72-BD28-736B81F97B33@strayalpha.com> <20180826215558.6hzff2povrxuis3y@faui48f.informatik.uni-erlangen.de> <0A065EE6-463C-4C71-BF12-C0E5A1C51680@strayalpha.com> <20180826233350.kz3q6gzqbq36nn4r@faui48f.informatik.uni-erlangen.de> <810cea0d-809f-040d-bc79-7c7413cd99f2@strayalpha.com> <20180827023513.2bxjrk335al2lbvz@faui48f.informatik.uni-erlangen.de> <E02F3C36-ECE6-419E-A219-08A15AD98D13@strayalpha.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <E02F3C36-ECE6-419E-A219-08A15AD98D13@strayalpha.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/dmuCBv1WXGkaPKSVuOBt5yIWzFM>
Subject: Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Aug 2018 22:09:23 -0000
Thanks, Joe This has gotten pretty long. Let me sumarize my suggestions upfront: For the draft itself, how about it also consideres recommendations not only for IPv6 but IPv4. Such as simply also only do what we've accepted to be feasible for IPv6. Like: do never rely on in-network fragmentation but only use DF packets. The remaining considerations are more generic, and i wonder if this draft wants to have the guts to even mention them. Probably not. But IMHO we will continue to be architecturally stuck in the hole we are if we do not tackle them for poor middleboxes: The IETF may think they are bad and not needed, but reality does need middleboxes that function at linerate of only per-packet inspection and not at the lower speed achievable with "virtual reassembly based inspection". Therefore we need options to have in every fragment all the same context that middleboxes reasonably should be able to inspect. Its IMHO a clean pragmatic solution to say that this additional context can be in the higher-layer protocol and that layer willingly exposes it to middleboxes - and encrypts everthing else. This view then requires that higher-layer protocol to perform packet layer fragmentation. Like we can do with TCP. Thats why that approach is IMHO a good recommendation to use. If other transport protocols want to support the same degree of interaction with middleboxes. Fine. If not, fine too. Given how we do have TCP PLMTUD, i think it would be nice to suggest the use of it instead of relying on IP layer fragmentation to make TCP flows more middlebox friendly. In this draft. AFAIK, its the only option that does not require new spec work, thats why it could make the cut for this draft. For longer term architectural evolution of middlebox friendly IP fragmentation, we could indeed have a new IP option carrying that context, and fragmentation would put this option into every fragment. The definition of this context could be per-transport proto. I think there could be better middlebox contexts better than port numbers, but to make fragments work better for existing TCP/UDP middlebox functions, those 32 bits are it. But given how we can expect exposure of information only from willing higher layers, they will have a much easier way to get what they want to support by packet layer fragmentation. A simple generic packet layer fragmentation for UDP would therefore be nice IMHO so that UDP applications wanting to be friendly would not have to reinvent that wheel. If we actually ever do such an IP option, it MUST be a destination option, because the insufficient RFCs defining the treatment of hop-by-hop options burned any ability to deploy those. For IPsec, IP in IP or similar higher layer protocols, i would either use them as the key beneficiary of generic UDP fragmentation (IPsec/IP-UDP-IP) for pragmatic short term solutions, or else the IP option would equally be applicable to them (interesting discussionw aht the best context for them would be, but the two port numbers would make them be most compatible with those typcialyl very TCP/UDP centric middlebox functions). Specific answers to your points below Cheers Toerless On Sun, Aug 26, 2018 at 08:01:07PM -0700, Joe Touch wrote: > IPv6. IP options. IMHO hop-by-hop optsion got burned and are undeployable because the RFCs never made it mandatory enough to have them never impact forwarding performance randonly and badly. We had to abandon perfectly good hop-by-hop inspection solutions because there whee so many stupid router implemntations out there that didn't even have the feature but would still punt those packets to slow-path, then the operators saw those packets as DoS packets and filtered them. > And (perhaps) any new proposed solution. The main issue of everything written on top is that the main business interests the IETF works against is that of non-middlebox friendly participants. > We have to aim at what network components *need* to do to participate. IP fragmentation is exactly that. See above. The technical question is how to enable sufficient per-packet context. > That???s easy to say, but since any host might be an IPsec tunnel endpoint, you???re back where we are now - needing IP fragmentation support everywhere, ultimately. asked and answered. > My view is simple - if you fix what we KNOW is wrong with NATs and firewalls - in KNOWN ways - then not only don???t we have to solve this problem, we don???t have a lot of other problems either (e.g., lack of state when a flow takes a different path into an enterprise). Thats an orthogonal discussion. The goal in this fragmentation thread is purely to eliminate virtual-reassembly complexity on middleboxes. However good or bad it is what they do. Actually, its not fully orthogonal. By eliminating virtual reassembly needs, we make the middlebox also work for cases where fragments use different paths. > > And yes, that would enable > > me to make NAT and firewalls (for the firewall functions i think make sense) > > for host stack traffic something that does not require to bother about > > fragmentation and could therefore be done easier at higher speed > > and architecturally as something only in the network layer. > > You???re optimizing a long-term impact solution for a short-term limitation. That???s a bad idea; protocols last a very long time. The diference between per-packet operation and virtual-fragment-reassembly is orders of magnitude of complexity. Its the same order of magnitude a business problem for network device development as those unnecessary RTTs in pre-QUIC transport are for companies trying to make make money from ADD millenials on web pages. > > The draft in question argues to limit what future work should do > > within the existing requirements, which is fine. I was merely > > pointing out that we could move more into what i think would be > > a useful evolution if we also went beyond our current arch > > and evolved it. > > I am fine with encouraging the *search* for new solutions, as long as *in the meantime* we also call out firewalls and NATs for how they are already broken. Until IP fragmentation is deprecated, that has to be our position as a community. Probably easier trying to figure out what subset of NAT/FW/middleboxes we'd find to be worthwhile enough to support explicitly. Especially for firewalls, many business interests say NONE and they will only revert position when e.g.: they fail to get enough market share with that position. > > I think fragmentation is best pushed up on the stack. > > Again, please tell me how to do that for IPsec tunnels - which, again, can start/end anywhere in the network. See above. I was talking about the pragmatic approach for consenting hosts and middleboxes to get away without having to enhance IP. > >>> If i wouldn't have to worry about such proxy forwarding plane capabilities, > >>> i definitely would prefer models like SOCKS. If i have to think about them > >>> it becomes certainly difficult to even model this well. > >> When you find a complete model better than the Internet, propose it. > >> Until then... > > > > HTTPs over DWDM with application layer proxies on every hop. > > You didn't define how to measure "better" ;-) > > Agreed, but that???s exactly where you???re headed when you say ???kick the can down the road to the upper layer protocol???. I am still not sure about the meaning of your answers to Ole, but i may have tried to argue on this point ("i like SOCKS") maybe in the direction of how you may view middleboxes in your paper, e.g.: doing a lot more higher layer. But thats a much larger story independent of the problem of virtual fragment reassembly, which i think should be the only relevant issue in this fragmentation specific thread (and not the general bitching or improvments on firewall semantics).
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Brian E Carpenter
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- [Int-area] WG Adoption Call: IP Fragmentation Con… Wassim Haddad
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Black, David
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Templin (US), Fred L
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Brian E Carpenter
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Brian E Carpenter
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Eric Vyncke (evyncke)
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Templin (US), Fred L
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ron Bonica
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ron Bonica
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Mikael Abrahamsson
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Mikael Abrahamsson
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Black, David
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ron Bonica
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Templin (US), Fred L
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Templin (US), Fred L
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Mikael Abrahamsson
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Fernando Gont
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Mikael Abrahamsson
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Templin (US), Fred L
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Fernando Gont
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Brian E Carpenter
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Brian E Carpenter
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Fernando Gont
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Fernando Gont
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Brian E Carpenter
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Mikael Abrahamsson
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Mikael Abrahamsson
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Mikael Abrahamsson
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Mikael Abrahamsson
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Mikael Abrahamsson
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Mikael Abrahamsson
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Mikael Abrahamsson
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Wassim Haddad
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Toerless Eckert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Mikael Abrahamsson
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joel Jaeggli
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Christian Huitema
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Toerless Eckert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Toerless Eckert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Toerless Eckert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Toerless Eckert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Toerless Eckert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Toerless Eckert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Toerless Eckert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Toerless Eckert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Toerless Eckert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Ole Troan
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Toerless Eckert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Toerless Eckert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Toerless Eckert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… tom
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Christian Huitema
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Christian Huitema
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Templin (US), Fred L
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Tom Herbert
- Re: [Int-area] WG Adoption Call: IP Fragmentation… Joe Touch