Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05
Tom Herbert <tom@herbertland.com> Thu, 17 January 2019 15:27 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C48F5130934 for <int-area@ietfa.amsl.com>; Thu, 17 Jan 2019 07:27:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.042
X-Spam-Level:
X-Spam-Status: No, score=-2.042 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qwL_0HvQXakA for <int-area@ietfa.amsl.com>; Thu, 17 Jan 2019 07:27:34 -0800 (PST)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6937F130DCB for <int-area@ietf.org>; Thu, 17 Jan 2019 07:27:34 -0800 (PST)
Received: by mail-qk1-x731.google.com with SMTP id a1so6213771qkc.5 for <int-area@ietf.org>; Thu, 17 Jan 2019 07:27:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=NROcgxflsO+IJ0uSUgrJxxsaaqyOfROB3fF1ork9Bn0=; b=NJBzp1xXZdGCxj3zhgLJcvuDwRBNGY6IIziG/dK2+lZfoY4edJ9BRkoDqcQJ++vm9N eKK9UaNe5330PVLkPNycwdGszlSAdbKRTnWZuIrxndjKRIecCATqvE8VYfmo2w4tUC3G QJxlYkm9Zv+ccjlZYiEdkjGVUs4EtFWyN6k50mk23j216xEI6mPqjfB7H2BZlc1m7V61 SuND9hthof3rqLP+ONKSsgN3rhfCu570ppIcJoBnYNuGlvGToY8LzpT8CRa0KX9fTkHT HbYaci73RXGphoVX17wPZVg0YpeSL1VXkZZP6KFGQJs1pa2EJ/iVc4CckeVxWWPKQL8b F5Wg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=NROcgxflsO+IJ0uSUgrJxxsaaqyOfROB3fF1ork9Bn0=; b=iLoVTqHP4PNR+/2ivegaQY86QzaCfNsUlAwP5klk5wujYKMxj9DiEygeuw7TWlOEaj V+Q8Olb4I85eAoFUlRN5gqQichB96pYrHLcQhUT/HWfOy5EBDF7TZpPxDtHH1iU3gSis M0kHt9GtALAa0M1ZR5gYDunqyjMOOAfbKgh0yHHQi+lRRfz5dMpG6+z5gD1BNxotOoQf n1E5hJF5A4HIKu+iaQHn24RBZQb7SOdtdNlgK7Yolx0v6rzsCZLR3bCIwq1W5qfhwmxe zw9MhcVks624oH16e3DfR2wCLeeot86Flf3jAYifwYjk0J6v2K0nxND/5RNBVEtD6MVF eFiA==
X-Gm-Message-State: AJcUukfWh0B47YZWZaKu7y+eBLmMnmvhKCQ6reBj34ico6w5jHB0CcA+ IHW0WBm2PUOFB3wt8j3JmWO77Kcxb1cKa/X8xCxqng==
X-Google-Smtp-Source: ALg8bN6c4BYWd3yn84mNvAymkyArlYyqtutqk+T8Ls6upbgq3RUa4NwPd9EiigqzI43i8cnYN/JSwkJvQBKTpprtNEA=
X-Received: by 2002:a37:7885:: with SMTP id t127mr11495111qkc.323.1547738853231; Thu, 17 Jan 2019 07:27:33 -0800 (PST)
MIME-Version: 1.0
References: <D060DC26-15C7-4D3F-A3C5-641072C75CC5@ericsson.com> <4a283194-98f5-8f38-211a-29cfbc4c9c3e@joelhalpern.com> <CALx6S36btHxs0UTjahSMXEmOgfnQMAD+xYVFam=vKvQQfvOVdQ@mail.gmail.com> <984bfc0f-8e48-ca87-8f5c-064ae290bb0e@strayalpha.com> <CALx6S36bvohww=X8T_Yc7MmVWnD04hFmgvfW2VEEa-F-kTPERQ@mail.gmail.com> <31109D45-3F4A-45A5-99B9-386B045CF81B@strayalpha.com>
In-Reply-To: <31109D45-3F4A-45A5-99B9-386B045CF81B@strayalpha.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 17 Jan 2019 07:27:22 -0800
Message-ID: <CALx6S35jigE3YapYN8uPg7bP_FPfA71iyDApF8D_AJZK_jAu_w@mail.gmail.com>
To: Joe Touch <touch@strayalpha.com>
Cc: "Joel M. Halpern" <jmh@joelhalpern.com>, "internet-area@ietf.org" <int-area@ietf.org>, "intarea-chairs@ietf.org" <intarea-chairs@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/hLccRNGf2YNxbQXkBaz5S8o-sAg>
Subject: Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2019 15:27:37 -0000
On Thu, Jan 17, 2019 at 7:06 AM Joe Touch <touch@strayalpha.com> wrote: > > Hi Tom, > > > On Jan 17, 2019, at 6:55 AM, Tom Herbert <tom@herbertland.com> wrote: > > > >> On Wed, Jan 16, 2019 at 10:20 PM Joe Touch <touch@strayalpha.com> wrote: > >> > >> Tom, > >> > >> On 1/14/2019 2:04 PM, Tom Herbert wrote: > >> > >> Hello. I have a couple of comments: > >> > >>> From the draft: > >> "Middle boxes SHOULD process IP fragments in a manner that is > >> compliant with RFC 791 and RFC 8200. In many cases, middle boxes must > >> maintain state in order to achieve this goal." > >> > >> This requirement is confusing to me on several accounts. First of all, > >> there are a lot of requirements about fragmentation in both RFC791 and > >> RFC8200, including some MUSTs. This requirement seems to be updating > >> and possibly relaxing some of those requirements, but is not specific. > >> > >> I disagree; being compliant with existing RFCs neither updates nor relaxes those RFCs. > >> > >> This seems ambiguous as a normative requirement. > >> > >> Perhaps vague, agreed. > >> > >> Secondly, the only specified interaction between fragmentation and > >> intermediate nodes is that routers can fragment packets in IPv4. > >> > >> Agreed. However, nodes that *create* packets with their own IP addresses act as hosts; in that regard, middleboxes act both as intermediate (from the private side to public) and hosts (from the public side). As hosts, packets entering them, destined to *their* IP addresses, need to be reassembled, just as with any other host. > >> > >> This is addressed in detail here: > >> > >> Touch, J,. "Middlebox Models Compatible with the Internet," Technical Report, USC/ISI (ISI-TR-711), 2016. > >> > >> https://www.strayalpha.com/pubs/isi-tr-711.pdf > >> > >> Other > >> than that, a middlebox that complies with RFC791 and RFC8200 does not > >> process or consider fragmentation of packets. Given that, it's unclear > >> to me why middle boxes would need to maintain state to be protocol > >> compliant. > >> > >> If they process only IP headers, they don't. If they further consume the packet's contents - as would a *host*, they need to reassemble that content (even if virtually) to be able to interpret it. That includes associating transport headers with all the content as well as inspecting that content. > >> > > Joe, > > > > As I mentioned, in-network reassembly has not been specified, only > > reassembly at end destinations has been. > > Hint - if a packet arrives on your interface with your IP address, you ARE a host. > Joe, Conversley, if a packet arrives on your interface that isn't destined to your IP address, you ARE NOT a host. > > I suspects that > > implementations of in-network reassembly commonly make two incorrect > > assumptions: > > The first one is above... > > > > 1) All fragments of a packet traverse the network device performing reassembly > > 2) The first fragment is always received first > > > > Neither of these assumptions are valid for IP. > > Agreed, but again, there are three incorrect assumptions. The first is that a NAT isn’t a host, and too often that’s the one that causes the above two to actually cause pain. > If NAT is a host, then it is only a host in the return path. Packets sent from the client behind a NAT have destinations addresses that are not those of the the NAT device. If a device is performing host procedures on such packets, like reassembly, then it is being done outside the auspices of the standard. In any case, this isn't a NAT specific issue. Stateful firewalls regularly process packets for which they aren't the destination. Tom > > > >> It's possible that the implicit exception of the > >> requirement is that middleboxes might perform "in-network reassembly" > >> or "virtual reassemlby" which would require state. If that is indeed > >> the case then the requirements for the mechanisms should be spelled > >> out. > >> > >> As with Ron, I agree that seems out of scope for this doc. > >> > >> For stateless load balancing (described in section 4.4), the IPv6 flow > >> label obviates the need for DPI. > >> > >> Only for flow-based routing; not for DPI processing involving content beyond the transport header, e.g., content-based routing. I.e., it depends on how far into the packet the DPI is going... > >> > > TLS and payload encryption have largely eliminated the ability for > > intermediate devices to perform DPI into content. Transport layer > > header encryption, like done in QUIC, will further reduce the value of > > doing DPI. > > Yes and no; there are still devices that do DPI on content - especially devices that spoof the initial splash page for Internet access when at hotspots. Some of them won’t even open a splash page unless customers first access a non-TLS website. > > Joe
- [Int-area] WGLC on draft-ietf-intarea-frag-fragil… Wassim Haddad
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joel M. Halpern
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Brian E Carpenter
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Fred Baker
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Mikael Abrahamsson
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch