IETF Logo Mail Archive

Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05

Tom Herbert <tom@herbertland.com> Thu, 17 January 2019 15:27 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C48F5130934 for <int-area@ietfa.amsl.com>; Thu, 17 Jan 2019 07:27:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.042
X-Spam-Level:
X-Spam-Status: No, score=-2.042 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qwL_0HvQXakA for <int-area@ietfa.amsl.com>; Thu, 17 Jan 2019 07:27:34 -0800 (PST)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6937F130DCB for <int-area@ietf.org>; Thu, 17 Jan 2019 07:27:34 -0800 (PST)
Received: by mail-qk1-x731.google.com with SMTP id a1so6213771qkc.5 for <int-area@ietf.org>; Thu, 17 Jan 2019 07:27:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=NROcgxflsO+IJ0uSUgrJxxsaaqyOfROB3fF1ork9Bn0=; b=NJBzp1xXZdGCxj3zhgLJcvuDwRBNGY6IIziG/dK2+lZfoY4edJ9BRkoDqcQJ++vm9N eKK9UaNe5330PVLkPNycwdGszlSAdbKRTnWZuIrxndjKRIecCATqvE8VYfmo2w4tUC3G QJxlYkm9Zv+ccjlZYiEdkjGVUs4EtFWyN6k50mk23j216xEI6mPqjfB7H2BZlc1m7V61 SuND9hthof3rqLP+ONKSsgN3rhfCu570ppIcJoBnYNuGlvGToY8LzpT8CRa0KX9fTkHT HbYaci73RXGphoVX17wPZVg0YpeSL1VXkZZP6KFGQJs1pa2EJ/iVc4CckeVxWWPKQL8b F5Wg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=NROcgxflsO+IJ0uSUgrJxxsaaqyOfROB3fF1ork9Bn0=; b=iLoVTqHP4PNR+/2ivegaQY86QzaCfNsUlAwP5klk5wujYKMxj9DiEygeuw7TWlOEaj V+Q8Olb4I85eAoFUlRN5gqQichB96pYrHLcQhUT/HWfOy5EBDF7TZpPxDtHH1iU3gSis M0kHt9GtALAa0M1ZR5gYDunqyjMOOAfbKgh0yHHQi+lRRfz5dMpG6+z5gD1BNxotOoQf n1E5hJF5A4HIKu+iaQHn24RBZQb7SOdtdNlgK7Yolx0v6rzsCZLR3bCIwq1W5qfhwmxe zw9MhcVks624oH16e3DfR2wCLeeot86Flf3jAYifwYjk0J6v2K0nxND/5RNBVEtD6MVF eFiA==
X-Gm-Message-State: AJcUukfWh0B47YZWZaKu7y+eBLmMnmvhKCQ6reBj34ico6w5jHB0CcA+ IHW0WBm2PUOFB3wt8j3JmWO77Kcxb1cKa/X8xCxqng==
X-Google-Smtp-Source: ALg8bN6c4BYWd3yn84mNvAymkyArlYyqtutqk+T8Ls6upbgq3RUa4NwPd9EiigqzI43i8cnYN/JSwkJvQBKTpprtNEA=
X-Received: by 2002:a37:7885:: with SMTP id t127mr11495111qkc.323.1547738853231; Thu, 17 Jan 2019 07:27:33 -0800 (PST)
MIME-Version: 1.0
References: <D060DC26-15C7-4D3F-A3C5-641072C75CC5@ericsson.com> <4a283194-98f5-8f38-211a-29cfbc4c9c3e@joelhalpern.com> <CALx6S36btHxs0UTjahSMXEmOgfnQMAD+xYVFam=vKvQQfvOVdQ@mail.gmail.com> <984bfc0f-8e48-ca87-8f5c-064ae290bb0e@strayalpha.com> <CALx6S36bvohww=X8T_Yc7MmVWnD04hFmgvfW2VEEa-F-kTPERQ@mail.gmail.com> <31109D45-3F4A-45A5-99B9-386B045CF81B@strayalpha.com>
In-Reply-To: <31109D45-3F4A-45A5-99B9-386B045CF81B@strayalpha.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 17 Jan 2019 07:27:22 -0800
Message-ID: <CALx6S35jigE3YapYN8uPg7bP_FPfA71iyDApF8D_AJZK_jAu_w@mail.gmail.com>
To: Joe Touch <touch@strayalpha.com>
Cc: "Joel M. Halpern" <jmh@joelhalpern.com>, "internet-area@ietf.org" <int-area@ietf.org>, "intarea-chairs@ietf.org" <intarea-chairs@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/hLccRNGf2YNxbQXkBaz5S8o-sAg>
Subject: Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2019 15:27:37 -0000

On Thu, Jan 17, 2019 at 7:06 AM Joe Touch <touch@strayalpha.com> wrote:
>
> Hi Tom,
>
> > On Jan 17, 2019, at 6:55 AM, Tom Herbert <tom@herbertland.com> wrote:
> >
> >> On Wed, Jan 16, 2019 at 10:20 PM Joe Touch <touch@strayalpha.com> wrote:
> >>
> >> Tom,
> >>
> >> On 1/14/2019 2:04 PM, Tom Herbert wrote:
> >>
> >> Hello. I have a couple of comments:
> >>
> >>> From the draft:
> >> "Middle boxes SHOULD process IP fragments in a manner that is
> >> compliant with RFC 791 and RFC 8200.  In many cases, middle boxes must
> >> maintain state in order to achieve this goal."
> >>
> >> This requirement is confusing to me on several accounts. First of all,
> >> there are a lot of requirements about fragmentation in both RFC791 and
> >> RFC8200, including some MUSTs. This requirement seems to be updating
> >> and possibly relaxing some of those requirements, but is not specific.
> >>
> >> I disagree; being compliant with existing RFCs neither updates nor relaxes those RFCs.
> >>
> >> This seems ambiguous as a normative requirement.
> >>
> >> Perhaps vague, agreed.
> >>
> >> Secondly, the only specified interaction between fragmentation and
> >> intermediate nodes is that routers can fragment packets in IPv4.
> >>
> >> Agreed. However, nodes that *create* packets with their own IP addresses act as hosts; in that regard, middleboxes act both as intermediate (from the private side to public) and hosts (from the public side). As hosts, packets entering them, destined to *their* IP addresses, need to be reassembled, just as with any other host.
> >>
> >> This is addressed in detail here:
> >>
> >> Touch, J,. "Middlebox Models Compatible with the Internet," Technical Report, USC/ISI (ISI-TR-711), 2016.
> >>
> >> https://www.strayalpha.com/pubs/isi-tr-711.pdf
> >>
> >> Other
> >> than that, a middlebox that complies with RFC791 and RFC8200 does not
> >> process or consider fragmentation of packets. Given that, it's unclear
> >> to me why middle boxes would need to maintain state to be protocol
> >> compliant.
> >>
> >> If they process only IP headers, they don't. If they further consume the packet's contents - as would a *host*, they need to reassemble that content (even if virtually) to be able to interpret it. That includes associating transport headers with all the content as well as inspecting that content.
> >>
> > Joe,
> >
> > As I mentioned, in-network reassembly has not been specified, only
> > reassembly at end destinations has been.
>
> Hint - if a packet arrives on your interface with your IP address, you ARE a host.
>
Joe,

Conversley, if a packet arrives on your interface that isn't destined
to your IP address, you ARE NOT a host.

> > I suspects that
> > implementations of in-network reassembly commonly make two incorrect
> > assumptions:
>
> The first one is above...
> >
> > 1) All fragments of a packet traverse the network device performing reassembly
> > 2) The first fragment is always received first
> >
> > Neither of these assumptions are valid for IP.
>
> Agreed, but again, there are three incorrect assumptions. The first is that a NAT isn’t a host, and too often that’s the one that causes the above two to actually cause pain.
>
If NAT is a host, then it is only a host in the return path. Packets
sent from the client behind a NAT have destinations addresses that are
not those of the the NAT device. If a device is performing host
procedures on such packets, like reassembly, then it is being done
outside the auspices of the standard.

In any case, this isn't a NAT specific issue. Stateful firewalls
regularly process packets for which they aren't the destination.

Tom

> >
> >> It's possible that the implicit exception of the
> >> requirement is that middleboxes might perform "in-network reassembly"
> >> or "virtual reassemlby" which would require state. If that is indeed
> >> the case then the requirements for the mechanisms should be spelled
> >> out.
> >>
> >> As with Ron, I agree that seems out of scope for this doc.
> >>
> >> For stateless load balancing (described in section 4.4), the IPv6 flow
> >> label obviates the need for DPI.
> >>
> >> Only for flow-based routing; not for DPI processing involving content beyond the transport header, e.g., content-based routing. I.e., it depends on how far into the packet the DPI is going...
> >>
> > TLS and payload encryption have largely eliminated the ability for
> > intermediate devices to perform DPI into content. Transport layer
> > header encryption, like done in QUIC, will further reduce the value of
> > doing DPI.
>
> Yes and no; there are still devices that do DPI on content - especially devices that spoof the initial splash page for Internet access when at hotspots. Some of them won’t even open a splash page unless customers first access a non-TLS website.
>
> Joe

v2.23.0 | Report a Bug | By Email