Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05 (Tom Herbert)
Tom Herbert <tom@herbertland.com> Wed, 16 January 2019 20:02 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62CAA130EAA for <int-area@ietfa.amsl.com>; Wed, 16 Jan 2019 12:02:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level:
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RQ6dbN-Urlnr for <int-area@ietfa.amsl.com>; Wed, 16 Jan 2019 12:02:49 -0800 (PST)
Received: from mail-qt1-x834.google.com (mail-qt1-x834.google.com [IPv6:2607:f8b0:4864:20::834]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FC3A130E8B for <int-area@ietf.org>; Wed, 16 Jan 2019 12:02:49 -0800 (PST)
Received: by mail-qt1-x834.google.com with SMTP id r14so8754046qtp.1 for <int-area@ietf.org>; Wed, 16 Jan 2019 12:02:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=oD3JM5W/3lOzXLma3HUS/ebmKaMLYy2JYROOlkbjWIE=; b=hnOK2r+o9PFBkCYgytkDK3oeKTLh4/u/AY6IC0zBfWQ0CMm3zoEWvcEE9jLnl34yW2 dfDoEm8Bk5lsb40hf0y7cKcREQT6pX5hIfMdlyhKveD8dhhR1vgrsh3ScxMyN+cCi0CT 4TVyST+j8fgx8ne280HRtl117CCFD4wS/FRgP7mdx2ZyVG8845PVyJeDBxFHWSO1fSYF ZLfe8WD+ebhge7jGSma8Gcdn8oKv4TDHqP1+JE9Ndtg88rBBsu21NBjdlf5+zut+VvOm KqthzJ1IL4CQ1mKRihbC0ACdZrJWbYPcTz1Jwx8gJhREAlvaupH5pB4uRWf33YQBl1fn Xyvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=oD3JM5W/3lOzXLma3HUS/ebmKaMLYy2JYROOlkbjWIE=; b=CJiJ4Eg1HZANcs/HklMV5Gn9oXLf3t9OtR3Cjgp+JIbthK+mjKr082yB0hNTOle2XI 51GjarXoAjKmPuTwk59CKtBgi6Q1nb+F1yW2pRPxqvsBIPGiHJkqam6u+rOmTjeAQNGk HJwGU9VSB2+yT5kwFyo/jNGGQ+CgdcaFgGms0dzYL8JAVybzcY8AQXBg+tMejnJ9EHq+ Lcqd3gTIaHICr7kX9SgsMoaNK49PBlWIAZxmcnaW4la7nWHL+biVSaqqFRpqgXfN/qUG 8m7S73Cs3kTZyAVfp3XGumUQtU5MmMciDJm4Wwejhxev3DPvOuLsWgupF2L1SOLkBNZX 03EA==
X-Gm-Message-State: AJcUukecVYf4CgipUK7ZHLXRobZmeTPDc3bdusl4yOiuJlEJJw4CgsGR DFRCJuF64weUunQHIveRs8jW1mrVha/bPO6gTFodAQ==
X-Google-Smtp-Source: ALg8bN6BASacRFpRhF7uVjCnfnvd7uWbZ0Ndf3z/8krfbcVWsJTn+27UPlhEiLoqU+zQ43V1u1jTzDq6fQuaCX/vkcE=
X-Received: by 2002:a0c:ec92:: with SMTP id u18mr8575044qvo.168.1547668968129; Wed, 16 Jan 2019 12:02:48 -0800 (PST)
MIME-Version: 1.0
References: <BYAPR05MB4245CCEDF88CEB261D6B5D53AE820@BYAPR05MB4245.namprd05.prod.outlook.com> <CALx6S34f_uV=+d+y8_kgu57UYYwAZ3aJeJJ4e9m9arfo5h_Xow@mail.gmail.com> <BYAPR05MB4245F13F5E8A779332B1AD92AE820@BYAPR05MB4245.namprd05.prod.outlook.com>
In-Reply-To: <BYAPR05MB4245F13F5E8A779332B1AD92AE820@BYAPR05MB4245.namprd05.prod.outlook.com>
From: Tom Herbert <tom@herbertland.com>
Date: Wed, 16 Jan 2019 12:02:37 -0800
Message-ID: <CALx6S37JDx0kAqXiRCN7gSC_0cf_-LkWo42xV8sfB7Z7iucJ8w@mail.gmail.com>
To: Ron Bonica <rbonica@juniper.net>
Cc: int-area <int-area@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/huWioyT9icek1umriThuzMVRXw4>
Subject: Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05 (Tom Herbert)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Jan 2019 20:02:52 -0000
On Wed, Jan 16, 2019 at 11:40 AM Ron Bonica <rbonica@juniper.net> wrote: > > Inline….. > > > > From: Tom Herbert <tom@herbertland.com> > Sent: Wednesday, January 16, 2019 2:27 PM > To: Ron Bonica <rbonica@juniper.net> > Cc: int-area <int-area@ietf.org> > Subject: Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05 (Tom Herbert) > > > > > > On Tue, Jan 15, 2019, 6:17 PM Ron Bonica <rbonica@juniper.net wrote: > > Tom, > > Please take a look at Section 4.3 (Stateless Firewalls). How can the stateless firewall behave optimally without maintaining state? > > > > Ron, > > > > A stateless firewall that maintains state is no longer a stateless firewall. Introducing state requires memory and additional logic that are at odds with the goal of cheap low end devices. > > > > True, but orthogonal to the issue at hand. You asked why a middle box might need to maintain state to perform properly. I offered the example of a firewall. In the presence of fragments, only a stateful firewall can perform its intended task. > Ron, I don't follow. If the intended task is to drop packets based on some filter then dropping the first fragment meets the requirement. If the intent is something else then the requirements should be enumerated. Neither do I understand why a stateful firewall uniquely satisfies the requirements without breaking others. All we know from the description is that they're stateful, but we don't know how they should manage and using state nor the requirements they have followed. Think of it this way, if I were a manufacturer of a stateless device and I read the draft I might be convinced of the recommedation that I need to add state to my devices. But then what does that mean? Where is the specification and requirements that tells me how to do that? Tom > > > > > A stateless firewall could just drop the first fragment that contains the transport layer header and allow non first fragments to past. This achieves the filtering goal to prevent delivery of the reassmbled packet. It does mean fragments that can't possibly be reassembled make it to the destination. Whether or not that is a mere nuisance or causes real problems that creates a DOS vector depends on other factors in deployment. > > > > It is at least a nuisance and at worst a DOS vector. > > > > Also, if state is required then what is the algorithm that uses that state? in section 4.6 virtual reassembly is mentioned in passing, but they goes on to say that has problems. It's also true that stateful firewalls inevitably break multi-path but stateless firewalls don't which is a big advantage. It's not clear to me that making stateless firewalls stateful is an improvement. > > > > This is beyond the scope of this document. > > > > Ron > > > > > > Tom > > > > > > > While flow labels may help in the case of load balancers, the don't help at all in the case of stateless firewalls. > > > Ron > > > Secondly, the only specified interaction between fragmentation and > > intermediate nodes is that routers can fragment packets in IPv4. Other than > > that, a middlebox that complies with RFC791 and RFC8200 does not process > > or consider fragmentation of packets. Given that, it's unclear to me why > > middle boxes would need to maintain state to be protocol compliant. It's > > possible that the implicit exception of the requirement is that middleboxes > > might perform "in-network reassembly" > > or "virtual reassemlby" which would require state. If that is indeed the case > > then the requirements for the mechanisms should be spelled out. > > > > For stateless load balancing (described in section 4.4), the IPv6 flow label > > obviates the need for DPI. It is sufficient to hash over the three tuple <saddr, > > daddr, flow label> to get good load balancing. All major OSes have been > > updated to set flow labels, and there are devices that already support this. > > IMO, the draft should make using flow label for stateless load balancing a > > SHOULD. > > > > Tom > > _______________________________________________ > Int-area mailing list > Int-area@ietf.org > https://www.ietf.org/mailman/listinfo/int-area
- [Int-area] WGLC on draft-ietf-intarea-frag-fragil… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Tom Herbert
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Ron Bonica
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Joe Touch
- Re: [Int-area] WGLC on draft-ietf-intarea-frag-fr… Fernando Gont