Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

Tom Herbert <> Wed, 29 August 2018 01:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EE3F6130E23 for <>; Tue, 28 Aug 2018 18:02:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ealKGlnxS0yI for <>; Tue, 28 Aug 2018 18:02:21 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 342DB130DD5 for <>; Tue, 28 Aug 2018 18:02:21 -0700 (PDT)
Received: by with SMTP id b19-v6so2322821qkc.6 for <>; Tue, 28 Aug 2018 18:02:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=GXN5gKbgWwqDEj1OBo6AXSPVf1o9wJKq6FAEgE5Xdss=; b=a2sCal7zFnuhjCmUTBanpEeW/5DY/DzshUysUC76zjuy7cSLjo0E7+uEE0X261WhfZ /YeIa4+q4TozmuNAAy2JX6gG9ovL4ePC1KaEG7FOKKjKjlWcrwG7fRmFcCBBBkUeJt2S EpOaUEtpb509BYvk5WKXGs+GBhjzvvKYtQ6RfrlJwb62n8k3bub78X43tBhcCFqQ02ew WNgEMRif0jhAV+NHYDVGvet9xxhbNo2WOVMZstgb7WFstR5pkxfS29QRVffnPrjcbJby 2zLcb9+HIl/rDfX/qgRoNlK/90euK/D/kEny1sg52zZ0e9bxfbWfRage7nyIJCQ5wsko lp6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=GXN5gKbgWwqDEj1OBo6AXSPVf1o9wJKq6FAEgE5Xdss=; b=hUuP1U7ERvuyRcbLCJ50XQtcwg4HO6p2tPuMgC/ce2dQ2hSmdg1WSJXfOm4PNARMJN kgnzPoipbZG2K+vy0QK4YQfpj07RLlHRzVYqelGi/NiJeea4W0cL8sV8vcMSPioXLAG/ Wvbs/b4/ezJHU/uwTe1HvJ6O+F0pvlBsd+yN/38CNp+fNFqjJ4xY0keaFDaW0N8pqys9 X+amxhEwLxBWz3rqBIxgZHcfSeXfx6frjqXxlHcpiScEfbMEBUx9bwVO9+ws1MOi2JYA m3q7yCrDUA2kL+XCLsNO5pSTEQZyBa0lN02sCBiA62lZ83MjCZ68SvP8eBbyPu3pLcee IKlw==
X-Gm-Message-State: APzg51BC4s365zw98LIflrKEqbk3YKiIEeLBL/nTxq26kbrFhwPXSTf1 2nPvKUeTxb1yH1R+SQA5xGfGFN9FfqP8uU0zn32VEg==
X-Google-Smtp-Source: ANB0VdapcWd+IGVxfRAo1aW4+n79Q4bdHvYMBHQEVZn0ZrbwjTNWLMLYFu6D1pmTAuzYPkH3z0sCPn+eA5enLkYJ4iI=
X-Received: by 2002:a37:5a06:: with SMTP id o6-v6mr4324179qkb.44.1535504540021; Tue, 28 Aug 2018 18:02:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ac8:3312:0:0:0:0:0 with HTTP; Tue, 28 Aug 2018 18:02:19 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <>
From: Tom Herbert <>
Date: Tue, 28 Aug 2018 18:02:19 -0700
Message-ID: <>
To: Toerless Eckert <>
Cc: Joe Touch <>, Christian Huitema <>, int-area <>,
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF Internet Area Mailing List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 29 Aug 2018 01:02:24 -0000

On Tue, Aug 28, 2018 at 5:24 PM, Toerless Eckert <> wrote:
> On Tue, Aug 28, 2018 at 03:51:58PM -0700, Tom Herbert wrote:
>> I think it's the opposite-- the definition of the context should be
>> protocol agnostic. We need to get middleboxes out of doing DPI and to
>> stop worrying only about select transport protocols. So we need a
>> mechanism  that works equally well with with TCP, UDP, SCTP, ICMP,
>> IPsec, fragments, etc. It definitely needs to be secure though.
> Sure, i meant to imply that port-numbers are useful pragmatically,
> but other context identifiers would long term be better.
> Demux-Identifiers at the granualarity of a subscriber or
> application wold be a lot more scalable than flow identifiers.
> Security is a wide topic. The firewall function of permitting return
> traffic on a flow for internally initiated flows for example is a
> wonderful simple function that in most deployment does a fine job
> without additional security. And in a lot of embedded/walled-garden
> networks, additionals ecurity throgh e.g.: ACLs (like through MUD)
> is a more appropriate solution than cryptographic security. So
> a bit more exploration of viable options would be useful. The least
> i want to do is to force Internet PKI and complex out-of-band
> middlebox discovery on all solutions where it's not needed.
>> > I think there could be better middlebox contexts better than port numbers,
>> > but to make fragments work better for existing TCP/UDP middlebox
>> > functions, those 32 bits are it. But given how we can expect exposure of
>> > information only from willing higher layers, they will have a much easier
>> > way to get what they want to support by packet layer fragmentation. A
>> > simple generic packet layer fragmentation for UDP would therefore be nice IMHO
>> > so that UDP applications wanting to be friendly would not have to
>> > reinvent that wheel.
>> That's already in UDP options and some UDP encapsulations like GUE.
> Pointers ?

>> It's a good idea, but doesn't completely obsolete the use of IP
>> fragmentation.
> Nothing pragmatic will. Just a possible part of recommendations.
>> > If we actually ever do such an IP option, it MUST be a destination option,
>> > because the insufficient RFCs defining the treatment of hop-by-hop options
>> > burned any ability to deploy those.
>> >
>> In PANRG when I suggested that FAST could be done in a Destination
>> Option there was a lot of push back. I think it was for good reason.
> WHat was for good reason ? Your proposal or the pushback ?
The pushback was reasonable. Using Destination Options in this way
would be a hack and non-conformant with the standard.

>> Hop-by-Hop were designed precisely for inspection and potential
>> modification at intermediate nodes, and the requirement that all nodes
>> in the path process HBH has been relaxed in RFC8200.
> Hop-by-hop options have been burned as i said through bad
> implementations that for example punt them. Thats why operators often
> configure to drop packets with those options to avoid them
> burning their bad routers.
> Lets say we come up with some good new solution that depends on
> new code written. I would hope we can document/standardize this
> in such a way that new code would not be subject to this
> legacy problem. But we can not get the benefit of that new code when
> we use the existing burned code point for hop-by-hop because
> we can not expect to get EXISTING code fixed and we will always
> have paths with such old code.
> Aka: if the religious architecture faction makes a fuzz out of
> not using destination options for onpath functions, then lets
> consider that we could simply rev the codepoint for hop-by-hop
> options, but to make that solution stick, we would have to
> show that we can write up correct processing RFCs for that
> gen2 code-point such that it will not again get burned like
> the first odepoint through bad new code.
> Sorry for the soapbox, it's just been a frustration of
> mine since  the early 2000 when the IPv6 specs did not
> well enough improve on this point vs. IPv4 and i had
> to rant about a lack of focus on reality of implementation
> deltails to the IPv6 architects.
Per RFC8200:

"NOTE: While [RFC2460] required that all nodes must examine and
process the Hop-by-Hop Options header, it is now expected that nodes
along a packet's delivery path only examine and process the Hop-by-Hop
Options header if explicitly configured to do so."

That allowance should be sufficient to resolve most of the the
Hop-by-Hop being dropped problem. All that is being asked of
middleboxes is that they ignore HBH instead of dropping the packet if
they don't want to deal with them. That should not be difficult to
implement. Hopefully, it's just a matter of evangelization and time to
improve the situation.

> *sigh*.
>> Options (as well as Fragment EH) aren't supposed to even be inspected
>> at intermediate nodes. The rationale for using DestOpts is of course
>> that they're less likely to be dropped by intermediate nodes. That's
>> true, they are more likely to be dropped; per RFC7872 it's about
>> 15-17% drop rate for DestOpts and  40-43% for HBH. However, given the
>> update in RFC8200 and if some useful HBH options are defined, I would
>> expect that new deployments and replacements might start to lower the
>> HBH drop rate. In any case, the drop rates for DestOpts are still no
>> where close to zero, so regardless of which option is used used some
>> backoff is needed when the options are dropped to continue to work but
>> in a potentially degraded service mode relative to what a working
>> option could provide.
> Yes, its a darn unthankful job trying to come up with good
> architectures for middleboxes when three is so much bad code and
> bad operations out there.
> Hence the thought in another venue
> to have those middlebox instructions encrypted in such a
> way that any onpath node not explicitly trusted to process
> would have no way to even determine whether those options are there
> and hence had no way to figure out what packets to drop. Of course
> this approach is a lot more expensive for forwarding planes and
> does require a lot more out-of-band synchronization.

Yes. But if this is done right, it would eliminate the need to
maintain costly flow state in the network. See

> See above: short of something that extreme, we should focus
> on doing the right thing for new code but build it in
> such a way that it is not blocked by bad existing old onpath code.