IETF Logo Mail Archive

Re: [Int-area] New Version Notification for draft-herbert-ipv4-eh-03.txt

"touch@strayalpha.com" <touch@strayalpha.com> Fri, 22 March 2024 02:29 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 334DAC15106B for <int-area@ietfa.amsl.com>; Thu, 21 Mar 2024 19:29:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.326
X-Spam-Level:
X-Spam-Status: No, score=-1.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XVPwMY96CZZd for <int-area@ietfa.amsl.com>; Thu, 21 Mar 2024 19:28:58 -0700 (PDT)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3734EC14F60C for <int-area@ietf.org>; Thu, 21 Mar 2024 19:28:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=SH+18UU90pV4MzR7YWFwWz9PosxpKUFHOiEhCPbBhnQ=; b=1nmsz2sOsMp3lQDPWcmJTwljkc ZGm6UIDmH+B8xp+BVSfZVfbtWhMscoPVhtRlBUzjlLd5/1j2XNww8SM2Ha0a8zd6kDQ/15zvYlQeE PK7BSOntP2X9N7rrDIlYbW/arH2LsRnzkNohO5wjiQn0UbTHbP4PCeHpMIS2eazqb89+ZWcxVkjgk DDDfCHyYXoOg2N9Ocb3fidTYZaeOaE2IuWpv6lejq18VdwQMe2QkRIiBLlLAaw8C1B9kezekxHJsU 31ipV+ALCqwdIRQYzePmh1rB/qYb+tmIroAvXXbhvzWI8jTPVNPOwNJhpMfhfS4YktsCPWwoER/2E 9WrgEZQQ==;
Received: from [172.58.209.101] (port=52085 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from <touch@strayalpha.com>) id 1rnUeJ-002QW6-1A; Thu, 21 Mar 2024 22:28:56 -0400
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.500.171.1.1\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <CALx6S354xQHqk4y+0dTkTQ524n5vrN01gJe57FBjbV1UuToWLA@mail.gmail.com>
Date: Thu, 21 Mar 2024 19:28:38 -0700
Cc: Toerless Eckert <tte@cs.fau.de>, int-area <int-area@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <FF84650B-6739-4D12-B390-977627A1296E@strayalpha.com>
References: <170865175505.14082.3856617737779580933@ietfa.amsl.com> <CALx6S363oh+7rNMaMa0s+9A-xeyLBy+ct-Q_Bx0xQm_di1PPJA@mail.gmail.com> <ZeZjGyxmuapXz5tb@faui48e.informatik.uni-erlangen.de> <CALx6S34OFL7tzabL+RMvB3nkad5k9esCD_dFpMi6DUtUEG-Dmg@mail.gmail.com> <ZedO1u7aheBhZ26N@faui48e.informatik.uni-erlangen.de> <ZfurRK_oNVES2hVz@faui48e.informatik.uni-erlangen.de> <CALx6S36L57vPa5YkiV3khYbFpPPgPUVynWaRVno0BufvXcALeA@mail.gmail.com> <Zfu5GQ7101lMnHGs@faui48e.informatik.uni-erlangen.de> <DCE2D4E2-9C5D-40B7-952F-7424E7FCBAFE@strayalpha.com> <CALx6S37XnjWcpeGZUQWXFyE0jP=XyodmUBBh+69SonLw3ndvaQ@mail.gmail.com> <57C622DE-2C8E-4415-805D-7053309B0D01@strayalpha.com> <CALx6S36Dpn0qC9e0ZGaK-ckbT58hRkeLHDKkNqmmJn0vQ5ONUw@mail.gmail.com> <B1CC8B09-A701-4401-8BEA-C31DE0FD0FD3@strayalpha.com> <CALx6S354xQHqk4y+0dTkTQ524n5vrN01gJe57FBjbV1UuToWLA@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
X-Mailer: Apple Mail (2.3774.500.171.1.1)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/nsZUBcpZBwQJ_itkD7G1O70mbOY>
Subject: Re: [Int-area] New Version Notification for draft-herbert-ipv4-eh-03.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Internet Area WG Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2024 02:29:02 -0000

> On Mar 21, 2024, at 7:18 PM, Tom Herbert <tom@herbertland.com> wrote:
> 
> On Thu, Mar 21, 2024 at 6:52 PM touch@strayalpha.com
> <touch@strayalpha.com> wrote:
>> 
>> On Mar 21, 2024, at 6:36 PM, Tom Herbert <tom@herbertland.com> wrote:
>>> 
>>> On Thu, Mar 21, 2024 at 5:38 PM touch@strayalpha.com
>>> <touch@strayalpha.com> wrote:
>>>> 
>>>> On Mar 21, 2024, at 8:01 AM, Tom Herbert <tom@herbertland.com> wrote:
>>>> 
>>>> I haven’t seen it mentioned yet (apologies if so), but there is a big difference between extension headers and encapsulated protocols.
>>>> 
>>>> Extension headers - no matter how many - can each refer back to the base header. Same for the first encapsulated protocol.
>>>> 
>>>> E.g.:
>>>> 
>>>> IP1 IP2 IP3 TCP…. TCP uses a pseudo header based on IP3
>>>> But:
>>>> IPv6a EHb EHc TCP… TCP uses a pseudo header based on IPv6a; each of the EH’s can also refer back to IPv6a
>>>> 
>>>> I see NO way to do this with any mechanism for IPv4 except options (whose space is limited). There’s no way to redefine protocol processing to ensure that information can be “Carried” forward across EHs.
>>>> 
>>>> This seems like a show-stopper; has it been addressed?
>>>> 
>>>> 
>>>> Joe,
>>>> 
>>>> It already happens in IPv4. Consider the header chain IPv4-AH-TCP. In
>>>> practice, host stacks have already accounted for this so I don't see
>>>> this as a problem.
>>>> 
>>>> Tom
>>>> 
>>>> 
>>>> There’s a big difference and it relates to discussions we've had about UDP options.
>>>> 
>>>> With IPsec, the assumption is “if I add it, it MUST be checked”, so an endpoint that doesn’t know to check would drop the packet as expected.
>>> 
>>> Joe,
>>> 
>>> As you know from the discussions on UDP Options, I believe that if
>>> someone sends security information in a packet then the information
>>> MUST be verified. It's always better to drop something you don't
>>> understand, rather than accept it and put the user at risk for
>>> security or data corruption.
>> 
>> I understand; for ESP, the data is also modified and not useful.
>> For EH, we can debate whether it’s important to *force* checks t at the receiver.
> 
> Joe,
> 
> There's nothing to debate.

We can debate what IPsec requires and whether that was an appropriate choice.
What it currently requires is not under debate, of course.

>> 
>> But either way, there are also options that you might want a legacy receiver to allow, and this approach won’t do that. So it’s necessarily limited.
>> 
>>>> But that means these extensions can only be useful where they MUST be supported; you can’t send them to (or through) legacy devices (or NATs) and have them work correctly.
>>> 
>>> We can't send AH, ESP, DCCP, SCTP, GRE through NAT either. For that
>>> matter, has any ever tested if IPv6 EH can make it through NAT. In any
>>> case, from IPv6 data we already know that extension headers will
>>> probably ever only be useful in limited domains, so I don't believe
>>> NAT traversal is a showstopper.
>> 
>> Whether EH *does* make it through any NAT is different than whether it could. It could - there’s enough information.
>> 
>> This approach for IPv4 cannot - because it doesn’t change the base protocol.
> 
> IPv4 works the same way as IPv6.

Not for EHs. An existing IPv6 NAT can skip over EHs because they were defined when IPv6 was defined; an existing IPv4 NAT cannot.

>>>> In which case, rather than this mechanism, you could as easily do basically ANYTHING else too - because it’s no longer a matter of backward compatibility.
>>> 
>>> But isn't that the *whole point* of an extensible protocol like IP?...
>> 
>> My point is that you’re NOT extending IP.
> 
> I guess it depends on what you mean by "extending". To me "extension"
> headers are a mechanism to "extend" a protocol.

Yes, but you’re not extending IP. You’re running a protocol inside IP. These are “pre transport extensions” (or see next section).

>> This is just a protocol layer like any other. It doesn’t really have any relation to IP. IPv4 endpoints don’t know how to skip them if they don’t support or understand them.
> 
> Correct. That's the benefit of extension headers compared to IP options.

A protocol inside IP that has no relation to IP is just a transport protocol.

>>> to allow innovation and extensions to be able to solve problems that
>>> would never have been foreseen when the protocol was first developed.
>>> And not everything we do can be backwards compatible, if that were a
>>> requirement IETF never could have created IPv6.
>> 
>> IPv6 is not an extension to IPv4.
>> 
>> My point is that this proposal isn’t either. I’m not saying it’s not useful, but it’s not particularly tied to IP any more than any other protocol layer is or would be, AFAICT.
> 
> Right. So operationally it's no different than introducing any other
> new protocol in the network.

New endpoint, basically transport protocol, yes.

So it’s not an extension to IP. Just another transport.

>> So let’s say it’s useful and let's say there are two places you would want to use it:
>> 
>> - for a protocol that legacy receivers silently ignore
>>        that won’t work
>> 
>> - for a protocol that upgraded receivers will support
>>        the will work - but at that point, ANY solution above IPv4 would work too - e.g., redefining TCP to have a “pre header” with the same effect.
> 
> But it doesn't. Extension headers are the *only* correct mechanism to
> send ancillary network layer information that works with any transport
> protocol and allows intermediate nodes to robustly read and
> potentially modify the information.

You’ve just described a transport protocol that the intermediate nodes know.

> The only possible alternative I
> know of is IP options, but as Brian mentioned those have been
> considered dead for over twenty years. (if there's an other
> alternative that I'm missing please point it out)

This is just a transport protocol.

The problem with a new transport is exactly the same as the problem here - that there’s no way to make it silently backward compatible with legacy endpoints.

That’s not the case for IPv6 options because the option mechanism was defined at the time IPv6 was. But that’s not the case for IPv4.

Joe

v2.23.0 | Report a Bug | By Email