IETF Logo Mail Archive

Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

tom <tom@herbertland.com> Wed, 29 August 2018 16:53 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A80BF130E91 for <int-area@ietfa.amsl.com>; Wed, 29 Aug 2018 09:53:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oinlLty9VKFK for <int-area@ietfa.amsl.com>; Wed, 29 Aug 2018 09:53:54 -0700 (PDT)
Received: from mail-qk0-x234.google.com (mail-qk0-x234.google.com [IPv6:2607:f8b0:400d:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E109A130DFD for <int-area@ietf.org>; Wed, 29 Aug 2018 09:53:52 -0700 (PDT)
Received: by mail-qk0-x234.google.com with SMTP id b19-v6so3804315qkc.6 for <int-area@ietf.org>; Wed, 29 Aug 2018 09:53:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=pRA17iiZHYJACwliFJjeS/3gSSJcqWSrNLkmujQTY7U=; b=MVEndb8ArHA5vq5g2J1jP1VpSQZyEOEE7qKWANcR5w7owxXWkbx+vA0rWDt6H/rdoW kyh771bjrI8Y6Ki6jTdLfUGhm73JCoQwgwOskeE6mZQucRWU77Vpx6KBQws6kNK2ZN54 d5BtQi62sQGq7PiH/K4hSuMbMioGJRRzmXRJ7lIZZ5LoQC8+CKIt4sdc38D2o2Cpe6Lw /Xkw1KuuKz8CrR9OGDYBUgaM0W6OaIUV2hPGc3HWcOrsG5qGTDS03S1vQOk9FmjpCtwH nbqzcTvao/soNJI0i0W69c3WlRA4D0Y/j5hPec+yZcnoQlHBbP18DAX7IVasUYKHEp7y X0YQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=pRA17iiZHYJACwliFJjeS/3gSSJcqWSrNLkmujQTY7U=; b=MCo67qKyAwOYq4haJI/6yCv6bfvAPtojt0uOs8gJ+D9eHgFoYtMuNBMRkKHDKp424o dDzlpedvWJCWlGn/JaRoOyd5S+qetPhrrLGe3LWW1gzrCtk2Xr6j97Zm3ppYBC9n1Ear fZ3zRa2CinmS84tl2yT2i2Fgg0vDGq2o8xaUhAAwCDNrdJlUKkIpM4R2gtv5qHza48+s Y46xs14bpi0eTD7GI/JsBUpLdZK/grxe9rlHA2WExIUxcWWHWl3MXfuv4UuW++R4Fe3R cXzH5ZFyqDtDue0gp4i+mQuiKpgKWGdI1M2WHY/KixHkVlARMbihjZ/5Jw4n5yot+8TU qd7g==
X-Gm-Message-State: APzg51C5FMxxHg09piH5HJDyGYdOb2C4Xrm2quCZ4ldktOyZhoPxSH8U CgnjVLIqgOdtCwYbYbUFHmPoYB6xjGppZawLG+Pg7Q==
X-Google-Smtp-Source: ANB0VdbtN7fqbw+xkIjxb5016YYBs7/Qapx5sEF/NWbcM1xCqkyuI4X6+4Ch8w+nm7Rf6OfL8ezBxTz7piQ7XeRfGD8=
X-Received: by 2002:a37:168e:: with SMTP id 14-v6mr7262382qkw.168.1535561631925; Wed, 29 Aug 2018 09:53:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ac8:3312:0:0:0:0:0 with HTTP; Wed, 29 Aug 2018 09:53:50 -0700 (PDT)
In-Reply-To: <af424b4b449c4a1459b69ed01a984e48@strayalpha.com>
References: <CAF493D3-37A2-4A89-BA88-81567E5B88F1@huitema.net> <538A6193-2BD7-4E72-BD28-736B81F97B33@strayalpha.com> <20180826215558.6hzff2povrxuis3y@faui48f.informatik.uni-erlangen.de> <0A065EE6-463C-4C71-BF12-C0E5A1C51680@strayalpha.com> <20180826233350.kz3q6gzqbq36nn4r@faui48f.informatik.uni-erlangen.de> <810cea0d-809f-040d-bc79-7c7413cd99f2@strayalpha.com> <20180827023513.2bxjrk335al2lbvz@faui48f.informatik.uni-erlangen.de> <E02F3C36-ECE6-419E-A219-08A15AD98D13@strayalpha.com> <20180828220915.fpx5hi7nhl46ou6r@faui48f.informatik.uni-erlangen.de> <CALx6S35vbtYOiEx2opqSh1uq9rfgG5QHEQcb+ccWLMcwWZA-uQ@mail.gmail.com> <20180829002430.fojlqonvnqdrhw4z@faui48f.informatik.uni-erlangen.de> <af424b4b449c4a1459b69ed01a984e48@strayalpha.com>
From: tom <tom@herbertland.com>
Date: Wed, 29 Aug 2018 09:53:50 -0700
Message-ID: <CALx6S3563g___ZP03dD5+sV++ZH7U5yudqRX0Bf2744BbBxGgQ@mail.gmail.com>
To: Joe Touch <touch@strayalpha.com>
Cc: Toerless Eckert <tte@cs.fau.de>, Christian Huitema <huitema@huitema.net>, int-area <int-area@ietf.org>, intarea-chairs@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/vEs-mo-U-Jc6O1h-X1Rd-IKau8M>
Subject: Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2018 16:53:56 -0000

On Wed, Aug 29, 2018 at 8:11 AM, Joe Touch <touch@strayalpha.com> wrote:
>
>
>
>
> On 2018-08-28 17:24, Toerless Eckert wrote:
>
> ...Sure, i meant to imply that port-numbers are useful pragmatically,
> but other context identifiers would long term be better.
> Demux-Identifiers at the granualarity of a subscriber or
> application wold be a lot more scalable than flow identifiers.
>
>
> There are many problems with this issue.
>
> First, the reason that port numbers would be needed is that they are
> *currently* how NATs demux, firewalls enforce policy, and routers manage

There is no requirement in IP that all packets have a transport layer
header that with port numbers. In fact, there are several that don't
have them like IPsec, fragmented packets, or ICMP. Firewalls that drop
anything but UDP and TCP are doing nothing more that ossifying the
Internet. Besides that, there are now better alternatives anyway.
Reassembly for NAT doesn't require any knowledge or port numbers or
even what the transport protocol is. Routers can now use the IPv6 flow
label instead of expensive DPI to get transport ports for ECMP as all
major OSes now set non-zero flow labels.

> flows. For each of these, a different identifier could be developed, but
> they would not then reduce the need for ALL of these at the IP level at some
> boxes. E.g., see draft-touch-tcpm-sno
>
> Ultimately, we have to admit that a device that acts on behalf of a host IS
> a host and costs what a host costs.

That in turn breaks the the end-to-end model. Middleboxes that attempt
to participate transport protocols, like a host, inevitably break
things and hence is another source of ossification. This is readily
evident apparent in that they can't participate in end-to-end crypto.
Of course they have tried to insert themselves into that realm, but
then we get abominations such as the forced MITM attacks of SSL
inspection. IMO, real end-to-end security is a core requirement that
outweighs any tradeoffs we might make for the security benefits of
firewalls.

>
> We can't keep believing there is magic dust that can establish a solution
> otherwise.
>
As they say, the answer to ossification is encryption. It does a long
way to at least force the issue. First TLS negated payload inspection
at middelboxes. QUIC's encryption of transport layer header
subsequently negated intermediate devices ability to peruse the
transport layer. But, crypto isn't magic dust either. There is only so
much of the packet we can encrypt, and a host at its discretion MAY
want to share to share transport layer information in the network to
get better service. So we need to keep working on solutions.

Tom

> Joe

v2.23.0 | Report a Bug | By Email