IETF Logo Mail Archive

Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt

"Templin (US), Fred L" <Fred.L.Templin@boeing.com> Fri, 01 February 2019 15:39 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA5D3130E11 for <int-area@ietfa.amsl.com>; Fri, 1 Feb 2019 07:39:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y581SxlcOg6G for <int-area@ietfa.amsl.com>; Fri, 1 Feb 2019 07:39:28 -0800 (PST)
Received: from clt-mbsout-01.mbs.boeing.net (clt-mbsout-01.mbs.boeing.net [130.76.144.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B76B6130DEC for <int-area@ietf.org>; Fri, 1 Feb 2019 07:39:27 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by clt-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with SMTP id x11FdOCI002171; Fri, 1 Feb 2019 10:39:25 -0500
Received: from XCH16-07-07.nos.boeing.com (xch16-07-07.nos.boeing.com [144.115.66.109]) by clt-mbsout-01.mbs.boeing.net (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id x11FdHI2000735 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=FAIL); Fri, 1 Feb 2019 10:39:17 -0500
Received: from XCH16-07-10.nos.boeing.com (144.115.66.112) by XCH16-07-07.nos.boeing.com (144.115.66.109) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1591.10; Fri, 1 Feb 2019 07:39:15 -0800
Received: from XCH16-07-10.nos.boeing.com ([fe80::e065:4e77:ac47:d9a8]) by XCH16-07-10.nos.boeing.com ([fe80::e065:4e77:ac47:d9a8%2]) with mapi id 15.01.1591.012; Fri, 1 Feb 2019 07:39:15 -0800
From: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
To: Tom Herbert <tom@herbertland.com>
CC: Joe Touch <touch@strayalpha.com>, Ron Bonica <rbonica@juniper.net>, int-area <int-area@ietf.org>
Thread-Topic: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt
Thread-Index: AQHUuca6SuivHwZx+kuGWrzT5CVq16XKIAkggACKE4CAAGcsgA==
Date: Fri, 01 Feb 2019 15:39:15 +0000
Message-ID: <65c1231056cf4eb68abb2d3af7b2ba5d@boeing.com>
References: <BYAPR05MB424584AA4D0D11D7D0098B81AE900@BYAPR05MB4245.namprd05.prod.outlook.com> <CALx6S35-F_8L+QCcwN6--3TrrRdE5OG3vUACTEH03AmKYerLSw@mail.gmail.com> <BYAPR05MB4245604C8E234D72F42E0D8CAE910@BYAPR05MB4245.namprd05.prod.outlook.com> <10861CAC-3650-4B69-A8B0-437C2A3494CA@strayalpha.com> <CALx6S35XMV+7uXoGatsFEg7Bh+ueuHGVDZrXa8o4cSQKdON7iA@mail.gmail.com> <eb0cd9a4bd898310122ea77e0fade3f9@strayalpha.com> <CALx6S3708uQN2cey8ZDWUKsRR0KUH_uEPk6JwUu4eY4h0Op6xA@mail.gmail.com> <75e840b19c2e439ab3ff13d7c105ce8f@boeing.com> <CALx6S35tKRUDuMQmpiA7dVJV7D9ijXAWD-exGe7-3xZT-k9XVw@mail.gmail.com>
In-Reply-To: <CALx6S35tKRUDuMQmpiA7dVJV7D9ijXAWD-exGe7-3xZT-k9XVw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [137.137.12.6]
x-tm-snts-smtp: C2AD54C850736D29C3DB379F683A0D20D3DC967A2B0FBB1B50259AC0728CC0922000:8
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-TM-AS-GCONF: 00
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/vWLjOFhvZrx-74Lp84fVkoWjYQg>
Subject: Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Feb 2019 15:39:31 -0000

Hi Tom,

> -----Original Message-----
> From: Tom Herbert [mailto:tom@herbertland.com]
> Sent: Thursday, January 31, 2019 5:17 PM
> To: Templin (US), Fred L <Fred.L.Templin@boeing.com>
> Cc: Joe Touch <touch@strayalpha.com>; Ron Bonica <rbonica@juniper.net>; int-area <int-area@ietf.org>
> Subject: Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt
> 
> On Thu, Jan 31, 2019 at 5:03 PM Templin (US), Fred L
> <Fred.L.Templin@boeing.com> wrote:
> >
> >
> >
> > > -----Original Message-----
> > > From: Int-area [mailto:int-area-bounces@ietf.org] On Behalf Of Tom Herbert
> > > Sent: Thursday, January 31, 2019 4:40 PM
> > > To: Joe Touch <touch@strayalpha.com>
> > > Cc: Ron Bonica <rbonica@juniper.net>; int-area <int-area@ietf.org>
> > > Subject: Re: [Int-area] I-D Action: draft-ietf-intarea-frag-fragile-06.txt
> > >
> > > On Thu, Jan 31, 2019 at 3:10 PM Joe Touch <touch@strayalpha.com> wrote:
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On 2019-01-31 13:56, Tom Herbert wrote:
> > > >
> > > > On Thu, Jan 31, 2019 at 7:59 AM Joe Touch <touch@strayalpha.com> wrote:
> > > >
> > > >
> > > > The problem with dropping the entire paragraph is the section title - talking about stateless firewalls begs the question of
> stateful
> > > ones. This is reinforced later in the recommendations. The sentences you remove were the only thing that tied the two together,
> > > which IMO is important.
> > > >
> > > >
> > > > Joe,
> > > >
> > > > The term "Stateless firewalls" is unambiguous in this context. In a
> > > > stateless firewall, each packet is inspected and judge based solely on
> > > > it's content.
> > > >
> > > >
> > > > My statement above has no relation to any potential ambiguity in the term.
> > > >
> > > > ---
> > > >
> > > > However, the term stateless is inaccurate in a few places:
> > > >
> > > > (Sec 4.6) NAT is a stateful procedure for an otherwise stateless protocol as well. The same could be argued for load balancers
> that
> > > retain similar state through a connection for a flow (i.e., not just hashing the flow or tuple, but doing round-robin per-flow/tuple
> > > 'sticky' routing)
> > > >
> > > > (Sec 7.3) The problem is not just stateless middle boxes, but also certain stateful ones (e.g., NATs, some load balancers, etc.)
> > > >
> > > > ---
> > > >
> > > > Thus "stateful" actually is both ambiguous and inaccurate here.
> > > >
> > > > You appear to want to distinguish between the state needed for virtual reassembly and the state needed to maintain NAT
> > > translations or sticky round-robin load balancing, but there's no simple term that differentiates them. They're both content-
> > > dependent, context-dependent, and stateful.
> > > >
> > > >
> > > > Further, as you note there are no *specified* algorithms for virtual reassembly, nor are there any *specified* for NAT
> translation
> > > table maintenance or sticky load balancing. Everyone comes up with their own and the basic concept is well enough defined as to
> not
> > > need a specification.
> > > >
> > > In that case, if it's so obvious and well defined then there shouldn't
> > > be any issue in either providing a reference to a description or
> > > specifying it in the draft (if authors do choose discuss virtual
> > > reassembly in the draft).
> >
> > I have been telling everyone about virtual fragmentation reassembly for
> > years. You will find it in many of my docs. Here is what cisco says about it:
> >
> >
> https://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/12_4/sec_data_plane_12_4_book/sec_virt_frag_
> reassm.html
> 
> Hi Fred,
> 
> It does seem that Cisco configuration manuals and marketing materials
> are the best source of information on virtual reassembly.
> 
> https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_frre/configuration/xe-3s/frre-xe-3s-book/virt-frag-reassembly.html
> is a little more interesting in that it provides a few more details.
> In particular the requirement that all fragments must traverse the
> same intermediate device is mentioned:
> 
> "The reassembly process requires all fragments within an IP datagram.
> If fragments within an IP datagram are sent to different devices due
> to load balancing VFR may fail and fragments may be dropped."

Yes, of course the fragments all need to go through the same destination where
VFR is caching the fragments. That is assured due to the IP destination address
for unicast, but not necessarily for anycast. But, for anycast, the considerations
are no different for middleboxes than they are for anycast final destinations.

An analogy for VFR is that the middlebox receives the pieces of a puzzle from
the network. It checks each piece to make sure it is OK and holds them until
all pieces have arrived, but then instead of assembling the puzzle it forwards
the pieces on to the next hop destination, with the realization that there could
be NATs-within-NATs. Then, when the final destination receives all pieces it
assembles the puzzle.

I don' t think there needs to be a spec for this because the behavior is
inherently understood from the title (*Virtual* Fragment Reassembly).

Thanks - Fred

> Tom
> 
> >
> > Fred
> > >
> > > Tom
> > >
> > > > Joe
> > >
> > > _______________________________________________
> > > Int-area mailing list
> > > Int-area@ietf.org
> > > https://www.ietf.org/mailman/listinfo/int-area

v2.23.0 | Report a Bug | By Email