IETF Logo Mail Archive

Re: draft-wang-6man-flow-label-reflection

Jeroen Massar <jeroen@massar.ch> Tue, 18 November 2014 02:22 UTC

Return-Path: <jeroen@massar.ch>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA39A1AD061 for <ipv6@ietfa.amsl.com>; Mon, 17 Nov 2014 18:22:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.45
X-Spam-Level:
X-Spam-Status: No, score=0.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_CHARSET_FARAWAY=2.45] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V9VSdZ9BaJ0n for <ipv6@ietfa.amsl.com>; Mon, 17 Nov 2014 18:22:37 -0800 (PST)
Received: from bastion.ch.unfix.org (bastion.ch.unfix.org [IPv6:2a02:2528:503:2::4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89FF11A6F9A for <ipv6@ietf.org>; Mon, 17 Nov 2014 18:22:37 -0800 (PST)
Received: from kami.ch.unfix.org (kami.ch.unfix.org [IPv6:2001:1620:f42:99:7256:81ff:fea5:2925]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: jeroen) by bastion.ch.unfix.org (Postfix) with ESMTPSA id 90EFA1003A8FE; Tue, 18 Nov 2014 02:22:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=massar.ch; s=DKIM2009; t=1416277354; bh=RSPtczja2hLST2l/qjy7WSzw5sksK4O3jgplQdSh0i4=; h=Date:From:To:Subject:References:In-Reply-To; b=CqoHOSyz4UY2db7rupjeRw1qVLbygZkZxc58cDfuZgReTrlIe1ibDpCo9znAuFhry 8SU3Devf25RH1dbBV3bncjNyr28Ci/dPtgSdROeXstPc2sny/6wuBU49APqiFKM952 lTJqg7B3v/DOgbc1Jvh3Yw37IQiq0Ta6wnCiT6nqy7YJQpQZVXspi1aAHN2Ahrby+e Cjh01tHAJ8sJbMKyZEOlNBe+SD9Vvbfnl92PNJkCR+Fu5zCVIH1eapRQIk9Hn8pViJ HgLVGKC/a68n2r4Vdb8OHFEoJJ/xONmK+3kGmdMl5TwS1s3JOpq0bcJ0QN/x28mSlv pgmr5yt0uQiSA==
Message-ID: <546AAD68.4020400@massar.ch>
Date: Tue, 18 Nov 2014 03:22:32 +0100
From: Jeroen Massar <jeroen@massar.ch>
Organization: Massar
MIME-Version: 1.0
To: Aijun Wang <wangaijun@tsinghua.org.cn>, 'Sheng Jiang' <jiangsheng@huawei.com>, '6man WG' <ipv6@ietf.org>
Subject: Re: draft-wang-6man-flow-label-reflection
References: <5465C0AC.10801@massar.ch> <5D36713D8A4E7348A7E10DF7437A4B923AF75421@nkgeml512-mbx.china.huawei.com>, <546681A0.9070703@massar.ch> <5D36713D8A4E7348A7E10DF7437A4B923AF75695@nkgeml512-mbx.china.huawei.com> <5466928E.6070800@massar.ch> <008801d00070$580df030$0829d090$@org.cn> <5466BFB0.303@massar.ch> <008601d00203$4175c8e0$c4615aa0$@org.cn> <5469ABB2.4060303@massar.ch> <006801d002d0$f1a01e00$d4e05a00$@org.cn>
In-Reply-To: <006801d002d0$f1a01e00$d4e05a00$@org.cn>
Content-Type: text/plain; charset="gbk"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ipv6/-rfBDO8PL3irz3kijI5ci1LD4tY
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Nov 2014 02:22:41 -0000

On 2014-11-18 02:42, Aijun Wang wrote:
[..]
>> But more importantly, do you think the Operator community can actually use
>> it?
>>
> 【Aijun】: When the IPv6 traffic are dominant in the internet, the analysis
> for application traffic that based on IPv6 will increased, the flow label
> filed will be exploited gradually.

Why would they use it?

[..]
> For service operator, they are eager to know the application traffic
> distribution within their network, not just the total traffic volume and
> every link's usage.

As the Flow Label does not identify any application, how is the above
relevant?


> For IPv4-based packet, they must know such info via
> 5-tuple message of one packet or via some deep analysis devices in both
> directions. For IPv6 packet, such process can be simpler if they use the
> flow label and flow label reflection mechanism-----the flow label is in IPv6
> fix header potion and the flow label reflection mechanism can correlate the
> upstream and downstream of one session together easily.

The Flow Label is a random number. It does not identify anything.

As such, the 5-tuple is a lot more worthy than that.

>> See below for more about that.
>>
>>
>>> We also consider other usage scenarios for flow label reflection, for
>>> detail information, you can review the presentation document(the link
>>> on the current IETF website connect to the wrong file, then I attached
>>> it via
>>> e-mail.)
>>
>> Those "Usage Scenarios" should be in your draft. That is the only way
> people
>> can properly comment on them.
>>
> 【Aijun】:The "Usage Scenarios" are also described in
> http://datatracker.ietf.org/doc/draft-wang-6man-flow-label-reflection/?inclu
> de_text=1 section 5. The presentation document may be more vivid due to some
> colorful sketch. That's the reason I recommend you to refer the presentation
> document.

You will want to remove this section completely:
8<-------------
   There is rapidly increasing requirement from service providers (SP)
   to cooperate with the content providers (CP) to provide more accurate
   services and charging policies based on accurate traffic recognition."
---------->8

You are basically describing that they will be charging based on
content. That completely defies any kind of "Net Neutrality". Definitely
not something the IETF wants to promote.

Also due to a rather bad connotation of the abbreviation, please do not
use "CP".

Note also, that as the Flow Label is a random number, it does not add
any value to the information already known (typically that the Content
Provider only has a single service on that IP/port).

As such, that is not a good useage scenario.

"5.2.  Flow Label Reflection for Bi-direction Tunnels"

Tunnel providers KNOW what is in the inside. And typically these folks
(think: anonymous VPN) will not want to expose any traffic relation anyway.

Hence, they will not properly use the Flow Label, which still is a
random number, and the src+dst address will tell you the same thing:
some user is sending traffic from src to dst.

"5.3.  Flow Label Reflection on edge devices" has "the service provider
could always use it for bi-directional traffic recognition."

That they can do that is one, but they can already do that based on
other properties.... thus why would they do it this way?


I am very sorry, but I really do not see any need for the Flow Label.
Let alone bothering 'reflecting' it.



>>>> Oh, and IPv6 Errors (ICMPv6) are part of that flow, but the Flow
>>>> Label
>>> will not
>>>> include those.
>>>>
>>> 【Aijun】:ICMP Errors packets are often regenerated by the router, not
>>> the original data packet destination(3-tuple information has been
>>> changed). So the process for flow label reflection would be different
>>> and we will consider it more carefully later.
>>
>> As you are attempting to change this whole Flow Label mechanism (again),
>> please consider how to handle this _now_ and not another RFC later.
>>
>> The Flow Label for "flow identification" is useless without ICMPv6 Errors
> being
>> part of the flow as it typically indicates why that specific flow has
> ended.
>>
> 【Aijun】: The original flow info can be gotten from the message body of
> ICMP error message. As the RFC4443 section 2.4 sub clause c) 'description:
> "Every ICMPv6 error message (type < 128) MUST include as much of the IPv6
> offending (invoking) packet (the packet that caused the error) as possible
> without making the error message packet exceed the minimum IPv6 MTU", the
> (src,dest, flowlabel) of this part can be used to identify which specific
> flow cause the ICMP error.

While that is great. Load Balancers, those things that are described to
be the primary use of Flow Labels, do not do that. This as they do not
want to look beyond the first 40 bytes of the IPv6 header.

If they can look after the 40 bytes, then they can just as well check
the TCP and UDP ports. Why bother with a Flow Label?



> What we are considering is how to set the flow label value of the ICMP error
> message itself(the outer part). Does it need to copy the original packet's
> value or not.

It would be very useful. But it requires all the hosts in the world to
do so.

Seeing the little uptake of the last revision of the Flow Label
demonstrates that this is not going to happen.

Especially as folks are getting more and more privacy conscious. Note
that the IETF has a mandate around that too now.


>> In the case of IPFIX/NetFlow you will find that there you also get two
>> flows: one for instance for TCP and another for ICMPv6. Only the better
>> IPFIX/NetFlow analyzers out there are able to bind together the two so
> that the
>> first (the TCP Flow) has the detail of why it was ended (eg Port
> Unreachable).
> 
> 【Aijun】As you mentioned here, then it seems more reasonable to copy the
> flow label info of the original packet to the same field of its
> corresponding ICMP error message. The IPFIX/Netflow then can easily know
> which source, which flow cause the generation of ICMP error message. If you
> agree with this, we can add it into our draft later.

But that would require redefining the Flow Label completely and getting
that deployed world wide, which is not going to happen...

Note also that folks doing IPFIX/NetFlow already HAS the capability of
matching these up as processing IPFIX/NetFlow can be done really fast.

The problem is that one cannot do that at line-rate in a load balancer,
which will not bother with checking these things.


>>> For PTB error message in ECMP environment, especially for the load
>>> balancer before server farm, we recommend the load balancer to deal
>>> with specially such PTB error message, that is to say, send this error
>>> message to all servers that have the same address.
>>
>> And then an attacker sends a few thousand ICMPv6 PTBs and your load
>> balancer then nicely explodes that to the 1000 servers in the farm behind
> it,
>> yeah, that is going to scale.
>>
>> As you see, that is not an answer. No operator would want to see that.
>> They are much better off just limiting the Internet to a MTU of 1280 as
> that is a
>> safe thing to do.
>>
> 【Aijun】: The reason that I consider the servers in one cluster should all
> receive such PTB message is that if only one server receive and change the
> MTU of its output packet, when load balancer allocate to traffic to another
> server in next round, the new selected server will still encounter the PTB
> error message and increase the TCP and application process dealy.

The ECMP hash is stable. Thus unless the server is replaced with
another, thus the final/real destination will not change that often.

Much less often than broadcasting a single packet to all your 1000
backends at least.


> Actually,
> there may exist some attack explosion influences, but I think it should be
> considered and mitigated by the load balancer. 

The 'mitigation' at those speeds is: rate limit.

Hence, it will break various setups.

> The process of DHCP DISCOVERY/OFFER/REQUEST/ACKNOWLEDGE uses the similar
> notify mechanism, to inform other DHCP servers that one of the server in the
> broadcast domain has served the client.

DHCP is not done at several gigabits/second...


>>> Such method is more simple and less
>>> influences to redefine the meaning of this field.
>>
>> Your approach does not simplify anything.
>>
>> It does provide a great attack vector.
>>
>> As there are papers like this out:
>> http://christian-rossow.de/publications/amplification-ndss2014.pdf
>>
> 【Aijun】: I can't download this document, would you like to send it to me
> individually?

Google/Bing/Yahoo/etc for "Amplification Hell: Revisiting
Network Protocols for DDoS Abuse"

eg also at:
http://www.internetsociety.org/sites/default/files/01_5.pdf

There is lots of copies of this around as it is a really important
document to be aware of.

>> Operators will do anything to minimize any kind of amplification attacks
> on their
>> infrastructures.
>>
>>> Servers that receive the
>>> PTB error message should all reduce their following packet size
>>> according to the recommending MTU value.
>>
>> They MUST NEVER do that. They should only lower MTU when the payload
>> packet in the ICMPv6 matches a packet that they could have sent.
> 
> 【Aijun】: Please see the explain above.

That does not explain why you would want to restrict your whole server
farm to such a low MTU...


[..]
>> They will just do what they have been doing for well over a decade: src
>> + dst + proto + src & dst ports
>>
>> As that does give them a reasonable assumption of what they are looking
> at.
>>
>> The "Flow Label" is not giving them any details whatsoever.
> 
> 【Aijun】: we only need the "flow label" to identify one unique flow between
> two hosts. Based on the flow label filed and flow label reflection, the
> service provider need only do the deep analysis work once and can understand
> such traffic in other places, in both direction.  SFC, NFVRG etc. group can
> also benefit from this filed in future.

Here you state that they will do "deep analysis work".

Why do we need a Flow Label then?

Please note that a five-tuple is perfectly fine for making up a random
id so that one "only has to do deep analysis work once". This is what
people have been using for as long a they have been doing this kind of work.

Greets,
 Jeroen

v2.23.0 | Report a Bug | By Email