Re: Proposal for changing how IPv6 Hop-by-Hop Options are processed
Fernando Gont <fernando@gont.com.ar> Sat, 05 December 2020 06:12 UTC
Return-Path: <fernando@gont.com.ar>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33A223A0CD5 for <ipv6@ietfa.amsl.com>; Fri, 4 Dec 2020 22:12:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QYT-otUAJMua for <ipv6@ietfa.amsl.com>; Fri, 4 Dec 2020 22:12:09 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3D013A0CD4 for <ipv6@ietf.org>; Fri, 4 Dec 2020 22:12:04 -0800 (PST)
Received: from [IPv6:2800:810:464:8164:896a:de13:c010:ff3a] (unknown [IPv6:2800:810:464:8164:896a:de13:c010:ff3a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 72B33283C44; Sat, 5 Dec 2020 06:11:58 +0000 (UTC)
Subject: Re: Proposal for changing how IPv6 Hop-by-Hop Options are processed
To: Bob Hinden <bob.hinden@gmail.com>, IPv6 List <ipv6@ietf.org>
Cc: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
References: <160703668657.9405.8891046478566468162@ietfa.amsl.com> <C573A554-9221-49C2-94AB-E552F1BA69E4@gmail.com>
From: Fernando Gont <fernando@gont.com.ar>
Message-ID: <5efd7f59-23a5-fd5f-4b47-05cd4ca85d8b@gont.com.ar>
Date: Sat, 05 Dec 2020 03:08:19 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <C573A554-9221-49C2-94AB-E552F1BA69E4@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/0StnOkB92v9FQi452BJxAKcpPwM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Dec 2020 06:12:14 -0000
Hello, Bob & Gorry, I've just read your I-D. -- I see there has been some discussion on the mailing-list regarding this document, and I've not yet been able to catch up with the discussion. So my apologies if some (or even all!) of my comments have been mentioned/raised by others. Here's my feedback: 1) Section 4: > The changes meant that an implementation complied with the IPv6 > specification even if it did not process hop-by-hop options, and that > it was expected that routers would add configuration information to > control which hop-by-hop options they would process. > > Unfortunately, this did not improve the processing of Hop-by-Hop > options and they are often not possible to be deployed and used in > the Internet. It merely documented how they were being used in the > Internet. While I'm not I'd say the changes incorporated into RFC8200 *will* make a difference, I'm not sure we can say they haven't or won't, either. RFC8200 was published mid 2017. I've seen rather trivial (software) changes to take a year to test and implement. It would probably take longer when the change involves hardware. And then the devices needs to be bought and deployed. So in that sense I think it's premature to tell whether the corresponding change in RFC8200 has made or will make any difference. 2) > In hindsight, hop-by-hop options were still not practical to be used > widely in the Internet. Many operational routers are configured to > drop all packets containing a hop-by-hop option header. At the risk of "soudign our own horn", I think a referecen to RFC7872 is missing here. 3) > * Allowing multiple hop-by-hop options in a single packet makes it > even more expensive in router resources to process these packets > in the fast path. It adds complexity to the number of > permutations that might need to be processed. As noted in draft-ietf-v6ops-ipv6-ehs-packet-drops, there are other implications of EHs, that do not necessarily have to do with the number of options. One of them is the option size. Because many (most?) implementations have limits when it comes to how deep into a packet they can peek. So, allowing a single option in a packet, without contraining its size (or at least recommending against long options) has the potential of resulting in packets where the IPv6 header chain spans past the fast memory that the device employs to do fast processing of the packets. This is a key point, and is discussed at length in draft-ietf-v6ops-ipv6-ehs-packet-drops . 4) > For example [Hendriks] > states that "dropping all packets with Extension Headers, is a bad > practice", and that "The share of traffic containing more than one EH > however, is very small. For the design of hardware able to handle > the dynamic nature of EHs, we therefore recommend to support at least > one EH" I recently read this paper, after Gorry had pointed to it. When it comes to the part you quote, I have two obervations: * Dropping all packets with EHs might not be nice. But having your box owned or DoS'ed is certainly worse. So, at the end of the day, you choose the lesser evil. In that light, the claim that "dropping all packets with EHs is bad practice" is unfounded and lacks context. One might actually argue the opposite: if *not* dropping packets with EHs will open your box to DoS, then, then *not* dropping such packets is really bad practice. * If anything, what the paper shows is that EHs are scarcely used. The measurements in the aforementioned paper show that a neglegible amount of traffic employs EHs. And that traffic boils down to: fragmented UDP traffic, IPsec, local traffic (mostly MLD), or bogus traffic (fragmented TCP, ICMP errors that get fragmented or employ HBH options, etc.. Other than IPsec, there's not much of a use case for EHs nowadays... so I'm not sure one could venture into "how many EHs nodes typically employ", because there's nor really much to be measured in the first place. 5) > Nodes processing a packet with a Hop-by-Hop options header MUST > discard the packet if there is more than one Hop-by-Hop option in > that header. Limiting things, in general, can make the allowed subset feasible -- rather than target at way too much flexibility that it's very expensive to implement, if at all possible. That said, my question is: why is the number of options seen as a more important item than, say, the overall length of the HbH, or the overall length of the IPv6 header chain as a whole? Is the number of options within a HbH really a thing for hardware platforms? 6) > If the IPv6 node can not > process the Hop-by-Hop Option header in the fast path is MUST skip > over this option and continue processing the header normally. Typo: s/is/it/ 7) Section 5.2: Isn't this the current behavior, anyway? e.g., generation of error messages is already rate-limited, and there are multiple reasons for generating them (including traceroute). Is this specific trigger any special? OTOH, RFC8200 states that HbH should only be processed if the router has a reason to -- which seems like good advice to me. So I'm not sure what is being changed. It seems that the only thing that is changed is that even if there's explicit configuration to process HbH, the router wouldn't even process it if that can't be done in the fast path. -- but, at the end of the day, if the operator has explicitly configured the router to process HbH, it's probably because they have no option. 8) Section 6. Hop-by-Hop Option Header Alignment Some options might have a size that wouldn't make the *end* of the HbH fall into a 8-byte boundary, and hence would *require* padding. Router Alert seems to be one of those, and is indeed the most common option employed with HbH. The requirement to drop packets that contain more than one option in the HbH would thus cause the packets for the only current user of HbH to be droopped. For example, the pcap for MLD at: https://www.cloudshark.org/captures/696d02f3316e (the first one I found when googling for one) has a total of three (not even just two1) options: one router alert, and two pad1 options for padding (you might argue that they could have used a single PadN... but still, a PadN option would have been needed). In that light, I'm not sure you'd be able to implement this document (the constrain on the number of options per HbH) in a way that is backwards-compatible. 9) Section 6.2: You catched my previous comment. Apologies -- I was writing comments while reading. That said, in the light of my previous comment, I wonder if, if you really wanted to pursue this idea, whether it would be better to define a *new* EH. OTOH, modulo all the comments I made above, you could probably achive the same by simply requiring the router to process the first option, and ignore the rest. IN that way, it would seem to me that you'd achieve what it seems you want to achieve, in a way that it would still work (*) with current users of HbH. (*) there could still be cases where implementations include the Pad options *first*, and then the router alert. WHile possibly awkward, such approach is still valid as per current standards. Hope the above are of help. Thanks! Regards, Fernando On 3/12/20 20:15, Bob Hinden wrote: > Hi, > > Gorry and I put together a draft that proposes to change how IPv6 Hop-by-Hop Options are processed. Links to the draft below. > > Abstract: > > This document specifies procedures for how IPv6 Hop-by-Hop options > are processed. It modifies the procedures specified in the IPv6 > Protocol Specification (RFC8200) to make processing in routers more > practical with the goal of making IPv6 Hop-by-Hop options useful to > deploy in the Internet. When published, this document updates > RFC8200. > > A very short summary is that there can only be one Hop-by-Hop option in a Hop-by-Hop Option header, and that Hop-by-Hop Options must be process in the fast path. > > Please read and comment on the draft (that is, not on just this email). We think this might make Hop-by-Hop options practical to use in the Internet. > > Bob & Gorry > > >> Begin forwarded message: >> >> From: internet-drafts@ietf.org >> Subject: New Version Notification for draft-hinden-6man-hbh-processing-00.txt >> Date: December 3, 2020 at 3:04:46 PM PST >> To: "Robert M. Hinden" <bob.hinden@gmail.com>, "Godred Fairhurst" <gorry@erg.abdn.ac.uk>, "Robert Hinden" <bob.hinden@gmail.com>, "Gorry Fairhurst" <gorry@erg.abdn.ac.uk> >> >> >> A new version of I-D, draft-hinden-6man-hbh-processing-00.txt >> has been successfully submitted by Robert M. Hinden and posted to the >> IETF repository. >> >> Name: draft-hinden-6man-hbh-processing >> Revision: 00 >> Title: IPv6 Hop-by-Hop Options Processing Procedures >> Document date: 2020-12-03 >> Group: Individual Submission >> Pages: 11 >> URL: https://www.ietf.org/archive/id/draft-hinden-6man-hbh-processing-00.txt >> Status: https://datatracker.ietf.org/doc/draft-hinden-6man-hbh-processing/ >> Html: https://www.ietf.org/archive/id/draft-hinden-6man-hbh-processing-00.html >> Htmlized: https://tools.ietf.org/html/draft-hinden-6man-hbh-processing-00 >> >> >> Abstract: >> This document specifies procedures for how IPv6 Hop-by-Hop options >> are processed. It modifies the procedures specified in the IPv6 >> Protocol Specification (RFC8200) to make processing in routers more >> practical with the goal of making IPv6 Hop-by-Hop options useful to >> deploy in the Internet. When published, this document updates >> RFC8200. >> >> >> >> >> Please note that it may take a couple of minutes from the time of submission >> until the htmlized version and diff are available at tools.ietf.org. >> >> The IETF Secretariat >> >> > > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- > -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
- Proposal for changing how IPv6 Hop-by-Hop Options… Bob Hinden
- RE: Proposal for changing how IPv6 Hop-by-Hop Opt… Templin (US), Fred L
- RE: Proposal for changing how IPv6 Hop-by-Hop Opt… Tianran Zhou
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Tom Herbert
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Jen Linkova
- RE: Proposal for changing how IPv6 Hop-by-Hop Opt… Haoyu Song
- RE: Proposal for changing how IPv6 Hop-by-Hop Opt… Pengshuping (Peng Shuping)
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Gorry Fairhurst
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Nick Hilliard
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Tom Herbert
- RE: Proposal for changing how IPv6 Hop-by-Hop Opt… Ron Bonica
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… tom petch
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Tom Herbert
- RE: Proposal for changing how IPv6 Hop-by-Hop Opt… Ron Bonica
- RE: Proposal for changing how IPv6 Hop-by-Hop Opt… Templin (US), Fred L
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Gyan Mishra
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Tom Herbert
- RE: [EXTERNAL] Re: Proposal for changing how IPv6… Templin (US), Fred L
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Jeff Tantsura
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Fernando Gont
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Fernando Gont
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Fernando Gont
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Brian E Carpenter
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Tom Herbert
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Fernando Gont
- RE: Proposal for changing how IPv6 Hop-by-Hop Opt… Ron Bonica
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Gyan Mishra
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Fernando Gont
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… tom petch
- RE: [EXTERNAL] Re: Proposal for changing how IPv6… Templin (US), Fred L
- Re: [EXTERNAL] Proposal for changing how IPv6 Hop… otroan
- RE: [EXTERNAL] Proposal for changing how IPv6 Hop… Templin (US), Fred L
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Gyan Mishra
- Re: [EXTERNAL] Proposal for changing how IPv6 Hop… otroan
- RE: Proposal for changing how IPv6 Hop-by-Hop Opt… Templin (US), Fred L
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Tom Herbert
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Tom Herbert
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Templin (US), Fred L
- RE: Proposal for changing how IPv6 Hop-by-Hop Opt… Templin (US), Fred L
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Tom Herbert
- RE: [EXTERNAL] Re: Proposal for changing how IPv6… Templin (US), Fred L
- RE: Proposal for changing how IPv6 Hop-by-Hop Opt… Ron Bonica
- Re: [EXTERNAL] Re: Proposal for changing how IPv6… Tom Herbert
- RE: [EXTERNAL] Re: Proposal for changing how IPv6… Templin (US), Fred L
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Joel M. Halpern
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Tom Herbert
- Re: [EXTERNAL] Re: Proposal for changing how IPv6… Tom Herbert
- Re: [EXTERNAL] Re: Proposal for changing how IPv6… Brian E Carpenter
- RE: [EXTERNAL] Re: Proposal for changing how IPv6… Templin (US), Fred L
- RE: Proposal for changing how IPv6 Hop-by-Hop Opt… Ron Bonica
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Fernando Gont
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Fernando Gont
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Gyan Mishra
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Eric Vyncke (evyncke)
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Tom Herbert
- Re: Proposal for changing how IPv6 Hop-by-Hop Opt… Gyan Mishra
- RE: Proposal for changing how IPv6 Hop-by-Hop Opt… Xiejingrong (Jingrong)