Re: 6MAN WG Call for adoption draft-gont-6man-oversized-header-chain-02
Fernando Gont <fgont@si6networks.com> Sat, 30 June 2012 13:08 UTC
Message-ID: <4FEEFA4D.7010401@si6networks.com>
Date: Sat, 30 Jun 2012 15:08:29 +0200
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
To: Suresh Krishnan <suresh.krishnan@ericsson.com>
Subject: Re: 6MAN WG Call for adoption draft-gont-6man-oversized-header-chain-02
References: <AB6FAEC8-2486-46A2-9152-C9A376979A54@employees.org> <4FEB6E72.9010601@ericsson.com> <4FEBC589.2020900@si6networks.com> <4FEE4CD0.2060002@ericsson.com>
In-Reply-To: <4FEE4CD0.2060002@ericsson.com>
Cc: "6man-chairs@tools.ietf.org Chairs" <6man-chairs@tools.ietf.org>, "draft-gont-6man-oversized-header-chain@tools.ietf.org" <draft-gont-6man-oversized-header-chain@tools.ietf.org>, "ipv6@ietf.org Mailing List" <ipv6@ietf.org>
Hi, Suresh,

Thanks so much for your feedback! -- Please find my comments in-line...

On 06/30/2012 02:48 AM, Suresh Krishnan wrote:
>> I simply disagree. While I have no objection with including "a crisper
>> definition of what 'entire IPv6 header chain'", I think claiming that
>> "the draft in current form is not actionable" is taking it way too far.
>> For instance, a bunch of people clearly understood what the document is
>> talking about -- with the entire IPv6 header chain being all headers
>> from the fixed IPv6 header chain, till the upper layer protocol (TCP,
>> UDP, etc. -- assuming there's one of those), including any extension
>> headers.
>
> This description works for me. Just put it in the draft and we are all set.

Ok, great!

>> Essentially, what is important is the sending behaviour: You must
>> include the entire IPv6 header chain in the first fragment. Intermediate
>> nodes may simply forward non-compliant packets, but may also decide to
>> drop them -- ditto for end nodes.
>
> I asked because there is a legitimate problem that you raise in Section 4
>
> "However, if the first
> fragment fails to include the entire IPv6 header chain, they may have
> no option other than "blindly" allowing or blocking the corresponding
> fragment. If they blindly allow the packet, then the firewall can be
> easily circumvented by intentionally sending fragmented packets that
> fail to include the entire IPv6 header chain in the first fragment."
>
> but the draft does nothing to mitigate this issue.

Well, the problem *was* that at least in theory such packets could exist
in practice. Now that we'll ban those packets, then a middle-box is free
to drop first-fragments that fail to include the entire IPv6 header
chain, since those packets are illegitimate in the first place (i.e.,
problem solved!).

(Note: such packets have not been found in real networks, and
middle-boxes are already dropping them -- hence we're aligning the specs
with the real-world).

Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
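To make the sending rule and the middle-box check discussed in this thread concrete, here is an added example (not code from the draft or from any participant) that walks the IPv6 header chain of a single packet and flags a first fragment that ends before its upper-layer header. The sample packets, the addresses and the minimal upper-layer header sizes are constructed assumptions for this example.

```python
import struct

# Extension headers that may appear in the chain: Hop-by-Hop (0), Routing (43),
# Fragment (44), AH (51), Destination Options (60).
EXT_HEADERS = {0, 43, 44, 51, 60}
# Minimal upper-layer header length for TCP/UDP/ICMPv6 (an assumption of this example).
MIN_UPPER_LEN = {6: 20, 17: 8, 58: 4}

def header_chain_complete(pkt: bytes):
    """Return (ok, reason); ok is False when a first fragment ends before its upper-layer header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return False, "not an IPv6 packet"
    nh, off, first_fragment = pkt[6], 40, False
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):  # every extension header is at least 8 octets
            return False, f"header {nh} at offset {off} truncated"
        if nh == 44:
            frag_field = struct.unpack_from("!H", pkt, off + 2)[0]
            if frag_field >> 3:  # non-zero offset: not the first fragment
                return True, "non-first fragment; no check applies"
            first_fragment = bool(frag_field & 1)  # M flag set
            hlen = 8
        elif nh == 51:
            hlen = (pkt[off + 1] + 2) * 4  # AH length field is in 4-octet units
        else:
            hlen = (pkt[off + 1] + 1) * 8  # other extension headers: 8-octet units
        if off + hlen > len(pkt):
            return False, f"header {nh} at offset {off} truncated"
        nh, off = pkt[off], off + hlen
    if nh == 59:
        return True, "chain ends with No Next Header"
    if off + MIN_UPPER_LEN.get(nh, 0) > len(pkt):
        where = "first fragment" if first_fragment else "packet"
        return False, f"{where} ends before upper-layer header {nh}"
    return True, "entire header chain present"

def ipv6_fixed(next_header: int, payload_len: int) -> bytes:
    # Fixed header with constructed addresses 2001::1 -> 2001::2, hop limit 64.
    src, dst = b"\x20\x01" + bytes(13) + b"\x01", b"\x20\x01" + bytes(13) + b"\x02"
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64, src, dst)

TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
FRAG_FIRST_TCP = struct.pack("!BBHI", 6, 0, 1, 0x1234)   # next=TCP, offset 0, M=1
FRAG_FIRST_DST = struct.pack("!BBHI", 60, 0, 1, 0x1234)  # next=Dest Opts, offset 0, M=1
# Compliant first fragment: Fragment header followed by the whole TCP header.
GOOD = ipv6_fixed(44, 8 + 20) + FRAG_FIRST_TCP + TCP_HDR
# Non-compliant: Dest Opts header declares 32 octets but this fragment holds only 8.
BAD_EXT = ipv6_fixed(44, 8 + 8) + FRAG_FIRST_DST + bytes([6, 3, 1, 4, 0, 0, 0, 0])
# Non-compliant: the chain reaches TCP but only 4 octets of the TCP header fit.
BAD_UPPER = ipv6_fixed(44, 8 + 4) + FRAG_FIRST_TCP + TCP_HDR[:4]
```

A filtering node applying the draft's rule would drop packets for which the function returns False with a "first fragment" reason, while non-first fragments are left to the reassembly logic.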