IETF Logo Mail Archive

Re: Comments on draft-herbert-ipv6-update-dest-ops

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 12 September 2018 02:46 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87AFF130DF0 for <ipv6@ietfa.amsl.com>; Tue, 11 Sep 2018 19:46:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6y5lhBjKAa5h for <ipv6@ietfa.amsl.com>; Tue, 11 Sep 2018 19:46:53 -0700 (PDT)
Received: from mail-pl1-x633.google.com (mail-pl1-x633.google.com [IPv6:2607:f8b0:4864:20::633]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79406130DC1 for <ipv6@ietf.org>; Tue, 11 Sep 2018 19:46:53 -0700 (PDT)
Received: by mail-pl1-x633.google.com with SMTP id p5-v6so224777plk.3 for <ipv6@ietf.org>; Tue, 11 Sep 2018 19:46:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=WOPmS3uJZJVrSc8j2Vyj+vSdpR6aelS1gUzgZr3mXTQ=; b=KDUcjA8VZjuu70NS2zlQEYonLzmi5M6BnTzePsA1cy9K3Q68T62egaDlxt57QuPl77 nP2joM5eBI/r8iDRw2UZCMhojcV2/aWYxqHe2b9p1Bc1ZEvvj9jJpfjAN4j/jlcQ5wkk 8iVvNDq6uoFALtaT3y17+mQYvVmJFqr1qZnWqu9VUbCngjtNA7P4QFpW9CEa7UGgMshe JSXeL/TtYfLje3QlgKAeTIWAvYJGc0xou9uvSK2FU/czmg4CIwM09VsSXaltN+3nIHTv Apk/ZdZoIglz6e6pq0xTih6msEyiULBkumFuDHxmE7MP0Q/O6iYO2OBPSCW7Gn+GX7rm UeVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=WOPmS3uJZJVrSc8j2Vyj+vSdpR6aelS1gUzgZr3mXTQ=; b=WnfBfq8yzHL+v+qBhsHGSUiTyqsM8qrunuGSu0gCzX5paCxZXzZlgOkS21lBB/3d9X YX377bAAGuSKMFLqJXZQXd7xXilFYC4sXWjo/4Cnxq5O4Q0r/XnP6UdiEbbLRqo0KJmy 3+AXM9hl3ksAM0KVM9kxO6kSz5z18ayaeWsO1cXDEb6ME0ctemP1EmFcHaPUXQ3N45JZ nzoh2EJQa1QXfQZLlZRaiXkIHM3M5kQVagSIhYImQT/kDmSRR2Mwb9c6+i1RfRZ2+TXf u+Tg0cfVYkr5/8Gsg+hfSIjCwpmxjTiY2Tw29L17/SwVMx529VrYgJz7grFbUGtQbzrg 2Rlg==
X-Gm-Message-State: APzg51DSRMcpTGgPIptAX6VBMW7Nn4cYPicCcuCKbEZpWTGFaKSn+LpA pIyWNLeHEx8e0xtTIXdt+vFvLWMx
X-Google-Smtp-Source: ANB0VdYrPywv9vJRaLC9vYDiabjBKp8+HaPcVvAfgTYXPJNGfPaQXlox+5kcfcjgfcN2qQcybtR8ZQ==
X-Received: by 2002:a17:902:402:: with SMTP id 2-v6mr29989732ple.277.1536720412698; Tue, 11 Sep 2018 19:46:52 -0700 (PDT)
Received: from [192.168.178.27] ([118.148.76.40]) by smtp.gmail.com with ESMTPSA id z2-v6sm22328312pgv.12.2018.09.11.19.46.49 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Sep 2018 19:46:51 -0700 (PDT)
Subject: Re: Comments on draft-herbert-ipv6-update-dest-ops
To: Tom Herbert <tom@herbertland.com>
Cc: Ole Troan <otroan@employees.org>, "C. M. Heard" <heard@pobox.com>, 6man WG <ipv6@ietf.org>
References: <CACL_3VF+EoKOEF-TkB3179UsmN_Yhaqt60jh_h2d2GLnE0EWDA@mail.gmail.com> <CACL_3VGfMj6DjAWsxib6Hw_x=5X3CWASKU1oiGqvFdksDuFXDw@mail.gmail.com> <CALx6S37c_WCa+A3aD7X-rq-kj_RTGfGur8HVekt_LWTg6Os18g@mail.gmail.com> <F01E55CE-0E88-47BF-A30B-B83A0B7F5F0F@employees.org> <CALx6S35mAnjCw=0Jmz7Niacobw2QmKkUxNJPJ-CNVok_4dAOeQ@mail.gmail.com> <EDE97FE5-B72A-4ED5-A4B0-F143A0F23C3A@employees.org> <CALx6S35mZQ1HyDS3EWLZXJtT0ViXNJt1L_v3QqrKH9n7zDOM1g@mail.gmail.com> <837265C7-AF4A-4E78-A7B4-5D4AE5C38C8A@employees.org> <CALx6S37mE6wXGk9jkkJeG_tuSA8x157wgCGqh-QxW-3Kws1ZnQ@mail.gmail.com> <CBA29A6D-9C4C-4F7D-9621-6C3A04AEFC7E@employees.org> <CALx6S35uOuoAd2rdAxKTnEgcuXg2z0AQPdKrP2=7jm0ehVd3fQ@mail.gmail.com> <970CDF5C-1E76-4241-9BCA-B053F637DE40@employees.org> <CALx6S36rgC=FVo-qabKBJED3dLU3yHc06k6Vw8GzK46i5KYYJw@mail.gmail.com> <be5f8180-64d4-8ef3-94b1-5de2deb9517c@gmail.com> <CALx6S37pt6t36ytQELyPAbMK-9aeAA79jTXAXcOS1-qMz1Nk6w@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <34b285e1-1c49-2d84-5bd7-b76ae9c5308b@gmail.com>
Date: Wed, 12 Sep 2018 14:46:47 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CALx6S37pt6t36ytQELyPAbMK-9aeAA79jTXAXcOS1-qMz1Nk6w@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/2SaTWf_5cEqmqSzxID4vE9uFcrg>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Sep 2018 02:46:56 -0000

Hi Tom,
On 2018-09-12 07:23, Tom Herbert wrote:

<snip>

>>>> You have at least 4 arguments going at once here.
>>>>
>>>> 1) How to deal with destination options on intermediate devices terminating and forwarding traffic (tunnels, source routing)
>>
>> The words "destination option" and "marked to be changeable" in the same
>> sentence make my head hurt.
> 
> Hi Brian,
> 
> Yeah, I liken trying to resolve this to interpreting the meaning
> single obscure phrase in a consititution a hundred years after the
> fact!

A well regulated header format, being necessary to the security of a free Internet, the right of the people to keep and transmit destination options, shall not be infringed. 
 
>> So I think that indeed 8200 needs clarifying
>> on this, much as the draft says: if the option *precedes* the routing header
>> it's intended to be processed by the intermediate forwarder.
> 
> Is section 3 of the draft not clear on this?

Yes, I intended to indicate agreement.

>> (As a side
>> question, should that forwarder be entitled to remove the option completely,
>> as well as to modify it?)
> 
> My interpretation of RFC8200 is that if an option (HBH or Dest Opt) is
> marked changeable, then only the option data may change. Length and
> type cannot change, Options cannot be added nor deleted, and neither
> can extension headers be added nor removed, nor their lengths change.
> I think these requirements must be strict to achieve proper
> accountability in IP. For instance, if an intermeidate node makes some
> change to a packet field outside of what the sender has declared
> changeable, and if the change causes an error in a dowstream node, an
> ICMP error might be sent with a pointer to change data. The problem is
> that the ICMP error is sent to the source address not the party that
> made the change. The source might be able to deduce that the packet
> was changed and that caused the error, but would have no idea who
> actually made the change or how to prevent them from continuing to do
> that in subsequent packets. Does this need clarification in the draft?

I think it would do no harm to make it 100% clear. It's never been clear
to me whether a change in the option data is allowed to change the *length*
of the option data; changing the length breaks IPsec (see RFC 4302 section
3.3.3.1.2.2) and might confuse PMTUD.

>> But apart from that, "changeable" is a nonsense
>> for a *destination* option and should be forbidden.
>>
> 
> I'm not sure what forbidden would mean at least beyond what second
> paragraph describes. If someone marks a destination option a
> changeable in dest opts that is after a routing header or no routing
> header, then that is ignored (except for the auth header interaction).
> It's still legal to set the bit in that case. Does this paragraph need
> further clarification?

No, it seems clear enough to me.

   Brian

> 
> Tom
> 
>>>> 2) Dealing with destination options when terminating traffic as a host
>>
>> That seems clear cut.
>>
>>>> 3) Dealing with destination options when acting as a layer violating middlebox.
>>>
>>> Note that that RFC8200 doesn't distiguish any of the cases. Per the
>>> spec there is no difference between a tunnel endpoint and a end host
>>> in how they are supposed to process Destination Options. Neither is
>>> there is any difference between how a hardware and software
>>> implemenation of protocol is supposed to work. Middleboxes that aren't
>>> destinations of a packet aren't supposed to be looking at Destination
>>> Options header at all.
>>
>> +1
>>
>>>
>>>> 4) Why after 20 years aren’t there any “useful” destination options created?
>>>
>>> One could also argue that IPv6 itself has gotten enough traction until
>>> recently to warrant interest in the creating them.
>>
>> +1.
>>
>>>
>>> All these fall under the same root problem, namely how do we undo the
>>> effects of non-compliant implementations for core protocol features
>>> (i.e. Destination Options in this case). It seems like there's three
>>> alternatives: abandon trying to use the feature and try to do
>>> something else to get the functionality, fix implementations to be
>>> compliant, change protocols to adapt to reality of implementation that
>>> best preserves the feature.
>>
>> There's a 4th alternative hiding in draft-carpenter-limited-domains-03.
>> Namely, only use them where they actually work.
>>
>>    Brian
>>
>>> VPP is an example of an implementation that should simply be fixed to
>>> be compliant (I have taken that up with the VPP developers). This
>>> draft updates processing of Destination Options before the Routing
>>> header relax the requirements similar to how this was does for
>>> Hop-by-Hop options. It makes the assumption that some intermediate
>>> devices in a routing list won't processing the Destination Options per
>>> the current specification. That assumption seems to be true for VPP,
>>> and it seems like that some other implementations will also not be
>>> processing them ostensibly because of performance hit and processing
>>> cost.
>>>
>>> Tom
>>>
>>>> Best regards,
>>>> Ole
>>>>
>>>>
>>>
>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> ipv6@ietf.org
>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------
>>>
>>
>

v2.23.0 | Report a Bug | By Email