IETF Logo Mail Archive

Re: Meta-issues: On the deprecation of the fragmentation function

Mark Andrews <marka@isc.org> Sat, 06 July 2013 02:06 UTC

Return-Path: <marka@isc.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EBA411E80EC for <ipv6@ietfa.amsl.com>; Fri, 5 Jul 2013 19:06:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vtqTPg0AfNTA for <ipv6@ietfa.amsl.com>; Fri, 5 Jul 2013 19:06:16 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id D98F811E80AE for <ipv6@ietf.org>; Fri, 5 Jul 2013 19:06:16 -0700 (PDT)
Received: from mx.pao1.isc.org (localhost [127.0.0.1]) by mx.pao1.isc.org (Postfix) with ESMTP id 210CEC94FF; Sat, 6 Jul 2013 02:06:07 +0000 (UTC) (envelope-from marka@isc.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=dkim2012; t=1373076376; bh=8JfSnfkdIl+z7nzdj9bv3bv6PbgzgGwMLDAJOD9cmig=; h=To:Cc:From:References:Subject:In-reply-to:Date; b=ZV6a8T8pWC772rrVqCjiAdnmi6km/Aw5XJF6LmGOjvC6ehkowzm+UFGzydtFg9/oo t/MeBtVe8Q2dLjwLijEcShSa359oLYYSfvsJ+ttao0v2pHkJVZZxl73fltZa7uHeaN z6/2z4jmg0Pdb206IQDxTcv7rXVTuf/adPUoH4VU=
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.pao1.isc.org (Postfix) with ESMTP; Sat, 6 Jul 2013 02:06:07 +0000 (UTC) (envelope-from marka@isc.org)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 20F73160105; Sat, 6 Jul 2013 02:08:01 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id qubzoJ7pT5pu; Sat, 6 Jul 2013 02:07:58 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id D2F8F160104; Sat, 6 Jul 2013 02:07:58 +0000 (UTC)
X-Virus-Scanned: amavisd-new at zmx1.isc.org
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id ow13z3-6zqcv; Sat, 6 Jul 2013 02:07:58 +0000 (UTC)
Received: from drugs.dv.isc.org (c211-30-172-21.carlnfd1.nsw.optusnet.com.au [211.30.172.21]) by zmx1.isc.org (Postfix) with ESMTPSA id 484DB160103; Sat, 6 Jul 2013 02:07:58 +0000 (UTC)
Received: from drugs.dv.isc.org (localhost [IPv6:::1]) by drugs.dv.isc.org (Postfix) with ESMTP id 61F4736F1E1F; Sat, 6 Jul 2013 12:05:57 +1000 (EST)
To: Fernando Gont <fgont@si6networks.com>
From: Mark Andrews <marka@isc.org>
References: <51CE05E5.4040202@si6networks.com> <2CF4CB03E2AA464BA0982EC92A02CE2509F85151@BY2PRD0512MB653.namprd05.prod.outlook.com> <51C56E60.5040009@fud.no> <8C48B86A895913448548E6D15DA7553B9237F3@xmb-rcd-x09.cisco.com> <CAKr6gn17O+B78HJofr-z7Nsgv-y8+w4hgKy+YPicgNS126qwXA@mail.gmail.com> <2CF4CB03E2AA464BA0982EC92A02CE2509F870FC@BY2PRD0512MB653.namprd05.prod.outlook.com> <CAKr6gn2zu2n-pJMirG-seN5WX=Evyquu9EqqLOV-zf-RKQ9eYg@mail.gmail.com> <20130625015317.6B256363BD8F@drugs.dv.isc.org> <2CF4CB03E2AA464BA0982EC92A02CE2509F878B0@BY2PRD0512MB653.namprd05.prod.outlook.com> <20130625040207.1CCA7363C42A@drugs.dv.isc.org> <CAKr6gn1cnGfktfKraQegHNP_kjHyzNKGzw3ZDe1cZ__Czsu_kw@mail.gmail.com> <51C98103.4050008@fud.no> <010f01ce71e3$7f43aea0$7dcb0be0$@tndh.net> <20130625233717.618C53642429@drugs.dv.isc.org> <Pine.LNX.4.64.1306301228050.21119@shell4.bayarea.net> <51D6DF54.9030304@si6networks.com>
Subject: Re: Meta-issues: On the deprecation of the fragmentation function
In-reply-to: Your message of "Fri, 05 Jul 2013 16:59:32 +0200." <51D6DF54.9030304@si6networks.com>
Date: Sat, 06 Jul 2013 12:05:56 +1000
Message-Id: <20130706020557.61F4736F1E1F@drugs.dv.isc.org>
X-DCC--Metrics: post.isc.org; whitelist
Cc: "C. M. Heard" <heard@pobox.com>, IPv6 <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Jul 2013 02:06:21 -0000

In message <51D6DF54.9030304@si6networks.com>, Fernando Gont writes:
> On 06/30/2013 10:42 PM, C. M. Heard wrote:
> > Fernando> So far (and without having read Ron's recent I-D -- shame on me),
>  it
> > Fernando> looks like the main two reasons for deprecating the fragmentation
> > Fernando> function are:
> > Fernando> 
> > Fernando> 1) The inability of middle-boxes to parse past the first XXX
> > Fernando>    bytes of a packet
> > Fernando> 
> > Fernando> 2) Unavailability of the connection-id (five-tuple) in the
> > Fernando>    non-first fragments.
> > 
> > I disagree -- I think Mark Andrews got it (mostly) right in his message of 
> > Wed, 26 Jun 2013: 
> > 
> > Mark> One needs to get the L4 information the firewall/loadbalancer uses in
> > *each* fragment.
> 
> Do you have this in IPv4? -- No.
> 
> Then, why is it that special in v6?

It's not special in IPv6.  It is however easily *fixable* in IPv6
as the IPv6 packet format was designed to extended.  Additionally
IPv6 is the future and we are still very early into the lifetime
of IPv6.

If one wants to extend IPv4 to have similar capabilities go for it.
I just think doing so will be wasted effort but I'm not going to
stand in the way of someone that wants to do it.

> > However, it won't help middle boxes that implement stateless packet
> > filters.  Indeed, such boxes have fundamental problems with non-first
> > fragments irrespective of how many bytes of extension headers they can
> > parse or whether there are sufficient length limits on the extension
> > header chain that guarantee that the L4 header always appears in the
> > first fragment.
> 
> If you want to do stateless filtering, you should focus on filtering the
> first fragment. And have the end nodes (severs or whatever) implement
> sensible garbage collection for queued fragments (as it's usually the case).

Which is what I do but it doesn't help with those that worry about
those non initial fragments filling pipes and reassembly queues to
the point where legitimate fragments that they want get discarded
too soon.

We need to be able to better classify non-initial fragments.  At
the moment we are classifying them to the L4 type (tcp, udp, icmp6,
ipv6, ipv4, etc.)

> > As I see it, the biggest meta-issue in this discussionis for the IPv6
> > WG is to decide out whether middle boxes that implement stateless packet
> > filters with a "default-deny" policy will be a  significant part of the
> > landscape indefinitely, regardless of what the IETF says about their
> > merits or lack thereof.
> 
> Again: Why is this more special in v6 than in v4?
> 
> -- You seem to be ignored the "questions" that I've asked.
> 
> Thanks,
> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> 
> 
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email