IETF Logo Mail Archive

RE: UDP+Fragmentation (was: "Deprecate")

"Templin, Fred L" <Fred.L.Templin@boeing.com> Wed, 07 August 2013 14:51 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF33E11E8139 for <ipv6@ietfa.amsl.com>; Wed, 7 Aug 2013 07:51:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.51
X-Spam-Level:
X-Spam-Status: No, score=-6.51 tagged_above=-999 required=5 tests=[AWL=0.089, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qwbh9bQTU+cJ for <ipv6@ietfa.amsl.com>; Wed, 7 Aug 2013 07:51:07 -0700 (PDT)
Received: from blv-mbsout-01.boeing.com (blv-mbsout-01.boeing.com [130.76.32.231]) by ietfa.amsl.com (Postfix) with ESMTP id 1F35811E8138 for <ipv6@ietf.org>; Wed, 7 Aug 2013 07:50:58 -0700 (PDT)
Received: from blv-mbsout-01.boeing.com (localhost.localdomain [127.0.0.1]) by blv-mbsout-01.boeing.com (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with ESMTP id r77Epe9M028695 for <ipv6@ietf.org>; Wed, 7 Aug 2013 07:51:40 -0700
Received: from XCH-NWHT-09.nw.nos.boeing.com (xch-nwht-09.nw.nos.boeing.com [130.247.25.115]) by blv-mbsout-01.boeing.com (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id r77EpdgN028682 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK); Wed, 7 Aug 2013 07:51:39 -0700
Received: from XCH-BLV-207.nw.nos.boeing.com (10.57.37.63) by XCH-NWHT-09.nw.nos.boeing.com (130.247.25.115) with Microsoft SMTP Server (TLS) id 8.3.297.1; Wed, 7 Aug 2013 07:50:56 -0700
Received: from XCH-BLV-504.nw.nos.boeing.com ([169.254.4.29]) by XCH-BLV-207.nw.nos.boeing.com ([169.254.7.243]) with mapi id 14.02.0328.011; Wed, 7 Aug 2013 07:50:55 -0700
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Ronald Bonica <rbonica@juniper.net>, "C. M. Heard" <heard@pobox.com>, IPv6 <ipv6@ietf.org>
Subject: RE: UDP+Fragmentation (was: "Deprecate")
Thread-Topic: UDP+Fragmentation (was: "Deprecate")
Thread-Index: AQHOjsXExBsThTTW2kO9nlkD8PFVZ5mAluIAgAb8kICAAPVUoIAABuLggAAsSnCAAAXBcIAACeHggAAvSpCAAODTEA==
Date: Wed, 07 Aug 2013 14:50:55 +0000
Message-ID: <2134F8430051B64F815C691A62D983180E16BE@XCH-BLV-504.nw.nos.boeing.com>
References: <782A011A-B28F-4BD9-B3F1-C194D6244DFA@gmail.com> <Pine.LNX.4.64.1308010951100.15607@shell4.bayarea.net> <Pine.LNX.4.64.1308052027420.28100@shell4.bayarea.net> <f4cb5436e86b4ec88d34f2d21e2bbb24@BL2PR05MB243.namprd05.prod.outlook.com> <2134F8430051B64F815C691A62D983180E0A69@XCH-BLV-504.nw.nos.boeing.com> <fee4460daf2748e0bc5efda62c00b7df@BL2PR05MB243.namprd05.prod.outlook.com> <2134F8430051B64F815C691A62D983180E0D96@XCH-BLV-504.nw.nos.boeing.com> <2134F8430051B64F815C691A62D983180E0E0D@XCH-BLV-504.nw.nos.boeing.com> <ce9ac441c5c949d184997bcce7d154f5@BL2PR05MB243.namprd05.prod.outlook.com>
In-Reply-To: <ce9ac441c5c949d184997bcce7d154f5@BL2PR05MB243.namprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.247.104.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 14:51:13 -0000

Hi Ron,

> -----Original Message-----
> From: Ronald Bonica [mailto:rbonica@juniper.net]
> Sent: Tuesday, August 06, 2013 6:46 PM
> To: Templin, Fred L; C. M. Heard; IPv6
> Subject: RE: UDP+Fragmentation (was: "Deprecate")
> 
> Fred,
> 
> We should probably be clear about which problem we are trying to solve.
> The following are possibilities:
> 
> a) Remove network administrators' motivation for blocking IPv6
> fragments. To this end, we assume that the network administrators'
> primary motivation is the tiny fragment problem. So, we solve the tiny
> fragment problem by changing the way that IPv6 fragmentation works. In
> the new fragmentation scheme, each fragment contains parsable
> information regarding the payload protocol and port.
> 
> b) Make UDP-based applications work in a world where network
> administrators block IPv6 fragments. We do this by either modifying UDP
> so that it supports fragmentation and reassembly of long payloads or
> creating a new UDP-like protocol that supports the fragmentation and
> reassembly of long payloads.
> 
> Draft-andrews-6man-fragopt solves the problem posed in draft-bonica-
> 6man-frag-deprecate by solving problem a). Mike's proposal solves the
> problem posed in draft-bonica-6man-frag-deprecate by solving problem
> a).
> 
> IMHO, both proposals address the problem. We are currently trying to
> figure out which will work best.

SEAL solves the problem too. Transport-mode SEAL took me 15 minutes
to write, and is really just a couple of paragraphs. In addition to
providing a universal sublayer that can handle any transport protocol
'X', SEAL also provides an RFC4821 path MTU probing facility. And, if
ingress filtering is thought to be a problem, it also provides a data
origin authentication facility.

It seems Ron that you are trying to avoid a closer examination of SEAL.


Thanks - Fred
fred.l.templin@boeing.com
 
>                                                       Ron
> 
> 
> > -----Original Message-----
> > From: Templin, Fred L [mailto:Fred.L.Templin@boeing.com]
> > Sent: Tuesday, August 06, 2013 6:36 PM
> > To: Ronald Bonica; C. M. Heard; IPv6
> > Subject: RE: UDP+Fragmentation (was: "Deprecate")
> >
> > Ron,
> >
> > One other thing for now is that Mike's proposal doesn't even address
> > the attack vector that 'draft-bonica-6man-frag-deprecate'
> > is concerned about. To address the tiny fragment concern, the
> protocol
> > must ensure that tiny fragments cannot ever be created.
> >
> > Thanks - Fred
> > fred.l.templin@boeing.com
> >
> > > -----Original Message-----
> > > From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] On
> Behalf
> > > Of Templin, Fred L
> > > Sent: Tuesday, August 06, 2013 3:07 PM
> > > To: Ronald Bonica; C. M. Heard; IPv6
> > > Subject: RE: UDP+Fragmentation (was: "Deprecate")
> > >
> > > Hi Ron,
> > >
> > > > -----Original Message-----
> > > > From: Ronald Bonica [mailto:rbonica@juniper.net]
> > > > Sent: Tuesday, August 06, 2013 2:54 PM
> > > > To: Templin, Fred L; C. M. Heard; IPv6
> > > > Subject: RE: UDP+Fragmentation (was: "Deprecate")
> > > >
> > > > Fred,
> > > >
> > > > If that's the case, we have a good argument for changing Mike's
> > > > proposal ever so slightly, so that it uses a new protocol ID. But
> > > > still, Mike's proposal is elegant because:
> > > >
> > > > a) It solves the problem at the right layer
> > > > b) It reuses UDP transport machinery. (The only exception is the
> in
> > > > LENGTH field)
> > > > c) It reuses IP fragmentation machinery (moving it to the
> transport
> > > > layer)
> > > > d) Aside from b) and c), it introduces no new protocol machinery.
> > > > So, it can be described in a few short pages. This is in stark
> > > > contrast
> > > to
> > > > SEAL (draft-templin-intarea-seal-61) whose protocol machinery
> > > requires
> > > > 41 pages to describe
> > >
> > > There is a lot of boiler plate in the draft that is not required to
> > > describe the protocol machinery. Plus, there are many things that
> > need
> > > to be described in a functional specification beyond just posting a
> > > concept in an e-mail thread.
> > >
> > > > which required 61 draft versions to get right.
> > >
> > > The best things in life are worth investing the time and energy to
> > get
> > > right. Plus, SEAL is a universal format that handles both
> > > tunnel- and transport-mode requirements for all manners of existing
> > > protocols.
> > >
> > > If we are going to define a new protocol type, let's define one
> that
> > > addresses everything we are currently struggling with and has the
> > > extensibility to address additional requirements moving forward
> into
> > > the future.
> > >
> > > Thanks - Fred
> > > fred.l.templin@boeing.com
> > >
> > > >                                                  Ron
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Templin, Fred L [mailto:Fred.L.Templin@boeing.com]
> > > > > Sent: Tuesday, August 06, 2013 2:58 PM
> > > > > To: Ronald Bonica; C. M. Heard; IPv6
> > > > > Subject: RE: UDP+Fragmentation (was: "Deprecate")
> > > > >
> > > > > With a protocol as ossified as UDP, I have a hard time
> imagining
> > > all
> > > > > middleboxes passing the packets with what they would see as a
> > > > corrupted
> > > > > length field.
> > > > >
> > > > > Thanks - Fred
> > > > > fred.l.templin@boeing.com
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] On
> > > > Behalf
> > > > > > Of Ronald Bonica
> > > > > > Sent: Tuesday, August 06, 2013 11:49 AM
> > > > > > To: C. M. Heard; IPv6
> > > > > > Subject: RE: UDP+Fragmentation (was: "Deprecate")
> > > > > >
> > > > > > Mike,
> > > > > >
> > > > > > The proposal sounds elegant. I will try to paraphrase it to
> > make
> > > > sure
> > > > > > that I understand.
> > > > > >
> > > > > > When originating a UDP datagram, the host always queries it
> > > > > underlying
> > > > > > IP stack to determine the PMTU for the destination. If the
> PMTU
> > > > > > greater than or equal to the size of the payload plus the UDP
> > > > header
> > > > > > plus the IP header, plus all IP extension headers, the
> > > originating
> > > > > > host emits a conventional UDP packet which is characterized
> as
> > > > > follows:
> > > > > >
> > > > > > - Protocol = 17
> > > > > > - Length <= L4 length from IP
> > > > > >
> > > > > > If the PMTU less than the size of the payload plus the UDP
> > > > > > header
> > > > > plus
> > > > > > the IP header, plus all IP extension headers, the originating
> > > host
> > > > > > emits an unconventional UDP packet which is characterized as
> > > > follows:
> > > > > >
> > > > > > - Protocol = 17
> > > > > > - Length > L4 length from IP
> > > > > > - Segment Offset, M-bit and Identification fields added to
> UDP
> > > > header
> > > > > > before the payload
> > > > > >
> > > > > > If an unconventional UDP packet arrives a destination that
> > > supports
> > > > > > unconventional packets, it is reassembled at the transport
> > layer.
> > > > If
> > > > > > an unconventional UDP packet arrives a destination that does
> > not
> > > > > > support unconventional packets, it is  discarded.
> > > > > >
> > > > > > Do I have this much right?
> > > > > >
> > > > > >                           Ron
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org]
> On
> > > > > Behalf
> > > > > > Of
> > > > > > > C. M. Heard
> > > > > > > Sent: Monday, August 05, 2013 11:53 PM
> > > > > > > To: IPv6
> > > > > > > Subject: Re: UDP+Fragmentation (was: "Deprecate")
> > > > > > >
> > > > > > > On Thu, 1 Aug 2013, C. M. Heard wrote:
> > > > > > > > On Thu, 1 Aug 2013, RJ Atkinson wrote:
> > > > > > > > > I agree that C.M. Heard's ideas should be explored in
> > more
> > > > > > > > > detail
> > > > > > > by
> > > > > > > > > the IETF.
> > > > > > >
> > > > > > > The idea was essentially UDP with segmentation fields,
> which
> > > > would
> > > > > > > require a new protocol number.
> > > > > > >
> > > > > > > In an offline discussion with Mark Smith and I kicked
> around
> > > > > > > an
> > > > > idea
> > > > > > > for an alternate version not requiring a new protocol
> number,
> > > but
> > > > > > > relying instead on the redundancy of the UDP Length field.
> > > > > > > The
> > > > UDP
> > > > > > > Length field is not actually needed; TCP does not have one
> > but
> > > > > > > rather relies on the length reported by the IP layer.
> Under
> > > > > current
> > > > > > > standards, the UDP Length field must be at least 8 and
> cannot
> > > > > exceed
> > > > > > > the IP payload length minus the combined length of any
> > > extension
> > > > > > > headers -- let's call this the L4 length from IP.  Existing
> > > > > > > implementations are supposed to drop UDP datagrams that
> fail
> > > this
> > > > > > > check, and all the ones I know of do so.
> > > > > > >
> > > > > > > The question then arises whether it might reasonably be
> > > possible
> > > > to
> > > > > > re-
> > > > > > > purpose the case UDP Length > L4 length from IP to mean a
> > > > segmented
> > > > > > UDP
> > > > > > > datagram.
> > > > > > >
> > > > > > > In that case 8 <= UDP Length <= L4 length from IP would be
> > > > > > > intepreted as a standard unsegmented UDP datagram, as is it
> > > now.
> > > > > > > That's the case pictured below.  Note that if the L4 length
> > > > > > > indicated by the IP layer exceeds the UDP Length, then the
> > > extra
> > > > > > > octets would
> > > > > > be
> > > > > > > discarded and are not delivered to the application; that is
> > > > > > > the behavior of the implementations I know of.
> > > > > > >
> > > > > > >      0                            15 16
> > > > > 31
> > > > > > >     +-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|-+-+-
> +-
> > +-
> > > +-
> > > > +-
> > > > > +-+
> > > > > > >     |         Source Port           |      Destination Port
> > > > > |
> > > > > > >     +-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|-+-+-
> +-
> > +-
> > > +-
> > > > +-
> > > > > +-+
> > > > > > >     |   Length <= L4 length from IP |            Checksum
> > > > > |
> > > > > > >     +-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-
> +-
> > +-
> > > +-
> > > > +-
> > > > > +-+
> > > > > > >     |                          data octets
> ...
> > > > > > >     +-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|
> ...
> > > > > > >
> > > > > > > Now suppose that we have a long UDP datagram that we want
> to
> > > send
> > > > > in
> > > > > > > segments.  We set the Length and Checksum fields as usual,
> > and
> > > > then
> > > > > > cut
> > > > > > > the datagram into segments, each of which looks like this:
> > > > > > >
> > > > > > >      0                            15 16
> > > > > 31
> > > > > > >     +-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|-+-+-
> +-
> > +-
> > > +-
> > > > +-
> > > > > +-+
> > > > > > >     |         Source Port           |      Destination Port
> > > > > |
> > > > > > >     +-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|-+-+-
> +-
> > +-
> > > +-
> > > > +-
> > > > > +-+
> > > > > > >     |  Length > L4 length from IP   |            Checksum
> > > > > |
> > > > > > >     +-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-
> +-
> > +-
> > > +-
> > > > +-
> > > > > +-+
> > > > > > >     |        (reserved = 0)         |       Segment Offset
> > > > > |Res|M|
> > > > > > >     +-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-
> +-
> > +-
> > > +-
> > > > +-
> > > > > +-+
> > > > > > >     |                         Identification
> > > > > |
> > > > > > >     +-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-
> +-
> > +-
> > > +-
> > > > +-
> > > > > +-+
> > > > > > >     |                          data octets
> ...
> > > > > > >     +-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|
> ...
> > > > > > >
> > > > > > > We put the same UDP header in each segment, so (if we take
> > > > > > > some
> > > > > care
> > > > > > in
> > > > > > > how we choose the length of the segments) each one will
> have
> > a
> > > > UDP
> > > > > > > Length field that is greater than the IP payload length
> minus
> > > the
> > > > > > > combined length of any extension headers.  Implementations
> > > > > > > that
> > > > > > conform
> > > > > > > to the current specifications should discard these
> segments,
> > > and
> > > > so
> > > > > > > should not mistakenly consider the segmentation fields as
> > part
> > > of
> > > > > > > the application data.  That should make it possible for
> > > segmented
> > > > > > > UDP datagrams to safely coexist with conventional
> unsegmented
> > > > one,
> > > > > > without
> > > > > > > getting a new protocol number.
> > > > > > >
> > > > > > > Possible downsides: some middleboxes may filter such
> > > "erroneous"
> > > > > > > datagrams, and some existing erroneous implementations may
> > > > > > > fail
> > > > to
> > > > > > > do the checks they should and might mistake these segments
> > for
> > > > > > > ordinary UDP datagrams.
> > > > > > >
> > > > > > > Note that this idea does not work with UDP-lite, which
> > > > > > > replaces
> > > > the
> > > > > > > Length field with a Checksum Coverage field.  That could
> > > > > > > easily
> > > > be
> > > > > > too
> > > > > > > short to exceed the L4 length from IP.
> > > > > > >
> > > > > > > Mike Heard
> > > > > > > -----------------------------------------------------------
> --
> > -
> > > > > > > -
> > > --
> > > > --
> > > > > -
> > > > > > > IETF IPv6 working group mailing list ipv6@ietf.org
> > > Administrative
> > > > > > > Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > > > > > > -----------------------------------------------------------
> --
> > -
> > > > > > > -
> > > --
> > > > --
> > > > > -
> > > > > > >
> > > > > >
> > > > > >
> > > > > > -------------------------------------------------------------
> --
> > -
> > > > > > -
> > > --
> > > > -
> > > > > > IETF IPv6 working group mailing list ipv6@ietf.org
> > > > > > Administrative Requests:
> > > https://www.ietf.org/mailman/listinfo/ipv6
> > > > > > -------------------------------------------------------------
> --
> > -
> > > > > > -
> > > --
> > > > -
> > > > >
> > > >
> > >
> > > -------------------------------------------------------------------
> -
> > > IETF IPv6 working group mailing list
> > > ipv6@ietf.org
> > > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > > -------------------------------------------------------------------
> -
> >
>

v2.23.0 | Report a Bug | By Email