IETF Logo Mail Archive

Re: Path MTU Hop-by-Hop Option

Fernando Gont <fgont@si6networks.com> Wed, 24 October 2018 22:25 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5476E130E69 for <ipv6@ietfa.amsl.com>; Wed, 24 Oct 2018 15:25:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BaZbpp1xJlsx for <ipv6@ietfa.amsl.com>; Wed, 24 Oct 2018 15:25:50 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC6A5130E8B for <ipv6@ietf.org>; Wed, 24 Oct 2018 15:25:49 -0700 (PDT)
Received: from [192.168.0.104] (unknown [80.30.179.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 1298B86AA9; Thu, 25 Oct 2018 00:25:44 +0200 (CEST)
Subject: Re: Path MTU Hop-by-Hop Option
To: Tom Herbert <tom@herbertland.com>
Cc: Carsten Bormann <cabo@tzi.org>, Bob Hinden <bob.hinden@gmail.com>, Gorry Fairhurst <gorry@erg.abdn.ac.uk>, IPv6 List <ipv6@ietf.org>
References: <153972960647.9465.12295361632444928551.idtracker@ietfa.amsl.com> <E97952C5-3E3C-4EC1-B414-BDA8717FD7DF@gmail.com> <24F21185-0E76-449D-B9C7-729DD8CD30EE@tzi.org> <4a8602d4-7bbd-1ce0-7c25-5149f2f8d1ec@si6networks.com> <CALx6S37GG_UDpyJqd61OMXgLCCoEJuXsN5WvkNERdGcUQp0X4A@mail.gmail.com> <7de0cfd8-340a-7f85-f28e-9ebc054cfe4a@si6networks.com> <CALx6S36v22h+3-ee_OvnYyrQsbxPbvAanHFgbXr-BKu_AnX9og@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
Openpgp: preference=signencrypt
Autocrypt: addr=fgont@si6networks.com; prefer-encrypt=mutual; keydata= xsFNBE5so2gBEACzBQBLUy8nzgAzSZn6ViXT6TmZBFNYNqTpPRvTVtUqF6+tkI+IEd9N2E8p pXUXCd0W4dkxz6o7pagnK63m4QSueggvp881RVVHOF8oTSHOdnGxLfLeLNJFKE1FOutU3vod GK/wG/Fwzkv9MebdXpMlLV8nnJuAt66XGl/lU1JrNfrKO4SoYQi4TsB/waUQcygh7OR/PEO0 EttiU8kZUbZNv58WH+PAj/rdZCrgUSiGXiWUQQKShqKnJxLuAcTcg5YRwL8se/V6ciW0QR9i /sr52gSmLLbW5N3hAoO+nv1V/9SjJAUvzXu43k8sua/XlCXkqU7uLj41CRR72JeUZ4DQsYfP LfNPC98ZGTVxbWbFtLXxpzzDDT8i3uo7w1LJ2Ij/d5ezcARqw01HGljWWxnidUrjbTpxkJ9X EllcsH94mer728j/HKzC9OcTuz6WUBP3Crgl6Q47gY5ZIiF0lsmd9/wxbaq5NiJ+lGuBRZrD v0dQx9KmyI0/pH2AF8cW897/6ypvcyD/1/11CJcN+uAGIrklwJlVpRSbKbFtGC6In592lhu7 wnK8cgyP5cTU+vva9+g6P1wehi4bylXdlKc6mMphbtSA+T3WBNP557+mh3L62l4pGaEGidcZ DLYT2Ud18eAJmxU3HnM8P3iZZgeoK7oqgb53/eg96vkONXNIOwARAQABzSVGZXJuYW5kbyBH b250IDxmZ29udEBzaTZuZXR3b3Jrcy5jb20+wsGBBBMBAgArAhsjBQkSzAMABgsJCAcDAgYV CAIJCgsEFgIDAQIeAQIXgAUCTmylpQIZAQAKCRCuJQ1VHU50kv7wD/9fuNtTfxSLk3B3Hs3p ixTy8YXVjdkVwWlnJjFd7BOWmg7sI+LDhpjGfT6+ddOiwkumnvUZpObodj4ysH0i8c7P4C5t F9yu7WjklSlrB5Rth2CGChg5bKt541z2WHkFFxys9qBLmCSYDeKQkzLqhCjIUJizY2kOJ2GI MnSFDzJjhSFEh//oW830Y8fel1xnf/NVF+lBVtRMtMOfoWUqDjvP3sJ1G4zgkDCnF0CfncLx +hq2Mv26Uq9OTzvLH9aSQQ/f067BOkKAJKsfHdborX4E96ISTz57/4xECRSMr5dVsKVm4Y// uVIsb+L5z+a32FaiBZIAKDgnJO7Z8j6CV5e5yfuBTtX52Yi9HjYYqnYJGSDxYd6igD4bWu+7 xmJPHjkdqZgGV6dQIgiUfqkU+s5Cv350vK48CMaT/ZLo2BdsMhWsmaHmb+waePUMyq6E4E9x 9Js+EJb9ZiCfxS9exgieZQpet1L36IvhiwByvkQM009ywfa30JeMOltUtfLi5V06WQWsTzPL 5C+4cpkguSuAJVDTctjCA0moIeVDOpJ8WH9voQ4IeWapQnX35OIoj1jGJqqYdx65gc1ygbyx b8vw+pJ9E5GLse5TQnYifOWpXzX9053dtbwp/2OVhU4KLlzfCPCEsoTyfu9nIZxdI2PMwiL5 M85BfjX4NmwBLmPGoM7BTQRObKNoARAAqqXCkr250BchRDmi+05F5UQFgylUh10XTAJxBeaQ UNtdxZiZRm6jgomSrqeYtricM9t9K0qb4X2ZXmAMW8o8AYW3RrQHTjcBwMnAKzUIEXXWaLfG cid/ygmvWzIHgMDQKP+MUq1AGQrnvt/MRLvZLyczAV1RTXS58qNaxtaSpc3K/yrDozh/a4pu WcUsVvIkzyx43sqcwamDSBb6U8JFoZizuLXiARLLASgyHrrCedNIZdWSx0z0iHEpZIelA2ih AGLiSMtmtikVEyrJICgO81DkKNCbBbPg+7fi23V6M24+3syHk3IdQibTtBMxinIPyLFF0byJ aGm0fmjefhnmVJyCIl/FDkCHprVhTme57G2/WdoGnUvnT7mcwDRb8XY5nNRkOJsqqLPemKjz kx8mXdQbunXtX9bKyVgd1gIl+LLsxbdzRCch773UBVoortPdK3kMyLtZ4uMeDX3comjx+6VL bztUdJ1Zc9/njwVG8fgmQ+0Kj5+bzQfUY+MmX0HTXIx3B4R1I1a8QoOwi1N+iZNdewV5Zfq+ 29NlQLnVPjCRCKbaz9k6RJ2oIti55YUI6zSsL3lmlOXsRbXN5bRswFczkNSCJxJMlDiyAUIC WOay7ymzvgzPa+BY/mYn94vRaurDQ4/ljOfj6oqgfjts+dJev4Jj89vp8MQI3KJpZPEAEQEA AcLBZQQYAQIADwUCTmyjaAIbDAUJEswDAAAKCRCuJQ1VHU50km4xEACho45PZrUjY4Zl2opR DFNo5a6roTOPpgwO9PcBb3I5F8yX2Dnew+9OhgWXbBhAFq4DCx+9Gjs43Bn60qbZTDbLGJ/m 8N4PwEiq0e5MKceYcbetEdEUWhm5L6psU9ZZ82GR3UGxPXYe+oifEoJjOXQ39avf9S8p3yKP Diil0E79rn7LbJjMcgMLyjFg9SDoJ6pHLtniJoDhEAaSSgeV7Y745+gyMIdtQmrFHfqrFdjq D6G0HE+Z68ywc5KN67YxhvhBmSycs1ZSKAXv1zLDlXdmjHDHkU3xMcB+RkuiTba8yRFYwb/n j62CC4NhFTuIKOc4ta3dJsyXTGh/hO9UjWUnmAGfd0fnzTBZF8Qlnw/8ftx5lt4/O+eqY1EN RITScnPzXE/wMOlTtdkddQ+QN6xt6jyR2XtAIi7aAFHypIqA3lLI9hF9x+lj4UQ2yA9LqpoX 6URpPOd13JhAyDe47cwsP1u9Y+OBvQTVLSvw7Liu2b4KjqL4lx++VdBi7dXsjJ6kjIRjI6Lb WVpxe8LumMCuVDepTafBZ49gr7Fgc4F9ZSCo6ChgQNLn6WDzIkqFX+42KuHz90AHWhuW+KZR 1aJylERWeTcMCGUSBptd48KniWmD6kPKpzwoMkJtEXTuO2lVuborxzwuqOTNuYg9lWDl7zKt wPI9brGzquUHy4qRrA==
Message-ID: <94f4ccba-3bd8-9bde-150e-e18e97c07261@si6networks.com>
Date: Thu, 25 Oct 2018 00:00:04 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <CALx6S36v22h+3-ee_OvnYyrQsbxPbvAanHFgbXr-BKu_AnX9og@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/628KcENrubLBLoRPF2JKtCjQJGU>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 22:26:00 -0000

Hello, Tom,

On 10/24/18 5:45 PM, Tom Herbert wrote:
> On Tue, Oct 23, 2018 at 8:14 PM, Fernando Gont <fgont@si6networks.com> wrote:
>> On 10/24/18 3:57 AM, Tom Herbert wrote:
>>> On Tue, Oct 23, 2018 at 11:03 AM, Fernando Gont <fgont@si6networks.com> wrote:
>>>> On 10/17/18 6:49 AM, Carsten Bormann wrote:
>>>>> On Oct 17, 2018, at 00:55, Bob Hinden <bob.hinden@gmail.com> wrote:
>>>>>>
>>>>>> This document specifies a new Hop-by-Hop IPv6 option that is used to
>>>>>>   record the minimum Path MTU
>>>>>
>>>>> A while ago I proposed something similar to collect information about adaptation layer fragmentation MTUs (information about which is truly not available in any other way):
>>>>>
>>>>> https://tools.ietf.org/html/draft-bormann-intarea-alfi-04
>>>>>
>>>>> (I also only looked at the Internet layer here — leaving it as an exercise to put in transport/application protocol support.)
>>>>>
>>>>> After mulling an initial version of the proposal, there was pretty much consensus that hop-by-hop options were not really available on the Internet.  So I put in an alternative way to collect the information, see above if you are interested.  Then at some point SPUD came along and I was hoping that would lead to a framework within in which this information could be better handled.
>>>>>
>>>>> Maybe it’s time to pull the old draft out again.  The hop-by-hop option problem of course hasn’t gone away.
>>>>
>>>> IPv6 EHs are not readily available on the public IPv6 Internet. See
>>>> RFC7872. While not included in RFC7872, my measurements indicate that
>>>> the same applies even to IPsec EHs. :(
>>>
>>> Fernando,
>>>
>>> If I'm reading RFC7872 correctly, it is more accurate to say that the
>>> drop rates for EH vary between 12% and 55% depending on type and
>>> destination. We cannot say that EH always works on the Internet, but
>>> neither is it correct to say that EH never works on the Internet.
>>> Success rate is somewhere in between.
>>
>> Can you depend on something that fails in 10% (or more) of cases?
>>
> Well, aren't we also trying to depend on IPv6 itself which still has a
> pretty high failure rate on the Internet? 

I haven't measured IPv6 failure rate, I should say.



> If we're restricted to only
> use protocols that we can absolutely depend on to work then the only
> choice is to use plain TCP over plain IPv4.

I guess that there are things that are likely to be workable, and others
that aren't. The structure of EHs doesn't seem to be friendly wth modern
router architectures
(https://iepg.org/2015-11-01-ietf94/IEPG-RouterArchitecture-jgs.pdf), so
there's not much of an indication that things will move in a different
direction.



> Also, I think "depend" is an interesting word in this context. By
> definition the Path MTU option is an *option*, it cannot be required
> for basic communications. No one can depend on it.

Either you have a reliable PMTUD, or you prepare to send1280-byte
packets (or smaller). So in such case the algorithm should be "the MTU
is 1280. Upon receipt of a PTMU option, rase it to, at most, the MTU of
your outgoing interface". Otherwise traffic can get blackholed and you
get a DoS.


>>
>>> While the data in RFC7872 is objective, the conclusions being drawn
>>> are not. I think there are two possible conclusions 1) Success rate of
>>> EH is abysmal, EH is a failure and should be deprecated, and the
>>> would-be contents of EH need to be moved to other layers somehow
>>
>> Tags aside, the reality is that if you need the the would-be contents to
>> be reliable, you'd put them else where. Not that I like it... but
>> whatever my personal taste is, it doesn't solve problems by itself.
>>
> The problem there is that no one has yet to define the alternative
> that would work any better.

Currently (SR aside), you need EHs from fragmentation and IPsec. For
fragmentation, it remains to be researched how things are working out
(maybe fall back to v4 for the DNS,.. but I don't know). For IPsec...
well, you probably avoid native IPsec traffic as you did for v4, anyway.

Put another way, looks like nobody   looked for an alternative because
nobody "needed" it.



>>> 2) EH
>>> support is less than desirable, but this is a current condition that
>>> may be improve over time with new deployments, protocol
>>> clarifications, definition of some "useful" options.
>>
>> Yes, it could improve. One never knows. Me, my gut feeling is that's
>> unlikely.
>>
>>
>>> IMO, until EH is
>>> officially deprecated, it is entirely appropriate to define new uses
>>> such as the Path MTU Option here.
>>
>> No matter how EHs are flagged, we're doing engineering. It works, or it
>> doesn't. (as unfortunate as that may be).
>>
> I disagree that it has to be a global binary choice. Happy eyeballs
> has shown how to deal with a protocol that has greater than zero, but
> less than 100% support.

It's a different thing. Happy eyeballs essentially deal with multiple
choices where all of them are equivalent. You just need one to work.
Happy Eyeballs wouldn't work if you tried to use it when acecss stes
behind a firewall that filters port 80 and 443.

If, say, IPsec fails, you can't just "disable ipsec". or "well, lets try
a TLS tunnel".




>> To me, it all looks like they are reliable in controlled domains (within
>> your network, where you control everything), but not elsewhere (public
>> Internet)
>>
> That's not clear at all. For a small domain this might be plausible,
> but for large sprawling domains like the big DC operators that use
> multiple vendors it may or may not be true. Besides that, if the plan
> is to only use features like EH in a controlled domain, then we need
> to have an implementation at host to determine whether the destination
> is in the controlled domain-- that is not necessarily easy to do. A
> common solution should consider whether the feature is viable to each
> particular destination.

So, just as a sample scenario: how ould you workaround non-working IPse
(due to filtering of IPsec EHs?)


> 
>>> Since we know up front that the
>>> option might not always be viable on the Internet, the mechanism will
>>> need a fallback;
>>
>> If the fall-back "just works" why not keep it simple?
>>
> Because fallback means we don't get the advantages of the feature.

That means that the possible outcome, for the pmtu option , is that you
end up using 1280 instead of some larger PMTU.  (The pmtu option is
subject to blackholes... hence the fall back needs to be the minimum
IPv6 MTU, or PLPMTUD).



>>> but the need for a fallback is hardly unique: IPv6
>>> falls back  IPv4 via happy eyeballs, UDP falls back to TCP when
>>> firewalls block UDP, etc.
>>
>> I'd compare such a fall-back with e.g. retrying TCP connections without
>> the ECN bits set. When doing the fall-back, you lose the benefits of
>> ECN. - but I would expect that in most EH cases, loosig the
>> functionality is not a viable option. e.g., what would the fall-back be
>> for IPsec packets that get blackholed?   (I tel you *my* workaround: I
>> tunel over TLS over a transport protocol.. don't even bother to try to
>> do IPsec in the general case)
>>
> I think IPsec is an extreme. For other use cases of EH, particularly
> DO and HBH, like Path MTU option, OAM, FAST the fallback is not to use
> the option. Communication can proceed but advantages is lost possibly
> resulting in a degraded mode of service relative to using the option.

For some of these cases, I'd agree. But for PMTUD, it's tricky (see above).

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email