IETF Logo Mail Archive

Re: FW: New Version Notification for draft-bonica-6man-frag-deprecate-00.txt

Mark Andrews <marka@isc.org> Mon, 24 June 2013 03:10 UTC

Return-Path: <marka@isc.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D718C21F9BC8 for <ipv6@ietfa.amsl.com>; Sun, 23 Jun 2013 20:10:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.535
X-Spam-Level:
X-Spam-Status: No, score=-2.535 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id POolXK01QzoN for <ipv6@ietfa.amsl.com>; Sun, 23 Jun 2013 20:09:58 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id 898B521F9360 for <ipv6@ietf.org>; Sun, 23 Jun 2013 20:09:58 -0700 (PDT)
Received: from mx.pao1.isc.org (localhost [127.0.0.1]) by mx.pao1.isc.org (Postfix) with ESMTP id CA21BC9424; Mon, 24 Jun 2013 03:09:49 +0000 (UTC) (envelope-from marka@isc.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=dkim2012; t=1372043398; bh=XhIK456Smnvq8IyOFH3wwWlKIxiMgfPHT36kSa2r9T0=; h=To:Cc:From:References:Subject:In-reply-to:Date; b=Vlbc3Gm0RiTLJbHL3pqVU9nG0JScXn8VsFuYapotgBz2CaYHpxvomkmERoQacQDgk lZTdRR25w1ms4bgZkfy4nab2LY4X4LKfKrq4b2tM0LCEup61I5JhHaS5B5qiYxx1bZ eLNJNkE4P0f9MwsKhtvliV6gNPRZZ4ovsVB26/NI=
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.pao1.isc.org (Postfix) with ESMTP; Mon, 24 Jun 2013 03:09:49 +0000 (UTC) (envelope-from marka@isc.org)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 84FFB160056; Mon, 24 Jun 2013 03:10:51 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id m9o_9J7g4kPo; Mon, 24 Jun 2013 03:10:50 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id C0BDC160089; Mon, 24 Jun 2013 03:10:50 +0000 (UTC)
X-Virus-Scanned: amavisd-new at zmx1.isc.org
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 2gBhJEfxIvSl; Mon, 24 Jun 2013 03:10:50 +0000 (UTC)
Received: from drugs.dv.isc.org (c211-30-172-21.carlnfd1.nsw.optusnet.com.au [211.30.172.21]) by zmx1.isc.org (Postfix) with ESMTPSA id 53DD3160088; Mon, 24 Jun 2013 03:10:50 +0000 (UTC)
Received: from drugs.dv.isc.org (localhost [IPv6:::1]) by drugs.dv.isc.org (Postfix) with ESMTP id CA0DD363070C; Mon, 24 Jun 2013 13:09:39 +1000 (EST)
To: Doug Barton <dougb@dougbarton.us>
From: Mark Andrews <marka@isc.org>
References: <2CF4CB03E2AA464BA0982EC92A02CE2509F85151@BY2PRD0512MB653.namprd05.prod.outlook.com> <51C408BC.4030909@forthnetgroup.gr> <2CF4CB03E2AA464BA0982EC92A02CE2509F85BCB@BY2PRD0512MB653.namprd05.prod.outlook.com> <51C48776.9070107@globis.net> <2CF4CB03E2AA464BA0982EC92A02CE2509F85FBA@BY2PRD0512MB653.namprd05.prod.outlook.com> <51C4AD03.2050303@globis.net> <2CF4CB03E2AA464BA0982EC92A02CE2509F86075@BY2PRD0512MB653.namprd05.prod.outlook.com> <51C4BD1E.6030002@gmail.com> <51C7A69F.40400@dougbarton.us>
Subject: Re: FW: New Version Notification for draft-bonica-6man-frag-deprecate-00.txt
In-reply-to: Your message of "Sun, 23 Jun 2013 18:53:35 -0700." <51C7A69F.40400@dougbarton.us>
Date: Mon, 24 Jun 2013 13:09:39 +1000
Message-Id: <20130624030939.CA0DD363070C@drugs.dv.isc.org>
X-DCC--Metrics: post.isc.org; whitelist
Cc: ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jun 2013 03:10:03 -0000

In message <51C7A69F.40400@dougbarton.us>, Doug Barton writes:
> Given that larger and faster pipes are becoming more common, and given 
> that we know that larger packet sizes make for more efficient 
> utilization of those pipes, IMO it's a really bad idea to "give up the 
> fight" at this early stage in IPv6 deployment.
> 
> Until there is dramatic evidence to the contrary it seems to me that 
> it's still worthwhile to push for making the protocol work as designed.
> 
> Doug

For DNS PMTUD is just too slow (TCP) or doesn't work (UDP) as the
servers don't keep query state to resend replies on ICMPv6 frag
required and client retries are just too slow to trigger the resend.
This is why I pushed for a way to say fragment at 1280 back in
'98[1] which became IPv6_USE_MIN_MTU[2].

A recursive server has around 3 seconds to do a DNS lookup before
the client gives up.  In that time it has to talk to multiple
servers.  Deal with dead servers.  Deal with packet loss due to
congestion.  Deal with broken servers that don't respond.  Deal
with PMTUD.  Deal with broken firewalls that don't pass fragments.

PMTUD can be eliminated by setting IPv6_USE_MIN_MTU.  This should
result in UDP fragments and TCP segments that don't get blocked due
to IP packet size.  Some TCP stacks are broken as IPv6_USE_MIN_MTU
is ignored when they do their MSS negotiation.

As far as I can see the main reason fragmentation becomes a issue
is that firewalls and load balancers can't determine what to do
with a fragment as some information from the L4 header is missing.
If we supply that information in every fragment as a hop-by-hop
option{s} most of the problems are addressed.

You still have some firewalls that want to do deep inspection of
the packet but even then they could reassemble after filtering based
on the hop-by-hop option{s} which would provide some protection to
the reassembly queues on the firewall.

I also don't see what the deep inspection of UDP/DNS packets is
trying to accomplish when the same firewall passes TCP/DNS messages
without reassembling them.  If you are a malicious server you would
just set TC=1 and attack the client over TCP.  Yes, most clients
do correctly handle TC=1.

Mark

[1] https://datatracker.ietf.org/doc/draft-ietf-ipngwg-bsd-frag/
[2] http://tools.ietf.org/html/rfc3542
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email