Re: Feedback on the use of Hop-by-Hop options extension header (draft-francois-dots-ipv6-signal-option-01)

Jérôme François <jerome.francois@inria.fr> Fri, 10 February 2017 22:35 UTC

Return-Path: <jerome.francois@inria.fr>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54361129479 for <ipv6@ietfa.amsl.com>; Fri, 10 Feb 2017 14:35:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2PKTkeBVkYAD for <ipv6@ietfa.amsl.com>; Fri, 10 Feb 2017 14:35:37 -0800 (PST)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 392BC129408 for <ipv6@ietf.org>; Fri, 10 Feb 2017 14:35:37 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.35,142,1484002800"; d="scan'208,217";a="259839559"
Received: from 100.42.158.77.rev.sfr.net (HELO [10.192.1.156]) ([77.158.42.100]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES128-SHA; 10 Feb 2017 23:35:35 +0100
Message-ID: <589E4036.6030801@inria.fr>
Date: Fri, 10 Feb 2017 23:35:34 +0100
From: =?UTF-8?B?SsOpcsO0bWUgRnJhbsOnb2lz?= <jerome.francois@inria.fr>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Mark Smith <markzzzsmith@gmail.com>
Subject: Re: Feedback on the use of Hop-by-Hop options extension header (draft-francois-dots-ipv6-signal-option-01)
References: <589AE235.6080808@inria.fr> <CAO42Z2x56kuB1jS8sOy6RC+rh4AYMy0_tdz-UOqaU4_C_9epbg@mail.gmail.com>
In-Reply-To: <CAO42Z2x56kuB1jS8sOy6RC+rh4AYMy0_tdz-UOqaU4_C_9epbg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040803000006080305010905"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/8rXyZwIgXEEuc14Ifi98masU_io>
Cc: 6man WG <ipv6@ietf.org>, Abdelkader Lahmadi <abdelkader.lahmadi@inria.fr>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 22:35:40 -0000

Thanks Mark

Le 08/02/2017 14:29, Mark Smith a écrit :
>
>
> On 8 Feb. 2017 20:18, "Jérôme François" <jerome.francois@inria.fr
> <mailto:jerome.francois@inria.fr>> wrote:
>
>     Dear all,
>
>     We are working on a DOTS draft about using the Hop-by-Hop option
>     header
>     to encapsulated DDoS signaling  within network to enabel a kind of
>     epidemic propagation
>     (https://tools.ietf.org/html/draft-francois-dots-ipv6-signal-option-01
>     <https://tools.ietf.org/html/draft-francois-dots-ipv6-signal-option-01>)
>
>     Some comments have been raised considering the real use of the
>     Hop-by-Hop option. We would like to ask you your feedback about
>     using it
>     for very specific signaling among trusted parties. In particular,
>     do you
>     know any reference to a particular use of Hop-by-Hop in a real case.
>
>     We have also followed the mailing list discussion about header
>     insertion,
>     which obviously concerns our approach since we are extracting and
>     inserting
>     some info in headers on the paths. Even if this is is limited to
>     specific
>     routers in a single domain,
>
>
> The only place it will be guaranteed to be limited to a single domain
> is the specification. It is not possible to make and rely on that
> guarantee in implementations, as implementations can be imperfect.
>
> If the packet leaks out of the insertion domain, the inserter won't
> know it, because they'll suffer no, no obvious and/or no immediate
> consequences, and the receiver who does suffer consequences with have
> no ability to easily identify who inserted the EH or even if one was
> added by an intermediary while the packet was in flight.
>
Our initial idea is to force that exit routers are in charge of removing
the EH to every leaving packets. Of course, this supposes that all of
them properly implements this process.
>
>     we understand that it can create problems and
>     should maybe use packet encapsulation.
>
>
> That would be best. It clearly delineates between what was the
> original packet and what was added, and adds another set of source and
> destination addresses that identify what domain/device added the
> information, and what destination device within that domain that  the
> added information was intended for.
>
> Encapsulation has a higher per-packet overhead, however it provides
> attribution of the addition and prevents misinterpretation of the
> additional information if it gets sent somewhere it shouldn't (an
> encapsulated packet leaking out of an encapsulation domain should be
> sent back towards it because of the encapsulation destination address,
> or will be dropped because the encapsulation destination address is
> unreachable outside the domain.)
>
Is there a document or report which have evaluated the oevrhead precise
? In our context, the network already suffers from a DDoS attacks.
Adding overhead may amplify the problem but it is somehow a last chance
to inform the mitigator about the attack (whatever it will cost letting
the attack continuing is worst in terms of overhead).

Best regards,
jerome
> Regards,
> Mark.
>
>
>
>     Best regards,
>
>
>     --------------------------------------------------------------------
>     IETF IPv6 working group mailing list
>     ipv6@ietf.org <mailto:ipv6@ietf.org>
>     Administrative Requests:
>     https://www.ietf.org/mailman/listinfo/ipv6
>     <https://www.ietf.org/mailman/listinfo/ipv6>
>     --------------------------------------------------------------------
>
>