Re: Comments on draft-herbert-ipv6-update-dest-ops
Tom Herbert <tom@herbertland.com> Mon, 20 August 2018 15:05 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 245E1130E52 for <ipv6@ietfa.amsl.com>; Mon, 20 Aug 2018 08:05:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ifDLDdKyH5Gg for <ipv6@ietfa.amsl.com>; Mon, 20 Aug 2018 08:05:41 -0700 (PDT)
Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF16C12D7F8 for <ipv6@ietf.org>; Mon, 20 Aug 2018 08:05:41 -0700 (PDT)
Received: by mail-qk0-x22c.google.com with SMTP id 126-v6so11031549qke.5 for <ipv6@ietf.org>; Mon, 20 Aug 2018 08:05:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=GnKaof3BIvqKdad4lElncah8Z821mBzDhI+4npfmckw=; b=Ej8j8pLc5qrgNaYupQtwULIzB04aJZCq//7pj3D+dpHpdq402Jl0VpkkKZbG90sgTA sfiVNFUXfZjSG8putkBmYvntvkEd8YOQHoKzI+pk4P6eI6luAYffvhU4i3M60pYLDqan O4jCTBGWQ0C2vE5CJ/Yodkpq3hFw/HqjRI/yGr+6pIJjFDdS2u5mX4hX/H60NFxn3zLe UioAId2McjHVgenqEInl9Z1qnKGJy8KfgAO9urx/Ekj6s6PAYg+5Vig62SvZnX3XtUJi vUnmAI0DCaKGQyM4i6NsAFjxHiO+Lh6A2dJJloSmAO71cPjNzAr1+TmQM4LIKOU9MBvy hUcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=GnKaof3BIvqKdad4lElncah8Z821mBzDhI+4npfmckw=; b=UHG1rXfHHvt+iSnhnWxbyJm36RRBPrXELaEnTOyor9HlDJgCtWk0QmXU+MaWx0mx2l Z5AkS5tWL6motDS0V1dv6hS3u4GOW0RT1NQ1MnQUKNwSmoTiudsKrC9uPsY82jUfP7pH eGZnDkKN6FxDeEKFG9HmtXiUTnhSPKizVO96TvGNB8kgrru/0yXEJSV+W1TRAZZTxILE zKVh0wrWvVH0e1SpNGI+7NXpdtBv0sxyqF6Gp8rBU+/B/mGrMUqdwR4BK9+2XWjdCkog l/TTPWPdgLeItlSRQnKszPxOYxiqTUkfaZIzgETdwLPWzs4hZK4h7EY97L7lQp0XQFsR WH7g==
X-Gm-Message-State: AOUpUlF6YcEnUGgjuZoqDJ1Yx5iEZ/LoIy+vZ2tDYJLq/bJTP6044dM+ DJ5BsdmX0gS7JLTyvKJacfZFR4GhrCr+3V8CJBUYHQ==
X-Google-Smtp-Source: AA+uWPw/otOSE4JW5w+Z4nNMpDkDQl2XZSCJHdTM+3UWebVcEwjo32Tv4AEekHR27BobWOM0dUJmLoJiwWX1fEC9lZE=
X-Received: by 2002:ae9:c002:: with SMTP id u2-v6mr41066873qkk.391.1534777540555; Mon, 20 Aug 2018 08:05:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ac8:3312:0:0:0:0:0 with HTTP; Mon, 20 Aug 2018 08:05:39 -0700 (PDT)
In-Reply-To: <CACL_3VGfMj6DjAWsxib6Hw_x=5X3CWASKU1oiGqvFdksDuFXDw@mail.gmail.com>
References: <CACL_3VF+EoKOEF-TkB3179UsmN_Yhaqt60jh_h2d2GLnE0EWDA@mail.gmail.com> <CALx6S356TVnbnZ_zp5+aK_x-DmMJUTidw0Wzbc3Tn=cscTd7VA@mail.gmail.com> <CACL_3VGUUs1FS4Qog6pzJ2WZyir2-keEVZTU6opzXQ4t0M-XUw@mail.gmail.com> <CALx6S35q5EqZt26KSPTGHBXZpzaNYyFBO9UxVNsi4is1BxUHrQ@mail.gmail.com> <CACL_3VGfMj6DjAWsxib6Hw_x=5X3CWASKU1oiGqvFdksDuFXDw@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 20 Aug 2018 08:05:39 -0700
Message-ID: <CALx6S37c_WCa+A3aD7X-rq-kj_RTGfGur8HVekt_LWTg6Os18g@mail.gmail.com>
Subject: Re: Comments on draft-herbert-ipv6-update-dest-ops
To: "C. M. Heard" <heard@pobox.com>
Cc: 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/9mi2vMBogCaXSZJPuH2ytBIOo7Q>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2018 15:05:45 -0000
On Sun, Aug 19, 2018 at 8:10 PM, C. M. Heard <heard@pobox.com> wrote: > On Sun, Aug 19, 2018 at 1:30 PM, Tom Herbert <tom@herbertland.com> wrote: >> On Sat, Aug 18, 2018 at 1:22 PM, C. M. Heard <heard@pobox.com> wrote: >>> On Sat, Aug 18, 2018 at 11:06 AM, Tom Herbert <tom@herbertland.com> wrote: >>>> On Sat, Aug 18, 2018 at 10:16 AM, C. M. Heard <heard@pobox.com> wrote: >>>>> First, the proposal makes processing of a Destination Options header that >>>>> precedes a routing header optional for the final destination node, to >>>>> which the stated rationale clearly does not apply. >>> >>> Would you care to address this objection? >> >> The allowance would have to cover all destination nodes including the >> last one because there is no way to to know a node is last in the >> routing list without processing the routing header which would violate >> RFC8200. I would note that this wouldn't impact DestOpts after a >> Routing header which must be processed only by the final destination. > > True, but surely a node that can process a Destination Options header that > follows a Routing Header -- which an end node must be able to do -- also has > the capability to process a Destination Options header that precedes a > Routing Header. It should not matter whether or not it is the final > destination of the packet. > Mike, Yes, that would be true if the final destination is a compliant host stack (e.g. Linux). In that case Hop-by-Hop options as well as Destination options before or after a Routing header are properly parsed. As I mentioned, we can now limit the number of TLVs that are parsed to reasonably limit processing and prevent some denial of service attack, but there's no motivation for these stacks to start completely ignoring options all together-- it's only a MAY in RFC8200 that a stack can ignore HBH and a MAY in this draft to ignore DestOpts . The negative converse also seems to be true. If an implementation does not support parsing of Destantion Options before the Routing header, then the node probably doesn't support parsing of any Destination Options. This becomes an issue in router implementations that terminate tunnels int the network with intent to and forward the tunneled packets. For instance FD.io VPP supports VXLAN, LISP, SR-IPIP among other encapsulations, AFAICT if the implementation receives an encapsulated packet addressed to the node that has a Destination Option (second type that follows any Routing header), either the packet is either dropped or the Destination options are ignored. Tom > [ ... ] > >>> Do you know how that >>> all works for the implementations(other than Linux) that are listed in >>> https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-14#section-8? >> >> Linux properly implements Destination Options (both before and after >> Routing header), including handling of unknown TLV types. It also now >> limits the number of TLVs per the recommendations of RFC6434bis (eight >> is default limit). >> >> I looked at FD.io VPP code. AFAICT they do NOT implement compliant >> support for Destination Options. It appears that the Routing header is >> being fished for using the function ip6_ext_header_find_t. That >> function will skip over Destination Options before the Routing header. >> There are only two inconsequential references to >> IP_PROTOCOL_IP6_DESTINATION_OPTIONS (nexthdr constant) in all the VPP >> code, and I can't find any evidence that Destination Options TLVs are >> ever parsed. >> >> I looked for information on P4 how implements this an couldn't find >> much of relevance. As I understand it, P4 does not natively support >> loops so parsing an unlimited list of TLVs might not be feasible, >> although maybe it's possible to parse a small number of them. >> >> For commercial implementations, like Cisco and Juniper, I'll let it up >> to the vendors to report whether or not they have proper support for >> Destination Options and how much they have tested that. > > Thanks for providing that information. > > Mike Heard
- Comments on draft-herbert-ipv6-update-dest-ops C. M. Heard
- Re: Comments on draft-herbert-ipv6-update-dest-ops Tom Herbert
- Re: Comments on draft-herbert-ipv6-update-dest-ops C. M. Heard
- Re: Comments on draft-herbert-ipv6-update-dest-ops Tom Herbert
- Re: Comments on draft-herbert-ipv6-update-dest-ops C. M. Heard
- Re: Comments on draft-herbert-ipv6-update-dest-ops Tom Herbert
- Re: Comments on draft-herbert-ipv6-update-dest-ops Ole Troan
- Re: Comments on draft-herbert-ipv6-update-dest-ops Joel M. Halpern
- Re: Comments on draft-herbert-ipv6-update-dest-ops Tom Herbert
- Re: Comments on draft-herbert-ipv6-update-dest-ops Ole Troan
- Re: Comments on draft-herbert-ipv6-update-dest-ops Ole Troan
- Re: Comments on draft-herbert-ipv6-update-dest-ops Tom Herbert
- Re: Comments on draft-herbert-ipv6-update-dest-ops Fred Baker
- Re: Comments on draft-herbert-ipv6-update-dest-ops Ole Troan
- Re: Comments on draft-herbert-ipv6-update-dest-ops Tom Herbert
- Re: Comments on draft-herbert-ipv6-update-dest-ops Tom Herbert
- Re: Comments on draft-herbert-ipv6-update-dest-ops Ole Troan
- Re: Comments on draft-herbert-ipv6-update-dest-ops Tom Herbert
- Re: Comments on draft-herbert-ipv6-update-dest-ops Ole Troan
- Re: Comments on draft-herbert-ipv6-update-dest-ops Tom Herbert
- Re: Comments on draft-herbert-ipv6-update-dest-ops Ole Troan
- Re: Comments on draft-herbert-ipv6-update-dest-ops Brian E Carpenter
- Re: Comments on draft-herbert-ipv6-update-dest-ops Tom Herbert
- Re: Comments on draft-herbert-ipv6-update-dest-ops Brian E Carpenter