IETF Logo Mail Archive

Re: [2nd] Working Group Last Call for draft-ietf-6man-mtu-option-06

Fernando Gont <fernando.gont@edgeuno.com> Fri, 03 September 2021 00:45 UTC

Return-Path: <fernando.gont@edgeuno.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB4CE3A1A3B; Thu, 2 Sep 2021 17:45:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=edgeuno.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wt8TX1ikpkaC; Thu, 2 Sep 2021 17:45:28 -0700 (PDT)
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2105.outbound.protection.outlook.com [40.107.237.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 355CC3A1A39; Thu, 2 Sep 2021 17:45:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eRCdmlEwclyUfcGaghHf+W5HrWF8eXh5O5l4DdK28/JS7C8ck3SzXpGDqbZ28jETd2zFtrJTePn4ywiFaUOppPOJObcKq2g28usyhKhy2xd4RifpWHq8cl/WMzw2OQFiR1mL9MEOU4cloYLBd/QgzePKvw0/P1kTNw1eC7knbAxFLA09M53rZWlDfCbdeqAoE+TdViUq8bG/c3J57avnVaZIitbHCAjvwby7yAWnfUsiz/fgVnHy0lc7ljE71V655N5W7vxu5Ur6hFwomHFJfJlPsKSlwyxCS/U4cYyASSjSRVgBBU+td0pvluDTpOnrsYRrqWA594zn/ZX/nS23qA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=XXsdcKawjAYRY6wdaD3KRceoqmZJBu2cECDpnlTxH50=; b=BTvQfHv8u5rXW4aaGjVpeu0xSJWSPCzk2R93ImzYzQ+OlKmEZBEV07iMryVZRmPf8ye+3mA7FzRXSRtKeCcJzy+EYgYB2Dq96hJJB0ablWfXi1SNmhsLqf/vnzoOz4XCZ5hHJfNc9yIFvCItdX1HaN8qQ+6kNKfkSNvYHBcn505PecQV8sWx4lYyc7F8w+ZFCmvbslk3ZeGcMYFv7NVex2TRO39fEcqjykrxQVevByI+vyNOM3HRhCIT6lKKHJGbPIO0uYEZbWZ6oSfCa41/np3TmF7E17+JkeEpwtjZi6goOtixDN0j5gIka1OxuiY6+7Tnw75XRtYphEeDc0xlWA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=edgeuno.com; dmarc=pass action=none header.from=edgeuno.com; dkim=pass header.d=edgeuno.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=edgeuno.onmicrosoft.com; s=selector1-edgeuno-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XXsdcKawjAYRY6wdaD3KRceoqmZJBu2cECDpnlTxH50=; b=D2zQ5aI56Aa46BCZJhqQQnpnUKXkDcTdrkBfVtLnix04hiCK/NcKswivvdWgotfKdko/cyYt7Pqesl/NVAEPR98oxfCTD/RsBqhcUslspTH8a/Ryzyjn82RE9j80lGkl73XRFN3LIC4bFlDoa/DstRbHf+icvycUFtuCPx9Nthg=
Authentication-Results: edgeuno.com; dkim=none (message not signed) header.d=none;edgeuno.com; dmarc=none action=none header.from=edgeuno.com;
Received: from BY3PR05MB8578.namprd05.prod.outlook.com (2603:10b6:a03:3cd::10) by BYAPR05MB6581.namprd05.prod.outlook.com (2603:10b6:a03:f0::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4478.16; Fri, 3 Sep 2021 00:45:25 +0000
Received: from BY3PR05MB8578.namprd05.prod.outlook.com ([fe80::5d1a:6f5:58a5:87e1]) by BY3PR05MB8578.namprd05.prod.outlook.com ([fe80::5d1a:6f5:58a5:87e1%7]) with mapi id 15.20.4500.007; Fri, 3 Sep 2021 00:45:25 +0000
To: otroan@employees.org, 6man WG <ipv6@ietf.org>, "Gorry (erg)" <gorry@erg.abdn.ac.uk>, Bob Hinden <bob.hinden@gmail.com>
Cc: 6man Chairs <6man-chairs@ietf.org>
References: <9BD9945A-7A2B-490E-A0C4-6FEED9D41E49@employees.org> <8F54E45B-AE5E-4DD6-84D6-1A44B79E14AE@employees.org>
From: Fernando Gont <fernando.gont@edgeuno.com>
Subject: Re: [2nd] Working Group Last Call for draft-ietf-6man-mtu-option-06
Message-ID: <d37ddbb9-0fb9-2182-a1d9-3439657c958e@edgeuno.com>
Date: Thu, 02 Sep 2021 21:45:15 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
In-Reply-To: <8F54E45B-AE5E-4DD6-84D6-1A44B79E14AE@employees.org>
Content-Type: text/plain; charset="windows-1252"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
X-ClientProxiedBy: CPYP284CA0053.BRAP284.PROD.OUTLOOK.COM (2603:10d6:103:81::22) To BY3PR05MB8578.namprd05.prod.outlook.com (2603:10b6:a03:3cd::10)
MIME-Version: 1.0
Received: from [192.168.1.10] (190.179.67.27) by CPYP284CA0053.BRAP284.PROD.OUTLOOK.COM (2603:10d6:103:81::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4478.19 via Frontend Transport; Fri, 3 Sep 2021 00:45:22 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 0802af11-c9e9-4fb9-36aa-08d96e741df2
X-MS-TrafficTypeDiagnostic: BYAPR05MB6581:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: <BYAPR05MB65818E08B29F1FA69580698CE5CF9@BYAPR05MB6581.namprd05.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:8882;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: SEKUvUGElp3+3h3LjvhxxTRUe4UT5zKd3entbJfnpBV7BQBxHScU7L50w3YHtbspplO15tNvEfrNT/5K+HQXRt+6AnRLlL7EyHbeDAbS3kZY3u0Kx4gsLUs8DOxd7ZkiB5Vb1qRib/skdFG20Wwtk/GWYITC7W96v9Dm7294BtiEqC0wk4jc1/i7SXHti1ytkgQrh/OD3LKSYlumE3PFirfG9xpecmATA/2rWdiJobopHayME4Q5nSjugStFzH+XEgehaSvKF/Ne5IXAYi9+vPog3K+DmsSYEiUTqhqvOUdwZPGGxm+G9rZZRgFzN52vWcWsMqFJHyKSLtZ05onzBdNl+l7p8+1R8feK+meicxkHcvhax+Pw74BJ/HWLcU1H+mId46Gw5vTwpHejzIaVCkmyYNM7YrqvMMp38zpUc6fXVRIoqbuNRmo6tcRAH5prUwTWWewvZU2XCO7vlWs2abPlR9HxczoHDk+L9N3Hz8ySEnmZhwYkMfo02Uag2TM58e51amUuLqp/Zg4IYMMH3phQka4+gamrk2Ycx1aMaSuuwfdJ0k8L5XzXD9UKCDOZ1qKBXk+JcI/vF9y8Ve/KewhEInObbFQBU6kiqrSM8Y/NOCg7eRPHaFh/7aQVKTy4ieaMx9APbJMI9uE0EE+++/q5SzSs1SBunOswVXkT8XW6UhfLIz1Uf5DJ9t3WEBRkLJjbEhxri/iND4hdvHDz8oMC5SZTU3+DntZeHicqr+rWl/HbfACuaQuDv0wuDbM15qdBhAUpvg/P4cn7o1jQ43nK8EDXM70nCNDaCQOUPNlWUuA6rED3URp4W6vsUHn6k789gLq5dp9hneEh3LmmWw==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY3PR05MB8578.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(86362001)(6486002)(83380400001)(5660300002)(8676002)(66574015)(6666004)(52116002)(508600001)(966005)(2906002)(2616005)(956004)(66556008)(66476007)(66946007)(8936002)(4326008)(44832011)(38100700002)(53546011)(31696002)(110136005)(36756003)(186003)(316002)(26005)(16576012)(31686004)(38350700002)(45980500001)(43740500002); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: NuRMpHmeX1XlAsircLQrRDwEfy/obSnfIxa8GQk4E3DZIcNVfH/xNgVjuQWoNWYa4UQXL++YQjcoUfaXC7eBV1fcxHxOOVrPogWE6RhPeG6C5Z4KLN+8/NLesQoxL72VyHsHHySPpTKF8wsZV+9o2qADLQWwGkWA2LPuocc9UDAYrpbxq/+lD2jJBv9BwkCRPx8x/Uq8yhrMqOgCH1nhoiZ0wwMFfPlXWlIW4GQPU7MOlZqgTtKZtPGScI0lf6btCB4Ufssk2hCmQ7VtdozLY1PHvNYVIzzAr3wQ8NzDdRBhMXWAbzuUi4WjwJHx9eAWzKKLz/KWhGVKgusarneSPi3kWARysR4rCemW7osTKGYE5xKALKzGBqxqCJ92XtwYdP/UwaY6EVBYIBRuhdUTcaED0HxtFgaW9WBpJKZO/i4tABQgu+6u4yIUBbXqtgsI0k3aMwQEcVN0gomAwZcGiROE/7XRtUc23fqLcF0yVBhfgIMvz6njE7zhmGIBs6OwY2s4VCw/2MV9CT+KjO3q8FA1vDZUR4E015d0G8xWBjU28RT+nlbbC634iBo06i+SPYqfD1+f1nSeaDfVI/qo0GwOfWnVIVNag78uynSoQcdLcEI5L2jrs1l+lz/m9TQMF1zK9VGTVRxfxwIHxrY71ZymSiUgW/V1Yiak7se9GFH25E4YYUP5oDOZ/YXMYYo9keaRyagSGaZTFl1AXr/HF+J/Fs7oxNanfKORrJhBJG3a0K+EGfbU473nf3clIq9Pl81sARE1Psbky05pF1AwY29DH7m9p1zbQOPXnWr8KIh/9lkTdaDN9MWCTrGspvU8MkCn0f/OU7+a+eud/TZRRU7RYK9x2qhC7mpp5bZFi28nQHtMTkAHpn0rkGQ0jpW6p7pPFPr8QpUf0+5HY9sPPE+YDFXPWAPdK/c3Q7CtD+hcpwjfNtxSUW6ez8BdL2fqgd9wXcjm25Tp1J1pfjKrfg8I7xJ/ezy6WehMUAvl/TAIU0sEttPyYLBepBFsjXTo6e6gAHtHVsQM+d3kEO7PxlSqw7Wr0perqjTSNnkPBI2BMhXqxyxZJvXIL0ESMBPuL7D5UG3yfsGOzlUdDTulCqQO+Bh0iSgHRrg1KG7M94hrZhG5sM9s/SMEhuTYnut8AYkuqqOlP02XLKrX9CUnkTfio/OxQplbIuZYFHtwnIRLNLJT2GflPrJSi9a/JYviOQblBRrKecmNQgw2V4Fut1PwBWY+6PmeVJQI9XHnnwv96UU+VW6BhHs9OmVa9a+erIIIy621E7SRWeTHKuIJMLWCEkfKAoOYZ7UJgzXzIfqMoAXfSri+LSnszcEZcd+D
X-OriginatorOrg: edgeuno.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0802af11-c9e9-4fb9-36aa-08d96e741df2
X-MS-Exchange-CrossTenant-AuthSource: BY3PR05MB8578.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Sep 2021 00:45:25.0197 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 20879dba-fabf-45da-8300-60b8ce560217
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: Qdfwb8CNXIFJ4XbuRxiThXnnAhZuG6qOFXHJBPkAr8XBN6PUFf2UPdqLiIa9Rt8LhlpC0y1T2N/trCRU+VJTsI3jQsuusK4iS6BFuTPIkxA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB6581
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/CCwQESEEzMWCaKekg6FwkltyMDA>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Sep 2021 00:45:34 -0000

Hi, all,

I happened to read this thread, and took some time to look at the draft.
Sorry for the bad timing... but I felt it was probably better to send
this now that during IETF LC.

I took a quick look at the document, and have the following comments:

* Meta:

It is not quite clear to me if this option is expect to provide an
alternative to e.g. PMTUD or PLPMTUD, or complement it. But in any case,
I think this should be more evident early in the document, and probably
even in the abstract itself.

* Meta:

It seems this option would allow for a PMTU increase, whereas previous
PMTU mechanisms (ICMP-based PMTU) can only increase the PMTU when
specifically probing the path for PMTU increases.


* Meta:

In many parts the document talks about "the minimum Path MTU". HOwever,
this is a bit confusing. as "Path MTU" typically implies "the minimum
MTU along the path".


* Section 1:
   At each subsequent hop where the option is processed, the router
   compares the value of the Min-PMTU Field in the option and the MTU of
   its outgoing link.  If the MTU of the link is less than the Min-PMTU,
   it rewrites the value in the option data with the smaller value.

I'm probably missing something, but: if the outgoing MTU is smaller that
the MTU value in the option (possibly because the outgoing link will
reduce the PMTU), wouldn;t the packet be dropped? -- in which case, how
would the associated information be communicated?


* 1.1.  Example Operation

For the figure, I;d use symbols in all cases, are numeric MTU values in
all cases (and hence two figures).



* Section 2: "Motivation and Problem Solved"

The document essentially notes that this option could solve the issue of
Path-MTU being broken. However, IPv6 options are as broken (or more) in
the public Internet as PMTUD.

In that sense, if this option is meant for the general Internet, then
there's no indication whatsoever that this option will produce an
improvement (actually, data seems to argue quite the contrary).

And, if the option is mean for limited domains, then... if you can make
this option work, you could also make PMTUD work -- unless I;m missing
something.


* 4.  Applicability Statements

At the risk of sounding our own horn, I'm surprised this section (and
the previous one) do not reference RFC7872 and the upcoming RFC 9098,
which essentially cover the issue of IPv6 option processing.


* 5.  IPv6 Minimum Path MTU Hop-by-Hop Option

There's no checksum in IPv6. How does this affect this option? -- i.e.,
the option being corrputed and hence signaling incorrect information.


* Section 5:
     Min-PMTU: n 16-bits.  The minimum MTU recorded along the path
                 in octets, reflecting the smallest link MTU that
                 the packet experienced along the path.
                 A value less than the IPv6 minimum link
                 MTU [RFC8200] should be ignored.

s/should/SHOULD/ ?  Or actually s/should/MUST/?



* 6.2.2.1.  Including the Option in an Outgoing Packet

   *  The use of this option with DNS and DNSSEC over UDP ought to work
      for paths where the PMTU is symmetric.  The DNS server will learn
      the PMTU from the DNS query messages.  If the Rtn-PMTU value is
      smaller, then a large DNSSEC response might be dropped and the
      known problems with PMTUD will then occur.  DNS and DNSSEC over
      transport protocols that can carry the PMTU ought to work.

This probably implies that the option would be used in the public
Internet. However, RFC7872 argues that it will not work reliably.


* 8.2.  Validating use of the Option Data

Port randomization is discussed in RFC6056.


* 8.2.  Validating use of the Option Data

Generally speaking, relying *only* on port randomizayion is not
considered acceptable. For validation, it would seem to me that
validations similar to RFC5927. Or, more explicitly, one could require
that packets are "in windows" (e.g., when the upper layer protocol is
TCP). As with the considerations in RFC5927 for the ICMP-based attacks,
catching the PMTU on a per-src-dst basis might not be a good idea if the
info was generated by a transport protocol that doesn;t allow for even
basic validation.



* Section  8.2

   A network node on the path has visibility of all packets it forwards.
   By observing the network packet payload, the node might be able to
   construct a packet that might be validated by the destination host.
   Such a node would also be able to drop or limit the flow in other
   ways that could be potentially more disruptive.  Authenticating the
   packet, for example, using IPsec [RFC4301] or TLS [RFC8446] mitigates
   this attack.

How would these help protect the option?


* 10.  Implementation Status

   At the time this document was published there are two known
   implementations of the Path MTU Hop-by-Hop option.  These are:

   *  Wireshark dissector.  This is shipping in production in Wireshark
      version 3.2 [WIRESHARK].

I might be wrong, but the WIreshark disector, while useful, wouldn;t
count as an implementation of the option.


Apologies for the delay in sending feedback. I've been strucling to keep
up with IETF stuff.

Thanks,
Fernando




On 1/9/21 05:30, otroan@employees.org wrote:
> I did my shepherd's/chair's review is on google docs:
> https://docs.google.com/document/d/1jffQL-nWfsIkbBsCLzeyJIje1raKiHR8z7-mthHSRcw/edit?usp=sharing
>
> Best regards,
> Ole
>
>
>> On 18 Aug 2021, at 09:12, otroan@employees.org wrote:
>>
>> Signed PGP part
>> Just a reminder of the WGLC for the MTU option.
>> Thanks for the comments so far.
>>
>> Are there anyone who would volunteer to do a very thorough review as part of the WGLC as well?
>>
>> Best regards,
>> Ole, co-chair 6man.
>>
>>
>> This message starts a new two week 6MAN Working Group Last Call on advancing:
>>
>>  Title           : IPv6 Minimum Path MTU Hop-by-Hop Option
>>  Authors         : Robert M. Hinden
>>                    Godred Fairhurst
>>  Filename        : draft-ietf-6man-mtu-option-06.txt
>>  Pages           : 19
>>  Date            : 2021-08-07
>>
>> https://datatracker.ietf.org/doc/draft-ietf-6man-mtu-option/
>>
>> as an Experimental Track document.
>>
>> Substantive comments and statements of support for publishing this document should be directed to the ipv6@ietf.org mailing list. Editorial suggestions can be sent to the author.
>>
>> This last call will end on 23 August 2021.
>>
>> Thanks,
>> Ole
>>
>>
>>
>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

--
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
“This communication is the property of EdgeUno or one of its group companies and/or affiliates. This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and if you are not the intended recipient be aware that any non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, and will be considered a criminal offense. Please notify legal@edgeuno.com about the unintended receipt of this electronic message and delete it.”

v2.23.0 | Report a Bug | By Email