Re: [2nd] Working Group Last Call for draft-ietf-6man-mtu-option-06
Fernando Gont <fernando.gont@edgeuno.com> Fri, 03 September 2021 00:45 UTC
Return-Path: <fernando.gont@edgeuno.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB4CE3A1A3B; Thu, 2 Sep 2021 17:45:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=edgeuno.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wt8TX1ikpkaC; Thu, 2 Sep 2021 17:45:28 -0700 (PDT)
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2105.outbound.protection.outlook.com [40.107.237.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 355CC3A1A39; Thu, 2 Sep 2021 17:45:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eRCdmlEwclyUfcGaghHf+W5HrWF8eXh5O5l4DdK28/JS7C8ck3SzXpGDqbZ28jETd2zFtrJTePn4ywiFaUOppPOJObcKq2g28usyhKhy2xd4RifpWHq8cl/WMzw2OQFiR1mL9MEOU4cloYLBd/QgzePKvw0/P1kTNw1eC7knbAxFLA09M53rZWlDfCbdeqAoE+TdViUq8bG/c3J57avnVaZIitbHCAjvwby7yAWnfUsiz/fgVnHy0lc7ljE71V655N5W7vxu5Ur6hFwomHFJfJlPsKSlwyxCS/U4cYyASSjSRVgBBU+td0pvluDTpOnrsYRrqWA594zn/ZX/nS23qA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=XXsdcKawjAYRY6wdaD3KRceoqmZJBu2cECDpnlTxH50=; b=BTvQfHv8u5rXW4aaGjVpeu0xSJWSPCzk2R93ImzYzQ+OlKmEZBEV07iMryVZRmPf8ye+3mA7FzRXSRtKeCcJzy+EYgYB2Dq96hJJB0ablWfXi1SNmhsLqf/vnzoOz4XCZ5hHJfNc9yIFvCItdX1HaN8qQ+6kNKfkSNvYHBcn505PecQV8sWx4lYyc7F8w+ZFCmvbslk3ZeGcMYFv7NVex2TRO39fEcqjykrxQVevByI+vyNOM3HRhCIT6lKKHJGbPIO0uYEZbWZ6oSfCa41/np3TmF7E17+JkeEpwtjZi6goOtixDN0j5gIka1OxuiY6+7Tnw75XRtYphEeDc0xlWA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=edgeuno.com; dmarc=pass action=none header.from=edgeuno.com; dkim=pass header.d=edgeuno.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=edgeuno.onmicrosoft.com; s=selector1-edgeuno-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XXsdcKawjAYRY6wdaD3KRceoqmZJBu2cECDpnlTxH50=; b=D2zQ5aI56Aa46BCZJhqQQnpnUKXkDcTdrkBfVtLnix04hiCK/NcKswivvdWgotfKdko/cyYt7Pqesl/NVAEPR98oxfCTD/RsBqhcUslspTH8a/Ryzyjn82RE9j80lGkl73XRFN3LIC4bFlDoa/DstRbHf+icvycUFtuCPx9Nthg=
Authentication-Results: edgeuno.com; dkim=none (message not signed) header.d=none;edgeuno.com; dmarc=none action=none header.from=edgeuno.com;
Received: from BY3PR05MB8578.namprd05.prod.outlook.com (2603:10b6:a03:3cd::10) by BYAPR05MB6581.namprd05.prod.outlook.com (2603:10b6:a03:f0::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4478.16; Fri, 3 Sep 2021 00:45:25 +0000
Received: from BY3PR05MB8578.namprd05.prod.outlook.com ([fe80::5d1a:6f5:58a5:87e1]) by BY3PR05MB8578.namprd05.prod.outlook.com ([fe80::5d1a:6f5:58a5:87e1%7]) with mapi id 15.20.4500.007; Fri, 3 Sep 2021 00:45:25 +0000
To: otroan@employees.org, 6man WG <ipv6@ietf.org>, "Gorry (erg)" <gorry@erg.abdn.ac.uk>, Bob Hinden <bob.hinden@gmail.com>
Cc: 6man Chairs <6man-chairs@ietf.org>
References: <9BD9945A-7A2B-490E-A0C4-6FEED9D41E49@employees.org> <8F54E45B-AE5E-4DD6-84D6-1A44B79E14AE@employees.org>
From: Fernando Gont <fernando.gont@edgeuno.com>
Subject: Re: [2nd] Working Group Last Call for draft-ietf-6man-mtu-option-06
Message-ID: <d37ddbb9-0fb9-2182-a1d9-3439657c958e@edgeuno.com>
Date: Thu, 02 Sep 2021 21:45:15 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
In-Reply-To: <8F54E45B-AE5E-4DD6-84D6-1A44B79E14AE@employees.org>
Content-Type: text/plain; charset="windows-1252"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
X-ClientProxiedBy: CPYP284CA0053.BRAP284.PROD.OUTLOOK.COM (2603:10d6:103:81::22) To BY3PR05MB8578.namprd05.prod.outlook.com (2603:10b6:a03:3cd::10)
MIME-Version: 1.0
Received: from [192.168.1.10] (190.179.67.27) by CPYP284CA0053.BRAP284.PROD.OUTLOOK.COM (2603:10d6:103:81::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4478.19 via Frontend Transport; Fri, 3 Sep 2021 00:45:22 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 0802af11-c9e9-4fb9-36aa-08d96e741df2
X-MS-TrafficTypeDiagnostic: BYAPR05MB6581:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: <BYAPR05MB65818E08B29F1FA69580698CE5CF9@BYAPR05MB6581.namprd05.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:8882;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: SEKUvUGElp3+3h3LjvhxxTRUe4UT5zKd3entbJfnpBV7BQBxHScU7L50w3YHtbspplO15tNvEfrNT/5K+HQXRt+6AnRLlL7EyHbeDAbS3kZY3u0Kx4gsLUs8DOxd7ZkiB5Vb1qRib/skdFG20Wwtk/GWYITC7W96v9Dm7294BtiEqC0wk4jc1/i7SXHti1ytkgQrh/OD3LKSYlumE3PFirfG9xpecmATA/2rWdiJobopHayME4Q5nSjugStFzH+XEgehaSvKF/Ne5IXAYi9+vPog3K+DmsSYEiUTqhqvOUdwZPGGxm+G9rZZRgFzN52vWcWsMqFJHyKSLtZ05onzBdNl+l7p8+1R8feK+meicxkHcvhax+Pw74BJ/HWLcU1H+mId46Gw5vTwpHejzIaVCkmyYNM7YrqvMMp38zpUc6fXVRIoqbuNRmo6tcRAH5prUwTWWewvZU2XCO7vlWs2abPlR9HxczoHDk+L9N3Hz8ySEnmZhwYkMfo02Uag2TM58e51amUuLqp/Zg4IYMMH3phQka4+gamrk2Ycx1aMaSuuwfdJ0k8L5XzXD9UKCDOZ1qKBXk+JcI/vF9y8Ve/KewhEInObbFQBU6kiqrSM8Y/NOCg7eRPHaFh/7aQVKTy4ieaMx9APbJMI9uE0EE+++/q5SzSs1SBunOswVXkT8XW6UhfLIz1Uf5DJ9t3WEBRkLJjbEhxri/iND4hdvHDz8oMC5SZTU3+DntZeHicqr+rWl/HbfACuaQuDv0wuDbM15qdBhAUpvg/P4cn7o1jQ43nK8EDXM70nCNDaCQOUPNlWUuA6rED3URp4W6vsUHn6k789gLq5dp9hneEh3LmmWw==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY3PR05MB8578.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(86362001)(6486002)(83380400001)(5660300002)(8676002)(66574015)(6666004)(52116002)(508600001)(966005)(2906002)(2616005)(956004)(66556008)(66476007)(66946007)(8936002)(4326008)(44832011)(38100700002)(53546011)(31696002)(110136005)(36756003)(186003)(316002)(26005)(16576012)(31686004)(38350700002)(45980500001)(43740500002); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: NuRMpHmeX1XlAsircLQrRDwEfy/obSnfIxa8GQk4E3DZIcNVfH/xNgVjuQWoNWYa4UQXL++YQjcoUfaXC7eBV1fcxHxOOVrPogWE6RhPeG6C5Z4KLN+8/NLesQoxL72VyHsHHySPpTKF8wsZV+9o2qADLQWwGkWA2LPuocc9UDAYrpbxq/+lD2jJBv9BwkCRPx8x/Uq8yhrMqOgCH1nhoiZ0wwMFfPlXWlIW4GQPU7MOlZqgTtKZtPGScI0lf6btCB4Ufssk2hCmQ7VtdozLY1PHvNYVIzzAr3wQ8NzDdRBhMXWAbzuUi4WjwJHx9eAWzKKLz/KWhGVKgusarneSPi3kWARysR4rCemW7osTKGYE5xKALKzGBqxqCJ92XtwYdP/UwaY6EVBYIBRuhdUTcaED0HxtFgaW9WBpJKZO/i4tABQgu+6u4yIUBbXqtgsI0k3aMwQEcVN0gomAwZcGiROE/7XRtUc23fqLcF0yVBhfgIMvz6njE7zhmGIBs6OwY2s4VCw/2MV9CT+KjO3q8FA1vDZUR4E015d0G8xWBjU28RT+nlbbC634iBo06i+SPYqfD1+f1nSeaDfVI/qo0GwOfWnVIVNag78uynSoQcdLcEI5L2jrs1l+lz/m9TQMF1zK9VGTVRxfxwIHxrY71ZymSiUgW/V1Yiak7se9GFH25E4YYUP5oDOZ/YXMYYo9keaRyagSGaZTFl1AXr/HF+J/Fs7oxNanfKORrJhBJG3a0K+EGfbU473nf3clIq9Pl81sARE1Psbky05pF1AwY29DH7m9p1zbQOPXnWr8KIh/9lkTdaDN9MWCTrGspvU8MkCn0f/OU7+a+eud/TZRRU7RYK9x2qhC7mpp5bZFi28nQHtMTkAHpn0rkGQ0jpW6p7pPFPr8QpUf0+5HY9sPPE+YDFXPWAPdK/c3Q7CtD+hcpwjfNtxSUW6ez8BdL2fqgd9wXcjm25Tp1J1pfjKrfg8I7xJ/ezy6WehMUAvl/TAIU0sEttPyYLBepBFsjXTo6e6gAHtHVsQM+d3kEO7PxlSqw7Wr0perqjTSNnkPBI2BMhXqxyxZJvXIL0ESMBPuL7D5UG3yfsGOzlUdDTulCqQO+Bh0iSgHRrg1KG7M94hrZhG5sM9s/SMEhuTYnut8AYkuqqOlP02XLKrX9CUnkTfio/OxQplbIuZYFHtwnIRLNLJT2GflPrJSi9a/JYviOQblBRrKecmNQgw2V4Fut1PwBWY+6PmeVJQI9XHnnwv96UU+VW6BhHs9OmVa9a+erIIIy621E7SRWeTHKuIJMLWCEkfKAoOYZ7UJgzXzIfqMoAXfSri+LSnszcEZcd+D
X-OriginatorOrg: edgeuno.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0802af11-c9e9-4fb9-36aa-08d96e741df2
X-MS-Exchange-CrossTenant-AuthSource: BY3PR05MB8578.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Sep 2021 00:45:25.0197 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 20879dba-fabf-45da-8300-60b8ce560217
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: Qdfwb8CNXIFJ4XbuRxiThXnnAhZuG6qOFXHJBPkAr8XBN6PUFf2UPdqLiIa9Rt8LhlpC0y1T2N/trCRU+VJTsI3jQsuusK4iS6BFuTPIkxA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB6581
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/CCwQESEEzMWCaKekg6FwkltyMDA>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Sep 2021 00:45:34 -0000
Hi, all, I happened to read this thread, and took some time to look at the draft. Sorry for the bad timing... but I felt it was probably better to send this now that during IETF LC. I took a quick look at the document, and have the following comments: * Meta: It is not quite clear to me if this option is expect to provide an alternative to e.g. PMTUD or PLPMTUD, or complement it. But in any case, I think this should be more evident early in the document, and probably even in the abstract itself. * Meta: It seems this option would allow for a PMTU increase, whereas previous PMTU mechanisms (ICMP-based PMTU) can only increase the PMTU when specifically probing the path for PMTU increases. * Meta: In many parts the document talks about "the minimum Path MTU". HOwever, this is a bit confusing. as "Path MTU" typically implies "the minimum MTU along the path". * Section 1: At each subsequent hop where the option is processed, the router compares the value of the Min-PMTU Field in the option and the MTU of its outgoing link. If the MTU of the link is less than the Min-PMTU, it rewrites the value in the option data with the smaller value. I'm probably missing something, but: if the outgoing MTU is smaller that the MTU value in the option (possibly because the outgoing link will reduce the PMTU), wouldn;t the packet be dropped? -- in which case, how would the associated information be communicated? * 1.1. Example Operation For the figure, I;d use symbols in all cases, are numeric MTU values in all cases (and hence two figures). * Section 2: "Motivation and Problem Solved" The document essentially notes that this option could solve the issue of Path-MTU being broken. However, IPv6 options are as broken (or more) in the public Internet as PMTUD. In that sense, if this option is meant for the general Internet, then there's no indication whatsoever that this option will produce an improvement (actually, data seems to argue quite the contrary). And, if the option is mean for limited domains, then... if you can make this option work, you could also make PMTUD work -- unless I;m missing something. * 4. Applicability Statements At the risk of sounding our own horn, I'm surprised this section (and the previous one) do not reference RFC7872 and the upcoming RFC 9098, which essentially cover the issue of IPv6 option processing. * 5. IPv6 Minimum Path MTU Hop-by-Hop Option There's no checksum in IPv6. How does this affect this option? -- i.e., the option being corrputed and hence signaling incorrect information. * Section 5: Min-PMTU: n 16-bits. The minimum MTU recorded along the path in octets, reflecting the smallest link MTU that the packet experienced along the path. A value less than the IPv6 minimum link MTU [RFC8200] should be ignored. s/should/SHOULD/ ? Or actually s/should/MUST/? * 6.2.2.1. Including the Option in an Outgoing Packet * The use of this option with DNS and DNSSEC over UDP ought to work for paths where the PMTU is symmetric. The DNS server will learn the PMTU from the DNS query messages. If the Rtn-PMTU value is smaller, then a large DNSSEC response might be dropped and the known problems with PMTUD will then occur. DNS and DNSSEC over transport protocols that can carry the PMTU ought to work. This probably implies that the option would be used in the public Internet. However, RFC7872 argues that it will not work reliably. * 8.2. Validating use of the Option Data Port randomization is discussed in RFC6056. * 8.2. Validating use of the Option Data Generally speaking, relying *only* on port randomizayion is not considered acceptable. For validation, it would seem to me that validations similar to RFC5927. Or, more explicitly, one could require that packets are "in windows" (e.g., when the upper layer protocol is TCP). As with the considerations in RFC5927 for the ICMP-based attacks, catching the PMTU on a per-src-dst basis might not be a good idea if the info was generated by a transport protocol that doesn;t allow for even basic validation. * Section 8.2 A network node on the path has visibility of all packets it forwards. By observing the network packet payload, the node might be able to construct a packet that might be validated by the destination host. Such a node would also be able to drop or limit the flow in other ways that could be potentially more disruptive. Authenticating the packet, for example, using IPsec [RFC4301] or TLS [RFC8446] mitigates this attack. How would these help protect the option? * 10. Implementation Status At the time this document was published there are two known implementations of the Path MTU Hop-by-Hop option. These are: * Wireshark dissector. This is shipping in production in Wireshark version 3.2 [WIRESHARK]. I might be wrong, but the WIreshark disector, while useful, wouldn;t count as an implementation of the option. Apologies for the delay in sending feedback. I've been strucling to keep up with IETF stuff. Thanks, Fernando On 1/9/21 05:30, otroan@employees.org wrote: > I did my shepherd's/chair's review is on google docs: > https://docs.google.com/document/d/1jffQL-nWfsIkbBsCLzeyJIje1raKiHR8z7-mthHSRcw/edit?usp=sharing > > Best regards, > Ole > > >> On 18 Aug 2021, at 09:12, otroan@employees.org wrote: >> >> Signed PGP part >> Just a reminder of the WGLC for the MTU option. >> Thanks for the comments so far. >> >> Are there anyone who would volunteer to do a very thorough review as part of the WGLC as well? >> >> Best regards, >> Ole, co-chair 6man. >> >> >> This message starts a new two week 6MAN Working Group Last Call on advancing: >> >> Title : IPv6 Minimum Path MTU Hop-by-Hop Option >> Authors : Robert M. Hinden >> Godred Fairhurst >> Filename : draft-ietf-6man-mtu-option-06.txt >> Pages : 19 >> Date : 2021-08-07 >> >> https://datatracker.ietf.org/doc/draft-ietf-6man-mtu-option/ >> >> as an Experimental Track document. >> >> Substantive comments and statements of support for publishing this document should be directed to the ipv6@ietf.org mailing list. Editorial suggestions can be sent to the author. >> >> This last call will end on 23 August 2021. >> >> Thanks, >> Ole >> >> >> > > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- > -- Fernando Gont Director of Information Security EdgeUno, Inc. PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531 “This communication is the property of EdgeUno or one of its group companies and/or affiliates. This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and if you are not the intended recipient be aware that any non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, and will be considered a criminal offense. Please notify legal@edgeuno.com about the unintended receipt of this electronic message and delete it.”
- [2nd] Working Group Last Call for draft-ietf-6man… otroan
- Re: [2nd] Working Group Last Call for draft-ietf-… Mark Smith
- Re: [2nd] Working Group Last Call for draft-ietf-… otroan
- Re: [2nd] Working Group Last Call for draft-ietf-… otroan
- Re: [2nd] Working Group Last Call for draft-ietf-… Fernando Gont
- Re: [2nd] Working Group Last Call for draft-ietf-… Bob Hinden