Re: [IPv6] draft-ietf-6man-hbh-processing WGLC comments
Tom Herbert <tom@herbertland.com> Mon, 28 August 2023 20:39 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E6ACC151066 for <ipv6@ietfa.amsl.com>; Mon, 28 Aug 2023 13:39:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SrImoWijdJvo for <ipv6@ietfa.amsl.com>; Mon, 28 Aug 2023 13:39:28 -0700 (PDT)
Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A04A7C14CF0C for <6man@ietf.org>; Mon, 28 Aug 2023 13:39:28 -0700 (PDT)
Received: by mail-pg1-x534.google.com with SMTP id 41be03b00d2f7-564cd28d48dso1632257a12.0 for <6man@ietf.org>; Mon, 28 Aug 2023 13:39:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1693255168; x=1693859968; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=0VBEfP8s+ICWRFtoTQVFaSqLYPAI/f4+uceGEvc1g0s=; b=gTFqQsBtk75OXVLFxvpMnyd+V1Cgs1j2fHX1Oo8LPbr9HACdk9u2vl+BKIL3u7C/la MAQeUmyO6mG2VID1vrITjlPwtBiQVXkNp5z7VBXNvMXmkOZLVoANN81XFfQicmO/8r7w 1V8STI7dEQZxSowsNSv9ojHb8XEk7J3VIja2GhvmQ6IOMbfGduQpaPdz1oIKDJBbLX0O vmfLvXKj7yvn+eF15ysyNsfG+aSxgTdCq2SA4cWXRtabithveQHv1ba1AOxatyxEjQX5 usgSMN4ubQnVo58umCw3/A4hXJeWZursGk1wAJ+wwuXP+okoLZndUHBS5gxBAkqVnTC2 K01A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1693255168; x=1693859968; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=0VBEfP8s+ICWRFtoTQVFaSqLYPAI/f4+uceGEvc1g0s=; b=KWlIGXlkzz5M/Um0QKZY/FB2L7Ji8p7sbXKl0M84TfhiZeZ7hoHowO2PGiwHj8Rtud tu7YOvz3eycdWvFTEcVMmzfQwEfuURGgmaB7JtS5+mSmo7LUIpmHTPuX1ZyI+WseBXxL TdBHIX1BdikwXgHCVQvCxWmjjq55xnetL+ZTi3K2k2dibo3ABxl2gVU2o8lEBMvbffJp U4YGVCQqVVsVEyw0TXfC8b1JHktKAEEsaH6MIExL3Nux/KcTr2lL3SSgm3nWRvYt6eM4 ul7BqvFf9AD1zKISqx4417drnnDMMTjtlaTmg/so2TDJJO0Hv21aTZloA8rXCU2Bt2z1 bUpQ==
X-Gm-Message-State: AOJu0YzWFUh1WiVsGvSqSYdSFCj2pGhW9AzTb3KAaRdujas2YNP5sYc7 zvaf6drGT4uUPK8p9f4M6ygue6B+iEBvsq/UIMyufQ==
X-Google-Smtp-Source: AGHT+IE/BqikMlAzqvRbHOsNZziiUlFfOKf4H8ghhTCZwf3eQjrOKiKcDoXmsYJ0MsD+BL+WZbJJMbhtv2tHfjl3+10=
X-Received: by 2002:a05:6a20:7da2:b0:148:4c5:9714 with SMTP id v34-20020a056a207da200b0014804c59714mr26074680pzj.13.1693255167481; Mon, 28 Aug 2023 13:39:27 -0700 (PDT)
MIME-Version: 1.0
References: <ZMaiTw1kXtIMDEkZ@faui48e.informatik.uni-erlangen.de> <ZOTxJQLKyY4m4Qv8@faui48e.informatik.uni-erlangen.de> <9bb7bbc1-b5c2-9429-59e5-8a74f8309510@erg.abdn.ac.uk> <ZOhrvEBR5FO2Yr4m@faui48e.informatik.uni-erlangen.de>
In-Reply-To: <ZOhrvEBR5FO2Yr4m@faui48e.informatik.uni-erlangen.de>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 28 Aug 2023 13:39:15 -0700
Message-ID: <CALx6S36ULmqF-F8mshhQcMsktn0AOAHv7dHyez0vP3RN1ENSSA@mail.gmail.com>
To: Toerless Eckert <tte@cs.fau.de>
Cc: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, "6man@ietf.org" <6man@ietf.org>, draft-ietf-6man-hbh-processing@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/CductYxB00Vo1mPrL8GBdOOKhHI>
Subject: Re: [IPv6] draft-ietf-6man-hbh-processing WGLC comments
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Aug 2023 20:39:32 -0000
On Fri, Aug 25, 2023 at 1:52 AM Toerless Eckert <tte@cs.fau.de> wrote: > > Inline. > > Btw: Is there a github ? Would make it easier to address multiple smaller > textual points individually and discuss them. > > On Wed, Aug 23, 2023 at 02:10:11PM +0100, Gorry Fairhurst wrote: > > On 22/08/2023 18:32, Toerless Eckert wrote: > > > To follow up on my generic comments, > > Thanks, the comments were helpful, and the new revision will respond to > > these, and will be better for this insight. > > > a few more generic concerns: > > > > > > 1. I am worried that by constraining the document to HBH, we will have to duplicate > > > probably all of the work for routing headers as well. It would be preferrable to > > > see how much more work it would be to make the document address both > > > headers that can be processed by routers along the path (HBH and routing). > > > > > > Conceptually i think it should be easy, but textually given how the draft > > > refers to so much detailled rfc8200 text, it might lead to equal amount of > > > duplication of text to fix *sigh*. > > > > This could be a much bigger question. > > > > - First, I agree there are things in common - and I think key parts can be > > carried forward to any work on the routing header. > > Well, if you do not want to take this on now, how about cloning and working > (at a slower pace on that second draft). > > But multiple draft will just create risk of more undesirable discrepanices. > > Maybe worst existing discrepancy: draft-raviolli-intarea-trusted-domain-srv6, > > If we had a doc like your HBH doc for RH. Would that have avoided the problems > that draft attempts to address ? Would the authors of that draft still think it's > the safer, easier solution ? > > Aka: How can we best avoid discrepancies. > > IMHO: I would not want to see the process rushed at this point... > > > > 2. As seen from the other threads, i think we want to move into a direction where > > > we remove the hurdles from applications to send EH (HBH/routing). But we then > > > need to make sure we can feel safe with that recommendations and not be beaten > > > up by opeators to open floodgates of attacks. > > > The draft does a good base level of asking for MUST configure (to process), > > > but i wonder if the granularity that is specified (aka: pretty much none) > > > is sufficient. For example, i would think that one at least wants to have > > > ACLs to permit/deny individual option header processing, and extended ACLs > > > at that (aka: only for TCP or UDP traffic, or based on source/dest combinations). > > > > > > (and no, i am not paid for by Tom to create pain with ACLs that FAST would > > > solve/remove, but pretty much those ACLs would be the cost of doing EH business > > > without FAST. And igoring the cost by not specifying the need for them would just backfire). > > > > From my perspective, I could see configuration to allow/deny forwarding > > packets with a HBH EH and for processing individual HBH Options, and I hope > > the draft says that. Is there a need for specific text? > > See above reply re. the risks at a domain edge and how well you want to harden it. > > Practically speaking i think we need to think about the actual policies required > and see how to best apply them to requirements text. The one we have is very > hand waiving. > > Aka: It seems we want interface level filters If we want to make an argument that > something like draft-raviolli-intarea-trusted-domain-srv6 was not needed > (assuming similarily successfully deployed, but intradomain intended HBH header > with similar attack options for traffic from interdomain). > > But we also need router - wide filter (which i think is what you may have implied, > but the text is not specific about the context of the policy). > We may also want to have src/dst filters at the edge or hop-by-hop to be able > to e.g.: distinguish intradomain from transit traffic (based on ACL recognition > of intradomain traffic as opposed to put it onto edge interface). > > Wrt to the discuss re. which headers can be used in conjunction with differnt > transport protocols. I can see a lot of interaction between transport protocol > and HBH, so it would be very prudent to mandate support for extended ACL > (5-tuple filter). > > Wrt. reaction: I think the draft ignores the problem, that ignoring of option > headers/options in existing routers may not work at the desired rate (not > to say linerate as i have issues with that, see prior response from me). Toerless, I don't think this is a problem. RFC8200 states that routers may completely ignore the HbH Options header; that is there are no mandatory options that must be processed. So if a router can't keep up at the desired rate, then it can just ignore HBH entirely. > > In this case it seems routers should be able to discard and ICMP reply to such > headers. Aka: Force senders to not insert such headers/options - or else traffic > will not make it through. A router ignoring HbH is MUCH PREFERABLE to routers dropping packets with HbH options. > > Of course, we wouldn't want such future routers, but we MUST be able to support > such existing routers. > > And for example, we have a lot of history with such discarding when packet has > something routers do not like. At least we should have a SHOULD raise ICMP > errors so apps can react faster. > Yes, that's covered by RFC8883. Of course in reality, ICMP has about as much luck making it through the Internet as HBH EH! > And then there is diagnostics, aka: counters for what type of extension header/option > was received, and what policy reaction it had. Without that, introduction of > new HBH will just fail due to frustrated operators. But again, routers can just ignore any new HbH. Tom > > I know, we traditionally where very weak on such policy/operations aspects in our > core protocol specifications and hoped for vendors to somehow to it, and when > we where luckyl we had some MIB 20 years later for it. But that also contributed > IMHO heavily to the demise of most advanced technologies we proposed, because > they could not well be operationalized. > > Cheers > Toerless > > > Gorry > > > > > Cheers > > > toerless > > > > > > On Sun, Jul 30, 2023 at 07:47:59PM +0200, Toerless Eckert wrote: > > > > Hi Gory, Bob, *: > > > > > > > > Thanks a lot for the document, and sorry that i can jump in only so late > > > > in the process. I have a couple of NIT/MINOR comments, but primarily two > > > > MAYOR concerns, and those are that i think the document is way too negative > > > > about HbH headr going forward, by not including simple, but mandatory > > > > forwarding plane requirements to ensure new work can not cause issues. > > > > > > > > In one case, this is about new router-alert spec, which i think are not > > > > more problematic than other control plane, if just the right requirements > > > > are met (which this document should well specify), > > > > > > > > In the other case, it is higher than "full-line-rate" perfomance of HbH > > > > packets, which also can be made to work perfectly fine in the face of > > > > attacks by just having appropriate protection against attacks (such as > > > > rate-limiters). > > > > > > > > We have all the same issues in similar form in other forwarding/control-plane, > > > > and we know how to overcome them. But the work to overcome problems usually > > > > happens when stuff is widely deployed only. Thats why seemingly nobody > > > > thinks about applying the same principles to HbH - because we do so little > > > > with it. > > > > > > > > Cheers > > > > Toerless > > > > > > > > 1. NIT: > > > > > > > > Suggest to change: > > > > > > > > When the IPv6 Specification was updated and published in July 2017 as > > > > [RFC8200], the procedures relating to Hop-by-Hop options were as > > > > follows: > > > > > > > > to: > > > > > > > > When the IPv6 Specification was updated and published in July 2017, > > > > the procedures relating to Hop-by-Hop options where specified as > > > > follows (from [RFC8200], section 4): > > > > > > > > Reason: It was not clear to me that the text was really 1:1 copied > > > > from RFC8200, and i think quotations should really be marked very > > > > explicitly. Also, because i didn't read it immediately as a citation, > > > > i bothered in suggesting a NIT for that text, which i guess now is > > > > inapproprite. > > > > > > > > The same note may apply to other citations in the text, aka: please > > > > refer to them with section and ensure it's similarily clear it is a citation. > > > > > > > > 2. NIT: > > > > > > > > This one (see above) you'll likely want to skip given how its in > > > > an rfc8200 citation. > > > > > > > > suggest to rewrite: > > > > > > > > by any node along a packet's delivery > > > > path, until the packet reaches the node (or each of the set of > > > > nodes, in the case of multicast) identified in the Destination > > > > Address field of the IPv6 header > > > > > > > > to: > > > > > > > > by any node along a packet's delivery > > > > path, until the packet reaches the node > > > > identified in the Destination Address field of the IPv6 header, > > > > or each of the set of nodes, in the case of multicast. > > > > > > > > Reason: In SSM, RFC4607, the set of nodes is identified by > > > > the combination of source and destination address, not only > > > > by the destination address. I think the original sentence > > > > excluded that interpretation, and this rewrite allows it > > > > (so as not having to elaborate more about these intricacies). > > > > > > > > 3. MAYOR > > > > > > > > Section: > > > > Any option that can be used to force packets into the router's > > > > Control Plane can be exploited as a denial of service attack on a > > > > transit router by saturating the resources needed for router > > > > management protocols ... > > > > > > > > IMHO, this is inappropriate. > > > > > > > > Just because something needs to go to control plane does not mean > > > > that it would hurt other control plane. HbH header processing would > > > > not be different from any other control plane activity in this > > > > respect. > > > > > > > > For every control plane activity, you need to have some appropriate > > > > share of control plane resources depending on its functions and the > > > > desired performance, and you need to provide protection against > > > > that control plane function to exceed these shares, for example when > > > > it is being DoS'ed. > > > > > > > > Routers can do as little as round-robin for CPU across control plane > > > > functions, as well as per-function rate-limiters on packets, just as > > > > a simple example. > > > > > > > > Of course it is inappropriate to implement a HbH function in > > > > control-plane if its meant to operate at line rate, but if a HbH > > > > header function is defined to operate at the same performance > > > > level as other control plane, it is perfectly valid. For example > > > > router-alert for PGM or RSVP where logically correct. Just our > > > > specifications where and are bad, and implementations where (and are) > > > > likely even worse. But providing better specs would at least > > > > make it right from the IETF side (and put blame clearly on bad > > > > implementations). > > > > > > > > 3. MAYOR > > > > > > > > Section: > > > > > > > > "In a nutshell, the IP Router Alert Option does not provide a > > > > convenient universal mechanism to accurately and reliably > > > > distinguish between IP Router Alert packets of interest and > > > > unwanted IP Router Alert packets..." > > > > > > > > That text does not make a lot of sense, because you can IMHO > > > > downtalk any function we have specified by prepending it with > > > > "convenient, universal, accurately and reliably" - and find some > > > > issue. > > > > > > > > The actual issue at the point of writing rfc6398 was that some router > > > > OS that was back then widely used, and AFAIK very likely the reference > > > > for Francois' experiences was punting without any rate-limiters or without > > > > any fair scheduling afterwards router-alert packets for protocols > > > > that where not even configured to be used on the router. So all > > > > those packets simply got slow-path forwarded, which was even > > > > slower than the actual router-alert processing would have been. > > > > > > > > PGM was the core example of this (for me), Francois' experience was > > > > likely RSVP. Router that had PGM processing enabled > > > > did actually work well with the production level of PGM messages, > > > > but those that did not have it enabled (maybe they did not even > > > > support it) suffered from those punted PGM packets. And of course > > > > the simple solution would have been to simply punt router alert > > > > packets only for those router alerts whose protocols where enabled > > > > on the router. > > > > > > > > My takeway from this situation was that router alert already had > > > > a really useful (enough) way to distinguish packets by IP protocol > > > > ID, but because the router alert specification (to this day) does > > > > not outline that you MUST NOT punt when the protocol is not > > > > supported, and that you MUST ensure rate-limiting and limiting > > > > CPU ressources (like you need to do for non onpath control plane > > > > functions), we then got these lousy implementations. Which killed > > > > good protocols in whole industries. > > > > > > > > If you are interested to revisit this text and the conclusions to draw > > > > from these experiences, i'm happy to help, but i don't want to volunteer > > > > unwanted text now. > > > > > > > > 3. MINOR > > > > > > > > "The share of traffic containing more than one EH however, is very small." > > > > > > > > Such a data point from the past is no useful indication for prior > > > > experiences. The conclusion to support at least one EH is still > > > > useful, but IMHO only in conjunction with a somewhat better > > > > logic: > > > > > > > > - It is unclear how man EH a forwader can support. > > > > - If it is possible to always put the most important EH > > > > first, and ensure that all routers that do support this EH > > > > will also always act on it if it is the first EH, then hosts > > > > can at least realiably get support for their most important EH. > > > > - And once there is more deployment of EH where at least the first > > > > EH will work, there is more motivation for deployments > > > > to make more EH work, if/when there is sufficient need. > > > > > > > > 4. MAYOR > > > > > > > > "Transmission and Processing of IPv6 Extension Headers" [RFC7045] > > > > ... > > > > > > > > Unfortunately, RFC7045 does also not capture the spec/implementation > > > > issues relating to slow-path EH processing outlined above. > > > > > > > > 5. MINOR > > > > > > > > In 5.1 the text says: > > > > > > > > Routers SHOULD process the Hop-by-Hop Options header. If a router > > > > > > > > In 5.1.1, the rfc8200 text is repeated: > > > > > > > > Options header if explicitly configured to do so > > > > > > > > It seems this draft wants to keep that rfc8200 text intact and just > > > > extend it, but that text seems to conflict with the 5.1 text. > > > > > > > > E.g.: the 5.1 text could say "Routers SHOULD process the HbH Options header > > > > if explicitly configured to do so". > > > > > > > > And/or be explicit about what is the default. To me, the rfc8200 text > > > > reads as if the default could be to not process (which would be safe, > > > > and i'd implement it that way). But the 5.1 text also reads like default. > > > > Else it should better we written as "SHOULD be able to process...". > > > > > > > > 6. MINOR > > > > > > > > configuration could control that normal processing skips any or all > > > > of the Hop-by-Hop options carried in the Hop-by-Hop Options header. > > > > A router that does not process the contents of the Hop-by-Hop Options > > > > header does not therefore process the identifiers of individual > > > > Option Types to perform any specified action. > > > > > > > > So, what is the semantic difference between "any or all" and "all" ? > > > > I was confused to think that "any or all" could also mean that > > > > specific Options could be enabled/disabled, but the following text would > > > > then be inconsistent (it only talks about "all" IMHO). > > > > > > > > In any case, IMHO it wold make perfect sense to explicity enable > > > > each Option separately to be on the safe side (and enabling all could > > > > of course also be an option). > > > > > > > > 6. MINOR > > > > > > > > 01 - MAY discard the packet. Nodes should not rely on routers > > > > dropping these unrecognized Option Types. > > > > > > > > change to: > > > > > > > > 01 - SHOULD discard the packet. Nodes MUST NOT not rely on routers > > > > dropping these unrecognized Option Types. > > > > > > > > Aka: keep the original intention, but just make it easier to implement, > > > > but also ensure that apps will deal with not getting the desired drop. > > > > > > > > Otherwise, if you want to keep your text, you need better explanation > > > > why the radical shift in behavior, and why no normative requirement > > > > against the application to deal with it. > > > > > > > > 7. MAYOR > > > > > > > > The 10 and 11 text really needs to be changed to allow sending back > > > > ICMP replies ofr multicast packets only upon explicit configuration > > > > that ideally should also be tied to source (and group) ACL so that > > > > it only is issued for source addresses known to not be faked. Aka: > > > > ICMP replies to a multicast packet is an amplification attack, > > > > and the source address may be faked (agreeable more difficult > > > > with clasical RPF forwarding multicast protocols, but i wouldn't > > > > want to guarantee all this self protection when we have e.g.: BIER, > > > > or whatever else may come along), so it can be a great DDoS attack > > > > vector. > > > > > > > > Othewise, for the unicast case, i think the text should be like i > > > > proposed for 01, e.g.: SHOULD, and also add the MUST NOT rely on > > > > the dropping... > > > > > > > > 8. MAYOR > > > > > > > > I reject the directons of this sections because as laid out in before, > > > > fundamentally the needs to make a control plane function work against > > > > attacks is not fundamentally different from when using onpath signalling > > > > to using explicit addressing (e.g.: host stack address as destination). > > > > In both cases, you do need to protect yourself against too many packets, > > > > and you need to ensure that the control plane service does not > > > > consume more CPU than feasible compared to othre functions. > > > > > > > > RSVP or PGM (not defined for IPv6, but equally applicable) are > > > > perfectly good signaling mechanism and highly valueable, and where > > > > they failed (as explained above), that only happened because the spec > > > > (router alertt) did not specify MANDATORY requirements to MUST NOT > > > > punt/process/cause-performance-issues of any protocols not supported > > > > or enabled. > > > > > > > > Aka: I really would like to see router-alert be specified a a forward > > > > going, full supported option, but specifying in this text all the > > > > requirements not only for implementations in general, but also > > > > for any router-alert specifications to be safe. > > > > > > > > I think the second part of the section already has good starting points, > > > > and i'd be happy to help improving the text so it really is as bullet > > > > proof for implementation and deployment of route-alerts as we know. > > > > > > > > One simple example is that MUST support > > > > line-rate ignoring of router-alert options that they do not support nor > > > > have enabled. If an implementation can not do that, it MUST support > > > > limiting processing of router-alert to only trusted sources, known > > > > to send router-alert only at supportable (but not attack) levels, > > > > such as via source IPv6 address filtering of processing of router-alert. > > > > > > > > And of course MUST NOT enable router-alert processing by default, > > > > unless the software deployed has not been upgraded to support this documents > > > > behavior but prior RFCs (aka: for running software you might need to > > > > explicitly enable the new behavior). > > > > > > > > 9. NIT > > > > > > > > The split in text between 5.1 and 5.2.2 is confusing. I think these > > > > are better merged. > > > > > > > > I also think the text should talk about "supported and enabled", aka: > > > > if we really want to be safe, we need operators to explicitly enable > > > > hbh header functions. > > > > . > > > > > > > > 10. MAYOR > > > > > > > > Section 6: > > > > > > > > The whole logic of "full forwarding rate" is highly questionable and would > > > > severely limit the ability to build useful on-path processing if left > > > > in the text unchanged. > > > > > > > > COnsider for example OAM style HbH - just because lots of people would > > > > think its useful (well, users. But lets assume enlightened operators > > > > would allow them to be enabled... which i think will not happen because > > > > operators do like to keep secrets. But thats a different issu). > > > > > > > > Eample HbH header packets with e.g.: some OAM might take as much forwarding > > > > plane resources as e.g.: 10 "normal" packets. But that would be fine, > > > > bcause the spec for it could say for example that one should use > > > > e.g.: only a maximum of 1 in 100 packets with the OAM header. Which wold > > > > create an overall overhead of 10% performance more. Or maybe converted, > > > > a 10% higher average packet sized that the router can process at linerate. > > > > Aka: perfectly acceptable. Because the operator for example knows that > > > > his packet size mix is well below linerate mix. > > > > > > > > What is of course for an Internet use of such a HbH feature significant is > > > > that the router MUST be able to rate-limit processing of the option to > > > > said < 1 % of packets processed. and if someone does a (D)DoS attack with > > > > packets using such "expensive" options, then the router would still be > > > > safe and not need more than the expected 10% more resources. > > > > > > > > If on the other hand, a HbH option is meant to be used in controlled networks, > > > > then the cost could even be higher. FOr example, IP multicast often > > > > douples, if not triples the average packet size routers can provide linerate > > > > forwarding for. Just because its more lookup and replication also may cost > > > > more (per replica). E.g.: 256 bit (S,G) lookup instead of 128 bit D lookup. > > > > But that is not a problem, because in controlled networks you do want to > > > > sped the router resources for the value. And you have more tools at disposal > > > > to ensure routers are not overrun. > > > > > > > > I think that all the cool new HbH would start out in controlled networks, > > > > so it is important to allows also similiarily "expensive" hBh features > > > > as we've had success with other forwarding features in the past (e.g.: > > > > ip multicast). > > > > > > > > Would be happy to help think of more appropriate text, e.g. as above, something > > > > like: > > > > > > > > If a HbH option requires more router performance than "full forwarding rate", > > > > routers MUST be able to support rate-limiting the processing of packets with > > > > such an option so that if configured with an appropriate maximum rate, > > > > distributed denial of service attacks via larger rates of such packets than > > > > supportable by the router will not cause issues in the routers deployment > > > > and performance. > > > > > > > > I'll stop here with review for the moment because i would like to first see > > > > where this document wants to go with the MAYOR points raised before checking > > > > further details. > > > > > > > > Cheers > > > > Toerless > > > > > > > > In-Reply-To: <5840.1690652533@localhost> > > > > On Sat, Jul 29, 2023 at 01:42:13PM -0400, Michael Richardson wrote: > > > > > Ron Bonica<rbonica=40juniper.net@dmarc.ietf.org> wrote: > > > > > > The Internet is a loosely confederated group of "limited domains". Each > > > > > > limited domain maintains its own forwarding and routing policy. HBH > > > > > > processing, as it is defined in RFC 8200, is OK within a limited > > > > > > domain. It provides yet another tool for deployment of that limited > > > > > > domain's forwarding and policies. > > > > > > > > > > It's an interesting view. > > > > > > > > > > So, the "unlimited Internet" is just a path across a bunch of limited > > > > > domains, where the sender does not know which limited domains will be used. > > > > > I think that is a useful change from how we used to think about the Internet, > > > > > because it might be that we know something about the nearby limited domain, > > > > > and something else about the receivers limited domain. It's the unknown > > > > > part in the middle that gets in our way. > > > > > > > > > > An interesting thing about Ben Schwartz and Co's RISAV proposal is that it > > > > > gives a way for those two limited domains to communicate directly. > > > > > > > > > > > Deployment of the HBH across limited domains may not be a very good > > > > > > idea, because it provides a tool for one limited domain to influence > > > > > > the forwarding and routing polices of another. Can you think of a > > > > > > single HBH option for which the above statement is not true? (The > > > > > > question is not rhetorical.) > > > > > > > > > > If the HBH didn't influence things, then we wouldn't bother! > > > > > So by definition, it's true. > > > > > But, you are missing a key phrase in this: > > > > > > > > > > it provides a tool for one limited domain to influence > > > > > the forwarding and routing polices of another IN AN UNAUTHORIZED WAY > > > > > > > > > > > > > > > -- > > > > > Michael Richardson<mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) > > > > > Sandelman Software Works Inc, Ottawa and Worldwide > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -------------------------------------------------------------------- > > > > > IETF IPv6 working group mailing list > > > > > ipv6@ietf.org > > > > > Administrative Requests:https://www.ietf.org/mailman/listinfo/ipv6 > > > > > -------------------------------------------------------------------- > > > > > > > > -- > > > > --- > > > > tte@cs.fau.de > > > > > > -- > --- > tte@cs.fau.de > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > --------------------------------------------------------------------
- [IPv6] draft-ietf-6man-hbh-processing WGLC commen… Toerless Eckert
- Re: [IPv6] draft-ietf-6man-hbh-processing WGLC co… Toerless Eckert
- Re: [IPv6] draft-ietf-6man-hbh-processing WGLC co… Gorry Fairhurst
- Re: [IPv6] draft-ietf-6man-hbh-processing WGLC co… Toerless Eckert
- Re: [IPv6] draft-ietf-6man-hbh-processing WGLC co… Mike Simpson
- Re: [IPv6] draft-ietf-6man-hbh-processing WGLC co… Tom Herbert
- Re: [IPv6] draft-ietf-6man-hbh-processing WGLC co… Ole Troan
- Re: [IPv6] draft-ietf-6man-hbh-processing WGLC co… Gorry Fairhurst