IETF Logo Mail Archive

Re: Death by extension header

Tom Herbert <tom@herbertland.com> Mon, 13 July 2020 20:26 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3FE23A08B1 for <ipv6@ietfa.amsl.com>; Mon, 13 Jul 2020 13:26:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SkyjtLi9H4Mr for <ipv6@ietfa.amsl.com>; Mon, 13 Jul 2020 13:26:53 -0700 (PDT)
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B89243A0D40 for <6man@ietf.org>; Mon, 13 Jul 2020 13:26:41 -0700 (PDT)
Received: by mail-ej1-x62d.google.com with SMTP id ga4so18877510ejb.11 for <6man@ietf.org>; Mon, 13 Jul 2020 13:26:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bUeRMguO+7qjU+y8rXRW58wxUoJqHyUW+xcapXPBUUQ=; b=cDY9kpHwI+N4DUcFfCY2W1ZzqEiMABLkrmGP7w095+gMmxIU28ZMTeL8gkXFYyPm/6 81vTwQeQQn7HNklS7Bwf2YP861v/szI32DrXDo4pGiACAHUrhiW9OjYByRfYr/nCWiYt MyEdqnBfdyW9LfSvCKYvk5kUBv02vyDCUJhevrbDIKlKCsqtXRwhtbFIVLMFwPTppoqa nZ0Joy5EXSpuiSwq/OPC5wWdPqTbyhElUeJIIdGs6wXAUhUTALaWp7XgpcsI0NOGHPPP k8sr72tsqMplEt5HZlJkBQBOuR9AAloRaR4cHp2BrQHSfl0m3Se66MvXTjC1TC5i/HLC 5OJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bUeRMguO+7qjU+y8rXRW58wxUoJqHyUW+xcapXPBUUQ=; b=HL5WUoKZyJvr/6CuaIpXqzv34RnOmWOHQd2qJ0RQsUJVZ0cTWro+XpUs0brC0l1Fxq 2CzFO9OtEQSIu1X9VQkljxrPkAjsA0id9tqgRaQOm2cN2IHskus0o8wdKC186H0pnbFl gJDIDhkLddJoIOVO5t9F6OKYRoANlBpAjC+JBWK1e7rpSrDp8K/YMZuVP8Ryl0HWGm77 vCA61z7DMvSXgbvGIDsBsQLEeNLaG03wzwFBvYvewAgcXAH0mm2m6hGYdKo8zr4Lyrqi C/fbN2vLHH67i87EG/xoCzmG9Tfq8eWVZNWMJD19nQArsxQsP8nspOQcjyQSF4zg4gIL MeqA==
X-Gm-Message-State: AOAM5327RQCVi88rl110/XKgYHNYI+9HzKr3NnElTClxKb/LPVJGh8mS j5L4Kg7XN5lAsamn6Eykj63tu9+QZEyoqBBEg59D5EXL2QE=
X-Google-Smtp-Source: ABdhPJxNfeeWhyV1AWbMFUhCtBGoSOzmrXBU+Ehh9SydINZAlouDv5VNMtAUQRRTZ4J93qkcKBlDUWYen87vK2nD99Y=
X-Received: by 2002:a17:906:fac1:: with SMTP id lu1mr1477221ejb.427.1594672000128; Mon, 13 Jul 2020 13:26:40 -0700 (PDT)
MIME-Version: 1.0
References: <DM6PR05MB6348708352E1EE4421A61D63AE650@DM6PR05MB6348.namprd05.prod.outlook.com> <CALx6S34e21BLHRfx+p7agrzzDsx-M-XxB6cZQnWc-d0wqSesRQ@mail.gmail.com> <20200710183228.GV42197@faui48f.informatik.uni-erlangen.de> <6fc66168-f04c-c23e-856c-5a61e1a28f5f@gont.com.ar> <CALx6S37T_7JYW=93iOhaHaq_Kw1CsaFc37sjT3Bo4Sx_wtbfqQ@mail.gmail.com> <c1ecb592-6e99-0dca-90c5-51a19b893af5@si6networks.com> <CALx6S36m75249_Gk33n-6ZEahfod6hi5snD0u07ZjCPhH0fj7Q@mail.gmail.com> <b512bd75-ffb7-23c8-8b87-ea1a40747616@si6networks.com>
In-Reply-To: <b512bd75-ffb7-23c8-8b87-ea1a40747616@si6networks.com>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 13 Jul 2020 13:26:28 -0700
Message-ID: <CALx6S36g5wxzE22gFunTc4QC9v+08EmTfNivMtEw4pe=kjD-5Q@mail.gmail.com>
Subject: Re: Death by extension header
To: Fernando Gont <fgont@si6networks.com>
Cc: Fernando Gont <fernando@gont.com.ar>, "6man@ietf.org" <6man@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/GYXjEsAn8h3GMd1yYRVtcA5LnJk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 20:26:55 -0000

On Mon, Jul 13, 2020 at 1:02 PM Fernando Gont <fgont@si6networks.com> wrote:
>
> Hello, Tom,
>
> On 13/7/20 15:53, Tom Herbert wrote:
> [....]
> >
> > Fernando,
> >
> > draft-ietf-6man-icmp-limits-08 defines the ICMP errors for limits of
> > number of options, length of extension headers, length of extension
> > header chain, etc. However, I don't believe any default limits are
> > suggested other than the RFC8504 limits.
>
> Yep, that's what I meant.
>
>
>
> > Wrt byte length, the most interesting limit with regards to routers is
> > when the aggregate length of the header chain exceeds the size of the
> > parsing buffer in the device.
>
> Indeed.
>
>
> > As I understand it common lengths of
> > parsing buffers are 128, 256, or 512 bytes. That might suggest the
> > default minimum should be 128 bytes or maybe 256 bytes. That is, we
> > would expect that routers should be able to process IP header,
> > extension headers, and first four bytes of transport header (e.g. to
> > get ports for ECMP) fit in the parsing buffer in the first N bytes of
> > the packet. We can narrow this down if the standard is followed such
> > that routers only process the IPv6 and HBH headers, intermediate
> > destinations in a routing header only process headers through the
> > routing header, and end hosts process all options.
>
> Please see:
> https://tools.ietf.org/html/draft-gont-v6ops-ipv6-ehs-packet-drops-03 .
> Folks need to look deeper. SO unless the entire length of the EH chain
> is limited, this problem will be faced.
>
Fernando,

Yes, the practical limit is probably to be able to parse all IP
headers and at least four bytes of transport layer headers. There is
some ambiguity when encapsulation is present since packets may have
multiple transport layer headers in the presence of encapsulation and
whether network devices should be parsing into encapsulations (which
may not even be possible in many cases).

One comment about draft-gont-v6ops-ipv6-ehs-packet-drops-03:

"However, we note that for a long time many IPv6 implementations
failed to set the Flow Label, and ECMP and Hash-based Load-Sharing
devices also did not employ the Flow Label for performing their task."

I believe the first part of this statement has been addressed, all
major OSes set the flow label AFAIK. Hopefully, devices are migrating
to use flow labels for ECMP.


> Indeed, the longer the EH-chain length, the higher the chances of
> packets being dropped -- as per RFC7872 and others.
>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>

v2.23.0 | Report a Bug | By Email