[IPv6]Re: Warren Kumari's Discuss on draft-ietf-6man-hbh-processing-18: (with DISCUSS and COMMENT)
Bob Hinden <bob.hinden@gmail.com> Thu, 30 May 2024 00:18 UTC
Return-Path: <bob.hinden@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6EECC16940A; Wed, 29 May 2024 17:18:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bqrc9U9YNI5f; Wed, 29 May 2024 17:17:58 -0700 (PDT)
Received: from mail-oi1-x22a.google.com (mail-oi1-x22a.google.com [IPv6:2607:f8b0:4864:20::22a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7D84C1519AA; Wed, 29 May 2024 17:17:57 -0700 (PDT)
Received: by mail-oi1-x22a.google.com with SMTP id 5614622812f47-3d1d78b7418so147962b6e.1; Wed, 29 May 2024 17:17:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1717028277; x=1717633077; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=XOPA801Dl5qFGFRvJ4VPrbdieg/kJf1WedBMhoZSC7Y=; b=kTMslBOJbO1YxcdCXMBjwwenRFHJfioln88kLRo+m0dFbSut3Fj/G/DFJB1uHQjkKU 6YGUXUfPfpMRAjeSy9Fbl3G00Yj4cwEp4rJj5TA7klhNDMUp89UkZwDfeuSYxm4i6J1V FuwxlZR4TwKhQJtYSd7Ku6NbYyv4AAZYlKk5TqZ/Lvs+n2PxgMP1ORcJ7Aq4iYxHKhxS lguBM6Qtd54qej8N76Bsm72Aw56L/YXhI+XBEgSa4VOXbIjuL0w/JYQfzlAedOqxnWbu ANRM3MUWp7k8v3qKIOXN4vqHCuvKy2Luf1s8n2WHJ3QUNyhCMjOx69skLL0Ni1n3dain DrJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1717028277; x=1717633077; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=XOPA801Dl5qFGFRvJ4VPrbdieg/kJf1WedBMhoZSC7Y=; b=gV/HQY5KLX8TRMH6tJmQ12jbqjStoBirkzLiYsWEokSRbwsCaQwpXwKaBT5ft6U0VK iRjGFVEMC2GwEbJwG1R43S5/MlP8VadSp6wlPZ2I1xTYFThPDtHvvwIiFSZuFBvDcg1Z 0QFFKAhNbF81/QOqRrpS+2liALFJOrckROmmdEclil6l5s0f+J+etTZINzTx0f1stnZz 52geIB8xieVlWIwEDQ6oTz5+bcs+XBvmSfHZwMUAP21zAaOzoi7wzrPup9lvImph+eGm /Nc2seJ1Y/iLT6aSW+eikWA18z+fUdoghG79ymZBQvX7KoyONNt5KdCNOMo/mD45LKrO PpJw==
X-Forwarded-Encrypted: i=1; AJvYcCWl9r9sIpRQmjWKmmU1fmrkrFRjUM1uTJOIRknzJtsL1Fvr02X/99UgIwHVMJm+E0RffTMNxa0Gol/i1Tf1OywnZYm2pw3/xr44aVStXnpTnUWd/7e6B4YYqRzOBtuiTrtJC+0qHDQBJrxO5G+31rohm3XrLuonSv3dokP4Y397XuCtWXheyzxDJ9zH
X-Gm-Message-State: AOJu0YyHXpW9XckTk87UlOC+AQeQn1x3exTobS0yMTZYY2Fvkhr+6z40 Se8EMH77Hiw8D7Rly+6qDAQ/8eNUghIhba2S06BykU3pPUQ1F0cAqMM7hQ==
X-Google-Smtp-Source: AGHT+IH89/fvGy4v3E1ODa36HdgtHMjzUs+V05ikCrLsg+pnALy+rkd98uq0jsH3EZ9oJp9iobXXqg==
X-Received: by 2002:a05:6871:5898:b0:24f:ef6b:353e with SMTP id 586e51a60fabf-25060de16d1mr862695fac.36.1717028276659; Wed, 29 May 2024 17:17:56 -0700 (PDT)
Received: from smtpclient.apple ([2600:1700:4383:c05f:ec13:5e12:e918:82d3]) by smtp.gmail.com with ESMTPSA id 46e09a7af769-6f8d0de599asm2472580a34.33.2024.05.29.17.17.55 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 29 May 2024 17:17:56 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.600.62\))
From: Bob Hinden <bob.hinden@gmail.com>
In-Reply-To: <171701998302.4837.5999563238399491967@ietfa.amsl.com>
Date: Wed, 29 May 2024 17:17:35 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <72C0C27E-CF00-48DA-BF21-6536D36FB32B@gmail.com>
References: <171701998302.4837.5999563238399491967@ietfa.amsl.com>
To: Warren Kumari <warren@kumari.net>
X-Mailer: Apple Mail (2.3774.600.62)
Message-ID-Hash: EWRXP3TT4NFTJKOHMJ5GJ222SRTC5FRU
X-Message-ID-Hash: EWRXP3TT4NFTJKOHMJ5GJ222SRTC5FRU
X-MailFrom: bob.hinden@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ipv6.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Bob Hinden <bob.hinden@gmail.com>, 6man Chairs <6man-chairs@ietf.org>, IESG <iesg@ietf.org>, Gorry Fairhurst <gorry@erg.abdn.ac.uk>, IPv6 List <ipv6@ietf.org>, draft-ietf-6man-hbh-processing@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [IPv6]Re: Warren Kumari's Discuss on draft-ietf-6man-hbh-processing-18: (with DISCUSS and COMMENT)
List-Id: "IPv6 Maintenance Working Group (6man)" <ipv6.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/H-cSK7YT9FoRFZrqVIw4FuAhgOQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Owner: <mailto:ipv6-owner@ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Subscribe: <mailto:ipv6-join@ietf.org>
List-Unsubscribe: <mailto:ipv6-leave@ietf.org>
Warren, Comments below. Bob & Gorry > On May 29, 2024, at 2:59 PM, Warren Kumari via Datatracker <noreply@ietf.org> wrote: > > Warren Kumari has entered the following ballot position for > draft-ietf-6man-hbh-processing-18: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-6man-hbh-processing/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Apologies for the late-breaking DISCUSS. :-( > > I am unclear on the following text: > "If a router does not process the Hop-by-Hop Options header, it MUST forward > the packet normally based on the remaining Extension Header(s) after the > Hop-by-Hop Option header (i.e., a router MUST NOT drop a packet solely because > it contains an Extension Header carrying Hop-by-Hop options).". > > As noted in the document, many networks do not currently follow this behavior, > and it appears that in some cases this is because the network has chosen to > filter packets with Hop-by-Hop options. It is unclear to me if this is intended > to prohibit this behavior. Operators may need to perform this filtering -- for > example, their "border" router may need to filter packets containing HbH > options to protect interior devices which have not yet been upgraded (or > similar). I'm **assuming** that you are not trying to prohibit vendors > providing the ability to filter HbH packets, but this is not clear. The draft is attempting to reduce this behavior (dropping packets because they contain the HBH options), and to make it the default to forward packets with HBH option headers instead of dropping the packet. Note that RFC8200 doesn’t mention dropping packets, just not processing the options based on local configuration: NOTE: While [RFC2460] required that all nodes must examine and process the Hop-by-Hop Options header, it is now expected that nodes along a packet's delivery path only examine and process the Hop-by-Hop Options header if explicitly configured to do so. We do understand, that nodes will continue to do this and that an IETF specification can’t change that. What do you suggest? We could say something to the effect that some nodes will drop packets containing HBH options to protect other routers who can’t process them safely. Or something similar. > > I don't really understand the interplay between Section 5.1.1 (Configuration > Enabling Hop-by-Hop Header Processing) and Section 5.2 (Hop-by-Hop Options > Processing). S 5.1.1 notes that "Section 4 of [RFC8200] allows a router to > control its processing of IPv6 Hop-by-Hop options by local configuration." and > that "it is now expected that nodes along the path only examine and process the > Hop-by-Hop Options header if explicitly configured to do so.", but Section 5.2 > says: "A router SHOULD NOT therefore be configured to process the first > Hop-by-Hop option if this adversely impacts the aggregate forwarding rate." The > "[a] router SHOULD NOT ..." text sounds like it is trying to change the default > from "nodes along the path only examine and process the Hop-by-Hop Options > header if explicitly configured to do so" into "they normally should, unless > this adversely impacts the aggregate forwarding rate.". If that is the intent, > this should be clearer. Yes, we can make that clearer, I can see how it is confusing. Looking at the text, the second paragraph in 5.2 should probably be moved the earlier section 5.1.1 about configuration. That paragraph is saying don’t create configuration to process an option if it can’t be done at full forwarding rate. Or maybe it is obvious and should be removed. > > Actually, I find really difficult to figure out what *exactly* has changed from > RFC8200. Section 5 says "This section describes several changes to [RFC8200].", > but the actual changes are not particularly clear (modulo the "Option Type > identifiers" changes, which are nice and clear). RFC8200 doesn’t say a lot about processing HBH options except for: The Hop-by-Hop Options header is not inserted or deleted, but may be examined or processed by any node along a packet's delivery path, until the packet reaches the node (or each of the set of nodes, in the case of multicast) identified in the Destination Address field of the IPv6 header. The Hop-by-Hop Options header, when present, must immediately follow the IPv6 header. Its presence is indicated by the value zero in the Next Header field of the IPv6 header. NOTE: While [RFC2460] required that all nodes must examine and process the Hop-by-Hop Options header, it is now expected that nodes along a packet's delivery path only examine and process the Hop-by-Hop Options header if explicitly configured to do so. This draft is expanding on these two paragraph on how HBH options should be processed (basically Section 5). We could add some text that says that clearly. BTW, Section 6 is clear that it is updating Section 4.8 of [RFC8200]. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- Many of comments you raised below were also raised in other IESG reviews, especially John Scudders. The authors are working on an update that resolves them. > > I initially had this as part of the DISCUSS, but moved it to a comment instead. > I find this bit of text ambiguous (or at least unclear): "A router SHOULD NOT > therefore be configured to process the first Hop-by-Hop option if this > adversely impacts the aggregate forwarding rate. A router SHOULD process > additional Hop-by-Hop options, if configured to do so, providing that these > also do not adversely impact the aggregate forwarding rate." This could be read > as: 1: The router should be configured to skip the first HbH option, but should > process the additional ones. 2: The router should process the first HBH option, > but unless there is explicit configuration it should ignore the rest. The > "SHOULD NOT" vs "SHOULD" and double-negatives makes this hard to read, and also > makes it sounds like there are expected to be a number configuration knobs here > (First vs Subsequent HbH options). > > A similar problem occurs here: > "If a router is unable to process any Hop-by-Hop option (or is not configured > to do so), it SHOULD behave in the way specified for an unrecognized Option > Type when the action bits were set to "00" " I'm assuming you mean "If a router > either unable (or configured) to not process any Hop-by-Hop option ..." ? > > and then again here: > "If a router is unable to process further Hop-by-Hop options (or is not > configured to do so), the router SHOULD skip the remaining options using the > "Hdr Ext Len" field in the Hop-by-Hop Options header. " I think that the > document would benefit greatly from some clarity here -- I'm assuming that the > intent is only a single configuration knob, but it's really not clear... > Is this duplication, or is there a meaningful difference in these two sentences > (destination vs host): "It is expected that the Hop-by-Hop Options header will > be processed by the destination. Hosts SHOULD process the Hop-by-Hop Options > header in received packets."? > > I don't really understand some of the SHOULDs in Section 6 -- e.g: "New > Hop-by-Hop options SHOULD be designed to ensure the router can process the > options at the full forwarding rate." -- what router? I have a Cisco 2509 > sitting in a rack in my basement. It has very different processing > characteristics to an M40 or modern Cisco or a Linux box, and they way that > they process HbH packets differs wildly. I agree with the sentiment, but not > how this is worded. I think that this should be clarified, or at least the > SHOULD should become a should... The Uppercase SHOULD/MUST was changed to lower case based on Roman Danyliw's review. That is in -18 we just published. > > Nits: Thanks, we will fix.. > 1: "The reason behind this includes:" - reasons, include? > 2: "or that forward packets" - forwards. > 3: "The Router Alert Option [RFC2711] is an exception that can result in > processing in the control plane, see Section 5.2.1." - perhaps "that can > require processing by the control plane"? Or perhaps I don't understand what > this is trying to say. 4: "When an ICMP Parameter Problem, Code 2, message is > delivered to the source, the source can become aware that at least one node on > the path has failed to recognize the option." - I don't have a suggestion, but > "the source can become aware" make it sound like this is an information leakage > issue, and not the actual intent of the ICMP Code. 5: "The Router Alert Option > could have a potential for use with new functions that have to be processed in > the control plane." - "The Router Alert Option could potentially be used by new > functions that have to be processed in the control plane." ? 6: "An > implementation that does recognize the Router Alert Option, SHOULD verify that > a" - drop the comma. 7: The document sets an expectation that if a packet > includes a single Hop-by-Hop option that packet will be forwarded across the > network path." - there is a random closing quote. 8: "If a subset of packets > in a flow were to include Hop-by-Hop options, this could introduce a potential > to increase the number" - could potentially ? > > >
- [IPv6]Warren Kumari's Discuss on draft-ietf-6man-… Warren Kumari via Datatracker
- [IPv6]Re: Warren Kumari's Discuss on draft-ietf-6… Bob Hinden
- [IPv6]Re: Warren Kumari's Discuss on draft-ietf-6… Warren Kumari
- [IPv6]Re: Warren Kumari's Discuss on draft-ietf-6… Bob Hinden
- [IPv6]Re: Warren Kumari's Discuss on draft-ietf-6… Bob Hinden