IETF Logo Mail Archive

Re: Re: HBH Option Header Configuration (draft-hinden-6man-hbh-processing)

"li_zhenqiang@hotmail.com" <li_zhenqiang@hotmail.com> Thu, 10 June 2021 07:28 UTC

Return-Path: <li_zhenqiang@hotmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9BC53A3857 for <ipv6@ietfa.amsl.com>; Thu, 10 Jun 2021 00:28:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.114
X-Spam-Level:
X-Spam-Status: No, score=-0.114 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uR8Vh5O8eWkc for <ipv6@ietfa.amsl.com>; Thu, 10 Jun 2021 00:28:30 -0700 (PDT)
Received: from AUS01-SY4-obe.outbound.protection.outlook.com (mail-sy4aus01olkn2081e.outbound.protection.outlook.com [IPv6:2a01:111:f403:7005::81e]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C960F3A3852 for <ipv6@ietf.org>; Thu, 10 Jun 2021 00:28:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mC35BuizCWdIshTMi20o7MIllNZdurzX4tpg1/qR1Whpb9LH90kpi+r2SsM9zqJXQfTgDEEGKaSR7EXWD7PKXki6TOvxdfK3tfZMvRmNwfO1MM8x7cdoCi6FNRc13fChjyu2MjA6FJWGyzu58ZdQXNzjfXlT6p+fagVTrfRDgfBzBtpBs9Mwys/HBVN7332+Je2dFcOeSKr+i9slm0yB46FLTqvQK3tf+KAGWNFTeyVC4Nn74ldfIwa5y5VmR2KXgUt8nRmpOlUm8p97OCwGSMCKZkcXKSsXyeiAK/t99nYVoGQVKqhz1dWutqgg/3oI9sSlEI5NxuE2VTS3z9t+JA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8PVf7UbCXoG/4C07UyZy+B/wft10AoF5HN0Lmp/EXGY=; b=Ycr14HBV94gCiprFdTfBYCtF+K07Jn7IUBZUPpINH5DIF4vJ0Kz0fyIfIPvqnDPqLrD4OTe6yvYKM4zYnseC/a8+g72tGKwm55ircXSZ8LsN/N+Z6gEAoYHBXo6jyCbLyXDplfjdF+M8aDxRvO2PbToXoT2LsB2naY16VOp42orFiuH5pa/bsm85OdY8I4XMm4a1pdSA8N3CWQ6aNY7+ZuESOe/d+L7df4ElfeRqc9LdHAI4hYkujO6mg1cMdGzVDRK0opg5NUny/aNckSFZYW5y9vWheMrwPPLV31iTSJNG1uyOZtjIb/ahGxHr9Jd9qTAildDCyIKX90RyfewLig==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8PVf7UbCXoG/4C07UyZy+B/wft10AoF5HN0Lmp/EXGY=; b=eJs1SpHcM2Fiz+6uXnZojNgyiEBnZtXpeTvykC8w6H/90ikQEAx7YglyGSsv+0REgD+YaNU+B+N97cOfuKzWdtlAztph97UGHmDsq2DTCUsbWtAemaX56gzXvsHpHLumPtGUpUZQZASJ5hjH0+3KN26qAwXjIYyi0yN3pX9N5aZI7Xzv6PhYho/E1DAoJywEuZkWIUxKSkYZ6ud+BO7W/4mKCnYNRKKrzMXQIVW834fdarkjccP/BOAqd3eABUZVCQvHn0O2jHhUW5C4f1qcSvgXjmyg1cD9RZkbOKAA/E/enC+bTqjQ1PC460LK8mFJae/CFdoI/VOy6Z07r9BxJQ==
Received: from MEYP282MB2942.AUSP282.PROD.OUTLOOK.COM (2603:10c6:220:157::9) by ME3P282MB2890.AUSP282.PROD.OUTLOOK.COM (2603:10c6:220:13b::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4219.21; Thu, 10 Jun 2021 03:54:58 +0000
Received: from MEYP282MB2942.AUSP282.PROD.OUTLOOK.COM ([fe80::1509:afbc:fb4c:27cd]) by MEYP282MB2942.AUSP282.PROD.OUTLOOK.COM ([fe80::1509:afbc:fb4c:27cd%7]) with mapi id 15.20.4195.030; Thu, 10 Jun 2021 03:54:58 +0000
Date: Thu, 10 Jun 2021 11:56:13 +0800
From: "li_zhenqiang@hotmail.com" <li_zhenqiang@hotmail.com>
To: Fernando Gont <fernando.gont=40edgeuno.com@dmarc.ietf.org>, Bob Hinden <bob.hinden@gmail.com>, "ipv6@ietf.org" <ipv6@ietf.org>
Subject: Re: Re: HBH Option Header Configuration (draft-hinden-6man-hbh-processing)
References: <90F1C7DD-A8FF-45C1-9B9F-6E57A04AB88B@gmail.com>, <7f64a647efa75ef19c60b86a036e367d9c140381.camel@edgeuno.com>
X-Has-Attach: no
X-Mailer: Foxmail 7.2.9.156[cn]
Message-ID: <MEYP282MB294202D6AAEBCC6729A35E6AFC359@MEYP282MB2942.AUSP282.PROD.OUTLOOK.COM>
Content-Type: multipart/alternative; boundary="----=_001_NextPart127545314650_=----"
X-TMN: [I0lwX8xEOSjyIUuXDK3jVpCKLawObcmgxb1qA1yXpIo=]
X-ClientProxiedBy: HK2PR06CA0016.apcprd06.prod.outlook.com (2603:1096:202:2e::28) To MEYP282MB2942.AUSP282.PROD.OUTLOOK.COM (2603:10c6:220:157::9)
X-Microsoft-Original-Message-ID: <202106101156099941165@hotmail.com>
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from cmcc-PC (183.243.240.141) by HK2PR06CA0016.apcprd06.prod.outlook.com (2603:1096:202:2e::28) with Microsoft SMTP Server (version=TLS1_1, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) id 15.20.4219.21 via Frontend Transport; Thu, 10 Jun 2021 03:54:56 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 049f1d14-c6ad-4ad6-f8f9-08d92bc38356
X-MS-TrafficTypeDiagnostic: ME3P282MB2890:
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: eru6K4JtfRl+0t2Nso6eUficxTd3P8JsPLp/u5rCpRKSERwM3OHR3ZKLcp4GG6PTake+Gin3kZSxv9srpZ+o1M2nzN0/J5WxwBD//Q04E/R/WAhzauFm3tHFyeqklYRdsTX081QIuzdqsk7tImKZloHN2w5tI3hFBZR9pmQ3ajd/LpxdQ348h61zP84luKHFiJJneie6ANPsmts5IGnPpqWkN931hx2q2OL3T6td5uOh0R/pId4g0U3ichz/xg1wilQ/DKZpcbqYloiZas0ASOw5LM7vfEBCpO3c6/uhHtiGKW72k3xJz/+OrFnrBcBiEr05PgxQ5OcJiWfWwLQkjAN56TuicKmxLRMeHC9fuFFLdN2VTJHhATNi2PdfmGYqj1xhe6HmJJSZgQYC9U/dFiBbB+ilGIQguuRh5aO5czF6NAqr9L0jXMazXCQ+rAA+Ex61GkwwqA2eAhZY13kLuQ==
X-MS-Exchange-AntiSpam-MessageData: U2FpmCbXHTLTgbqzrlpmrMUeD3/H9XVzmugQ0DJDAF3W22DqGm+Usyi3DuM70nzQyMPG+MrcUECoU5eyig1HzRGGkC7y4jAsUzSxCX0NBqpAlU3keLNr37d4gV8m2RBYYNrUU+Y/Zz276dtXN6EIcA==
X-OriginatorOrg: sct-15-20-3174-20-msonline-outlook-8dac2.templateTenant
X-MS-Exchange-CrossTenant-Network-Message-Id: 049f1d14-c6ad-4ad6-f8f9-08d92bc38356
X-MS-Exchange-CrossTenant-AuthSource: MEYP282MB2942.AUSP282.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Jun 2021 03:54:57.9623 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: ME3P282MB2890
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/L1EJgZQMtpWajol14SJrhb4azEw>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jun 2021 07:28:33 -0000

Add one more co-existing policy:
1) rfc2460 implementations, which aim to process all HbH
2) Deployed reality which drops HbH
3) RFC8200 implementations -- which ignore HbH unless required
4) draft-hinden-6man-hbh-processing, which would only process part of it.
5) draft-ietf-opsec-ipv6-eh-filtering, in which the processing policy for the packets with HBH EH is DROP or IGNORE

Best Regards,
Zhenqiang Li


li_zhenqiang@hotmail.com
 
From: Fernando Gont
Date: 2021-06-10 01:12
To: bob.hinden@gmail.com; ipv6@ietf.org
Subject: Re: HBH Option Header Configuration (draft-hinden-6man-hbh-processing)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
 
Hello, Bob,
 
On Tue, 2021-06-08 at 13:06 -0700, Bob Hinden wrote:
> Gorry and I are going over the comments received on draft-hinden-
> 6man-hbh-processing-01, thanks very much for your comments, it is
> very helpful.  We are working on respond to them.
> 
> One issue that is common to several questions is what does
> configuration mean regarding HBH Option headers.    Our draft and in
> hindsight RFC8200 is not clear what this means.   The note in Section
> 4 of RFC8200:
> 
>   NOTE: While [RFC2460] required that all nodes must examine and
>   process the Hop-by-Hop Options header, it is now expected that
> nodes
>   along a packet's delivery path only examine and process the
>   Hop-by-Hop Options header if explicitly configured to do so.
> 
> This can be interpreted to mean a configuration flag
> allowing/disallowing processing of a HBH Option Header, or specific
> configuration for each HBH Option type.
 
IMO, the above meanns "unless you have been explicitly configured
otherwise, feel free to skip/ignore the HbH header".
 
That relieves intermmediate systems from having to process HbH header,
which in some cases might be unnfeasible.
 
 
 
> 
draft-hinden-6man-hbh-processing-01 says:
> 
>   This document updates [RFC8200] that a
>   node MUST process the first Option in the Hop-by-Hop Header in the
>   Fast Path and MAY process additional Hop-by-Hop Options if
> configured
>   to do so.
> 
 
IMO, it's hard to enforce that requirement -- if at all possible.
 
1) You're assuming there is a fast-path -- maybe there isn't such a
thing.
 
2) What if there are multiple HbH?
 
3) What about the option size? e.g., if the first option is, say 512
bytes long, maybe you just can't do that.
 
4) If processing other options is a MAY, is there any point in
supporting multiple options in HbH?
 
 
 
> Several people asked if we are proposing to remove the ability to not
> process the HBH Option Header.
> 
> We have discussed this and conclude that yes, we are proposing to
> require all nodes to examine and process the first HBH Option in the
> Fast Path.   Not just drop packets with HBH Option Headers.  This
> change needs to be made clearer in the draft.
 
While other might disagree, even if the IETF were to manage to progress
this to an RFC, for the reasons specified above I really doubt this
would have any impact on real devices.
 
OTOH, we'd have a bunsh of things co-existing:
 
1) rfc2460 implementations, which aim to process all HbH
2) Deployed reality which drops HbH
3) RFC8200 implementations -- which ignore HbH unless required
4) draft-hinden-6man-hbh-processing, which would only process part of
   it.
 
 
If I had any reason for even thinking about using HbH options, the
above would certainly drive me away of that.
 
 
 
> We do note that per option configuration could be set to not support
> any options, that would be allowed, but it would require a router to
> follow the two high order bits in the Option type that control if the
> packet should be dropped or forwarded for at least the first option,
> and any other options that it was configured to support.
 
At least for infrastructure devices, that's not doable.
 
I find it very hard for an operator to even consider processing HbH
options (*), unless they have a very specific requirement to do so (say
RSVP).
 
(*) Some might extrapolate that to EHs in general :-) , but I won't get
into that. ;-)
 
Thanks,
- -- 
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
 
 
 
 
-----BEGIN PGP SIGNATURE-----
 
iQFOBAEBCgA4FiEE371j47JIrnnFmK8j667aAwZEFTEFAmDA9n8aHGZlcm5hbmRv
LmdvbnRAZWRnZXVuby5jb20ACgkQ667aAwZEFTFGiQgAors1BHXz812gxmQzhv5H
FUzC7+2gUeLJtgWNUamnrPUdZbMSvymYqRWRPvdviTklSJqTvGuthBgZBaEtJjDz
i3QUcqjC0AFhVVOzXolfofO4s0gXSfarrl99BdOh3LwFGpXIOZJzKSTga8XvYTaC
FywEDrek4+HQVNntcMOcF8lcn0RD3LrvU0NNYODoOGVXcdcMWroVujPPwleXJ9PJ
ajgror9IR8QvqvPPSLJbxS0a2xnZb692YWJYCWG+lJoA7jyM1Hvex4C4ow5CbDQw
v1U0+Yk0/Z9V9EriI8dwNB2WSwFw3geOq2pQaoJo02SYZX4TsbVeVThx6rT8SHD9
uQ==
=7v0L
-----END PGP SIGNATURE-----
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

v2.29.0 | Report a Bug | By Email | System Status