Re: [IPv6] Updated review of draft-ietf-6man-eh-limits-08
Jen Linkova <furry13@gmail.com> Wed, 08 November 2023 06:49 UTC
Return-Path: <furry13@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F677C1519AE; Tue, 7 Nov 2023 22:49:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.858
X-Spam-Level:
X-Spam-Status: No, score=-1.858 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3exXf9RjNzTb; Tue, 7 Nov 2023 22:49:48 -0800 (PST)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B71F9C1C02AF; Tue, 7 Nov 2023 22:49:48 -0800 (PST)
Received: by mail-lj1-x232.google.com with SMTP id 38308e7fff4ca-2c523ac38fbso86813041fa.0; Tue, 07 Nov 2023 22:49:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699426186; x=1700030986; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=aPhrKmuJEHOMh7AMFePJVa4lDShOBT1rx08VlWuwGGw=; b=fPEHqXyxCVl3YdvvJbWlvhgLsYSJWzvZqQkPIqmBevzqCSfwk1IFeTKQQz8+THkfXH uIxOIkFl4zeDDTb15OoPURNorbQjwqoSCBw+hvtTTf9P4w0Vww6E37lQlgaBcwFrXh6l V5VQHkqVkFAaCMw+SrI1nOTbCY1c+6U4cRQY9+lv6+hbR7KaqSSKtCr40+DdNC/h0hji RvbIl1ZsAUveaJdm/83RlkqUWe3IJQel3cpjwrqWpdp/4LFCvEyAlXiuG0IhSVJL2BQJ +742tOIW7f9sthezoMdXsx/NPkFKi6U1X8qkAcfEw5cWz/WDQfU/yKGUpFTCb4AEqZsb fdYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699426186; x=1700030986; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=aPhrKmuJEHOMh7AMFePJVa4lDShOBT1rx08VlWuwGGw=; b=p1FOWpJrswbVM2JpJkrNNNw5s/Mwo0Gsy/kB/YFxiibm9tvt7F7RXU4K1ut5Kcj0rX l4Yg+WF+wkoSlW9kMKqAnZXSE1cprYLRR5HqPo3PAaucbKtLNww8zTU+2dgRphR/O8t0 IGVMxiQxT6h4/u7vaquEX8BhEchoyGewnVZ2O8LTqJUjOLmOvOTW+Ufr/Z6pDT8zWhwy ZdhgsyAcYn0JP3O7w2D0wh+GCc9H+DW34BNAgYsMR6FhT51bkltLGYmmabkUTGz/EqxG Gfan/xYT6biM6+ACvNnNqRqxvn1/6mvXwvNWDWzWiGepyJSNF7ytl52yUObuDal7Th3f qSkQ==
X-Gm-Message-State: AOJu0YwSFaH7R0d8L7x1e879T/FpMgJTIUhMQaslNLazOio6zgd0qLch WoI14+wqFw72ScPZVybnrvIePqwDENi2TkPljlxlrcWIMKiyBOn8
X-Google-Smtp-Source: AGHT+IFVUzPkWIAOCWHDhVSIO7jfwGVrCBIqDT7jRXhUiXJ2myZ/ArcTiFVBDFDY8RtWRjfd3c9dhXAKLILZQFqvVSY=
X-Received: by 2002:a2e:95ce:0:b0:2c6:ee98:de85 with SMTP id y14-20020a2e95ce000000b002c6ee98de85mr777809ljh.23.1699426186198; Tue, 07 Nov 2023 22:49:46 -0800 (PST)
MIME-Version: 1.0
References: <CAFU7BAQXxe_qTscyMyVZ9kefozKqKd4VEexiOdi9ZkM0fa-=tg@mail.gmail.com>
In-Reply-To: <CAFU7BAQXxe_qTscyMyVZ9kefozKqKd4VEexiOdi9ZkM0fa-=tg@mail.gmail.com>
From: Jen Linkova <furry13@gmail.com>
Date: Wed, 08 Nov 2023 07:49:35 +0100
Message-ID: <CAFU7BARcL9D5jjVap0j+Mb8Xgj7quH4q07XTq+gVA2PHrWCy_g@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
Cc: 6man Chairs <6man-chairs@ietf.org>, 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/OxTvwmPRty6p7iSRYkmnF6Z1ldA>
Subject: Re: [IPv6] Updated review of draft-ietf-6man-eh-limits-08
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Nov 2023 06:49:49 -0000
Adding the WG this time for real.. On Wed, Nov 8, 2023 at 1:01 AM Jen Linkova <furry13@gmail.com> wrote: > > Tom, > > The document is significantly improved. Thanks for resolving most of > the issues we raised. > > We have following high level comments: > > Overall, we think the document is long and may be hard for > implementations to understand. Finding way to shorten and simplify. > Having a table of the limits would make it easier to understand and > implement. > > We think that terms like limited domains will make this challenging to > get through the IESG given it’s lack of clear IETF definition. Note, > we are not suggesting that it be defined here, better to remove it. > The text about explicit knowledge should cover this. > > Similar concern about the use of DPI. That is a broader concept that > just at IPv6 header chains. We don’t think it is necessary to be > included here. > > In the document, having separate text about limits for routers and > routers processing routing headers adds complexity. Is it possible to > consolidate these limits? > > We think the document could simplified if it only focused on length of > EHs (~64 bytes) and not get into the number of things like padding > options, or making distinctions between options and padding options. > We think this would meet the overall goals, but be simplifier to > understand. > > We also think that there doesn’t need to be limits on destination EHs > for destination hosts. Note, we do think there should be limits on > what hosts send that match the limits that routers have. > > Specific comments on draft-ietf-6man-eh-limits-08 below. > > Bob, Jen, Ole > > > > 1.2 Terminology > > Why is NAT mentioned in the terminology section? We don’t see any > other mention in the document, we think should be removed. > > The terminology for terms defined in RFC8200 should be exact quotes, > not summarized. > > Header Chain vs. IPv6 Header Chain? Why the distinction? We think > “Header Chain” is sufficient. Also, we note in Section 2.2.6 some of > this is described, but we think the limits defined in this draft > should only apply to the outer most IPv6 headers. > > 2.1 Types of nodes > > Given the addition of Section 1.2 Terminology, is this section still > needed? Seems mostly redundant. > > Is there a way to simplify the document by not treating “routing > processing routing headers” as a separate case? Also, the definition > of "router processing the RH" and "router not processing the RH" look > rather complicated and confusing. > > 2.2 Types of Limits > > Are Sections 2.2.1, 2.2.2, 2.2.3 still needed? They don’t appear to > say very much. > > > 2.2.4 Limits on number of options > > Please add reference for “P4”, it’s not well known. > > > 2.2.6. Limit on IPv6 header chain length > > The text says: "In addition to limits on the length of the IP header > chain, it is > conceivable that there could be a limit on the length of the whole > header chain in a packet. The whole header chain would comprise the > IPv6 header chain as well as any headers that are part of network > encapsulation that precedes the innermost transport layer. The > definition of such a limit is out of scope for this specification," > > As per the Terminology section, "the whole header chain" == "the IP > header chain" + the IPv6 > header, so there is always just 40 bytes difference between them. So > how can the router have different limits for those two header chains? > Also, "the innermost" part is confusing. Does that mean that in case > of encapsulation, the header chain includes all encapsulation > overhead? It seems to be inconsistent with the Terminology section, > which doesn't mention "the innermost". > > > > "The Encryption header may be used on the Internet,” > > We had thought that it was widely used for VPNs. > > Also, that sentence says that encryption obfuscates the encapsulated > transport headers - so does it mean that the header chain covers the > whole packet? In that case wouldn't any ESP packet exceed the limits > defined in the document? > > "Fragmentation may be used in the Internet, however only the first > fragment of a fragmented packet contains transport layer headers that > could be read by an Intermediate node.” > > Suggest something like: > > When Fragmentation is used in the Internet, the first fragment is > required by RFC8200 to contain all of the headers up to and including > the transport header, these headers can be read by a router. > > Note, “intermediate node” is still in this text in a few other places > and in some section headers. Please fix them. > > "However, the use of the Authentication header without encryption is > likely rare on the Internet.” > > Do you have any data to support this statement? > > This document, should not have the side effect of making the > Authentication header impossible to use. > > > 2.3 Actions when limits are exceeded > > General comment: I don’t think the doc need to say “router not > processing routing headers”, just saying “router” should be > sufficient. > > In the paragraph starting with “For routers not processing routing > headers…”, there is no relation between processing Hop-by-Hop options > and processing routing headers. We found this confusing. > > “[RFC8200] and > [I-D.ietf-6man-hbh-processing] allow that routers may not process the > Hop-by-Hop Options headers, therefore a router processing routing > headers may ignore all of the Hop-by-Hop options in a packet. This > specification expands on that requirement to allow an to process some > arbitrary subset of consecutive Hop-by-Hop options in the TLV list > and to ignore the following ones.” > > We don’t think this document should be making protocols changes, it > should be focused on setting limits. Please remove. > > In the last paragraph in this section, we didn’t understand what is > trying to be said. The comparison with hosts is not correct (hosts > would process all the rest of the packet). This needs more work to > clarify. > > 2.5 Design Philosophy > > We continue to think this document would be clearer with more focus on > routers, and less on hosts. It’s not clear there needs to be the same > kind of receiving limits in hosts. As noted in the draft “hosts > typically have more processing capabilities”. Note, it does make > sense to specify the host sending requirments to match the router > limits. > > 3.2 Host requirements > > Why say “Source host” or “destination host” vs. just “host”. The > text is clear about describing sending or receiving. > > The two section headers titles are inconsistent in style: > > 3.2.1. Source host requirements > 3.2.2. Receiving extension headers by destination hosts > > General comments for these sections. > > Most but not all items includes “unless it has explicit knowledge”. > The text could be simplified if that was stated in the beginning of > the section instead of in each item. Also, is it intentional that not > all items have that text about explicit knowledge"? > > The document sets limits in both numbers of options and total length. > We had thought the focus was driven by how may bytes a router could > process, do we need the number of options? > > 3.2.2. Receiving extension headers by destination hosts > > We are still not convinced that limits need to be specified for > destination hosts. Basically, if the packet got there, the host > should process it. It is very different from the limits that routers > have forwarding packets. > > > Section 3.3 Router requirements > > In the first paragraph it says “The limits described in this section > should all be configurable and therea are default values specified if > the limits are set”. But then in the following text the does appear > to specify specific limits (for example, 104 bytes). Please clarify > this. > > Some of the items in this list here are not about “limits”. For example: > > * Per [RFC8200] a router MAY be configured not to process Hop-by-Hop > Options headers. If a router is configured as such and a packet > with a Hop-by-Hop Options header is received, the extension header > MUST be skipped and the packet MUST otherwise be properly > processed and forwarded. > > * If a router encounters an unknown Hop-by-Hop option and the two > high order bits are not 00 then the router SHOULD immediately stop > processing the Hop-by-Hop Options header and ignore any Hop-by-Hop > options beyond the unknown option…….. > > We think this is out of scope for this draft and should be removed. > > Section 3.4 Intermediate destination requirements > > Change section title to Router Processing Routing Headers > > However, this seems like a lot of complexity and we am not sure why > processing EHs before routing headers need to be different. Don’t all > routers need to be able to process routing headers? -- Cheers, Jen Linkova
- Re: [IPv6] Updated review of draft-ietf-6man-eh-l… Jen Linkova
- [IPv6] Fwd: Updated review of draft-ietf-6man-eh-… Tom Herbert
- Re: [IPv6] Fwd: Updated review of draft-ietf-6man… Frank Brockners (fbrockne)
- Re: [IPv6] Fwd: Updated review of draft-ietf-6man… Tom Herbert