draft-bonica-6man-frag-deprecate
Havard Eidnes <he@uninett.no> Fri, 28 June 2013 13:26 UTC
Return-Path: <he@uninett.no>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41D1E21F9B52 for <ipv6@ietfa.amsl.com>; Fri, 28 Jun 2013 06:26:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l5Ma3uTKklQi for <ipv6@ietfa.amsl.com>; Fri, 28 Jun 2013 06:26:05 -0700 (PDT)
Received: from smistad.uninett.no (smistad.uninett.no [IPv6:2001:700:1:0:21e:4fff:feed:ced]) by ietfa.amsl.com (Postfix) with ESMTP id 2C0B621F888F for <ipv6@ietf.org>; Fri, 28 Jun 2013 06:25:29 -0700 (PDT)
Received: from smistad.uninett.no (smistad.uninett.no [158.38.62.77]) by smistad.uninett.no (Postfix) with ESMTP id 097A43D0B5 for <ipv6@ietf.org>; Fri, 28 Jun 2013 15:25:27 +0200 (CEST)
Date: Fri, 28 Jun 2013 15:25:26 +0200
Message-Id: <20130628.152526.152295907.he@uninett.no>
To: ipv6@ietf.org
Subject: draft-bonica-6man-frag-deprecate
From: Havard Eidnes <he@uninett.no>
X-Mailer: Mew version 6.5 on Emacs 23.4 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jun 2013 13:26:10 -0000
Hi, some comments from this corner, some small, some not so...: In section 1: MTU is a unidirectional metric. A bidirectional link may be characterized by one MTU in the forward direction and another MTU in the reverse direction. I'm sure this is formally true. However, in practice, I have never seen a router where you can separately configure the receive and transmit MTU. So ... I would remove this altogether; it may otherwise pave the way for unsuspecting individuals reading this to create a path MTU discovery black hole by configuring inconsistent MTUs for devices on the same link. In section 2.1: [Kent87] points out that the reassembly process is resource intensive. It consumes significant compute and memory resources. Is that argument still valid today? Is it impossible to engineer an implementaiton which restricts the memory consumption in order to improve robustness of the implementation? Section 2.2 states "Fragmentation Is Rare". I think this will be hihgly dependent on your choice of observation points. E.g. in the vicinity of an NFS server serving using UDP, I would not be surprised to see a lot of fragments. And, as has been mentioned elsewhere in this discussion, in the vicinity of a DNSSEC-validating recursive DNS resolver, you would expect to see an increasing proportion of fragmented UDP traffic as DNSSEC deployment progresses. In section 2.2.1, the document appears to dismiss the DNSSEC use of UDP and fragmentation with "use TCP instead". I beleive Mark Andrews in <20130624030939.CA0DD363070C@drugs.dv.isc.org> stated why this is far from good enough as an answer. In addition to TCP PMTUD being too slow, you have the issue that TCP in general is about 3 times slower than UDP in delivering a DNS response even if PMTUD is not involved -- I beleive RIPE NCC Labs did a test using their "RIPE Atlas" probes to check for this, and they came up with 2.5x - 3x as the slowdown factor. Additionally there is the vastly increased need to keep state in DNS name servers by the TCP load which would result from the abolishment of UDP as a transport for DNS. On top of this, there is the argument that "firewalls and network operators may filter DNS over TCP", but I would not use that as an argument because I consider it invalid -- more on that below. Section 2.3, "Attack vectors". Isn't this whole section giving bad excuses to IP stack implementors for not providing a robust and well-tested implementation?!? BTW, I'm wondering whether there is a spec issue lurking within this area, wrt. invalidating the most obscure corner cases? Section 2.4, "Operator behavior". It is claimed that IPv6 fragments are being dropped in several places, e.g. by enterprise firewalls or other environments who want to tightly control what traffic is passed. I claim that is's a matter of principle whether we let the tail wag the dog. Firewall administrators or other users of the network may do unwise things when configuring their device, but should such behaviour be allowed to restrict what becomes standardized?!? If that were the case, we might as well all restrict ourselves to speaking TCP over port 80. Section 3, "Recommendation". I question whether you can in fact make the backward-incompatible change of getting rid of the need for implementations to support fragment reassembly -- the genie is already out of the bottle -- has been for quite a while, and I claim it's already too late to try to put it back in. So some of the claimed attack vectors in section 2.3 will also be difficult to get rid of, as hosts will in all probability have to continue to support fragment reassembly for quite a while. At the very least, there's a need to separate the recommendations for "sending fragments" and "support reception of fragments". Best regards, - HÃ¥vard
- draft-bonica-6man-frag-deprecate Havard Eidnes
- Re: draft-bonica-6man-frag-deprecate Brian E Carpenter