RE: Never fragment: getting PMTU info transmitted reliably
"Lubashev, Igor" <ilubashe@akamai.com> Thu, 17 January 2019 17:59 UTC
Return-Path: <ilubashe@akamai.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6529E130EB5 for <ipv6@ietfa.amsl.com>; Thu, 17 Jan 2019 09:59:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.254
X-Spam-Level:
X-Spam-Status: No, score=-5.254 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, KHOP_DYNAMIC=2, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BXvmxP35e3ZB for <ipv6@ietfa.amsl.com>; Thu, 17 Jan 2019 09:59:46 -0800 (PST)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A229130EAB for <ipv6@ietf.org>; Thu, 17 Jan 2019 09:59:46 -0800 (PST)
Received: from pps.filterd (m0122332.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x0HHvQFH008069; Thu, 17 Jan 2019 17:59:45 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=jan2016.eng; bh=aZ5QxJ6G0IOc1Va3MlMh2MgVshgIp9EkMfoL7L5EjeQ=; b=S6h1zl8jbbzYb4Rw4/Psm6oWVUuRDPsNFjhnL8WwG9jb/dvfygfBYfRSBwR/f5+HMBiS ngd1+fZnn8Jf8WbP5SzEbb9892uu7h4kKX6oAKkOLuywdmBqByLTjLzmV7AXfuY7d18A 0hR8S6YQsNB2HB6fNi/7whh/lmCkn1Q91UM7DCaBvx/Yne4ClACZRpC/mSQHtCNinSA5 bNzyDl5IAC6aoDW2HLxemlp9Stbb2nUmP6WDjsH9YPg/o6P6W7wMZJa86Wat5RcCIwat prSpW8eWRc9PZ0jUZdWgRFYQ9imJQqKYFYlp2AHLRpKAA0+GbgUz+lXjwGXlHkNvtZnr 3Q==
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19]) by mx0a-00190b01.pphosted.com with ESMTP id 2q1hjpfdqn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 17 Jan 2019 17:59:44 +0000
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.27/8.16.0.27) with SMTP id x0HHlXHp024538; Thu, 17 Jan 2019 12:59:43 -0500
Received: from email.msg.corp.akamai.com ([172.27.27.25]) by prod-mail-ppoint2.akamai.com with ESMTP id 2pycf01yf9-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 17 Jan 2019 12:59:42 -0500
Received: from USTX2EX-DAG1MB5.msg.corp.akamai.com (172.27.27.105) by ustx2ex-dag1mb5.msg.corp.akamai.com (172.27.27.105) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Thu, 17 Jan 2019 11:58:54 -0600
Received: from USTX2EX-DAG1MB5.msg.corp.akamai.com ([172.27.27.105]) by ustx2ex-dag1mb5.msg.corp.akamai.com ([172.27.27.105]) with mapi id 15.00.1365.000; Thu, 17 Jan 2019 11:58:54 -0600
From: "Lubashev, Igor" <ilubashe@akamai.com>
To: Tom Herbert <tom@herbertland.com>
CC: Mark Smith <markzzzsmith@gmail.com>, 6man <ipv6@ietf.org>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>
Subject: RE: Never fragment: getting PMTU info transmitted reliably
Thread-Topic: Never fragment: getting PMTU info transmitted reliably
Thread-Index: AQHUrfRJNoiRW7HbHk+RedCzRe2QzKWy+zWAgAAFIoCAACQggIAABLEAgAAIrgCAABL9AP//r+VKgAEB/ID//69vIA==
Date: Thu, 17 Jan 2019 17:58:54 +0000
Message-ID: <80ef6bdba2514206baa7795dedffb2a7@ustx2ex-dag1mb5.msg.corp.akamai.com>
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <6aae7888-46a4-342d-1d76-10f8b50cebc4@gmail.com> <EC9CC5FE-5215-4105-8A34-B3F123D574B9@employees.org> <4c56f504-7cd7-6323-b14a-d34050d13f4e@foobar.org> <9E6D4A6E-8ABA-4BAB-BEC5-969078323C96@employees.org> <CAAedzxpdF+yhBXfnwUcaQb-HkgdaqXRU3L+S7v8sS1F0OkwM9A@mail.gmail.com> <78a8a0e0-8808-364c-41f7-f81f90362432@gont.com.ar> <CAAedzxpjxhP0nOZVU0CTwA1u3fsPFthrJASjDEfnLcRNvr2gBQ@mail.gmail.com> <c9be798e-5a32-7c3e-a948-9ca2fab30411@si6networks.com> <CAHw9_i+M2-420pykp99LcgMNSG=eeDqsZK8+hN20t_uUdANHfA@mail.gmail.com> <d6e52c30-bbd1-1ee7-144c-fa13a9df5f38@gmail.com> <0f4a6c88-1def-6766-235b-1bcd2cc5e33b@si6networks.com> <CAHw9_i+FB-tb8c+G22FCUxNg9BDpMfwqur8gSn5QaXteBcABZA@mail.gmail.com> <14135.1547681760@localhost> <a044c327-d9ce-573e-a158-6c4b157f2d6c@joelhalpern.com> <24583.1547692781@localhost> <116fbbeb-c191-cd57-5998-1d80db1c9917@gmail.com> <CAO42Z2wsK+e3p25ZVnRfYXqmATLoEj+-1uTx8QVuEZEHqcXj0w@mail.gmail.com> <CALx6S35=AhF=5WdQNymTNu+Xtd3zV2KVWyHdwJzw2XNejns77g@mail.gmail.com> <cf56fa2230a14e358b297561a32bcf5b@ustx2ex-dag1mb5.msg.corp.akamai.com> <CALx6S37oBojME2B53KGmurGgHVx+T_RtWv=NORk4ouBCVPApww@mail.gmail.com>
In-Reply-To: <CALx6S37oBojME2B53KGmurGgHVx+T_RtWv=NORk4ouBCVPApww@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.33.108]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-01-17_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901170125
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-01-17_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901170127
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/XjVe7sn9oH39jNypmAxQMsIgJLs>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2019 17:59:49 -0000
On Thursday, January 17, 2019 10:12 AM Tom Herbert <tom@herbertland.com> wrote: > On Wed, Jan 16, 2019, 9:48 PM Lubashev, Igor <mailto:ilubashe@akamai.com wrote: >> There is a lot of complexity in injecting entropy into IP addresses. As >> long as using a 4-tupple for TCP and UDP traffic, 2-tupple+SPI for IPSec, >> 2-tupple+Key for GRE, etc. "just works", there is little incentive to >> deploy complex solutions that involve DNS, neighbour caches, etc. The hope >> for new protocols on top of ipv6 is the flow label, because it is so simple >> to use right by everyone: the sender, the receiver, and the middle boxes. > > Igor, > > I'm not sure I'd say that it "just works". Take a look at Maglev load > balancer > (https://urldefense.proofpoint.com/v2/url?u=https-3A__static.googleusercontent.com_media_research.google.com_en__pubs_archive_44824.pdf&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=Djn3bQ5uNJDPM_2skfL3rW1tzcIxyjUZdn_m55KPmlo&m=Ov_Q64EPg0L4YTIJM46mUQ1XCRAUa2erO899x4BVQK8&s=HmQ5z09TFfKB0FmiHCgAgj6I_xnkpP6de0-529U28kw&e=) > and all the complexity needed to ensure consistent routing to backends, and > even with all that it still will drop some number of connections when > backends change. I am familiar with Maglev. In fact, I run a load balancer system whose backend pool changes every few seconds. To preserve connections, you either needs to do some clever tricks and/or keep per-connection state (our load balancer for TCP is mostly stateless). It would not matter what part of the packet contains your load balancing connection key: IP, ports, QUIC CID, IPSec SPI, etc. You either find a way for the server to pass a token to the client to include in each of their packets or you keep a per-connection state on the load balancer. Moreover, I would argue that any method that has the client select a load balancing connection key (an ephemeral src port or less significant bits of IP address) is going to require load balancer to keep per-connection state or drop some connections on a backend pool change. This is exactly why IETF QUIC has packets from clients feature a server-supplied Connection ID (after handshake completion). > Using flow label or transport layer information is only best effort for > persistence. Intermediate devices are allowed to change devices flow labels, > NAT evictions of UDP may change the client side ports and address > mid-flow. You can also add IP fragmentation to the list. NAT rebinding is a potential problem for UDP-based protocols, indeed (hence QUIC is trying to mitigate it). I do not think intermediary devices are allowed to change flow labels, though, since RFC 6437 forbids this: "Once set to a non-zero value, the Flow Label is expected to be delivered unchanged to the destination node(s). A forwarding node MUST either leave a non-zero flow label value unchanged or change it only for compelling operational security reasons as described in Section 6.1." (Off topic: "Section 6.1" makes me amused that it supposes that networks worried about covert exfiltration of information by the sender will allow packet transmissions by that sender sans the flow label.) > QUIC is interesting since it doesn't use the IP addresses or ports > for identifying connections. QUIC allows either endpoint to provide a 0-length connection ID, effectively using IPs and ports for connection identification. I believe Chromium does (did?) just that. Moreover, a change in a 4-tuple during QUC handshake is likely to kill that handshake. > That conceptually allows a client to purposely > randomize both the source address and the port on every packet That would not work too well for QUIC (at least the current version), since QUIC requires path validation (QUIC does not want to be a vector for reflection attacks). The exact details of connection migration and validation are not completely settled, yet, but what is certain is that while frequent connection migration should work, it would need to be much less frequent than every packet. - Igor
- Non-Last Small IPv6 Fragments Timothy Winters
- Re: Non-Last Small IPv6 Fragments Bob Hinden
- Re: Non-Last Small IPv6 Fragments 神明達哉
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments Erik Kline
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Carsten Bormann
- Re: Non-Last Small IPv6 Fragments 神明達哉
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Mikael Abrahamsson
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Timothy Winters
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Timothy Winters
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Bob Hinden
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Christian Huitema
- Re: Non-Last Small IPv6 Fragments Ole Troan
- RE: Non-Last Small IPv6 Fragments Lubashev, Igor
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Bob Hinden
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- RE: Non-Last Small IPv6 Fragments Manfredi (US), Albert E
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Mark Smith
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- End-to-end (was Re: Non-Last Small IPv6 Fragments) Christian Huitema
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Tom Herbert
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Warren Kumari
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Fernando Gont
- Re: Non-Last Small IPv6 Fragments Mikael Abrahamsson
- Re: Non-Last Small IPv6 Fragments Tim Chown
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Warren Kumari
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fred Baker
- Re: Non-Last Small IPv6 Fragments Tim Chown
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Tom Herbert
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Michael Richardson
- Never fragment: getting PMTU info transmitted rel… Michael Richardson
- Re: Never fragment: getting PMTU info transmitted… Joel M. Halpern
- Re: Never fragment: getting PMTU info transmitted… Brian E Carpenter
- Re: Never fragment: getting PMTU info transmitted… Tom Herbert
- Re: Never fragment: getting PMTU info transmitted… Michael Richardson
- Re: Never fragment: getting PMTU info transmitted… Brian E Carpenter
- Re: Never fragment: getting PMTU info transmitted… Mark Smith
- Re: Never fragment: getting PMTU info transmitted… Erik Kline
- Re: Never fragment: getting PMTU info transmitted… Mark Smith
- Re: Never fragment: getting PMTU info transmitted… Tom Herbert
- Re: Never fragment: getting PMTU info transmitted… Brian E Carpenter
- RE: Never fragment: getting PMTU info transmitted… Lubashev, Igor
- Re: Never fragment: getting PMTU info transmitted… Tom Herbert
- RE: Never fragment: getting PMTU info transmitted… Lubashev, Igor
- Re: Never fragment: getting PMTU info transmitted… C. M. Heard
- Re: Never fragment: getting PMTU info transmitted… Christian Huitema