IETF Logo Mail Archive

Re: Path MTU Hop-by-Hop Option

Tom Herbert <tom@herbertland.com> Wed, 24 October 2018 23:20 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0DEE12D4EC for <ipv6@ietfa.amsl.com>; Wed, 24 Oct 2018 16:20:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DYqQdb5WhmXp for <ipv6@ietfa.amsl.com>; Wed, 24 Oct 2018 16:20:22 -0700 (PDT)
Received: from mail-qk1-x729.google.com (mail-qk1-x729.google.com [IPv6:2607:f8b0:4864:20::729]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 993C2130DCE for <ipv6@ietf.org>; Wed, 24 Oct 2018 16:20:22 -0700 (PDT)
Received: by mail-qk1-x729.google.com with SMTP id g13-v6so4562267qke.8 for <ipv6@ietf.org>; Wed, 24 Oct 2018 16:20:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=ReeRxbukJjI+MjL6HSJTbQFknZ5L/sW8KEQ4ZkdIuIo=; b=n8rr+ad1eBZKWjjNNy5diJWxfxcPwETW0U2mz6roKvnJaABWy9OUPPrGvxs9jAaiH9 zi1mHJELmQ9o/Jf+/t9dqeABELgXo3PBHtyhiJdRhE3VyuqjQZiBBlK49O+Pi7EBm86S sSHvWj5S29UYPEHCQsY6mOodBji7b7Q8phWAyQJNBBSVTYCzoxaD4XFKyv7oWL47xtk4 /Br1dylCGgjiSVPHAauSRwpF/coAcVmBsL+tYSnNkFuj2tvGi9/c9LzsaxpphZJSGEAh +esn50WTknlgji+29v4MaviId4cUKwLmga00W8hpmit8ko2TPsj+iT2mLDNS7pDKJN9N bzAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=ReeRxbukJjI+MjL6HSJTbQFknZ5L/sW8KEQ4ZkdIuIo=; b=L2qFaR4ZowTBkGnngJ4uXoZ/QeOiA6zmITl7JE2+D8MhRNnOw9FhXAsUa1WCvxtzbo OaUWBjKX0SHB7wWivSvwisT9h/E9zV18blvc7oAg7Hn03agZ0HvD2jly0wIjc/ITUzYb ZP9+dzPvDAXyg0fjg2217XQVuCkmTmkQmiereUIxa0EM6ggCg7MT+ayoQ6Vjw59ygK0Y TxOerAor2PInOgvOtnKMLR/YcgnCn93LB79f79iTVZfYQQ5X/dB/I5/6cARgtd7haZkp e4Ye6ziJiyTSujb/LD+6+yEvobubOL5aP13M3x62Unzal2Kon59OtFfxNdhSfvcoHbpF s6Fw==
X-Gm-Message-State: AGRZ1gJuBi0jRS87mhFbpR4Q5NTFCA4zfzpnEih6gUXLAIQ2QQnLYgk6 GZ7LBfdQ5eyLZJb/8632jMCtkFKzym/X3bhSkRxhkA==
X-Google-Smtp-Source: AJdET5c8s0RNdn0+EvZAD7l6y3KgfEhl7Fl7uAkv7XkD+yej7Cc8g9CuQ0p18WKzvjNwza6fm006Zm9kjR3uoykTvu4=
X-Received: by 2002:a37:8607:: with SMTP id i7-v6mr4481354qkd.121.1540423221494; Wed, 24 Oct 2018 16:20:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:aed:2022:0:0:0:0:0 with HTTP; Wed, 24 Oct 2018 16:20:20 -0700 (PDT)
In-Reply-To: <94f4ccba-3bd8-9bde-150e-e18e97c07261@si6networks.com>
References: <153972960647.9465.12295361632444928551.idtracker@ietfa.amsl.com> <E97952C5-3E3C-4EC1-B414-BDA8717FD7DF@gmail.com> <24F21185-0E76-449D-B9C7-729DD8CD30EE@tzi.org> <4a8602d4-7bbd-1ce0-7c25-5149f2f8d1ec@si6networks.com> <CALx6S37GG_UDpyJqd61OMXgLCCoEJuXsN5WvkNERdGcUQp0X4A@mail.gmail.com> <7de0cfd8-340a-7f85-f28e-9ebc054cfe4a@si6networks.com> <CALx6S36v22h+3-ee_OvnYyrQsbxPbvAanHFgbXr-BKu_AnX9og@mail.gmail.com> <94f4ccba-3bd8-9bde-150e-e18e97c07261@si6networks.com>
From: Tom Herbert <tom@herbertland.com>
Date: Wed, 24 Oct 2018 16:20:20 -0700
Message-ID: <CALx6S34urOH7N2EJsveLLN0CRJVSQKLHiSKJhEzKTOCcb1ep=Q@mail.gmail.com>
Subject: Re: Path MTU Hop-by-Hop Option
To: Fernando Gont <fgont@si6networks.com>
Cc: Carsten Bormann <cabo@tzi.org>, Bob Hinden <bob.hinden@gmail.com>, Gorry Fairhurst <gorry@erg.abdn.ac.uk>, IPv6 List <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/fQBPku9ngTGwmR_8mKbr9_J0m4U>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 23:20:27 -0000

On Wed, Oct 24, 2018 at 3:00 PM, Fernando Gont <fgont@si6networks.com> wrote:
> Hello, Tom,
>
> On 10/24/18 5:45 PM, Tom Herbert wrote:
>> On Tue, Oct 23, 2018 at 8:14 PM, Fernando Gont <fgont@si6networks.com> wrote:
>>> On 10/24/18 3:57 AM, Tom Herbert wrote:
>>>> On Tue, Oct 23, 2018 at 11:03 AM, Fernando Gont <fgont@si6networks.com> wrote:
>>>>> On 10/17/18 6:49 AM, Carsten Bormann wrote:
>>>>>> On Oct 17, 2018, at 00:55, Bob Hinden <bob.hinden@gmail.com> wrote:
>>>>>>>
>>>>>>> This document specifies a new Hop-by-Hop IPv6 option that is used to
>>>>>>>   record the minimum Path MTU
>>>>>>
>>>>>> A while ago I proposed something similar to collect information about adaptation layer fragmentation MTUs (information about which is truly not available in any other way):
>>>>>>
>>>>>> https://tools.ietf.org/html/draft-bormann-intarea-alfi-04
>>>>>>
>>>>>> (I also only looked at the Internet layer here — leaving it as an exercise to put in transport/application protocol support.)
>>>>>>
>>>>>> After mulling an initial version of the proposal, there was pretty much consensus that hop-by-hop options were not really available on the Internet.  So I put in an alternative way to collect the information, see above if you are interested.  Then at some point SPUD came along and I was hoping that would lead to a framework within in which this information could be better handled.
>>>>>>
>>>>>> Maybe it’s time to pull the old draft out again.  The hop-by-hop option problem of course hasn’t gone away.
>>>>>
>>>>> IPv6 EHs are not readily available on the public IPv6 Internet. See
>>>>> RFC7872. While not included in RFC7872, my measurements indicate that
>>>>> the same applies even to IPsec EHs. :(
>>>>
>>>> Fernando,
>>>>
>>>> If I'm reading RFC7872 correctly, it is more accurate to say that the
>>>> drop rates for EH vary between 12% and 55% depending on type and
>>>> destination. We cannot say that EH always works on the Internet, but
>>>> neither is it correct to say that EH never works on the Internet.
>>>> Success rate is somewhere in between.
>>>
>>> Can you depend on something that fails in 10% (or more) of cases?
>>>
>> Well, aren't we also trying to depend on IPv6 itself which still has a
>> pretty high failure rate on the Internet?
>
> I haven't measured IPv6 failure rate, I should say.
>
>
>
>> If we're restricted to only
>> use protocols that we can absolutely depend on to work then the only
>> choice is to use plain TCP over plain IPv4.
>
> I guess that there are things that are likely to be workable, and others
> that aren't. The structure of EHs doesn't seem to be friendly wth modern
> router architectures
> (https://iepg.org/2015-11-01-ietf94/IEPG-RouterArchitecture-jgs.pdf), so
> there's not much of an indication that things will move in a different
> direction.

I believe the emergence of programmable devices, like those with P4,
change that. RFC8200 also allows devices to skip over HBH, this should
be trivial code in P4.

>
>
>
>> Also, I think "depend" is an interesting word in this context. By
>> definition the Path MTU option is an *option*, it cannot be required
>> for basic communications. No one can depend on it.
>
> Either you have a reliable PMTUD, or you prepare to send1280-byte
> packets (or smaller). So in such case the algorithm should be "the MTU
> is 1280. Upon receipt of a PTMU option, rase it to, at most, the MTU of
> your outgoing interface". Otherwise traffic can get blackholed and you
> get a DoS.
>
>
>>>
>>>> While the data in RFC7872 is objective, the conclusions being drawn
>>>> are not. I think there are two possible conclusions 1) Success rate of
>>>> EH is abysmal, EH is a failure and should be deprecated, and the
>>>> would-be contents of EH need to be moved to other layers somehow
>>>
>>> Tags aside, the reality is that if you need the the would-be contents to
>>> be reliable, you'd put them else where. Not that I like it... but
>>> whatever my personal taste is, it doesn't solve problems by itself.
>>>
>> The problem there is that no one has yet to define the alternative
>> that would work any better.
>
> Currently (SR aside), you need EHs from fragmentation and IPsec. For
> fragmentation, it remains to be researched how things are working out
> (maybe fall back to v4 for the DNS,.. but I don't know). For IPsec...
> well, you probably avoid native IPsec traffic as you did for v4, anyway.
>
> Put another way, looks like nobody   looked for an alternative because
> nobody "needed" it.

There also been a number of proposals to get OAM data into the packet.
Suggestions have included stealing bits from flow label, diffserv
bits, or putting them in TCP. None of these have been shown to be
viable. And of course there was SPUD proposal, which in the end would
have more issues than getting EH to work.

>
>
>
>>>> 2) EH
>>>> support is less than desirable, but this is a current condition that
>>>> may be improve over time with new deployments, protocol
>>>> clarifications, definition of some "useful" options.
>>>
>>> Yes, it could improve. One never knows. Me, my gut feeling is that's
>>> unlikely.
>>>
>>>
>>>> IMO, until EH is
>>>> officially deprecated, it is entirely appropriate to define new uses
>>>> such as the Path MTU Option here.
>>>
>>> No matter how EHs are flagged, we're doing engineering. It works, or it
>>> doesn't. (as unfortunate as that may be).
>>>
>> I disagree that it has to be a global binary choice. Happy eyeballs
>> has shown how to deal with a protocol that has greater than zero, but
>> less than 100% support.
>
> It's a different thing. Happy eyeballs essentially deal with multiple
> choices where all of them are equivalent. You just need one to work.
> Happy Eyeballs wouldn't work if you tried to use it when acecss stes
> behind a firewall that filters port 80 and 443.
>
> If, say, IPsec fails, you can't just "disable ipsec". or "well, lets try
> a TLS tunnel".
>
>
>
>
>>> To me, it all looks like they are reliable in controlled domains (within
>>> your network, where you control everything), but not elsewhere (public
>>> Internet)
>>>
>> That's not clear at all. For a small domain this might be plausible,
>> but for large sprawling domains like the big DC operators that use
>> multiple vendors it may or may not be true. Besides that, if the plan
>> is to only use features like EH in a controlled domain, then we need
>> to have an implementation at host to determine whether the destination
>> is in the controlled domain-- that is not necessarily easy to do. A
>> common solution should consider whether the feature is viable to each
>> particular destination.
>
> So, just as a sample scenario: how ould you workaround non-working IPse
> (due to filtering of IPsec EHs?)

I'd probably tunnel it over UDP (GUE to be precise). If UDP doesn't
work because it's blocked by a firewall, then I'd tunnel over TCP (GTE
described in https://tools.ietf.org/html/draft-herbert-tsvwg-gte-00).

Tom

>
>
>>
>>>> Since we know up front that the
>>>> option might not always be viable on the Internet, the mechanism will
>>>> need a fallback;
>>>
>>> If the fall-back "just works" why not keep it simple?
>>>
>> Because fallback means we don't get the advantages of the feature.
>
> That means that the possible outcome, for the pmtu option , is that you
> end up using 1280 instead of some larger PMTU.  (The pmtu option is
> subject to blackholes... hence the fall back needs to be the minimum
> IPv6 MTU, or PLPMTUD).
>
>
>
>>>> but the need for a fallback is hardly unique: IPv6
>>>> falls back  IPv4 via happy eyeballs, UDP falls back to TCP when
>>>> firewalls block UDP, etc.
>>>
>>> I'd compare such a fall-back with e.g. retrying TCP connections without
>>> the ECN bits set. When doing the fall-back, you lose the benefits of
>>> ECN. - but I would expect that in most EH cases, loosig the
>>> functionality is not a viable option. e.g., what would the fall-back be
>>> for IPsec packets that get blackholed?   (I tel you *my* workaround: I
>>> tunel over TLS over a transport protocol.. don't even bother to try to
>>> do IPsec in the general case)
>>>
>> I think IPsec is an extreme. For other use cases of EH, particularly
>> DO and HBH, like Path MTU option, OAM, FAST the fallback is not to use
>> the option. Communication can proceed but advantages is lost possibly
>> resulting in a degraded mode of service relative to using the option.
>
> For some of these cases, I'd agree. But for PMTUD, it's tricky (see above).
>
> Cheers,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>

v2.23.0 | Report a Bug | By Email