Re: [Gen-art] Review of draft-ietf-6man-rfc1981bis-04

Mark Andrews <marka@isc.org> Mon, 13 February 2017 05:30 UTC

To: otroan@employees.org
From: Mark Andrews <marka@isc.org>
References: <CACL_3VEm=M9cYG1HEe7wu2RHo23P9hqH4e7qX-GGWds1CLSL=w@mail.gmail.com> <A33FF8C9-E244-4404-9596-503D82F20B47@employees.org>
Subject: Re: [Gen-art] Review of draft-ietf-6man-rfc1981bis-04
In-reply-to: Your message of "Sat, 11 Feb 2017 23:59:20 +0100." <A33FF8C9-E244-4404-9596-503D82F20B47@employees.org>
Date: Mon, 13 Feb 2017 16:30:18 +1100
Message-Id: <20170213053018.BE00D6390011@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/hWZ_8Gi3L7hHraileOBiWgSLbr0>
Cc: 6man WG <ipv6@ietf.org>, IETF <ietf@ietf.org>, "C. M. Heard" <heard@pobox.com>, Gen-ART <gen-art@ietf.org>, Suresh Krishnan <suresh.krishnan@gmail.com>, Stewart Bryant <stewart@g3ysx.org.uk>, draft-ietf-6man-rfc1981bis.all@ietf.org

In message <A33FF8C9-E244-4404-9596-503D82F20B47@employees.org>, otroan@employees.org writes:
> > How does this work for UDP?
> >
> > Sending packets no larger than 1280 bytes is always an option, and in
> > the case of UDP-based request-response protocols such as DNS that do
> > not have connection state, it may be the only feasible option.
>
> Yes, but DNS tend to use IP fragmentation that suffers an order of
> magnitude worse fate than ICMP messages. ;-)

Yep.  Idiots with firewalls break otherwise working protocols.
 
> > Anyway, the point I was trying to make was not to argue about better
> > or worse methods but rather to dispute the statement that PMTUD is
> > essential for avoiding black holes. I don't believe that it is. The
> > draft itself explicitly says that "IPv6 nodes are not required to
> > implement Path MTU Discovery."
>
> That's correct. But it then must restrict itself to sending packets at
> the minimum MTU size.
> You cannot implement RFC2473 (IP in IP) without PMTUD for example.
>
> [...]
>
> > What criteria for advancement to IS do you think are not met by this
> > document?
> >
> > I do not dispute that the document has met the formal criteria for IS
> > in Section 2.2 of RFC 6410. I would argue, however, that its failure
> > to provide a complete solution for environments where delivery of ICMP
> > messages is not assured constitutes a significant technical omission
> > for today's Internet, and I note that per RFC 2026 Section 4.1.1, even
> > a PS "should have no known technical omissions." What I am asking the
> > community, and the IESG, is whether it is wise to advance a document
> > with known technical omissions; it seems to me that the Gen-ART
> > reviewer has raised much the same question.
>
> For IPv6, because of the removal of fragmentation by intermediate nodes,
> failure to provide a path where ICMP message delivery is assured is
> considered a configuration error.
>
> From
> http://www.nlnetlabs.nl/downloads/publications/pmtu-black-holes-msc-thesis.pdf:
>
> "We observed that for IPV4 between 4% and 6% of the paths between the
> vantage points and our experimental setup filter ICMP PTB packets. For
> IPV6 this was between 0.77% and 1.07%. Furthermore, we found that when
> IPV4 Domain Name System (DNS) servers do not act on the receipt of ICMP
> PTB packets, between 11% and 14% of the answers from these DNS servers
> are lost. For IPV6 DNS servers this was between 40% and 42%. Lastly, we
> found that for IPV4 approximately 6% of the paths between the vantage
> points and our experimental setup filter IP fragments. For IPV6 this was
> approximately 10%."

There isn't a lot a DNS server can do unless the host OS records
the path MTU for that destination.  I suppose theoretically it could
listen for PTB then set IPV6_USE_MIN_MTU for destinations that it
has received a PTB for but that is not optimal.  Unfortunately the
OPT/TSIG/SIG records are towards the end of the packet so it generally
isn't possible to resend the response that triggered the PTB.

> From that data it looks like we have been quite successful. ICMPv6 PMTUD
> is treated a lot better (about a 1% loss) than its IPv4 counterpart.
> Unless better data exists I tend to conclude that the claim that the
> Internet breaks PMTUD for IPv6 is a myth.
>
> Fragmentation on the other hand...

Fragmentation failing is basically gun, foot, shoot by blocking all
fragments at the firewall.  Nameservers don't need to support
fragmentation for request traffic, which is what at least one of the
"fragmentation is broken" tests tested.  Firewalls could reassemble or be
more selective about the fragments they drop.

It doesn't help that there is this myth that IPv6 packets will never
be fragmented.

Mark

> And please don't get me wrong, I think we have a big job to do on MTU
> issues. I just don't see data showing that PMTUD isn't doing what it was
> designed to do.
>
> Best regards,
> Ole
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
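Two things in the thread above call for a concrete illustration: the quoted remark that a node which does not run PMTUD must keep its packets at the IPv6 minimum MTU, and Mark's point that a DNS server usually cannot resend the response that triggered a Packet Too Big because the OPT/TSIG records sit at the end of the message. The following is an added example, not code from the thread, from ISC, or from any nameserver; it shows the conservative server-side alternative: size UDP responses so they never exceed the 1280-byte minimum link MTU (1280 minus the 40-byte IPv6 header and 8-byte UDP header gives a 1232-byte payload budget), fall back to a TC=1 response so the resolver retries over TCP, and ask the kernel, where the platform exposes the RFC 3542 options, to keep sends at the minimum MTU and refuse fragmentation. The minimal TXT/OPT record builders, the name `example.test.` and the record sizes are constructed for the example and are assumptions.

```python
import socket
import struct

# RFC 8200 guarantees every IPv6 link carries 1280-byte packets; subtracting
# the fixed IPv6 header (40) and UDP header (8) gives the largest UDP payload
# that never needs fragmentation and never depends on an ICMPv6 PTB arriving.
IPV6_MIN_MTU = 1280
SAFE_UDP_PAYLOAD = IPV6_MIN_MTU - 40 - 8  # 1232 bytes

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1
FLAG_QR, FLAG_TC = 0x8000, 0x0200


def encode_name(name):
    """Wire-encode a dotted name as uncompressed labels (assumed helper)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def txt_rr(name, text, ttl=300):
    """One TXT record; RDATA is a sequence of <=255-byte character strings."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    return (encode_name(name)
            + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata))
            + rdata)


def opt_rr(udp_payload_size):
    """EDNS(0) OPT pseudo-RR: root name; CLASS carries the advertised UDP size."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)


def build_response(txid, qname, answers, udp_payload_size, tc=False):
    """Header + question + answers + OPT. OPT comes last, as in a real reply,
    which is why a PTB-triggering response cannot simply be cut short."""
    flags = FLAG_QR | (FLAG_TC if tc else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    return header + question + b"".join(answers) + opt_rr(udp_payload_size)


def fit_for_min_mtu(txid, qname, answers, udp_payload_size,
                    limit=SAFE_UDP_PAYLOAD):
    """Return (wire_message, truncated).

    If the full answer would exceed the minimum-MTU budget, send an empty
    TC=1 response instead: the resolver then retries over TCP and the server
    never has to learn about the path from an ICMPv6 PTB that may be filtered.
    """
    full = build_response(txid, qname, answers, udp_payload_size)
    if len(full) <= limit:
        return full, False
    return build_response(txid, qname, [], udp_payload_size, tc=True), True


def is_truncated(message):
    """True when the TC bit is set in the DNS header flags."""
    return bool(struct.unpack("!H", message[2:4])[0] & FLAG_TC)


def apply_min_mtu_options(sock):
    """Ask the kernel to keep IPv6 UDP sends at the minimum MTU and to refuse
    fragmentation (RFC 3542 IPV6_USE_MIN_MTU / IPV6_DONTFRAG). Availability
    differs by OS, so each option is applied only if the platform exposes it.
    Returns the names of the options that were successfully set."""
    applied = []
    for name in ("IPV6_USE_MIN_MTU", "IPV6_DONTFRAG"):
        opt = getattr(socket, name, None)
        if opt is None:
            continue
        try:
            sock.setsockopt(socket.IPPROTO_IPV6, opt, 1)
            applied.append(name)
        except OSError:
            pass
    return applied


if __name__ == "__main__":
    # Constructed sample: five 255-byte TXT records give a 1441-byte response,
    # over budget; four give 1161 bytes, which fits.
    big = [txt_rr("example.test.", "x" * 255) for _ in range(5)]
    msg, tc = fit_for_min_mtu(0x1234, "example.test.", big, 4096)
    print(len(msg), "bytes on the wire, TC set:", tc)
    msg, tc = fit_for_min_mtu(0x1234, "example.test.", big[:4], 4096)
    print(len(msg), "bytes on the wire, TC set:", tc)
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
            print("kernel options applied:", apply_min_mtu_options(s))
    except OSError as exc:
        print("no IPv6 UDP socket available here:", exc)
```

The budget is deliberately computed from the protocol minimum rather than learned per destination, which is exactly the "always an option" strategy the quoted text describes; a server that does record per-destination path MTU from PTB messages can raise `limit` for those peers, but the TC fallback remains the safe default where PTB delivery is not assured.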