IETF Logo Mail Archive

Re: [IPv6] Removing extension headers from packets (revisited)

Mark Smith <markzzzsmith@gmail.com> Fri, 18 August 2023 05:35 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 823E8C15106C for <ipv6@ietfa.amsl.com>; Thu, 17 Aug 2023 22:35:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.603
X-Spam-Level:
X-Spam-Status: No, score=-1.603 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lnMmHrTAXJFa for <ipv6@ietfa.amsl.com>; Thu, 17 Aug 2023 22:35:06 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26641C14F736 for <6man@ietf.org>; Thu, 17 Aug 2023 22:35:06 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id 4fb4d7f45d1cf-525597d891fso631035a12.3 for <6man@ietf.org>; Thu, 17 Aug 2023 22:35:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1692336904; x=1692941704; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=3YmYObc3mkMuYUMT9SSFED740SwVQUufyztf3YxwGTw=; b=K5kJGtrLLdztjTbb9obbd6BCHoGkdN6EMhmPHSy+ythX/BOaff/cp88ZZ+Ms/o6imb oM+YkMfGN2cY6DuSw4+xGvlY/vq27luywr3bFWttvN2/pv71hLX5r38ZFA0ZDpdJPL6g rBw1jxv2OjDQ3UXRDKld/69mbxwN7a0kbdHjupwYkTvt8iAL+j7NGmxpCLuodcIuPjGE 1ND4/uFQpHM4S7CWkloSsatn0d2QzYV9sSjf/83HioBA0dIGDcuRSSkRXyklC6AfBMWt MGBp93Gz2kcgzog2+gFlDg9rldjEpiSUaZMQTbXUaAddx1jcCBw9jcbv+c6zmX4U4wmN 5nuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692336904; x=1692941704; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3YmYObc3mkMuYUMT9SSFED740SwVQUufyztf3YxwGTw=; b=fz1Cnj53OdZIHq2/LY/s3RecAZogN9dS24K9K0T7Xwo8NGfrrU8B2ObtmcgBNFETqG sp8ByFNd03yrtk2ehFOzVhcX24oFLliztt7PqocCX4FoTHyqjRO6uVQn4ksCsSvaTFv6 XTAgTlex46CHXvybXZ3o5YAIkX3WwOtQavC6tUVw+8/9pVjkh1iwCaZJloZLgH2o4jEi mRYn5WhhbJYgkb0rqWWqEZSdWj8RPuF8Chtxwolvynf8dw4BuFbO9OVF/siQRa7cpfUT 9r5zSRPhsYa9tqQjDxHBsfc8WEIQutNrxnJ+d2c8PaQyD/my6VInI51jKkJCvs6s8Hgr JmwA==
X-Gm-Message-State: AOJu0YwXhB/7Oq5p6Av8FR3f2Xozt4K78gzyOO4TvzrQnzJh/1HZKJFj LELHvsSYTK47wA0EKX/uHUIebeFsAgAtlvKvWZs=
X-Google-Smtp-Source: AGHT+IFYz/4Tyy2QPYKjm8Q5oWniNyTCBhN0Lodwae8nc1+wtNgrYIDZXAt3Wd9pnmL24B8R1Ryj3Y6aMiuu5t/uYX8=
X-Received: by 2002:a05:6402:5154:b0:528:8977:a11e with SMTP id n20-20020a056402515400b005288977a11emr1367511edd.28.1692336904228; Thu, 17 Aug 2023 22:35:04 -0700 (PDT)
MIME-Version: 1.0
References: <CALx6S36QSaWwqPjTo_42qXWG6vmvYBN-EOB7VmYrTGQAzg2ybw@mail.gmail.com> <93501AF3-E542-413F-B9F5-4E6168855027@gmail.com> <CALx6S34F7gnQ+xmeWwcM6Lyu22XGytj48cj5uqbsFURV9HSXXw@mail.gmail.com>
In-Reply-To: <CALx6S34F7gnQ+xmeWwcM6Lyu22XGytj48cj5uqbsFURV9HSXXw@mail.gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Fri, 18 Aug 2023 15:34:36 +1000
Message-ID: <CAO42Z2wHCBb7TtnF8jfhH+dScK6hSt7fgwxmzOp_vuS7tT+5Yw@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
Cc: Mike Simpson <mikie.simpson@gmail.com>, 6MAN <6man@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/iOkHhmqYW4s-x-UePI09SLx-5JU>
Subject: Re: [IPv6] Removing extension headers from packets (revisited)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Aug 2023 05:35:10 -0000

Hi Tom,

On Thu, 17 Aug 2023 at 00:54, Tom Herbert <tom@herbertland.com> wrote:
>

<snip>

>>
>> Tom,
>>
>> Why is it not our job to design tools that operators can’t shoot themselves in the foot with?
>
>
> Hi Mike,
>
> It's already common that operators take liberties with protocols and already do many things that are non-conformant.

Can you please provide some examples?

Having been a network operator for a long time, and for a number of
networks, in my experience and to my knowledge, it is not common for
operators to "take liberties with protocols and already do many things
that are non-conformant".

The main reason is that they can cause unreliable and unavailable
services, which cause customers to complain, and then eventually
cancel their services.

> We're already pretty good designing tools that they can shoot themselves in the foot with!
>>
>>
>> If it’s trivial to misconfigure routers that then allow “limited domain only” packets to leak out onto the internets then that’s not a failure of the operator but a failure of the design and implementation of the protocol.
>
>
> That's a problem that already exists. For instance, it's a bad idea for segment routing packets to escape the segment routing domain-- this is such a major concern that there is a proposal to use a new EtherType just for segment routing to make filtering easier -- that would be replete with opportunities for operators to shoot themselves in the foot :-)
>

I don't think you've understood the motivation for that proposal.

It will be inspired by MPLS not leaking onto the Internet, because it
has a different Ethertype than IPv4 or IPv6, and MPLS isn't required
to be enabled within a network, between networks and to end-user
devices to carry end-user Internet traffic.

A lot of the risks that SRv6 is creating are because end-users use
IPv6 for their Internet traffic too, meaning end-user devices can be
used to spoof SRv6 IPv6 packets. This risk just doesn't exist with
networks using different Ethertype MPLS (or SRoMPLS).


>
>>
>>
>> In my other field of expertise we did a study on an intensive care ward looking at drug errors and discovered that 1) there was a surprising number of them (thousands of errors per month) and 2) that a huge amount of them were caused by the way we were storing the drugs on the dispensing trolleys - different concentrations of epinephrine placed next to each other etc.
>> We then “engineered” the ability to make those errors out of the system and as a direct result the “operators” weren’t able to make those mistakes leading to so much less harm.
>> (I believe death by doctor is running at about 400k people per year in the US so still loads of work to do)
>
>
> Yes, it's a problem. But we also have to consider the benefits versus potential harm. If a packet with Hop-by-Hop options escapes a limited domain into the Internet, then the most likely outcome based on current data is that the packet will be dropped. If Hop-by-Hop options are removed then the packet has better chances to successfully traverse the Internet. If there is some misconfiguration, then the likely effect is that packet is dropped anyway. So in this case, I don't see that the potential harm is outweighs the potential benefit.
>

For a network operator, packets being dropped isn't the end of the story.

Packets are sent for a reason, so when they're dropped, somebody
usually and eventually will want to know why, because most of the time
it is causing a performance problem or a service outage.

If your protocol specification or implementation makes finding out why
harder than necessary, then it's less likely to be adopted and
deployed by network operators, who are dealing directly with the
end-users of the IETF protocols.

"... the IAB believes that, when there is a conflict between the
interests of end users of the Internet and other parties, IETF
decisions should favor end users." - RFC 8890, "The Internet is for
End Users".

The longer a fault takes to rectify, the angrier end-users (customers) get.

>>
>> Blaming operators misconfiguration for ie all the RFC1918 being blocked at my borders is victim shaming when the actual blame lies with the engineers that designed the protocols and the vendors that implement them.
>>
>> So as we haven’t puled the trigger on all these new wonderful ways for “limited domain only” packets to escape out in the wild with completely unknown consequences when it hits all the stuff still running 20 year old network code, why don’t we try and find solutions that don’t rely on operators being infallible?
>
>
> As I mentioned, the problem already exists and solutions are in deployment in terms of trying to contain packets or data in limited domains.

Be conservative with what you send, ...

"Prevention is better than better than cure." - Erasmus.

Regards,
Mark.


>
> Tom
>
>
>>
>> Coz y’all are clever but none of us are gods.
>>
>> Mike
>>
>> >> ?
>> >>
>> >> These and other problems caused by EH removal were covered in the
>> >> "In-Flight EH Insertion Considered Harmful draft in the section about
>> >> failed EH removal.
>> >
>> > EH insertion would be considered harmful since it increases packet
>> > size and could exceed path MTU to the point such that a sender
>> > couldn't even send minimal size MTU packets without them being
>> > systematically dropped. So EH insertion can materially break the IPv6
>> > protocol, but I still don't see how EH removal could break it.
>> >
>> > Tom
>> >
>> >>
>> >> https://datatracker.ietf.org/doc/html/draft-smith-6man-in-flight-eh-insertion-harmful-02
>> >>
>> >> I presented on it at IETF 106, slide deck:
>> >>
>> >> https://datatracker.ietf.org/meeting/106/materials/slides-106-6man-sessb-in-flight-ipv6-extension-header-insertion-considered-harmful-00
>> >>
>> >> It was suggested that it be worked towards publishing as a 6man WG
>> >> RFC, however quite frankly, I could tell it was going to be ignored by
>> >> the SPRING working group, and it was, so I didn't bother spending any
>> >> further time on it.
>> >>
>> >>
>> >> Regards,
>> >> Mark.
>> >>
>> >>
>> >>
>> >>> Tom
>> >>>
>> >>>
>> >>>> Yours,
>> >>>>
>> >>>> Joel
>> >>>>
>> >>>> On 8/14/2023 10:52 PM, Tom Herbert wrote:
>> >>>>
>> >>>>
>> >>>>
>> >>>> On Mon, Aug 14, 2023, 6:12 PM Joel Halpern <jmh@joelhalpern.com> wrote:
>> >>>>>
>> >>>>> Yes, knowing what the correct egress should be is, for the general case, a harder problem.  But, the example you cited is segment routing.  If the host is trusted enough by the operator to actually provide a segment route across the operator domain, it seems necessary for the host to have enough information to properly address the egress.  Thus, for the case you chose for an example, encaps seems quite natural, efficient, and achievable.
>> >>>>
>> >>>>
>> >>>> Okay, maybe segment routing wasn't the best example :-) Consider draft-kaippallimalil-tsvwg-media- hdr-wireless. The basic idea of this draft is to let hosts annotate packets with information, signals that can be consumed by the network to provide QoS. This is for 3GPP networks, so the hosts are potentially all the mobile devices in a network. The signals are only processed by one intermediate device in the path which is the Mobile Router (basically the first hop router). After that point, the signal is no longer processed. All the mobile hosts have is a default route to their carrier and a destination address, they don't have any knowledge of whether a packet will leave a limited domain and what the egress point-- and, in fact, we don't want them to have that information since it would expose information about the internals of the provider network.
>> >>>>>
>> >>>>>
>> >>>>> There may be other cases where knowing the proper egress is harder, but it seems to me that solving the information problem is MUCH easier than solving the problem of removing bytes from the middle of a packet at wire rate at a high speed inter-operator
>> >>>>
>> >>>>
>> >>>> Functionally, it's equivalent to a decap/encap operation, or a push/pop of headers. Maybe fixed function hardware can't easily do this, but I'd be surprised if programmable devices like P4 couldn't do it. Also, like in the case of draft-kaippallimalil-tsvwg-media- hdr-wireless, the last intermediate that processes thh HBH options could also be the one that removes it from the packet.
>> >>>>
>> >>>> In any case, the points about debuggability and feasibility are well taken, but those are operational concerns. I am still wondering if removing a HBH extension header could actually break the IPv6 protocol.
>> >>>>
>> >>>> Tom
>> >>>>
>> >>>>
>> >>>>> interface.
>> >>>>>
>> >>>>> Yours,
>> >>>>>
>> >>>>> Joel
>> >>>>>
>> >>>>> On 8/14/2023 9:05 PM, Tom Herbert wrote:
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On Mon, Aug 14, 2023, 5:53 PM Joel Halpern <jmh@joelhalpern.com> wrote:
>> >>>>>>
>> >>>>>> Hmmm.  Trimmed to focus on a point you make.
>> >>>>>>
>> >>>>>> Comments below.
>> >>>>>>
>> >>>>>> Joel
>> >>>>>>
>> >>>>>> On 8/14/2023 8:45 PM, Tom Herbert wrote:
>> >>>>>>>
>> >>>>>>> Hi Mark,
>> >>>>>>>
>> >>>>>>> No, it's not about bandwidth. It's about survivability and
>> >>>>>>> deployability of extension headers. The current prevailing belief is
>> >>>>>>> that extension headers are not usable across the Internet since there
>> >>>>>>> is a high probability of packet drop. However, within a limited
>> >>>>>>> domain, extension headers are deployable, especially if the network
>> >>>>>>> itself is consuming them as would be the case of HBH options
>> >>>>>>> requesting QoS or segment routing headers.
>> >>>>>>>
>> >>>>>>> This presents two problems:
>> >>>>>>>
>> >>>>>>> 1) Hosts create extension headers and if extension headers are known
>> >>>>>>> to work in a limited domain then they can safely use them _if_ the
>> >>>>>>> destination is in the same domain as the source and the entire path is
>> >>>>>>> within the same limited domain. The problem is that a host wouldn't
>> >>>>>>> necessarily know which destination are in the limited domain and which
>> >>>>>>> aren't
>> >>>>>>> 2) Even if a host knows it is sending to a destination outside of the
>> >>>>>>> limited domain, it might still want to apply the packets and services
>> >>>>>>> in extension headers for the time that the packet is in the limited
>> >>>>>>> domain. For instance, segment routing might be used to route a packet
>> >>>>>>> to a specific egress node. At the egress node, the SRH is removed and
>> >>>>>>> the packet can be forwarded into the Internet (I believe this was the
>> >>>>>>> scenario that motivated removal of SRH when it was presented a while
>> >>>>>>> back)
>> >>>>>>>
>> >>>>>>> The alternative for #2 that is usually suggested is to use tunneling
>> >>>>>>> from the source to an egress, for instance the outside IP header could
>> >>>>>>> contain the extension headers and the encapsulated packet is the one
>> >>>>>>> sent one the Internet with no extensions. That might work and be
>> >>>>>>> conformant, but it's significantly more complex and probably not as
>> >>>>>>> practical as just removing extension headers at the border router
>> >>>>>>> (more decisions, we have to explicitly route to egress points, more on
>> >>>>>>> the wire overhead, tracing ICMP errors back to a connection is
>> >>>>>>> tricky). Also, troubleshooting still can be difficult because the same
>> >>>>>>> packet looks very different depending on where it's viewed (for
>> >>>>>>> instance, at one point the packet is encapsulated, at another point
>> >>>>>>> it's not).
>> >>>>>>>
>> >>>>>>> Tom
>> >>>>>>> ---------------------------------------------------
>> >>>>>>
>> >>>>>> <jmh>   You state that encaps / decaps is "significantly more complex
>> >>>>>> and probably not as practical as just removing the extension headers at
>> >>>>>> the border rotuer."  I am missing something .  As far as I can tell,
>> >>>>>> decapsulation at an addressed egress is easy to implement and widely
>> >>>>>> supported in existing hardware. Removing a set of bytes from the middle
>> >>>>>> of a packet is not widely implemented, hard to do in fast path hardware,
>> >>>>>> and prone to interesting failures all its own.   I would have exactly
>> >>>>>> reversed the comparison you make. </jmh>
>> >>>>>
>> >>>>>
>> >>>>> Joel,
>> >>>>>
>> >>>>> Easy at the decapsulation, not necessarily at the encap point. It's the same problem I mentioned before, hosts wouldn't know when a packet will be leaving the domain, and even if they did they wouldn't easily know what the endpoint address of the tunnel is should be for the real destination.
>> >>>>>
>> >>>>> Tom
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>>
>> >>> --------------------------------------------------------------------
>> >>> IETF IPv6 working group mailing list
>> >>> ipv6@ietf.org
>> >>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> >>> --------------------------------------------------------------------
>> >
>> > --------------------------------------------------------------------
>> > IETF IPv6 working group mailing list
>> > ipv6@ietf.org
>> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> > --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email