IETF Logo Mail Archive

Re: draft-bonica-6man-frag-deprecate

Antonios Atlasis <antonios.atlasis@gmail.com> Thu, 27 June 2013 20:15 UTC

Return-Path: <antonios.atlasis@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EEC121F9E89 for <ipv6@ietfa.amsl.com>; Thu, 27 Jun 2013 13:15:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Y43UdOsxoBz for <ipv6@ietfa.amsl.com>; Thu, 27 Jun 2013 13:15:45 -0700 (PDT)
Received: from mail-qa0-x233.google.com (mail-qa0-x233.google.com [IPv6:2607:f8b0:400d:c00::233]) by ietfa.amsl.com (Postfix) with ESMTP id 14EDB21F9E60 for <ipv6@ietf.org>; Thu, 27 Jun 2013 13:15:44 -0700 (PDT)
Received: by mail-qa0-f51.google.com with SMTP id f11so77489qae.3 for <ipv6@ietf.org>; Thu, 27 Jun 2013 13:15:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=BQOqVRVfAqiqsP2wM04+1SlsQn3QeAtdWPAU6SkllaI=; b=Q6xO+wgTjBwohXllIMMc1tS0fVKs1YmAU+131w/nJzWk4uES4XjpidYJYAOihK4p8/ Sy4ms/vPogzsd7EN17H8rj8pyZ2Bs5U4y1JPMXm3aq1rYGLsxfrOEDqTYvx3W91Biuyq lVW+nJWLrL9KyhXC5TTHCE4tTfHEb7K5cxU6mD2R+k4Apa8ozLyNMMumvbp4NegEvgV3 vTc0Dk9HhwZTZ7WRNE82v6/o+8xxl8GwFYJInSGT+z5BLd6ZPWdFX9p+Es33baae1ZLl VWez3/pRxclAyCXuINb2y9RP9zgigMusRGo81MfcPvVqlDqpk9OHHMUy40q2o1/6hmyt WTPw==
MIME-Version: 1.0
X-Received: by 10.224.188.74 with SMTP id cz10mr294269qab.31.1372364144415; Thu, 27 Jun 2013 13:15:44 -0700 (PDT)
Received: by 10.224.184.79 with HTTP; Thu, 27 Jun 2013 13:15:44 -0700 (PDT)
In-Reply-To: <2134F8430051B64F815C691A62D983180AECDE@XCH-BLV-504.nw.nos.boeing.com>
References: <2CF4CB03E2AA464BA0982EC92A02CE2509F85151@BY2PRD0512MB653.namprd05.prod.outlook.com> <51C32FA9.1090207@gmail.com> <2CF4CB03E2AA464BA0982EC92A02CE2509F85F38@BY2PRD0512MB653.namprd05.prod.outlook.com> <20130624204008.GB3647@virgo.local> <20130624205226.GC3647@virgo.local> <2CF4CB03E2AA464BA0982EC92A02CE2509F8761C@BY2PRD0512MB653.namprd05.prod.outlook.com> <51C902DC.9000408@gmail.com> <m24ncmaozs.wl%randy@psg.com> <2EA20F89-02F5-4D06-90EE-A7D2974045A3@employees.org> <m2li5yj7u3.wl%randy@psg.com> <8C48B86A895913448548E6D15DA7553B9268E3@xmb-rcd-x09.cisco.com> <m2ehbpij86.wl%randy@psg.com> <51CB91E4.5090603@gmail.com> <CADoTVZLe=dm+JhMSAxFiAYpUMG=T-cUFdtkdHtmzmebG9=Dujw@mail.gmail.com> <2134F8430051B64F815C691A62D983180AECDE@XCH-BLV-504.nw.nos.boeing.com>
Date: Thu, 27 Jun 2013 23:15:44 +0300
Message-ID: <CADoTVZLEKt1FdB+UadvAM6AeVZ3Weacm+0o74F9aYqxmrisBqg@mail.gmail.com>
Subject: Re: draft-bonica-6man-frag-deprecate
From: Antonios Atlasis <antonios.atlasis@gmail.com>
To: "Templin, Fred L" <Fred.L.Templin@boeing.com>
Content-Type: multipart/alternative; boundary="485b397dd237550e8604e0286d2c"
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2013 20:15:46 -0000

Hi Fred,


2013/6/27 Templin, Fred L <Fred.L.Templin@boeing.com>

> Hi,
>
> > a. Tiny fragments (smaller than 1280 bytes) should not be accepted
> (unless they are atomic fragments or > the last fragment of a datagram).
>
> I disagree that all fragments less than 1280 bytes should be classified
> as "tiny fragments". For nested tunnels, for example, the first tunnel
> ingress may wish to fragment to a smaller size (e.g. 1024 bytes) so that
> subsequent tunnel ingresses do not have to fragment further. I think a
> "tiny fragment" is simply an initial fragment that does not include all
> extension headers plus upper layer headers.
>
> On the other hand, SEAL fragments cannot be smaller than 256bytes
> so there is no possible way to create a truly tiny SEAL first fragment.
> SEAL also requires the sender to include all upper layer headers in
> the first fragment unless they absolutely cannot fit due to a size
> restriction.
>


Actually, I was not talking only about SEAL, but generally. If this is the
case, the minimum acceptable size of fragments could be discussed/adjusted
accordingly, but as it is, OS accept as small as 56 bytes fragments!



>
> > b. RFC 5722 should be updated so as only the overlapping fragments to be
> dropped, not all the ones
> > already received, or the ones that follow (as it is the recommendation
> now). This is already
> > implemented by FreeBSD and seems to me the most proper way for handling
> overlapping fragments.
>
> SEAL has a strategy for dealing with overlapping fragments. It would
> be interesting to hear whether it meets your understanding of how best
> to handle overlaps because we can still make changes now if something
> doesn't look right.
>

Again, generally speaking (and not just for SEAL) RFC 5722 "allows" the
abuse of its recommended policy for launching DoS attacks (a single
overlapping fragment will result in discarding a whole datagram). On the
contrary, if  only the overlapping fragment is discarded, at least DoS will
be slightly more difficult.


>
> > We should also never forget that the rest of IPvt6Extension headers can
> result in datagrams much
> > bigger than 1280 bytes, 1500 bytes, or even more. So, if you want to
> deprecate fragmentation in IPv6,
> > you should also deprecate or at least change the extension headers usage
> in IPv6. Which actually means,
> > redesign IPv6.
>
> I agree that excessively-long extension headers are problematic
> in any case - especially if the length of the extension headers
> exceeds the effective path MTU. That needs to be fixed no matter
> what frag/reass scheme is applied.
>
>
I agree

Thank you too

Antonios



> Thanks - Fred
> fred.l.templin@boeing.com
>
> > Just my 0.02$
>
> Antonios
>
> 2013/6/27 Brian E Carpenter <brian.e.carpenter@gmail.com>
> Cutting to the chase, and assuming that the next version
> will have more analysis and observational evidence, I'm thinking
> something like the following:
>
> 3.  Recommendation
>
>    This memo deprecates IPv6 fragmentation and the IPv6 fragment header.
>    Application and transport layer protocols SHOULD support effective
>    PMTU discovery [RFC4821], since ICMP-based PMTU discovery [RFC1981]
>    is unreliable. Any application or transport layer protocol that
>    cannot support effective PMTU discovery MUST NOT in any circumstances
>    send IPv6 packets that exceed the IPv6 minimum MTU of 1280 bytes.
>
>    IPv6 stacks and forwarding nodes SHOULD continue to support inbound
>    fragmented IPv6 packets as specified in [RFC2460]. However, this
>    requirement exceeds the capability of some types of forwarding node
>    such as firewalls and load balancers. Therefore implementers and
>    operators need to be aware that on many paths through the Internet,
>    IPv6 fragmentation will fail. Legacy applications and transport layer
>    protocols that do not conform to the previous paragraph can expect
>    connectivity failures as a result.
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>
>

v2.23.0 | Report a Bug | By Email