Re: Non-Last Small IPv6 Fragments
Tom Herbert <tom@herbertland.com> Mon, 14 January 2019 17:58 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AED9A1311FD for <ipv6@ietfa.amsl.com>; Mon, 14 Jan 2019 09:58:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level:
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kU4njvbFbgdm for <ipv6@ietfa.amsl.com>; Mon, 14 Jan 2019 09:58:50 -0800 (PST)
Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82AA813121B for <ipv6@ietf.org>; Mon, 14 Jan 2019 09:58:50 -0800 (PST)
Received: by mail-qt1-x82f.google.com with SMTP id l11so27597873qtp.0 for <ipv6@ietf.org>; Mon, 14 Jan 2019 09:58:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xfGZEnGTVwzpwkG94pdeakpykiSJfgF+tNtZ9quv8X4=; b=dvnJAjdho4wqRj3d7dQG8JB3q+8FPBxFs32jcP5sAU/Qmu8tW6bWhPOh/BbrubJZyr +XqEW8exJrxJ3OnbAbJ21F1yYdE+J4MwG58zVsqpO/EGtOmKrNRRX84jUmqkLRnODSPe qhASHZH8RBB4YYcb0nlhJOWruKoCmP/x9zVYMwQPf8ojVIMcCCgMN+Gh2+StqQugIkbj HqTyqhSn596XGd6aiUqPXNfHuUY+PwCr4pWtyYmFlq6Iv6oHTqafh3rZRgf8cf2Ogetv BqY0as9lyWAgq4JSLyXiUa/f7o/DQGOXiFmDRoZKUe5R4u5f7xuiPV/EJiR9C3yiUxcI xktA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xfGZEnGTVwzpwkG94pdeakpykiSJfgF+tNtZ9quv8X4=; b=f7mh8w0/713eBjeqgXrtxW2BvUCspEZhM7E71Gqlkxb5BK/Oisv4U+YvSFR5jOwtSM Vqqj6iDSPur9zJnqyFM6IfTy3iyyXETXLuyPM+bn0aibHQs5F81o+an5szQwLTSSlbry JY0TfSA3ZBZo1XuVMV6Ixm+ypYZEYUEMSleCLlEiTCuzwILzoF4WRZnkHkMRcnVZ+xYb TZHGqpAo7Rd5IH/iaXo4jnRtuHU6uyCQ+XHl13ib5mga9MAUMze5DCAoyPUafjk+P/WF vwwxY1/s/SH+POn5Mjlj0v3WO5owIR4hjsQmZH2WBjn3rOMzfD7ZwSlk49OrHB3cQncd TR3Q==
X-Gm-Message-State: AJcUukfwyMIJN08tym1Qd1GxD7a+/hdg6+EuiMxvC22AZBzmUr0soLuT mAK4/mqyCTLvtDP70T/Icol+Jdlg/yZRrEPf/ES0yA==
X-Google-Smtp-Source: ALg8bN6Lzc41mZW4fqrZtLqMcWQrrWkxDCfPWIpzjK43t75+T+tWeVVZP6zkelfMVpkJBXY7hasROPBmSFQ168gz6X8=
X-Received: by 2002:a0c:b174:: with SMTP id r49mr24021016qvc.70.1547488729475; Mon, 14 Jan 2019 09:58:49 -0800 (PST)
MIME-Version: 1.0
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <CALx6S34AyV9OpvnjQhQc56n5vfeVgU5Zd3kheP0g+XvsMbBV9g@mail.gmail.com> <1b2e318e-1a9f-bb5d-75a5-04444c42ef20@si6networks.com> <CALx6S37TJr++fC=pVoeS=mrO1fHc4gL_Wtu-XkVTswzs2XxXCA@mail.gmail.com> <CALx6S36V7vrVyoTP0G6+S5XeFNB3KWS5UaNnVi20xogRERdCfg@mail.gmail.com> <973A1649-55F6-4D97-A97F-CEF555A4D397@employees.org> <CALx6S34YbBe8xBod3VsWVO33TpZcdxh2uV1vaO8Z_NKnVXp66g@mail.gmail.com> <A3C3F9C0-0A07-41AF-9671-B9E486CB8246@employees.org> <AEA47E27-C0CB-4ABE-8ADE-51E9D599EF8F@gmail.com> <6aae7888-46a4-342d-1d76-10f8b50cebc4@gmail.com> <EC9CC5FE-5215-4105-8A34-B3F123D574B9@employees.org> <4c56f504-7cd7-6323-b14a-d34050d13f4e@foobar.org> <9E6D4A6E-8ABA-4BAB-BEC5-969078323C96@employees.org> <CAAedzxpdF+yhBXfnwUcaQb-HkgdaqXRU3L+S7v8sS1F0OkwM9A@mail.gmail.com> <78a8a0e0-8808-364c-41f7-f81f90362432@gont.com.ar> <CALx6S37YnSbOUgVoWEA46aN88a3CfERWemhQKi_GOrP_g+=rFQ@mail.gmail.com> <308d9dff-87c4-cc63-6792-fcbfce722d1e@gont.com.ar>
In-Reply-To: <308d9dff-87c4-cc63-6792-fcbfce722d1e@gont.com.ar>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 14 Jan 2019 09:58:37 -0800
Message-ID: <CALx6S34kseXuKrrbB44=wz7OQBysUmbJh++N79Da9Kx1rseAUw@mail.gmail.com>
Subject: Re: Non-Last Small IPv6 Fragments
To: Fernando Gont <fernando@gont.com.ar>
Cc: Erik Kline <ek@loon.co>, Ole Troan <otroan@employees.org>, Bob Hinden <bob.hinden@gmail.com>, IPv6 List <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/ljIrmewhorxdWaU4ayH4bKyGaso>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jan 2019 17:59:00 -0000
On Mon, Jan 14, 2019 at 9:04 AM Fernando Gont <fernando@gont.com.ar> wrote: > > On 14/1/19 12:18, Tom Herbert wrote: > >> > >> * a stateful operation for anotherwise stateless protocol > >> > > Fernando, > > > > There is no fundamental problem with fragmentation. The core problem > > is that some intermediate nodes are processing headers and data beyond > > the IP and Hop-by-Hop options header. > > If you need to reassemble fragments in the network, or at an end system, Fernando, I don't know what it means to "reassemble fragments in the network". Reassembly is specified as an operation at destination end points. Unless there's a specification for in-network reassembly that describes the requirements and procedures, I see no point in considering it. > and you're receiving packets at a very high data rate, you just cannot > keep up with fragments. that's the Inherent problem. Yo need to keep > packets in memory without even knowing whether they have been spoofed. > This has been know since fragmentation was first defined. Host implementations have implemented several mitigations including lowering reassembly timeout, limiting number of reassembly states, etc. This isn't a unique problem either, SYN attacks have many similar characteristics, and we've learned over time how to deal with those as well. As we learn more and identify attack vectors, such as the aforementioned non-last tiny fragments, we can adapt the implementation accordingly. Tom > > > > That is non-conformant with > > RFC8200: "Extension headers (except for the Hop-by-Hop Options header) > > are not processed, inserted, or deleted by any node along a packet's > > delivery path". This becomes a material interoperability problem when > > intermediate nodes take invasive action, such as dropping packets or > > degrading the service, when they encounter protocols they don't > > understand. This problem applies not only to fragmentation, but also > > other extension headers, non-TCP transport protocols, and other > > protocols outside some narrow set of typically used protocols. To fix > > this, either non-conformant implementations should be changed to > > conform to the standard, or the standard should be changed to conform > > to the implementation. > > Please look at draft-gont-v6ops-ipv6-ehs-packet-drops. There are > operational reasons for that. So, you need to look into the packet, but > you cannot do it in the fast path. Hence you just drop them. > > Operators need to do their thing. And nobody is going to pay extra money > to do it on the past path -- even then, it would take time for all > current boxes to be phased out. > > Your argument would be on the same line with my own regarding why there > shouldn't be any people under the line of poverty. -- that doesn't > change facts. > > > -- > Fernando Gont > e-mail: fernando@gont.com.ar || fgont@si6networks.com > PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 > > >
- Non-Last Small IPv6 Fragments Timothy Winters
- Re: Non-Last Small IPv6 Fragments Bob Hinden
- Re: Non-Last Small IPv6 Fragments 神明達哉
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments Erik Kline
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Carsten Bormann
- Re: Non-Last Small IPv6 Fragments 神明達哉
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Mikael Abrahamsson
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Timothy Winters
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Timothy Winters
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Bob Hinden
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Christian Huitema
- Re: Non-Last Small IPv6 Fragments Ole Troan
- RE: Non-Last Small IPv6 Fragments Lubashev, Igor
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Bob Hinden
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- RE: Non-Last Small IPv6 Fragments Manfredi (US), Albert E
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Mark Smith
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- End-to-end (was Re: Non-Last Small IPv6 Fragments) Christian Huitema
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Tom Herbert
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Warren Kumari
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Fernando Gont
- Re: Non-Last Small IPv6 Fragments Mikael Abrahamsson
- Re: Non-Last Small IPv6 Fragments Tim Chown
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Warren Kumari
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fred Baker
- Re: Non-Last Small IPv6 Fragments Tim Chown
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Tom Herbert
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Michael Richardson
- Never fragment: getting PMTU info transmitted rel… Michael Richardson
- Re: Never fragment: getting PMTU info transmitted… Joel M. Halpern
- Re: Never fragment: getting PMTU info transmitted… Brian E Carpenter
- Re: Never fragment: getting PMTU info transmitted… Tom Herbert
- Re: Never fragment: getting PMTU info transmitted… Michael Richardson
- Re: Never fragment: getting PMTU info transmitted… Brian E Carpenter
- Re: Never fragment: getting PMTU info transmitted… Mark Smith
- Re: Never fragment: getting PMTU info transmitted… Erik Kline
- Re: Never fragment: getting PMTU info transmitted… Mark Smith
- Re: Never fragment: getting PMTU info transmitted… Tom Herbert
- Re: Never fragment: getting PMTU info transmitted… Brian E Carpenter
- RE: Never fragment: getting PMTU info transmitted… Lubashev, Igor
- Re: Never fragment: getting PMTU info transmitted… Tom Herbert
- RE: Never fragment: getting PMTU info transmitted… Lubashev, Igor
- Re: Never fragment: getting PMTU info transmitted… C. M. Heard
- Re: Never fragment: getting PMTU info transmitted… Christian Huitema