IETF Logo Mail Archive

Re: Non-Last Small IPv6 Fragments

Tom Herbert <tom@herbertland.com> Mon, 14 January 2019 17:58 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AED9A1311FD for <ipv6@ietfa.amsl.com>; Mon, 14 Jan 2019 09:58:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level:
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kU4njvbFbgdm for <ipv6@ietfa.amsl.com>; Mon, 14 Jan 2019 09:58:50 -0800 (PST)
Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82AA813121B for <ipv6@ietf.org>; Mon, 14 Jan 2019 09:58:50 -0800 (PST)
Received: by mail-qt1-x82f.google.com with SMTP id l11so27597873qtp.0 for <ipv6@ietf.org>; Mon, 14 Jan 2019 09:58:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xfGZEnGTVwzpwkG94pdeakpykiSJfgF+tNtZ9quv8X4=; b=dvnJAjdho4wqRj3d7dQG8JB3q+8FPBxFs32jcP5sAU/Qmu8tW6bWhPOh/BbrubJZyr +XqEW8exJrxJ3OnbAbJ21F1yYdE+J4MwG58zVsqpO/EGtOmKrNRRX84jUmqkLRnODSPe qhASHZH8RBB4YYcb0nlhJOWruKoCmP/x9zVYMwQPf8ojVIMcCCgMN+Gh2+StqQugIkbj HqTyqhSn596XGd6aiUqPXNfHuUY+PwCr4pWtyYmFlq6Iv6oHTqafh3rZRgf8cf2Ogetv BqY0as9lyWAgq4JSLyXiUa/f7o/DQGOXiFmDRoZKUe5R4u5f7xuiPV/EJiR9C3yiUxcI xktA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xfGZEnGTVwzpwkG94pdeakpykiSJfgF+tNtZ9quv8X4=; b=f7mh8w0/713eBjeqgXrtxW2BvUCspEZhM7E71Gqlkxb5BK/Oisv4U+YvSFR5jOwtSM Vqqj6iDSPur9zJnqyFM6IfTy3iyyXETXLuyPM+bn0aibHQs5F81o+an5szQwLTSSlbry JY0TfSA3ZBZo1XuVMV6Ixm+ypYZEYUEMSleCLlEiTCuzwILzoF4WRZnkHkMRcnVZ+xYb TZHGqpAo7Rd5IH/iaXo4jnRtuHU6uyCQ+XHl13ib5mga9MAUMze5DCAoyPUafjk+P/WF vwwxY1/s/SH+POn5Mjlj0v3WO5owIR4hjsQmZH2WBjn3rOMzfD7ZwSlk49OrHB3cQncd TR3Q==
X-Gm-Message-State: AJcUukfwyMIJN08tym1Qd1GxD7a+/hdg6+EuiMxvC22AZBzmUr0soLuT mAK4/mqyCTLvtDP70T/Icol+Jdlg/yZRrEPf/ES0yA==
X-Google-Smtp-Source: ALg8bN6Lzc41mZW4fqrZtLqMcWQrrWkxDCfPWIpzjK43t75+T+tWeVVZP6zkelfMVpkJBXY7hasROPBmSFQ168gz6X8=
X-Received: by 2002:a0c:b174:: with SMTP id r49mr24021016qvc.70.1547488729475; Mon, 14 Jan 2019 09:58:49 -0800 (PST)
MIME-Version: 1.0
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <CALx6S34AyV9OpvnjQhQc56n5vfeVgU5Zd3kheP0g+XvsMbBV9g@mail.gmail.com> <1b2e318e-1a9f-bb5d-75a5-04444c42ef20@si6networks.com> <CALx6S37TJr++fC=pVoeS=mrO1fHc4gL_Wtu-XkVTswzs2XxXCA@mail.gmail.com> <CALx6S36V7vrVyoTP0G6+S5XeFNB3KWS5UaNnVi20xogRERdCfg@mail.gmail.com> <973A1649-55F6-4D97-A97F-CEF555A4D397@employees.org> <CALx6S34YbBe8xBod3VsWVO33TpZcdxh2uV1vaO8Z_NKnVXp66g@mail.gmail.com> <A3C3F9C0-0A07-41AF-9671-B9E486CB8246@employees.org> <AEA47E27-C0CB-4ABE-8ADE-51E9D599EF8F@gmail.com> <6aae7888-46a4-342d-1d76-10f8b50cebc4@gmail.com> <EC9CC5FE-5215-4105-8A34-B3F123D574B9@employees.org> <4c56f504-7cd7-6323-b14a-d34050d13f4e@foobar.org> <9E6D4A6E-8ABA-4BAB-BEC5-969078323C96@employees.org> <CAAedzxpdF+yhBXfnwUcaQb-HkgdaqXRU3L+S7v8sS1F0OkwM9A@mail.gmail.com> <78a8a0e0-8808-364c-41f7-f81f90362432@gont.com.ar> <CALx6S37YnSbOUgVoWEA46aN88a3CfERWemhQKi_GOrP_g+=rFQ@mail.gmail.com> <308d9dff-87c4-cc63-6792-fcbfce722d1e@gont.com.ar>
In-Reply-To: <308d9dff-87c4-cc63-6792-fcbfce722d1e@gont.com.ar>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 14 Jan 2019 09:58:37 -0800
Message-ID: <CALx6S34kseXuKrrbB44=wz7OQBysUmbJh++N79Da9Kx1rseAUw@mail.gmail.com>
Subject: Re: Non-Last Small IPv6 Fragments
To: Fernando Gont <fernando@gont.com.ar>
Cc: Erik Kline <ek@loon.co>, Ole Troan <otroan@employees.org>, Bob Hinden <bob.hinden@gmail.com>, IPv6 List <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/ljIrmewhorxdWaU4ayH4bKyGaso>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jan 2019 17:59:00 -0000

On Mon, Jan 14, 2019 at 9:04 AM Fernando Gont <fernando@gont.com.ar> wrote:
>
> On 14/1/19 12:18, Tom Herbert wrote:
> >>
> >> * a stateful operation for anotherwise stateless protocol
> >>
> > Fernando,
> >
> > There is no fundamental problem with fragmentation. The core problem
> > is that some intermediate nodes are processing headers and data beyond
> > the IP and Hop-by-Hop options header.
>
> If you need to reassemble fragments in the network, or at an end system,

Fernando,

I don't know what it means to "reassemble fragments in the network".
Reassembly is specified as an operation at destination end points.
Unless there's a specification for in-network reassembly that
describes the requirements and procedures, I see no point in
considering it.

> and you're receiving packets at a very high data rate, you just cannot
> keep up with fragments. that's the Inherent problem. Yo need to keep
> packets in memory without even knowing whether they have been spoofed.
>
This has been know since fragmentation was first defined.  Host
implementations have implemented several mitigations including
lowering reassembly timeout, limiting number of reassembly states,
etc. This isn't a unique problem either, SYN attacks have many similar
characteristics, and we've learned over time how to deal with those as
well. As we learn more and identify attack vectors, such as the
aforementioned non-last tiny fragments, we can adapt the
implementation accordingly.

Tom

>
>
> > That is non-conformant with
> > RFC8200: "Extension headers (except for the Hop-by-Hop Options header)
> > are not processed, inserted, or deleted by any node along a packet's
> > delivery path". This becomes a material interoperability problem when
> > intermediate nodes take invasive action, such as dropping packets or
> > degrading the service, when they encounter protocols they don't
> > understand. This problem applies not only to fragmentation, but also
> > other extension headers, non-TCP transport protocols, and other
> > protocols outside some narrow set of typically used protocols. To fix
> > this, either non-conformant implementations should be changed to
> > conform to the standard, or the standard should be changed to conform
> > to the implementation.
>
> Please look at draft-gont-v6ops-ipv6-ehs-packet-drops. There are
> operational reasons for that. So, you need to look into the packet, but
> you cannot do it in the fast path. Hence you just drop them.
>
> Operators need to do their thing. And nobody is going to pay extra money
> to do it on the past path -- even then, it would take time for all
> current boxes to be phased out.
>
> Your argument would be on the same line with my own regarding why there
> shouldn't be any people under the line of poverty. -- that doesn't
> change facts.
>
>
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@si6networks.com
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>

v2.23.0 | Report a Bug | By Email