IETF Logo Mail Archive

Re: Comments on draft-herbert-ipv6-update-dest-ops

Tom Herbert <tom@herbertland.com> Tue, 21 August 2018 01:07 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57E00130E07 for <ipv6@ietfa.amsl.com>; Mon, 20 Aug 2018 18:07:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fj9RpMqiZxrU for <ipv6@ietfa.amsl.com>; Mon, 20 Aug 2018 18:07:28 -0700 (PDT)
Received: from mail-qt0-x244.google.com (mail-qt0-x244.google.com [IPv6:2607:f8b0:400d:c0d::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E996124D68 for <ipv6@ietf.org>; Mon, 20 Aug 2018 18:07:28 -0700 (PDT)
Received: by mail-qt0-x244.google.com with SMTP id z8-v6so18430546qto.9 for <ipv6@ietf.org>; Mon, 20 Aug 2018 18:07:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=S/n52SD6SlgfJS+mNPvB6Y/L/ZQbVuPLEZGavIPnHh4=; b=kT8fIUowPtxgdNPtjIqTJ9CayWjyRpBDmvfX52hSe75hcrO+e2/rX9Az0jsIviP/Hc a82dcFL5i18KqPiVvnFA475h/Bp7wk2IZq5JFvqMqwiXFzPVAyiYJTsVU+KeCD+iNcDx LC3UwZk38P6ikT1nJjlz5JIuUIX0st/NEQEsGCg7b5o9L3cfbTrEI+Xps7cq3BC3Dc7/ 1cRBxVIigGIbtMNPBxs68C8o/i+6cqYTWoZobtVwDxUo+4+J7aSQFXbmHzVWl5FTXNO0 /jgvRFijdL+Lwl3+UvhZnHsb6KQsS9YfiQiaYB+bq4SFvg9rcWK4v7iOKKR7huXQ1boq /ZEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=S/n52SD6SlgfJS+mNPvB6Y/L/ZQbVuPLEZGavIPnHh4=; b=RLNPxV7F3vmbbqkSPtEeThsQlSPC/fgLQKHRWDCpU6gZQeq59BCl5PkNveifg2l2pQ iEUaFlknySpLr13BbTjt+m1jx2sdLagdcxg0VvpFc5ZtPu6NKVEI2mQD6xTGLOlNJJpM rjgYOV/oaj3WhDVwADoX6vWNvVTP23hOGkjQbujh4397QQ6xkiiBuOZuvAkiPWfFY94U lDTDTLrXEyw45CZutUT27KBzSVJOMOb7WRt8Cr+YsSIEYRk+s58R5kltUIE4KawsCRGu izbBkKclJM4bVO+nFzg8gtquAagb2CGmxmsV0499rn/wWnKMCAcA0coG/iB/cuObZfUn xV8w==
X-Gm-Message-State: AOUpUlHewMgSp/3hnFpwn8e1DZI1l5ebiEUbIeq+kETYrvtLzbk00EUu Z+CmIr2uoL3CKL04Vaddl9Ic9xjuVb2nxsMQShmHpg==
X-Google-Smtp-Source: ANB0Vdb9oQ3fP18tcAdwZPe9r14ZsQNuYqOiwWH6ATsYtSQ1rz92Vm4u3j4bwkihIwIJg0arYa3FUuI4Nm1iU+3Hc44=
X-Received: by 2002:ac8:611c:: with SMTP id a28-v6mr13504932qtm.130.1534813647305; Mon, 20 Aug 2018 18:07:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ac8:3312:0:0:0:0:0 with HTTP; Mon, 20 Aug 2018 18:07:26 -0700 (PDT)
In-Reply-To: <CBA29A6D-9C4C-4F7D-9621-6C3A04AEFC7E@employees.org>
References: <CACL_3VF+EoKOEF-TkB3179UsmN_Yhaqt60jh_h2d2GLnE0EWDA@mail.gmail.com> <CALx6S356TVnbnZ_zp5+aK_x-DmMJUTidw0Wzbc3Tn=cscTd7VA@mail.gmail.com> <CACL_3VGUUs1FS4Qog6pzJ2WZyir2-keEVZTU6opzXQ4t0M-XUw@mail.gmail.com> <CALx6S35q5EqZt26KSPTGHBXZpzaNYyFBO9UxVNsi4is1BxUHrQ@mail.gmail.com> <CACL_3VGfMj6DjAWsxib6Hw_x=5X3CWASKU1oiGqvFdksDuFXDw@mail.gmail.com> <CALx6S37c_WCa+A3aD7X-rq-kj_RTGfGur8HVekt_LWTg6Os18g@mail.gmail.com> <F01E55CE-0E88-47BF-A30B-B83A0B7F5F0F@employees.org> <CALx6S35mAnjCw=0Jmz7Niacobw2QmKkUxNJPJ-CNVok_4dAOeQ@mail.gmail.com> <EDE97FE5-B72A-4ED5-A4B0-F143A0F23C3A@employees.org> <CALx6S35mZQ1HyDS3EWLZXJtT0ViXNJt1L_v3QqrKH9n7zDOM1g@mail.gmail.com> <837265C7-AF4A-4E78-A7B4-5D4AE5C38C8A@employees.org> <CALx6S37mE6wXGk9jkkJeG_tuSA8x157wgCGqh-QxW-3Kws1ZnQ@mail.gmail.com> <CBA29A6D-9C4C-4F7D-9621-6C3A04AEFC7E@employees.org>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 20 Aug 2018 18:07:26 -0700
Message-ID: <CALx6S35uOuoAd2rdAxKTnEgcuXg2z0AQPdKrP2=7jm0ehVd3fQ@mail.gmail.com>
Subject: Re: Comments on draft-herbert-ipv6-update-dest-ops
To: Ole Troan <otroan@employees.org>
Cc: "C. M. Heard" <heard@pobox.com>, 6man WG <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/nFhEhSU94233R4JoxBk8cVDeCe0>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 01:07:30 -0000

On Mon, Aug 20, 2018 at 2:47 PM, Ole Troan <otroan@employees.org> wrote:
> Hi Tom,
>
>>>> Consider the folling scenario:
>>>>
>>>> Someone is developing a new Destination Option that might be of
>>>> interest for use with tunnels and might even become one of those
>>>> options "that makes sense to support" . Maybe it's an option for the
>>>> aforementioned insitu-OAM, or maybe a general packet CRC, etc. The
>>>> developer dutifully uses experimental option type 0x1e for the type
>>>> value of their option to test it. In particular, the action taken if
>>>> the option is unknown to a receiver is to skip over it. They made that
>>>> choice because that allows incremental deployment of the support for
>>>> the option in any combination supporting sending side or receivers. In
>>>> other words, they don't want a flag day for the option that requires
>>>> all nodes to support the new option.
>>>>
>>>> Now they go to test backwards comapatbility of the option by sending
>>>> it to a node that hasn't been updated to receive it. If the receiving
>>>> node is a Linux system, then the option is ignored and the tunneled
>>>> packet is processed as before-- expected behavior per the spec.
>>>> However, if it's sent to a VPP node then the packet is dropped-- not
>>>> expected. Even if this doesn't lead to incorrectness, it does breaks
>>>> interoperability and violates "be liberal in what you receive". This
>>>> net effect is that this makes development, test, and pilot deployment
>>>> of new options really hard. Just implementing the TLV loop, even if
>>>> the implementation doesn't process any of them, would resolve this.
>>>
>>> Absolutely. The set of _optional_ destination options would benefit from this approach.
>>> Of which we have none. I’d much rather just implement new options as they come available (if they ever will)
>>
>> Ole,
>>
>> I'm not sure what "comes available" mean here. Does that mean VPP
>> would only support TLVs parsing once one becomes standardized and the
>> VPP maintainers think is worth supporting? As shown in the scenario
>> above, with that approach its difficult to develop optional TLVs if
>> implementations don't properly skip over them.
>
> No, don’t get me wrong.
> As in any open source project you are welcome to provide a patch, and I’m pretty sure it would get in.
>
I would, but for me VPP code is very hard to decipher. For someone who
knows the code this should be relatively easy. The ip6_parse_tlv (in
net-next/net/ipv6/exthdrs.c) function does this in Linux in < 100 LOC.
It's straightforward, supporting padding, unknown options, and limits.

> That said since we’re talking about tunnels, and in those cases you generally know whom you are talking to, I’m not sure I buy the argument that would make deploying new destination options harder. It’s not like a tunnel head end accepts traffic from random sources around the Internet (well, we’ve tried that with stuff like RFC1933, 6to4 and so on, but that didn’t quite pan out).

I'm not sure this is just about tunnels. It looks like VPP can also
support TCP connections (there's a reference on web to HTTP server for
VPP) as well as UDP sockets, and VPP also can do classification, NAT,
and other firewall functions. Do you know if VPP properly handle
Destination Options in these cases?

I'm afraid this might be an example of an implementation deployed on
middleboxes in the Internet (like firewalls) that arbitrarily drop
packets because they have a DestOpts extension header (RFC7872).
That's exactly a principle reason why Destination Options are unusable
on the Internet, and hence why there's been so much effort to avoid
using them and no one bother's trying to create "useful" options. This
is an example of death of a good protocol feature by undermining it
with a thousand arbitrary decisions on what parts of the spec to
implement or not.

This goes goes back to a major rationale for this draft. If an
implementation really doesn't want to implement the TLV loop for
processing options then so be it, but then at least they should skip
over the options instead of just dropping the packet so as not to kill
the feature for everyone else.

Tom

> So you’d end up with a configuration option I’d imagine…
>
>>
>>> If I get time, I’ll try to do some performance measurements on what the actual cost is for a software based system.
>>>
>> Our testing in Linux showed that the performance hit is heavily
>> dependent on the number of TLVs to be processed. Processing a small
>> number of TLVs was fairly inconsequential relative the rest of the
>> header processing. A a packet filled with tiny TLVs so that a single
>> MTU sized packet has hundreds of them will kill performance on any
>> software or hardware system and really has no other practical purpose
>> other than to be a DOS attack. This why we needed to add limits in
>> RFC6434bis. In Linux, the default  limit of number of options a stack
>> will process is eight.
>
> Right.
>
> Cheers,
> Ole

v2.23.0 | Report a Bug | By Email