Re: Offset Indicating option
Libor Polčák <ipolcak@fit.vutbr.cz> Mon, 26 September 2011 11:03 UTC
Return-Path: <ipolcak@fit.vutbr.cz>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EA1921F8B9B for <ipv6@ietfa.amsl.com>; Mon, 26 Sep 2011 04:03:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6uVxSabHzFSw for <ipv6@ietfa.amsl.com>; Mon, 26 Sep 2011 04:03:49 -0700 (PDT)
Received: from kazi.fit.vutbr.cz (kazi6.fit.vutbr.cz [IPv6:2001:67c:1220:808::93e5:80c]) by ietfa.amsl.com (Postfix) with ESMTP id 0F7AE21F8B95 for <ipv6@ietf.org>; Mon, 26 Sep 2011 04:03:48 -0700 (PDT)
Received: from [147.229.13.162] (pcpolcak.fit.vutbr.cz [147.229.13.162]) (authenticated user=ipolcak mech=PLAIN bits=0) by kazi.fit.vutbr.cz (envelope-from ipolcak@fit.vutbr.cz) (8.14.5/8.14.4) with ESMTP id p8QB6Q46084349 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 26 Sep 2011 13:06:26 +0200 (CEST)
Message-ID: <4E805CB2.1020405@fit.vutbr.cz>
Date: Mon, 26 Sep 2011 13:06:26 +0200
From: Libor Polčák <ipolcak@fit.vutbr.cz>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20110922 Firefox/6.0 SeaMonkey/2.3.1
MIME-Version: 1.0
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: Offset Indicating option
References: <4E7FDEFA.6060808@gmail.com>
In-Reply-To: <4E7FDEFA.6060808@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.71 on 147.229.8.12
Cc: 6man <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2011 11:03:50 -0000
Brian E Carpenter wrote: > Hi, > > draft-zhang-6man-offset-option-01 proposes an idea for how to make it > easier for a node that needs to skip over an IPv6 header chain to do > so quickly, for example for flow classification or flow logging, > or (perish the thought) for payload inspection. The idea is to > avoid overhead. If you read the -00 draft, please forget about it > and read the -01 draft, which is significantly different. > Hello, I read only the -01 draft. I worked on a hardware IPv6 parser and I encountered the problems mentioned in the draft (jumping through the chain, future extension headers etc.) and I appreciate the effort of simplifying the processing. However, I think that benefits of this draft might be lower than the security issues it will introduce. Consider a passive monitoring device and a case when the NH after Jump lists another protocol number than Next Header in the last extension header. The value in the Offset field can also point to incorrect location in the data (to the middle of extension header chain or somewhere inside the IPv6 payload). The passive monitoring device cannot drop the packet and can only guess that the packet is going to be dropped by some security device or destination device. But what if there is no security device and the destination device is prepared for such packets and it will accept such packets? An attacker could hide connections from the probe. If the probe is smart it may at least detect the ambiguous connections. In such cases the workload for processing of one packet will be higher than it is in present. Unfortunately, I believe that if we want to fix extension headers we have to obsolete the current model and introduce a new one. For example allow only L4 protocol numbers in IPv6 header or a special value indicating that extension headers are present. Then, after IPv6 header, something like the data structure proposed in the I-D will follow. So the special header would list next extension header type, L4 protocol type and IPv6 payload offset. After the special header, current extension headers will follow in the same manner as they are constructed in present. The only exception will be the last header which will not list any next header. I see two downsides of my example. 1) It is incompatible with current devices. 2) What if the length of the chain is bigger than the Offset value? However, my proposal has also the benefit of specifying exact location of the fields (number of bytes behind IPv6 header). The I-D allows placement of the option behind another options and consequently, the search for the option could be more expensive than jumping the chain. See for example Packet Processing at 100 Gbps and Beyond - Challenges and Perspectives (http://www.ikr.uni-stuttgart.de/printable/Content/Publications/Archive/Hg_packetprocessingat100gbps_36830.pdf). If we continue with the draft I propose listing ACL processing as another application which will benefit from this mechanism. Cheers, Libor Polčák
- Offset Indicating option Brian E Carpenter
- Re: Offset Indicating option Libor Polčák
- Re: Offset Indicating option Hagen Paul Pfeifer
- Re: Offset Indicating option John Leslie
- Re: Offset Indicating option Libor Polčák
- Re: Offset Indicating option Brian E Carpenter
- Re: Offset Indicating option John Leslie
- Re: Offset Indicating option Christopher Morrow
- Re: Offset Indicating option Brian E Carpenter
- Re: Offset Indicating option Christopher Morrow
- Re: Offset Indicating option Thomas Narten
- Re: Offset Indicating option Brian Haberman