IETF Logo Mail Archive

Re: Offset Indicating option

Libor Polčák <ipolcak@fit.vutbr.cz> Mon, 26 September 2011 11:03 UTC

Return-Path: <ipolcak@fit.vutbr.cz>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EA1921F8B9B for <ipv6@ietfa.amsl.com>; Mon, 26 Sep 2011 04:03:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6uVxSabHzFSw for <ipv6@ietfa.amsl.com>; Mon, 26 Sep 2011 04:03:49 -0700 (PDT)
Received: from kazi.fit.vutbr.cz (kazi6.fit.vutbr.cz [IPv6:2001:67c:1220:808::93e5:80c]) by ietfa.amsl.com (Postfix) with ESMTP id 0F7AE21F8B95 for <ipv6@ietf.org>; Mon, 26 Sep 2011 04:03:48 -0700 (PDT)
Received: from [147.229.13.162] (pcpolcak.fit.vutbr.cz [147.229.13.162]) (authenticated user=ipolcak mech=PLAIN bits=0) by kazi.fit.vutbr.cz (envelope-from ipolcak@fit.vutbr.cz) (8.14.5/8.14.4) with ESMTP id p8QB6Q46084349 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 26 Sep 2011 13:06:26 +0200 (CEST)
Message-ID: <4E805CB2.1020405@fit.vutbr.cz>
Date: Mon, 26 Sep 2011 13:06:26 +0200
From: Libor Polčák <ipolcak@fit.vutbr.cz>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20110922 Firefox/6.0 SeaMonkey/2.3.1
MIME-Version: 1.0
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: Offset Indicating option
References: <4E7FDEFA.6060808@gmail.com>
In-Reply-To: <4E7FDEFA.6060808@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.71 on 147.229.8.12
Cc: 6man <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2011 11:03:50 -0000

Brian E Carpenter wrote:
> Hi,
>
> draft-zhang-6man-offset-option-01 proposes an idea for how to make it
> easier for a node that needs to skip over an IPv6 header chain to do
> so quickly, for example for flow classification or flow logging,
> or (perish the thought) for payload inspection. The idea is to
> avoid overhead. If you read the -00 draft, please forget about it
> and read the -01 draft, which is significantly different.
>

Hello,

I read only the -01 draft. I worked on a hardware IPv6 parser and I 
encountered the problems mentioned in the draft (jumping through the 
chain, future extension headers etc.) and I appreciate the effort of 
simplifying the processing.

However, I think that benefits of this draft might be lower than the 
security issues it will introduce. Consider a passive monitoring device 
and a case when the NH after Jump lists another protocol number than 
Next Header in the last extension header. The value in the Offset field 
can also point to incorrect location in the data (to the middle of 
extension header chain or somewhere inside the IPv6 payload).

The passive monitoring device cannot drop the packet and can only guess 
that the packet is going to be dropped by some security device or 
destination device. But what if there is no security device and the 
destination device is prepared for such packets and it will accept such 
packets? An attacker could hide connections from the probe.

If the probe is smart it may at least detect the ambiguous connections. 
In such cases the workload for processing of one packet will be higher 
than it is in present.

Unfortunately, I believe that if we want to fix extension headers we 
have to obsolete the current model and introduce a new one. For example 
allow only L4 protocol numbers in IPv6 header or a special value 
indicating that extension headers are present. Then, after IPv6 header, 
something like the data structure proposed in the I-D will follow. So 
the special header would list next extension header type, L4 protocol 
type and IPv6 payload offset. After the special header, current 
extension headers will follow in the same manner as they are constructed 
in present. The only exception will be the last header which will not 
list any next header.

I see two downsides of my example. 1) It is incompatible with current 
devices. 2) What if the length of the chain is bigger than the Offset value?

However, my proposal has also the benefit of specifying exact location 
of the fields (number of bytes behind IPv6 header). The I-D  allows 
placement of the option behind another options and consequently, the 
search for the option could be more expensive than jumping the chain. 
See for example Packet Processing at 100 Gbps and Beyond - Challenges 
and Perspectives 
(http://www.ikr.uni-stuttgart.de/printable/Content/Publications/Archive/Hg_packetprocessingat100gbps_36830.pdf).

If we continue with the draft I propose listing ACL processing as 
another application which will benefit from this mechanism.

Cheers,

Libor Polčák

v2.23.0 | Report a Bug | By Email