Re: A problem with RFC 6465's Uniform Format for Extension Headers
Fernando Gont <fgont@si6networks.com> Fri, 07 February 2014 13:44 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7601E1A1EF8 for <ipv6@ietfa.amsl.com>; Fri, 7 Feb 2014 05:44:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.403
X-Spam-Level:
X-Spam-Status: No, score=-1.403 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_RANDOM_SURE=0.499, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o6Yb9H-alI6W for <ipv6@ietfa.amsl.com>; Fri, 7 Feb 2014 05:44:12 -0800 (PST)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 3C4A11A00F5 for <6man@ietf.org>; Fri, 7 Feb 2014 05:44:11 -0800 (PST)
Received: from [2001:5c0:1000:a::533] by web01.jbserver.net with esmtpsa (TLSv1:DHE-RSA-CAMELLIA256-SHA:256) (Exim 4.82) (envelope-from <fgont@si6networks.com>) id 1WBlim-0002Xg-FS; Fri, 07 Feb 2014 14:43:56 +0100
Message-ID: <52F4DDC7.8070606@si6networks.com>
Date: Fri, 07 Feb 2014 10:21:11 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Ole Troan <otroan@employees.org>
Subject: Re: A problem with RFC 6465's Uniform Format for Extension Headers
References: <20140130230740.25350.9524.idtracker@ietfa.amsl.com> <52EAF63A.7050108@si6networks.com> <52F1B8CE.4070803@ericsson.com> <52F1BD1F.2080007@si6networks.com> <m3k3d82zz6.wl%narten@us.ibm.com> <52F383A0.7030002@si6networks.com> <m28utnbwj9.wl%randy@psg.com> <52F44A73.3000609@si6networks.com> <86BA587E-A7F8-47B9-AC74-98D3DB9A7E46@employees.org>
In-Reply-To: <86BA587E-A7F8-47B9-AC74-98D3DB9A7E46@employees.org>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Thomas Narten <narten@us.ibm.com>, "6man@ietf.org" <6man@ietf.org>, "C. M. Heard" <heard@pobox.com>, Suresh Krishnan <suresh.krishnan@ericsson.com>, Tim Chown <tjc@ecs.soton.ac.uk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Feb 2014 13:44:14 -0000
Hi, Ole, On 02/07/2014 06:05 AM, Ole Troan wrote: > >> But to keep hearing that e.g. extensions are expected to work >> when I'm measuring over 40% of breakage, It seems to boil down to >> "you, heretic! don't filter these packets!" on one side and "shut >> up! you don't know how to run a network" on another. *That* >> doesn't seem to be the more sane approach to this issue. > > I think we have to be careful throwing these numbers about without > qualifying them. > > aren't you in many cases detecting filtering in front of services, > where the operator has very good control of how their traffic > should look like? Probably, I guess -- I'm in the process of finding out where these packets are being filtered. But widespread filtering of stuff that is supposed to be "ignored if unsupported" eventually leads to "It's not usable, because if you try to, your packets get dropped". If, say, tomorrow you come up with this shiny cool new Dst Opt-based extension for clients, then, from starters, you would have to think of a back-up plan, because in more than 40% cases your packets would get dropped just because of that extension. -- that's where we are right now. > you are not saying if you, me and 8 of our other friends decided > to use a new L4 protocol we invented between ourselves, those > packets would in 40% of cases be filtered by the Internet core? I'm certainly not. But let's consider this: We want IPv6 to be extensible, so we have IPv6 extension headers. And we want middle-boxes to be able to find the upper layer header (or else the higher the chances our packets will be dropped on the floor). The options/scenarios are: 1) Pre-RFC6465: If I'm a middle-box and receive a packet, I have no way of telling whether it's a protocol that I'm supposed to allow (that just happens to have a unsupported EH), or an upper-layer protocol that I shouldn't be letting through. So my options: a) Drop those packets -- and now you have widespread deployment of devices at the edge that wouldn't allow new transport protocols or new EHs b) Allow everything -- which I doubt would be the case if e.g. any sort of firewalling is meant to be in place. 2) post-RFC6465/now: Firstly, I'd like to believe that RFC6465 has not been interpreted as "any other Next-Header values you don't explicitly support should follow the uniform format". Or else a new transport protocol would look (to any device trying to process the entire IPv6 header chain) like a malformed EH and get dropped. -- it might be a dumb interpretation.. but that's how many of us interpreted RFC6465 at one point or another. Secondly, we really need to provide a mechanism for middle-boxes to find the upper-layer header. Simple example: Let's say that I have a home firewall that is meant to just allow outgoing communication instances (for which extension headers are deemed as "fine"). Without a way to parsing new EHs (such as in the I-D we posted). Such firewall would simply drop new EHs, not because it wants, but rather because it has no way of telling what's an extension, and what's a protocol that it doesn't want to let through. In that case, we should completely forget about our ability to specify new (usable) EHs. Thoughts? Thanks, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- A problem with RFC 6465's Uniform Format for Exte… Fernando Gont
- Re: A problem with RFC 6465's Uniform Format for … Hagen Paul Pfeifer
- Re: A problem with RFC 6465's Uniform Format for … Brian E Carpenter
- Re: A problem with RFC 6465's Uniform Format for … Hagen Paul Pfeifer
- Re: A problem with RFC 6465's Uniform Format for … Brian E Carpenter
- Re: A problem with RFC 6465's Uniform Format for … Jen Linkova
- Re: A problem with RFC 6465's Uniform Format for … Fernando Gont
- Re: A problem with RFC 6465's Uniform Format for … Suresh Krishnan
- Re: A problem with RFC 6465's Uniform Format for … Fernando Gont
- Re: A problem with RFC 6465's Uniform Format for … Thomas Narten
- Re: A problem with RFC 6465's Uniform Format for … Fernando Gont
- Re: A problem with RFC 6465's Uniform Format for … brianjusa
- Re: A problem with RFC 6465's Uniform Format for … Brian E Carpenter
- Re: A problem with RFC 6465's Uniform Format for … Randy Bush
- Re: A problem with RFC 6465's Uniform Format for … Fernando Gont
- Re: A problem with RFC 6465's Uniform Format for … Randy Bush
- Re: A problem with RFC 6465's Uniform Format for … Fernando Gont
- Re: A problem with RFC 6465's Uniform Format for … Karsten Thomann
- Re: A problem with RFC 6465's Uniform Format for … Hagen Paul Pfeifer
- Re: A problem with RFC 6465's Uniform Format for … Brian E Carpenter
- Re: A problem with RFC 6465's Uniform Format for … Mark ZZZ Smith
- Re: A problem with RFC 6465's Uniform Format for … C. M. Heard
- Re: A problem with RFC 6465's Uniform Format for … Brian E Carpenter
- Re: A problem with RFC 6465's Uniform Format for … Fernando Gont
- Re: A problem with RFC 6465's Uniform Format for … RJ Atkinson
- Re: A problem with RFC 6465's Uniform Format for … Fernando Gont
- Re: A problem with RFC 6465's Uniform Format for … Brian E Carpenter
- Re: A problem with RFC 6465's Uniform Format for … Fernando Gont
- Re: A problem with RFC 6465's Uniform Format for … RJ Atkinson
- Re: A problem with RFC 6465's Uniform Format for … Fernando Gont
- Re: Re: A problem with RFC 6465's Uniform Format … Ray Hunter
- Re: A problem with RFC 6465's Uniform Format for … C. M. Heard
- Re: A problem with RFC 6465's Uniform Format for … Mark ZZZ Smith
- Re: A problem with RFC 6465's Uniform Format for … Fernando Gont
- Re: A problem with RFC 6465's Uniform Format for … Dan Lüdtke
- Re: A problem with RFC 6465's Uniform Format for … Mark ZZZ Smith
- Re: A problem with RFC 6465's Uniform Format for … Brian E Carpenter
- Re: A problem with RFC 6465's Uniform Format for … Fernando Gont